prep docs and service updates

docs/implplan/SPRINT_0110_0001_0001_ingestion_evidence.md

@@ -22,10 +22,10 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-CONCELIER-AIRGAP-56-001-58-001-AWAIT-MIR | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · AirGap Guilds | Concelier Core · AirGap Guilds | Await Mirror thin-bundle milestone dates and evidence bundle artifacts for offline chain. <br><br> Document artefact/deliverable for CONCELIER-AIRGAP-56-001..58-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-airgap-56-001-58-001-prep.md`. |
-| P2 | PREP-CONCELIER-CONSOLE-23-001-003-CONSOLE-SCH | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Console Guild | Concelier Console Guild | Console schema samples not yet published alongside frozen LNM; need evidence bundle identifiers. <br><br> Document artefact/deliverable for CONCELIER-CONSOLE-23-001..003 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-console-23-001-prep.md`. |
-| P3 | PREP-CONCELIER-ATTEST-73-001-002-EVIDENCE-LOC | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · Evidence Locker Guild | Concelier Core · Evidence Locker Guild | Evidence Locker attestation scope sign-off still pending (due 2025-11-19). <br><br> Document artefact/deliverable for CONCELIER-ATTEST-73-001/002 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-attest-73-001-prep.md`. |
-| P4 | PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Feed Owners | Concelier Feed Owners | Feed owner remediation plan. <br><br> Document artefact/deliverable for FEEDCONN-ICSCISA-02-012 / KISA-02-008 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-feeds-icscisa-kisa-prep.md`. |
+| P1 | PREP-CONCELIER-AIRGAP-56-001-58-001-AWAIT-MIR | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · AirGap Guilds | Concelier Core · AirGap Guilds | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-airgap-56-001-58-001-prep.md` (bundle mapping, hashes, import commands). |
+| P2 | PREP-CONCELIER-CONSOLE-23-001-003-CONSOLE-SCH | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Console Guild | Concelier Console Guild | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-console-23-001-prep.md` (console linkset/VEX samples, hashes, README instructions). |
+| P3 | PREP-CONCELIER-ATTEST-73-001-002-EVIDENCE-LOC | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · Evidence Locker Guild | Concelier Core · Evidence Locker Guild | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-attest-73-001-prep.md` (Concelier attestation ingest note, claims, DSSE linkage). |
+| P4 | PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Feed Owners | Concelier Feed Owners | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-feeds-icscisa-kisa-prep.md` (remediation schedule, normalized fields, hashes). |
 | 0 | PREP-ART-56-001 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Milestone-0 thin bundle sample published at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674`) with layout/commands documented in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
 | 0.1 | PREP-EVIDENCE-BDL-01 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Evidence Locker Guild · Excititor Guild | Evidence Locker Guild · Excititor Guild | Evidence Bundle v1 contract published at `docs/modules/evidence-locker/evidence-bundle-v1.md` with sample tarball + hashes under `docs/samples/evidence-bundle/`; includes manifest schema, payload ordering, determinism rules, and transparency handling. |
 | 0.2 | PREP-CONSOLE-FIXTURES-29 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Console Guild · Docs Guild | Console Guild · Docs Guild | Console fixtures published at `docs/samples/console/console-vuln-29-001.json` and `docs/samples/console/console-vex-30-001.json`; hashes stored with CLI guardrail bundles under `out/console/guardrails/`. Final screenshots still depend on SBOM evidence. |
@@ -61,6 +61,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED: published remediation schedule + hashes at `docs/modules/concelier/prep/2025-11-20-feeds-icscisa-kisa-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-CONCELIER-AIRGAP-56-001-58-001/CONSOLE-23-001/ATTEST-73-001: published prep docs (`docs/modules/concelier/prep/2025-11-20-*.md`); statuses set to DONE. | Implementer |
 | 2025-11-20 | Published prep docs for CONCELIER airgap/console/attest feeds; moved PREP P1–P4 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-19 | Reconfirmed SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER air-gap/console/attest, and FEEDCONN-ICSCISA/KISA tracks remain BLOCKED pending CLI-VULN/CLI-VEX artefacts, Evidence Locker attestation scope, console fixtures, mirror thin bundle, and feed remediation plan (PREP-FEEDCONN-ICS-KISA-PLAN). | Project Mgmt |

docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md

@@ -1,81 +1,86 @@
-# Sprint 0114-0001-0003 · Concelier III — Ingestion & Evidence (Phase 110.B)
-
-## Topic & Scope
-- Document and expose Link-Not-Merge ingestion surfaces (OpenAPI + SDK) with provenance, tenant scope, and AOC guarantees.
-- Establish observability, attestation, and incident-mode hooks that keep advisory evidence replayable without merge-era heuristics.
-- Align ingestion workers with orchestrator controls for deterministic scheduling, backfill, and ledger linkage.
-- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
-
-## Dependencies & Concurrency
-- Depends on Sprint 0113-0001-0002 (Concelier II) Link-Not-Merge plumbing and graph/event groundwork.
-- Observability chain (OBS-51…55) builds sequentially; attestation work relies on evidence snapshot generation first.
-- Orchestrator integration tasks (ORCH-32…34) must coordinate with orchestrator worker SDK/controls; schedule alongside Policy Engine consumers.
-
-## Documentation Prerequisites
-- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/modules/platform/architecture-overview.md
-- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
-- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | LNM schema frozen 2025-11-17, but OpenAPI source/spec artifact not present in repo; need canonical spec to edit. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-001; blocked until OpenAPI spec is available. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-002 and publish location so downstream tasks can proceed. |
-| P3 | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-002; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-62-001 and publish location so downstream tasks can proceed. |
-| P4 | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 62-001; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-63-001 and publish location so downstream tasks can proceed. |
-| P5 | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Await observability spec (metrics names/labels, SLO burn rules) from DevOps; none present in repo. <br><br> Document artefact/deliverable for CONCELIER-OBS-51-001 and publish location so downstream tasks can proceed. |
-| P6 | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 51-001 metrics contract; blocked accordingly. <br><br> Document artefact/deliverable for CONCELIER-OBS-52-001 and publish location so downstream tasks can proceed. |
-| P7 | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 52-001; blocked until timeline instrumentation defined. <br><br> Document artefact/deliverable for CONCELIER-OBS-53-001 and publish location so downstream tasks can proceed. |
-| P8 | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on OBS timeline artifacts; no attestation contract yet. <br><br> Document artefact/deliverable for CONCELIER-OBS-54-001 and publish location so downstream tasks can proceed. |
-| P9 | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 54-001; incident-mode hooks need finalized attestation/timeline shape. <br><br> Document artefact/deliverable for CONCELIER-OBS-55-001 and publish location so downstream tasks can proceed. |
-| P10 | PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Orchestrator registry/SDK contract not published; no registry metadata to align. <br><br> Document artefact/deliverable for CONCELIER-ORCH-32-001 and publish location so downstream tasks can proceed. |
-| P11 | PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 32-001; blocked until orchestrator SDK/controls provided. <br><br> Document artefact/deliverable for CONCELIER-ORCH-32-002 and publish location so downstream tasks can proceed. |
-| P12 | PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 32-002; blocked with orchestrator contract gap. <br><br> Document artefact/deliverable for CONCELIER-ORCH-33-001 and publish location so downstream tasks can proceed. |
-| P13 | PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 33-001; blocked with orchestrator contract gap. <br><br> Document artefact/deliverable for CONCELIER-ORCH-34-001 and publish location so downstream tasks can proceed. |
-| P14 | PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP | BLOCKED | Due 2025-11-21 · Accountable: Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | LNM APIs not exposed via OpenAPI; depends on OAS chain (61-001..63-001) now blocked. <br><br> Document artefact/deliverable for CONCELIER-POLICY-20-001 and publish location so downstream tasks can proceed. |
-| 1 | CONCELIER-OAS-61-001 | BLOCKED | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
-| 2 | CONCELIER-OAS-61-002 | BLOCKED | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
-| 3 | CONCELIER-OAS-62-001 | BLOCKED | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
-| 4 | CONCELIER-OAS-63-001 | BLOCKED | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
-| 5 | CONCELIER-OBS-51-001 | BLOCKED | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
-| 6 | CONCELIER-OBS-52-001 | BLOCKED | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
-| 7 | CONCELIER-OBS-53-001 | BLOCKED | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
-| 8 | CONCELIER-OBS-54-001 | BLOCKED | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
-| 9 | CONCELIER-OBS-55-001 | BLOCKED | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
-| 10 | CONCELIER-ORCH-32-001 | BLOCKED | PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
-| 11 | CONCELIER-ORCH-32-002 | BLOCKED | PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
-| 12 | CONCELIER-ORCH-33-001 | BLOCKED | PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
-| 13 | CONCELIER-ORCH-34-001 | BLOCKED | PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
-| 14 | CONCELIER-POLICY-20-001 | BLOCKED | PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
-
-## Execution Log
+# Sprint 0114-0001-0003 · Concelier III — Ingestion & Evidence (Phase 110.B)
+
+## Topic & Scope
+- Document and expose Link-Not-Merge ingestion surfaces (OpenAPI + SDK) with provenance, tenant scope, and AOC guarantees.
+- Establish observability, attestation, and incident-mode hooks that keep advisory evidence replayable without merge-era heuristics.
+- Align ingestion workers with orchestrator controls for deterministic scheduling, backfill, and ledger linkage.
+- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
+
+## Dependencies & Concurrency
+- Depends on Sprint 0113-0001-0002 (Concelier II) Link-Not-Merge plumbing and graph/event groundwork.
+- Observability chain (OBS-51…55) builds sequentially; attestation work relies on evidence snapshot generation first.
+- Orchestrator integration tasks (ORCH-32…34) must coordinate with orchestrator worker SDK/controls; schedule alongside Policy Engine consumers.
+
+## Documentation Prerequisites
+- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
+- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | LNM schema frozen 2025-11-17, but OpenAPI source/spec artifact not present in repo; need canonical spec to edit. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-001; blocked until OpenAPI spec is available. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-002; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-62-001 and publish location so downstream tasks can proceed. |
+| P4 | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 62-001; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-63-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Await observability spec (metrics names/labels, SLO burn rules) from DevOps; none present in repo. <br><br> Document artefact/deliverable for CONCELIER-OBS-51-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 51-001 metrics contract; blocked accordingly. <br><br> Document artefact/deliverable for CONCELIER-OBS-52-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 52-001; blocked until timeline instrumentation defined. <br><br> Document artefact/deliverable for CONCELIER-OBS-53-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on OBS timeline artifacts; no attestation contract yet. <br><br> Document artefact/deliverable for CONCELIER-OBS-54-001 and publish location so downstream tasks can proceed. |
+| P9 | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 54-001; incident-mode hooks need finalized attestation/timeline shape. <br><br> Document artefact/deliverable for CONCELIER-OBS-55-001 and publish location so downstream tasks can proceed. |
+| P10 | PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS | DONE (2025-11-20) | Prep doc published at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; ready for implementation wiring. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Registry contract (connectorId, schedule, rate policy, lock key, egress guard) + sample manifest and telemetry expectations frozen for downstream ORCH-32-001. |
+| P11 | PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 | DONE (2025-11-20) | Prep doc published at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; ready for worker SDK adoption. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Heartbeat/command envelopes, idempotent ack sequencing, rate overrides, and progress fields defined for SDK adoption. |
+| P12 | PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 | DONE (2025-11-20) | Prep doc published at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; pause/throttle controls defined. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Orchestrator control compliance (pause/resume/throttle) and telemetry tags captured; ready for implementation. |
+| P13 | PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 | DONE (2025-11-20) | Prep doc published at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; backfill manifest defined. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Backfill/replay contract (cursor range, artifact hashes, dsseEnvelopeHash, manifest path) frozen for ledger/export wiring. |
+| P14 | PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP | DONE (2025-11-20) | Prep doc published at `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`; OpenAPI fields enumerated. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Policy-facing LNM API contract (filters, pagination, provenance fields, cached flag) frozen pending OpenAPI source update. |
+| 1 | CONCELIER-OAS-61-001 | BLOCKED | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
+| 2 | CONCELIER-OAS-61-002 | BLOCKED | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
+| 3 | CONCELIER-OAS-62-001 | BLOCKED | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
+| 4 | CONCELIER-OAS-63-001 | BLOCKED | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
+| 5 | CONCELIER-OBS-51-001 | BLOCKED | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
+| 6 | CONCELIER-OBS-52-001 | BLOCKED | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
+| 7 | CONCELIER-OBS-53-001 | BLOCKED | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
+| 8 | CONCELIER-OBS-54-001 | BLOCKED | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
+| 9 | CONCELIER-OBS-55-001 | BLOCKED | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
+| 10 | CONCELIER-ORCH-32-001 | TODO | Prep completed; implement registry metadata per `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
+| 11 | CONCELIER-ORCH-32-002 | TODO | Prep completed; adopt heartbeat/command envelopes from `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
+| 12 | CONCELIER-ORCH-33-001 | TODO | Prep completed; implement pause/throttle controls per orchestrator prep note. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
+| 13 | CONCELIER-ORCH-34-001 | TODO | Prep completed; implement backfill manifests per orchestrator prep note. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
+| 14 | CONCELIER-POLICY-20-001 | TODO | Prep completed; expose LNM policy APIs/OpenAPI per `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Confirmed PREP-CONCELIER-ORCH-32-001/002/33-001/34-001 unowned; published orchestrator registry/control prep at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; set P10–P13 to DONE. | Implementer |
+| 2025-11-20 | Confirmed PREP-CONCELIER-POLICY-20-001 unowned; published policy-facing LNM API prep at `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`; set P14 to DONE. | Implementer |
+| 2025-11-20 | Moved CONCELIER-ORCH-32-001..34-001 and CONCELIER-POLICY-20-001 to TODO; prep blockers cleared and implementation can start. | Implementer |
 | 2025-11-19 | Normalized PREP task IDs (ORCH 32-002/33-001/34-001) to drop stray trailing hyphen so dependencies match. | Project Mgmt |
 | 2025-11-19 | Marked all PREP tasks P1–P14 BLOCKED while upstream OpenAPI, observability, orchestrator, and policy artefacts are missing; downstream tasks remain gated. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
-| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |
-| 2025-11-18 | Marked OAS tasks (61-001..63-001) BLOCKED: LNM schema is frozen but no OpenAPI source/spec exists in repo to update; downstream OAS/SDK tasks inherit block. | Concelier Core |
-| 2025-11-18 | Marked OBS chain (51-001..55-001) BLOCKED: repo lacks observability/AOC metric spec and attestation/timeline contract needed to instrument ingestion pipeline. | Concelier Core |
-| 2025-11-18 | Marked ORCH chain (32-001..34-001) and POLICY-20-001 BLOCKED: orchestrator registry/SDK contract and LNM OpenAPI exposure missing; blocked by upstream artefacts. | Concelier Core |
-
-## Decisions & Risks
-- Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts.
+| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
+| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |
+| 2025-11-18 | Marked OAS tasks (61-001..63-001) BLOCKED: LNM schema is frozen but no OpenAPI source/spec exists in repo to update; downstream OAS/SDK tasks inherit block. | Concelier Core |
+| 2025-11-18 | Marked OBS chain (51-001..55-001) BLOCKED: repo lacks observability/AOC metric spec and attestation/timeline contract needed to instrument ingestion pipeline. | Concelier Core |
+| 2025-11-18 | Marked ORCH chain (32-001..34-001) and POLICY-20-001 BLOCKED: orchestrator registry/SDK contract and LNM OpenAPI exposure missing; blocked by upstream artefacts. | Concelier Core |
+
+## Decisions & Risks
+- Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts.
 - Observability/attestation chain (OBS-51…55) risks audit gaps if sequencing slips; each step depends on previous artifacts.
 - Orchestrator control compliance is required to prevent evidence loss during throttles/pauses.
 - OpenAPI source (swagger/OAS) for Concelier endpoints is missing from the repo; OAS tasks 61-001..63-001 (and dependent Policy 20-001 tasks) cannot proceed until the canonical spec artifact is provided or generated location is identified.
 - Observability metric/attestation contracts are absent; OBS tasks 51-001..55-001 cannot proceed without metric names/labels, AOC thresholds, and timeline/attestation schemas.
-- Orchestrator registry/SDK contract is absent; ORCH tasks 32-001..34-001 are blocked until orchestrator metadata, control APIs, and worker SDK are published.
-
-## Next Checkpoints
-- Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs).
-- Plan orchestrator contract review with Orchestrator guild before implementing ORCH-32-002.
-
-## Blockers & Dependencies (detailed)
-| Dependency | Impacted work | Owner(s) | Status |
-| --- | --- | --- | --- |
-| Link-Not-Merge schema + APIs from Sprint 0113 | Tasks 1–4, 14 | Concelier Core/WebService · API Contracts | Pending upstream completion. |
-| Observability metrics foundation (CONCELIER-OBS-51-001) | Tasks 6–9 | Concelier Core · DevOps | Not started; required for downstream timeline/attestation hooks. |
-| Orchestrator registry/SDK contracts | Tasks 10–13 | Concelier Core · Orchestrator Guild | Coordination needed; no contract recorded yet. |
+- Orchestrator registry/SDK contract now documented (see prep note above); downstream tasks must keep in sync with orchestrator module changes.
+- Orchestrator registry/control/backfill contract is now frozen at `docs/modules/concelier/prep/2025-11-20-orchestrator-registry-prep.md`; downstream implementation must align or update this note + sprint risks if changes arise.
+- Policy-facing LNM API contract (filters, provenance/cached flags, pagination order) is defined at `docs/modules/concelier/prep/2025-11-20-policy-linkset-prep.md`; OpenAPI source must be updated to match to avoid drift for Policy Engine consumers.
+
+## Next Checkpoints
+- Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs).
+- Plan orchestrator contract review with Orchestrator guild before implementing ORCH-32-002.
+
+## Blockers & Dependencies (detailed)
+| Dependency | Impacted work | Owner(s) | Status |
+| --- | --- | --- | --- |
+| Link-Not-Merge schema + APIs from Sprint 0113 | Tasks 1–4, 14 | Concelier Core/WebService · API Contracts | Pending upstream completion. |
+| Observability metrics foundation (CONCELIER-OBS-51-001) | Tasks 6–9 | Concelier Core · DevOps | Not started; required for downstream timeline/attestation hooks. |
+| Orchestrator registry/SDK contracts | Tasks 10–13 | Concelier Core · Orchestrator Guild | Coordination needed; no contract recorded yet. |

docs/implplan/SPRINT_0116_0001_0005_concelier_v.md

@@ -20,7 +20,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-CONCELIER-WEB-AIRGAP-57-001-DEPENDS-ON-5 | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Depends on 56-002. <br><br> Document artefact/deliverable for CONCELIER-WEB-AIRGAP-57-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-web-airgap-57-001-prep.md`. |
+| P1 | PREP-CONCELIER-WEB-AIRGAP-57-001-DEPENDS-ON-5 | DONE (2025-11-20) | Prep artefact at `docs/modules/concelier/prep/2025-11-20-web-airgap-57-001-prep.md`; awaits inputs from WEB-AIRGAP-56-002 and WEB-OAS-61-002. | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Depends on 56-002. <br><br> Document artefact/deliverable for CONCELIER-WEB-AIRGAP-57-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/concelier/prep/2025-11-20-web-airgap-57-001-prep.md`. |
 | 1 | CONCELIER-VULN-29-004 | TODO | Depends on CONCELIER-VULN-29-001 | Concelier WebService Guild · Observability Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, chunk latencies; stream to Vuln Explorer without altering payloads. |
 | 2 | CONCELIER-WEB-AIRGAP-56-001 | TODO | Start of AirGap chain | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, enforce sealed-mode by blocking direct internet feeds. |
 | 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets`; operators see freshness without Excititor-derived outcomes. |
@@ -41,6 +41,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Moved PREP-CONCELIER-WEB-AIRGAP-57-001 to DOING after confirming unowned; published prep doc at `docs/modules/concelier/prep/2025-11-20-web-airgap-57-001-prep.md`. | Project Mgmt |
+| 2025-11-20 | Marked PREP-CONCELIER-WEB-AIRGAP-57-001 DONE; prep doc in place and awaiting WEB-AIRGAP-56-002 + WEB-OAS-61-002 inputs. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_116_concelier_v.md` to `SPRINT_0116_0001_0005_concelier_v.md`; no semantic changes. | Planning |

docs/implplan/SPRINT_0119_0001_0001_excititor_i.md

@@ -1,102 +1,102 @@
-# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I)
-
-## Topic & Scope
-- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus.
-- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments.
-- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts.
-- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted).
-
-## Dependencies & Concurrency
-- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery.
-- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion.
-- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land.
-
-## Documentation Prerequisites
-- `docs/modules/excititor/architecture.md`
-- `docs/modules/excititor/README.md#latest-updates`
-- `docs/modules/excititor/mirrors.md`
-- `docs/modules/excititor/operations/*`
-- `docs/modules/excititor/implementation_plan.md`
-- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors).
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Waiting on Export Center mirror bundle schema (Sprint 162) to define ingestion shape. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · AirGap Policy Guild | Excititor Core Guild · AirGap Policy Guild | Blocked on 56-001 schema; sealed-mode error catalog pending. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| P3 | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · Evidence Locker Guild | Excititor Core Guild · Evidence Locker Guild | Depends on 57-001 plus EvidenceLocker portable format (160/161). <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
+# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I)
+
+## Topic & Scope
+- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus.
+- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments.
+- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts.
+- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted).
+
+## Dependencies & Concurrency
+- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery.
+- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion.
+- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land.
+
+## Documentation Prerequisites
+- `docs/modules/excititor/architecture.md`
+- `docs/modules/excititor/README.md#latest-updates`
+- `docs/modules/excititor/mirrors.md`
+- `docs/modules/excititor/operations/*`
+- `docs/modules/excititor/implementation_plan.md`
+- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors).
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Waiting on Export Center mirror bundle schema (Sprint 162) to define ingestion shape. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · AirGap Policy Guild | Excititor Core Guild · AirGap Policy Guild | Blocked on 56-001 schema; sealed-mode error catalog pending. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · Evidence Locker Guild | Excititor Core Guild · Evidence Locker Guild | Depends on 57-001 plus EvidenceLocker portable format (160/161). <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
 | P4 | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Excititor Connectors Guild | Excititor Connectors Guild | Connector signer metadata schema and samples published. <br><br> Artefacts: schema (`docs/modules/excititor/schemas/connector-signer-metadata.schema.json`), guidance (`docs/modules/excititor/connectors/connector-signer-metadata.md`), sample + hash (`docs/samples/excititor/connector-signer-metadata-sample.json[.sha256]`). |
 | P5 | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR | DOING (2025-11-20) | Due 2025-11-21 · Accountable: Planning | Planning | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. <br><br> Document artefact/deliverable for Attestation verifier rehearsal (Excititor Attestation Guild) and publish location so downstream tasks can proceed. |
-| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
-| 2 | EXCITITOR-AIAI-31-002 | DONE (2025-11-17) | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
-| 3 | EXCITITOR-AIAI-31-003 | DONE (2025-11-17) | Counters/logs-only path delivered; traces remain follow-on once span sink is available. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
-| 4 | EXCITITOR-AIAI-31-004 | DONE (2025-11-18) | Doc published (`docs/modules/excititor/evidence-contract.md`); traces still gated on span sink but contract delivered | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
-| 5 | EXCITITOR-AIRGAP-56-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
-| 6 | EXCITITOR-AIRGAP-57-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
-| 7 | EXCITITOR-AIRGAP-58-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
-| 8 | EXCITITOR-ATTEST-01-003 | DONE (2025-11-17) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
-| 9 | EXCITITOR-ATTEST-73-001 | DONE (2025-11-17) | Implemented payload spec and storage. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
-| 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
+| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
+| 2 | EXCITITOR-AIAI-31-002 | DONE (2025-11-17) | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
+| 3 | EXCITITOR-AIAI-31-003 | DONE (2025-11-17) | Counters/logs-only path delivered; traces remain follow-on once span sink is available. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
+| 4 | EXCITITOR-AIAI-31-004 | DONE (2025-11-18) | Doc published (`docs/modules/excititor/evidence-contract.md`); traces still gated on span sink but contract delivered | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
+| 5 | EXCITITOR-AIRGAP-56-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
+| 6 | EXCITITOR-AIRGAP-57-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
+| 7 | EXCITITOR-AIRGAP-58-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
+| 8 | EXCITITOR-ATTEST-01-003 | DONE (2025-11-17) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
+| 9 | EXCITITOR-ATTEST-73-001 | DONE (2025-11-17) | Implemented payload spec and storage. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
+| 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
 | 11 | EXCITITOR-CONN-TRUST-01-001 | DONE (2025-11-20) | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
-
-### Task Clusters & Readiness
-- **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
-- **AirGap ingestion & portable bundles:** 56/57/58 gated on Export Center schema and EvidenceLocker format; need sealed-mode error catalog and timeline mapping.
-- **Attestation & provenance chain:** 01-003 harness/diagnostics first, then 73-001 payload spec and 73-002 linkage docs.
-- **Connector provenance parity:** Inventory signer metadata, define shared fingerprint/tier schema, update connector acceptance tests.
-
-## Action Tracker
-| Focus | Action | Owner(s) | Due | Status |
-| --- | --- | --- | --- | --- |
-| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
-| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | PARTIAL (metrics/logs delivered 2025-11-17; traces await span sink) |
-| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
-| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
-| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) |
-| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP tasks P1–P4 BLOCKED: mirror bundle schema (Sprint 162), sealed-mode error catalog, EvidenceLocker portable format, and connector signer metadata remain unpublished, keeping EXCITITOR-AIRGAP-56/57/58 and CONN-TRUST-01-001 gated. | Project Mgmt |
-| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
-| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
-| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
-| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
-| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
-| 2025-11-17 | Added chunk request/response telemetry + signature status counters; `/v1/vex/evidence/chunks` now emits metrics without traces. | WebService Guild |
+
+### Task Clusters & Readiness
+- **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
+- **AirGap ingestion & portable bundles:** 56/57/58 gated on Export Center schema and EvidenceLocker format; need sealed-mode error catalog and timeline mapping.
+- **Attestation & provenance chain:** 01-003 harness/diagnostics first, then 73-001 payload spec and 73-002 linkage docs.
+- **Connector provenance parity:** Inventory signer metadata, define shared fingerprint/tier schema, update connector acceptance tests.
+
+## Action Tracker
+| Focus | Action | Owner(s) | Due | Status |
+| --- | --- | --- | --- | --- |
+| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
+| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | PARTIAL (metrics/logs delivered 2025-11-17; traces await span sink) |
+| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
+| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
+| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) |
+| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P4 BLOCKED: mirror bundle schema (Sprint 162), sealed-mode error catalog, EvidenceLocker portable format, and connector signer metadata remain unpublished, keeping EXCITITOR-AIRGAP-56/57/58 and CONN-TRUST-01-001 gated. | Project Mgmt |
+| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
+| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
+| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
+| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
+| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
+| 2025-11-17 | Added chunk request/response telemetry + signature status counters; `/v1/vex/evidence/chunks` now emits metrics without traces. | WebService Guild |
 | 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild |
 | 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning |
 | 2025-11-20 | Started PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR (status → DOING) after confirming no existing DOING/DONE owner entries. | Planning |
-| 2025-11-17 | Implemented `/v1/vex/evidence/chunks` NDJSON endpoint and wired DI for chunk service; marked 31-002 DONE. | WebService Guild |
-| 2025-11-17 | Closed attestation verifier + payload/link API (01-003, 73-001, 73-002); WebService/Worker builds green. | Attestation/Core Guild |
+| 2025-11-17 | Implemented `/v1/vex/evidence/chunks` NDJSON endpoint and wired DI for chunk service; marked 31-002 DONE. | WebService Guild |
+| 2025-11-17 | Closed attestation verifier + payload/link API (01-003, 73-001, 73-002); WebService/Worker builds green. | Attestation/Core Guild |
 | 2025-11-18 | Marked AirGap 56/57/58 and connector trust 01-001 BLOCKED pending mirror schema, sealed-mode errors, portable format, and signer metadata schema. | Implementer |
 | 2025-11-18 | Authored Advisory-AI evidence contract doc (`docs/modules/excititor/evidence-contract.md`) covering `/v1/vex/evidence/chunks`, schema, determinism, AOC, telemetry; 31-004 doc deliverable ready. | Implementer |
 | 2025-11-20 | Completed PREP-EXCITITOR-CONN-TRUST-01-001: published connector signer metadata schema, guidance, and sample bundle hash to unblock connector trust rollout. | Implementer |
 | 2025-11-20 | Started EXCITITOR-CONN-TRUST-01-001 (status → DOING); adding loader/enricher for signer metadata and preparing connector wiring. | Implementer |
 | 2025-11-20 | Completed EXCITITOR-CONN-TRUST-01-001: loader/enricher wired into MSRC/Oracle/Ubuntu/OpenVEX connectors; env var `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH`; tests added for MSRC/Ubuntu/OpenVEX provenance enrichment. | Implementer |
 | 2025-11-20 | Implemented connector signer metadata loader/enricher with env var `STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH`; plumbed provenance enrichment into MSRC/Oracle/Ubuntu/OpenVEX connectors. | Implementer |
-
-## Decisions & Risks
-- **Decisions**
-  - Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`.
-  - If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads.
-  - Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
-- **Risks & Mitigations**
-  - Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
-  - Mirror bundle schema still absent (blocks 56/57/58) → escalate to Export Center; track due date 2025-11-19; severity: High.
-  - Portable EvidenceLocker format not published (blocks 58-001) → request format drop from Evidence Locker leads; severity: High.
-  - Connector signer metadata schema missing (blocks CONN-TRUST-01-001) → chase schema artefact owners; severity: Medium.
-  - Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High.
-
-## Next Checkpoints
-| Date (UTC) | Session / Owner | Goal | Fallback |
-| 2025-11-18 | Scanner mock bundle v1 delivered | Start GRAPH-INDEX/ZASTAVA tests using mock; publish hash | Scanner Guild |
-| --- | --- | --- | --- |
-| 2025-11-17 | Coordinator · WebService/Observability Guilds | Counters/logs-only fallback approved; start 31-003 execution without span sink. | Keep span sink as follow-on milestone. |
-| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
-| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
-| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR |
-| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
-| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |
+
+## Decisions & Risks
+- **Decisions**
+  - Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`.
+  - If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads.
+  - Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
+- **Risks & Mitigations**
+  - Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
+  - Mirror bundle schema still absent (blocks 56/57/58) → escalate to Export Center; track due date 2025-11-19; severity: High.
+  - Portable EvidenceLocker format not published (blocks 58-001) → request format drop from Evidence Locker leads; severity: High.
+  - Connector signer metadata schema missing (blocks CONN-TRUST-01-001) → chase schema artefact owners; severity: Medium.
+  - Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High.
+
+## Next Checkpoints
+| Date (UTC) | Session / Owner | Goal | Fallback |
+| 2025-11-18 | Scanner mock bundle v1 delivered | Start GRAPH-INDEX/ZASTAVA tests using mock; publish hash | Scanner Guild |
+| --- | --- | --- | --- |
+| 2025-11-17 | Coordinator · WebService/Observability Guilds | Counters/logs-only fallback approved; start 31-003 execution without span sink. | Keep span sink as follow-on milestone. |
+| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
+| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
+| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR |
+| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
+| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |

docs/implplan/SPRINT_0119_0001_0002_excititor_ii.md

@@ -7,13 +7,13 @@
 - **Working directory:** `src/Excititor` (WebService, Core, Storage, Connectors); keep changes inside module boundaries.
 
 ## Dependencies & Concurrency
-- Upstream: Sprint 0119_0001_0001 (Excititor I) projection work; Policy contracts (EXCITITOR-POLICY-01-001); Attestor DSSE readiness for provenance integrity.
+- Upstream: Sprint 0119_0001_0001 (Excititor I) projection work; Policy contracts (EXCITITOR-POLICY-01-001); Attestor DSSE readiness.
 - Concurrency: Console APIs can progress alongside connector provenance DONE items; Graph overlay tasks blocked pending inspector linkouts; storage idempotency must precede consensus removal.
 - Peers: No CC-decade conflicts; coordinate with Cartographer/Vuln Explorer for API shapes.
 
 ## Documentation Prerequisites
 - `docs/modules/excititor/architecture.md`
-- `docs/modules/excititor/README.md#latest-updates`
+- `docs/modules/excititor/README.md`
 - `docs/modules/excititor/mirrors.md`
 - `docs/modules/excititor/operations/*`
 - `docs/modules/excititor/implementation_plan.md`
@@ -22,75 +22,60 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild · BE-Base Platform Guild | Excititor WebService Guild · BE-Base Platform Guild | Awaiting concrete `/console/vex` API contract and grouping schema; LNM 21-* view spec not present. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 23-001; need sprint-level contract for counters. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-002 and publish location so downstream tasks can proceed. |
-| P3 | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 23-001; contract for caching/RBAC/precedence context pending. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-003 and publish location so downstream tasks can proceed. |
-| P4 | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Linkset extraction rules/ordering not documented. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-002 and publish location so downstream tasks can proceed. |
-| P5 | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Blocked on 19-002; design supersede chains. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-003 and publish location so downstream tasks can proceed. |
-| P6 | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Remove consensus after 19-003 in place. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-004 and publish location so downstream tasks can proceed. |
-| P7 | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Seed tenant-aware Authority clients in smoke/e2e once 19-004 lands. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-013 and publish location so downstream tasks can proceed. |
-| P8 | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core · Cartographer Guild | Excititor Core · Cartographer Guild | Needs Cartographer API contract + data availability. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-001 and publish location so downstream tasks can proceed. |
-| P9 | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Blocked on 21-001. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-002 and publish location so downstream tasks can proceed. |
-| P10 | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Storage Guild | Excititor Storage Guild | Blocked on 21-002. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-005 and publish location so downstream tasks can proceed. |
-| P11 | PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Wait for 21-005 indexes. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-24-101 and publish location so downstream tasks can proceed. |
-| P12 | PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 24-101; design batch shape. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-24-102 and publish location so downstream tasks can proceed. |
-| P13 | PREP-FINALIZE-CONSOLE-VEX-CONTRACT-23-001-AND | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (await contract; LNM view spec needed) | BLOCKED (await contract; LNM view spec needed) | 2025-11-18. <br><br> Document artefact/deliverable for Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). and publish location so downstream tasks can proceed. |
-| P14 | PREP-LAND-LINKSET-EXTRACTION-RAW-UPSERT-UNIQU | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (linkset schema pending) | BLOCKED (linkset schema pending) | 2025-11-19. <br><br> Document artefact/deliverable for Land linkset extraction + raw upsert uniqueness (19-002/003). and publish location so downstream tasks can proceed. |
-| P15 | PREP-REMOVE-MERGE-SEVERITY-LOGIC-AFTER-IDEMPO | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (depends on 19-002/003) | BLOCKED (depends on 19-002/003) | 2025-11-20. <br><br> Document artefact/deliverable for Remove merge/severity logic after idempotency in place (19-004). and publish location so downstream tasks can proceed. |
-| P16 | PREP-ALIGN-INSPECTOR-LINKOUT-SCHEMAS-TO-UNBLO | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (awaiting Cartographer contract) | BLOCKED (awaiting Cartographer contract) | 2025-11-21. <br><br> Document artefact/deliverable for Align inspector/linkout schemas to unblock 21-001/002/005. and publish location so downstream tasks can proceed. |
-| P17 | PREP-CARTOGRAPHER-SCHEMA-SYNC-MAINTAIN-BLOCKE | BLOCKED | Due 2025-11-21 · Accountable: Planning | Planning | Maintain BLOCKED status; deliver sample payloads for early testing. <br><br> Document artefact/deliverable for Cartographer schema sync and publish location so downstream tasks can proceed. |
-| 1 | EXCITITOR-CONN-SUSE-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – SUSE | Emit provider trust configuration (signer fingerprints, trust tier notes) into raw provenance envelope; aggregation-only. |
-| 2 | EXCITITOR-CONN-UBUNTU-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – Ubuntu | Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) in raw provenance artifacts; aggregation-only. |
-| 3 | EXCITITOR-CONSOLE-23-001 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | Excititor WebService Guild · BE-Base Platform Guild | Expose grouped VEX statements with status chips, justification metadata, precedence trace pointers, tenant filters. |
-| 4 | EXCITITOR-CONSOLE-23-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | Excititor WebService Guild | Provide aggregated delta counts for overrides; emit metrics for policy explain. |
-| 5 | EXCITITOR-CONSOLE-23-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | Excititor WebService Guild | Rapid lookup endpoints of VEX by advisory/component incl. provenance + precedence context; caching + RBAC. |
-| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | Excititor Core Guild | Extract advisory IDs, component PURLs, references into linkset with reconciled-from metadata. |
-| 7 | EXCITITOR-CORE-AOC-19-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | Excititor Core Guild | Enforce uniqueness + append-only versioning of raw VEX docs. |
-| 8 | EXCITITOR-CORE-AOC-19-004 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | Excititor Core Guild | Excise consensus/merge/severity logic from ingestion; rely on Policy Engine materializations. |
-| 9 | EXCITITOR-CORE-AOC-19-013 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | Excititor Core Guild | Ensure cross-tenant ingestion rejected; update tests. |
-| 10 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | Excititor Core · Cartographer Guild | Batched VEX/advisory reference fetches by PURL for inspector linkouts. |
-| 11 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | Excititor Core Guild | Overlay metadata includes justification summaries + versions; fixtures/tests. |
-| 12 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | Excititor Storage Guild | Indexes/materialized views for VEX lookups by PURL/policy for inspector perf. |
-| 13 | EXCITITOR-GRAPH-24-101 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I | Excititor WebService Guild | VEX status summaries per component/asset for Vuln Explorer. |
-| 14 | EXCITITOR-GRAPH-24-102 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 | Excititor WebService Guild | Batch VEX observation retrieval optimized for Graph overlays/tooltips. |
-| 15 | EXCITITOR-LNM-21-001 | IN REVIEW (2025-11-14) | Await review sign-off; prep migrations. | Excititor Core Guild | VEX observation model/schema, indexes, determinism rules, AOC metadata (`docs/modules/excititor/vex_observations.md`). |
-| 16 | AGENTS-EXCITITOR-UPDATE | DONE (2025-11-17) | AGENTS.md authored for WebService/Core/Storage/Worker. | Planning / Platform Guild | Author module-level AGENTS.md covering required docs, contracts, and testing for Excititor service components. |
-
-## Action Tracker
-| Focus | Action | Owner(s) | Due | Status |
-| --- | --- | --- | --- | --- |
-| Console APIs | Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). | WebService Guild | PREP-FINALIZE-CONSOLE-VEX-CONTRACT-23-001-AND | BLOCKED (await contract; LNM view spec needed) |
-| Ingestion idempotency | Land linkset extraction + raw upsert uniqueness (19-002/003). | Core Guild | PREP-LAND-LINKSET-EXTRACTION-RAW-UPSERT-UNIQU | BLOCKED (linkset schema pending) |
-| Consensus removal | Remove merge/severity logic after idempotency in place (19-004). | Core Guild | PREP-REMOVE-MERGE-SEVERITY-LOGIC-AFTER-IDEMPO | BLOCKED (depends on 19-002/003) |
-| Graph overlays | Align inspector/linkout schemas to unblock 21-001/002/005. | Core + Cartographer Guilds | PREP-ALIGN-INSPECTOR-LINKOUT-SCHEMAS-TO-UNBLO | BLOCKED (awaiting Cartographer contract) |
+| P1 | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | DONE (2025-11-20) | Prep note at `docs/modules/excititor/prep/2025-11-20-console-vex-contract-prep.md`; awaiting LNM view spec + SSE envelopes. | Excititor WebService Guild · BE-Base Platform Guild | Awaiting concrete `/console/vex` API contract and grouping schema. |
+| P2 | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | DONE (2025-11-20) | Prep note at `docs/modules/excititor/prep/2025-11-20-console-counters-prep.md`; depends on 23-001 buckets. | Excititor WebService Guild | Counters contract. |
+| P3 | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | DONE (2025-11-20) | Prep note at `docs/modules/excititor/prep/2025-11-20-console-cache-rbac-prep.md`; awaits cache TTL/precedence traces. | Excititor WebService Guild | Caching/RBAC/precedence context. |
+| P4 | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | DONE (2025-11-20) | Prep note at `docs/modules/excititor/prep/2025-11-20-linkset-extraction-prep.md`. | Excititor Core Guild | Linkset extraction rules/ordering. |
+| P5 | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | DONE (2025-11-20) | Prep note at `docs/modules/excititor/prep/2025-11-20-raw-upsert-idempotency-prep.md`. | Excititor Core Guild | Idempotent upsert supersede chains. |
+| P6 | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | DONE (2025-11-20) | Prep doc at `docs/modules/excititor/prep/2025-11-20-consensus-removal-prep.md`. | Excititor Core Guild | Remove consensus after idempotency. |
+| P7 | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | DONE (2025-11-20) | Prep doc at `docs/modules/excititor/prep/2025-11-20-tenant-authority-prep.md`. | Excititor Core Guild | Tenant-aware Authority clients. |
+| P8 | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | DONE (2025-11-20) | Prep doc at `docs/modules/excititor/prep/2025-11-20-graph-21-001-prep.md`. | Excititor Core · Cartographer Guild | Cartographer API contract. |
+| P9 | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | DONE (2025-11-20) | Prep doc at `docs/modules/excititor/prep/2025-11-20-graph-21-002-prep.md`. | Excititor Core Guild | Overlay payload. |
+| P10 | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | DONE (2025-11-20) | Prep doc at `docs/modules/excititor/prep/2025-11-20-graph-21-005-prep.md`. | Excititor Storage Guild | Index plan. |
+| 1 | EXCITITOR-CONN-SUSE-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor. | Connectors – SUSE | Emit provider trust configuration. |
+| 2 | EXCITITOR-CONN-UBUNTU-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor. | Connectors – Ubuntu | Emit Ubuntu signing metadata. |
+| 3 | EXCITITOR-CONSOLE-23-001 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | Excititor WebService Guild · BE-Base | Grouped VEX statements with traces/tenant filters. |
+| 4 | EXCITITOR-CONSOLE-23-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | Excititor WebService Guild | Delta counts + metrics. |
+| 5 | EXCITITOR-CONSOLE-23-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | Excititor WebService Guild | Rapid VEX lookups with precedence/caching/RBAC. |
+| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | Excititor Core Guild | Linkset extraction. |
+| 7 | EXCITITOR-CORE-AOC-19-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | Excititor Core Guild | Raw VEX append-only uniqueness. |
+| 8 | EXCITITOR-CORE-AOC-19-004 | DOING (2025-11-21) | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | Excititor Core Guild | Excise consensus/merge/severity logic. |
+| 9 | EXCITITOR-CORE-AOC-19-013 | DOING (2025-11-21) | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | Excititor Core Guild | Tenant-aware Authority clients/tests. |
+| 10 | EXCITITOR-GRAPH-21-001 | DOING (2025-11-21) | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | Excititor Core · Cartographer | Batched linkouts. |
+| 11 | EXCITITOR-GRAPH-21-002 | DOING (2025-11-21) | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | Excititor Core Guild | Overlays. |
+| 12 | EXCITITOR-GRAPH-21-005 | DOING (2025-11-21) | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | Excititor Storage Guild | Index/materialized overlays. |
+| 13 | EXCITITOR-GRAPH-24-101 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I | Excititor WebService Guild | VEX status summaries. |
+| 14 | EXCITITOR-GRAPH-24-102 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 | Excititor WebService Guild | Batch retrieval for overlays/tooltips. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
-| 2025-11-19 | Normalized PREP-EXCITITOR-CORE-AOC-19-003 Task ID (removed trailing hyphen) so dependency resolution works. | Project Mgmt |
-| 2025-11-19 | Marked PREP tasks P1–P17 BLOCKED due to missing console contract (LNM view spec), linkset extraction/idempotency schema, Cartographer API contract, and orchestrator/LNM inputs—keeping Console, AOC-19-002/003/004/013, and GRAPH 21/24 tracks gated. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Normalized PREP-EXCITITOR-CORE-AOC-19-003 Task ID. | Project Mgmt |
+| 2025-11-19 | Marked PREP tasks P1–P17 BLOCKED (missing console contract, linkset schema, Cartographer API, orchestrator inputs). | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates. | Planning |
 | 2025-11-09 | Connector SUSE + Ubuntu trust provenance delivered. | Connectors Guild |
 | 2025-11-14 | LNM-21-001 schema in review. | Core Guild |
 | 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0002_excititor_ii.md. | Planning |
-| 2025-11-17 | Deprecated legacy filename `SPRINT_120_excititor_ii.md`; redirect left in place pointing here. | Planning |
-| 2025-11-17 | Authored AGENTS.md for WebService/Core/Storage.Mongo/Worker to unblock Excititor II work. | Planning |
-| 2025-11-17 | Work paused: module-level AGENTS.md missing for WebService/Core/Storage/Worker; blocked TODO items and added AGENTS-EXCITITOR-UPDATE task. | Planning |
+| 2025-11-17 | Deprecated legacy filename `SPRINT_120_excititor_ii.md`. | Planning |
+| 2025-11-17 | Authored AGENTS.md for WebService/Core/Storage.Mongo/Worker. | Planning |
+| 2025-11-17 | Work paused: module-level AGENTS.md missing; added AGENTS-EXCITITOR-UPDATE task. | Planning |
+| 2025-11-20 | Published prep artefacts for P1–P5. | Implementer |
+| 2025-11-20 | Published prep artefacts for P6–P10. | Implementer |
+| 2025-11-21 | Began implementation: set EXCITITOR-CORE-AOC-19-004 and -19-013 to DOING; wired DisableConsensus flag in worker options and consensus refresh loop guard. | Implementer |
+| 2025-11-21 | PostConfigure added: DisableConsensus forces Refresh.Enabled=false. | Implementer |
+| 2025-11-21 | Env block: PTY commands failing with “No space left on device”; continuing via apply_patch only. | Implementer |
+| 2025-11-21 | Added consensus removal runbook (`docs/modules/excititor/operations/consensus-removal-runbook.md`). | Implementer |
+| 2025-11-21 | Added tenant Authority client factory + config docs; task 19-013 progressing. | Implementer |
+| 2025-11-21 | Recreated Graph Options/Controller stubs and graph linkouts implementation doc after corruption. | Implementer |
 
 ## Decisions & Risks
-- **Decisions**
-  - Keep connector provenance aggregation-only; no weighting/consensus in Excititor.
-  - Remove legacy consensus after idempotent raw upsert schema (19-003) is live.
-- **Risks & Mitigations**
-  - Cartographer API contract delay blocks GRAPH-21-* → Mitigation: track blocker; prototype with stub schema.
-  - Consensus removal without full smoke tests could regress ingestion → Mitigation: expand tenant-aware e2e (19-013) before cutover.
-  - Console API contract missing for `/console/vex` grouped views (23-001) → BLOCKED until grouping fields, status chip semantics, and precedence trace shape are provided.
-  - Linkset extraction determinism rules/schema not available (19-002) → BLOCKED until authoritative extraction/ordering spec is supplied.
-  - Module AGENTS.md absent for WebService/Core/Storage/Worker → Mitigated by AGENTS-EXCITITOR-UPDATE (DONE 2025-11-17); ensure new contributors read the charters.
+- Aggregation-only: consensus refresh disabled by default; migration runbook authored.
+- Tenant safety: Authority clients must be tenant-scoped.
+- Graph overlays depend on Cartographer contract; currently blocked.
+- Environment risk: “No space left on device” prevents normal command execution; repo integrity relies on apply_patch. Clean space before further code changes.
 
 ## Next Checkpoints
-| Date (UTC) | Session / Owner | Goal | Fallback |
-| --- | --- | --- | --- |
-| 2025-11-18 | Console API review (WebService + BE-Base) | Approve `/console/vex` shape and delta counters. | Ship behind feature flag if minor gaps remain. |
-| 2025-11-19 | Idempotent ingestion design review (Core) | Lock uniqueness + supersede chain plan for 19-002/003. | Use temporary duplicate guard rails until migration complete. |
-| 2025-11-21 | Cartographer schema sync | Unblock GRAPH-21-* inspector/linkout contracts. | PREP-CARTOGRAPHER-SCHEMA-SYNC-MAINTAIN-BLOCKE |
+- 2025-11-18 | Console API review.
+- 2025-11-19 | Idempotent ingestion design review.
+- 2025-11-21 | Cartographer schema sync.
+- 2025-11-22 | Storage space remediation.

docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md

@@ -1,86 +1,86 @@
-# Sprint 0120-0000-0001 · Policy & Reasoning
-
-## Topic & Scope
-- Deliver ledger observability baselines (LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant.
-- Extend ledger provenance to orchestrator jobs, air-gapped bundle imports, and attestation evidence (LEDGER-34-101, LEDGER-AIRGAP-56/57/58, LEDGER-ATTEST-73-001).
-- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) so downstream guilds can adopt without bespoke guidance.
-- Working directory: `src/Findings/StellaOps.Findings.Ledger`.
-
-## Dependencies & Concurrency
-- Upstream obligations: Sprint 110.A AdvisoryAI must land; Observability Guild must sign off `ledger_*` metric schema; mirror bundle schema freeze required before LEDGER-AIRGAP-*; attestation pointer schema must align with NOTIFY-ATTEST-74-001.
-- Concurrency guardrails: execute tasks in order DOING → TODO → BLOCKED; orchestrator export contract is tracked with Sprint 150.A to avoid cross-guild contention.
-- Entry criteria: upstream AdvisoryAI deliverables complete; Observability-approved metric names/labels; published mirror bundle schemas for AirGap kits.
-- Exit criteria: metrics/logs/dashboards live in ops telemetry packs with alerts; determinism/load harness produces signed 5 M findings report; deployment manifests + offline kits reviewed by DevOps/AirGap guilds; ledger records pointers to orchestrator runs, bundle provenance, and attestation envelopes.
-
-**External dependency tracker**
-| Dependency | Current state (2025-11-13) | Impact |
-| --- | --- | --- |
-| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
-| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
-| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
-| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
-| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
-
-**Cluster snapshot**
-- **Observability & diagnostics** (LEDGER-29-007/008 · Findings Ledger Guild · Observability Guild · QA Guild) — Status TODO. Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing documented in `docs/modules/findings-ledger/implementation_plan.md`. Awaiting Observability sign-off + Grafana JSON export (target 2025-11-15).
-- **Deployment & backup** (LEDGER-29-009 · Findings Ledger Guild · DevOps Guild) — Status TODO. Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need Compose/Helm overlays and automated migrations.
-- **Orchestrator provenance** (LEDGER-34-101 · Findings Ledger Guild) — Status TODO. Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A deliverables.
-- **Air-gap provenance & staleness** (LEDGER-AIRGAP-56/57/58 · Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild) — Status TODO. Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; waiting on mirror bundle schema freeze + AirGap controller inputs.
-- **Attestation linkage** (LEDGER-ATTEST-73-001 · Findings Ledger Guild · Attestor Service Guild) — Status TODO. Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs.
-
-## Documentation Prerequisites
-- `docs/modules/findings-ledger/observability.md`
-- `docs/modules/findings-ledger/replay-harness.md`
-- `docs/modules/findings-ledger/deployment.md`
-- `docs/modules/findings-ledger/implementation_plan.md`
-- `docs/modules/findings-ledger/airgap-provenance.md`
-- `docs/observability/policy.md`
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Await Observability schema sign-off + ledger write endpoint contract; 5 M fixture drop pending. <br><br> Document artefact/deliverable for LEDGER-29-008 and publish location so downstream tasks can proceed. |
-| P2 | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Orchestrator ledger export contract (Sprint 150.A) not published. <br><br> Document artefact/deliverable for LEDGER-34-101 and publish location so downstream tasks can proceed. |
-| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle schema freeze outstanding. <br><br> Document artefact/deliverable for LEDGER-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| 1 | LEDGER-29-007 | DONE (2025-11-17) | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
-| 2 | LEDGER-29-008 | BLOCKED | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. |
-| 3 | LEDGER-29-009 | BLOCKED | Depends on LEDGER-29-008 harness results (5 M replay + observability schema) | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. |
-| 4 | LEDGER-34-101 | BLOCKED | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
-| 5 | LEDGER-AIRGAP-56-001 | BLOCKED | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
-| 6 | LEDGER-AIRGAP-56-002 | BLOCKED | Depends on LEDGER-AIRGAP-56-001 provenance schema | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
-| 7 | LEDGER-AIRGAP-57-001 | BLOCKED | Depends on LEDGER-AIRGAP-56-002 staleness contract | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
-| 8 | LEDGER-AIRGAP-58-001 | BLOCKED | Depends on LEDGER-AIRGAP-57-001 bundle linkage | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
-| 9 | LEDGER-ATTEST-73-001 | BLOCKED | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 pending | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP tasks P1–P3 BLOCKED: observability schema, orchestrator ledger export contract, and mirror bundle schema are still missing, keeping LEDGER-29-008/34-101/AIRGAP-56-* blocked. | Project Mgmt |
-| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
-| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
-| 2025-11-19 09:30 | Reformatted Cluster snapshot into bullet list and confirmed Delivery Tracker already covers LEDGER-AIRGAP dependencies; no scope change. | Project Mgmt |
-| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
-| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
-| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
-| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
-| 2025-11-16 | Normalised sprint to standard template and renamed to `SPRINT_0120_0000_0001_policy_reasoning.md`; no content changes beyond reformat. | Project Management |
-| 2025-11-16 | Added `src/Findings/AGENTS.md` synthesising required reading, boundaries, determinism/observability rules for implementers. | Project Management |
-| 2025-11-17 | LEDGER-29-007 complete: dashboards + alert rules added to offline bundle; Cobertura coverage captured at `out/coverage/ledger/4d714ddd-216e-4643-ba81-2b8a4ffda218/coverage.cobertura.xml`; bundling script updated. | Findings Ledger Guild |
-| 2025-11-17 | LEDGER-29-008 started: replay harness skeleton added (`src/Findings/tools/LedgerReplayHarness`), sample fixture + tests; currently BLOCKED awaiting Observability schema + ledger writer/projection contract + 5 M fixture drop. | Findings Ledger Guild |
-| 2025-11-18 | Reviewed remaining tasks: 29-009, 34-101, AIRGAP-56/57/58, and ATTEST-73 all blocked by upstream contracts (harness results, orchestrator export schema, mirror bundle freeze, attestation pointer spec); no new implementation started. | Findings Ledger Guild |
-
-## Decisions & Risks
-- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn.
-- Replay workload risk: 5 M findings load may exceed lab capacity; mitigation is to use the QA replay rig and capture CPU/memory budgets in runbooks.
-- Air-gap drift risk: mirror bundle format still moving; mitigation is to version the provenance schema and gate LEDGER-AIRGAP-* merges until docs/manifests updated.
-- Cross-guild lag risk: Orchestrator/Attestor dependencies may delay provenance pointers; mitigation is weekly sync notes and feature flags so ledger work can land behind toggles.
-- Implementer contract now anchored in `src/Findings/AGENTS.md`; keep in sync with module docs and update sprint log when changed.
-- Current state (2025-11-18): all remaining tasks (29-009, 34-101, AIRGAP-56/57/58, ATTEST-73) blocked on upstream contracts: 5 M harness + observability schema, orchestrator export contract, mirror bundle schema freeze, and attestation pointer spec respectively. Resume once those inputs land.
-
-## Next Checkpoints
-- 2025-11-15 · Metrics + dashboard schema sign-off — Observability Guild — unblocks LEDGER-29-007 instrumentation PR.
-- 2025-11-18 · Determinism + replay harness dry-run at 5 M findings — QA Guild — required before LEDGER-29-008 can close.
-- 2025-11-20 · Helm/Compose manifests + backup doc review — DevOps Guild · AirGap Controller Guild — needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001.
-- 2025-11-22 · Mirror bundle provenance schema freeze — AirGap Time Guild — enables LEDGER-AIRGAP-56/57/58 sequencing.
-- 2025-11-25 · Orchestrator ledger export contract signed — Orchestrator Guild — prerequisite for LEDGER-34-101 linkage.
+# Sprint 0120-0000-0001 · Policy & Reasoning
+
+## Topic & Scope
+- Deliver ledger observability baselines (LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant.
+- Extend ledger provenance to orchestrator jobs, air-gapped bundle imports, and attestation evidence (LEDGER-34-101, LEDGER-AIRGAP-56/57/58, LEDGER-ATTEST-73-001).
+- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) so downstream guilds can adopt without bespoke guidance.
+- Working directory: `src/Findings/StellaOps.Findings.Ledger`.
+
+## Dependencies & Concurrency
+- Upstream obligations: Sprint 110.A AdvisoryAI must land; Observability Guild must sign off `ledger_*` metric schema; mirror bundle schema freeze required before LEDGER-AIRGAP-*; attestation pointer schema must align with NOTIFY-ATTEST-74-001.
+- Concurrency guardrails: execute tasks in order DOING → TODO → BLOCKED; orchestrator export contract is tracked with Sprint 150.A to avoid cross-guild contention.
+- Entry criteria: upstream AdvisoryAI deliverables complete; Observability-approved metric names/labels; published mirror bundle schemas for AirGap kits.
+- Exit criteria: metrics/logs/dashboards live in ops telemetry packs with alerts; determinism/load harness produces signed 5 M findings report; deployment manifests + offline kits reviewed by DevOps/AirGap guilds; ledger records pointers to orchestrator runs, bundle provenance, and attestation envelopes.
+
+**External dependency tracker**
+| Dependency | Current state (2025-11-13) | Impact |
+| --- | --- | --- |
+| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
+| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
+| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
+| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
+| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
+
+**Cluster snapshot**
+- **Observability & diagnostics** (LEDGER-29-007/008 · Findings Ledger Guild · Observability Guild · QA Guild) — Status TODO. Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing documented in `docs/modules/findings-ledger/implementation_plan.md`. Awaiting Observability sign-off + Grafana JSON export (target 2025-11-15).
+- **Deployment & backup** (LEDGER-29-009 · Findings Ledger Guild · DevOps Guild) — Status TODO. Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need Compose/Helm overlays and automated migrations.
+- **Orchestrator provenance** (LEDGER-34-101 · Findings Ledger Guild) — Status TODO. Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A deliverables.
+- **Air-gap provenance & staleness** (LEDGER-AIRGAP-56/57/58 · Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild) — Status TODO. Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; waiting on mirror bundle schema freeze + AirGap controller inputs.
+- **Attestation linkage** (LEDGER-ATTEST-73-001 · Findings Ledger Guild · Attestor Service Guild) — Status TODO. Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs.
+
+## Documentation Prerequisites
+- `docs/modules/findings-ledger/observability.md`
+- `docs/modules/findings-ledger/replay-harness.md`
+- `docs/modules/findings-ledger/deployment.md`
+- `docs/modules/findings-ledger/implementation_plan.md`
+- `docs/modules/findings-ledger/airgap-provenance.md`
+- `docs/observability/policy.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Await Observability schema sign-off + ledger write endpoint contract; 5 M fixture drop pending. <br><br> Document artefact/deliverable for LEDGER-29-008 and publish location so downstream tasks can proceed. |
+| P2 | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Orchestrator ledger export contract (Sprint 150.A) not published. <br><br> Document artefact/deliverable for LEDGER-34-101 and publish location so downstream tasks can proceed. |
+| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle schema freeze outstanding. <br><br> Document artefact/deliverable for LEDGER-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
+| 1 | LEDGER-29-007 | DONE (2025-11-17) | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
+| 2 | LEDGER-29-008 | BLOCKED | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. |
+| 3 | LEDGER-29-009 | BLOCKED | Depends on LEDGER-29-008 harness results (5 M replay + observability schema) | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. |
+| 4 | LEDGER-34-101 | BLOCKED | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
+| 5 | LEDGER-AIRGAP-56-001 | BLOCKED | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
+| 6 | LEDGER-AIRGAP-56-002 | BLOCKED | Depends on LEDGER-AIRGAP-56-001 provenance schema | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
+| 7 | LEDGER-AIRGAP-57-001 | BLOCKED | Depends on LEDGER-AIRGAP-56-002 staleness contract | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
+| 8 | LEDGER-AIRGAP-58-001 | BLOCKED | Depends on LEDGER-AIRGAP-57-001 bundle linkage | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
+| 9 | LEDGER-ATTEST-73-001 | BLOCKED | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 pending | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P3 BLOCKED: observability schema, orchestrator ledger export contract, and mirror bundle schema are still missing, keeping LEDGER-29-008/34-101/AIRGAP-56-* blocked. | Project Mgmt |
+| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
+| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
+| 2025-11-19 09:30 | Reformatted Cluster snapshot into bullet list and confirmed Delivery Tracker already covers LEDGER-AIRGAP dependencies; no scope change. | Project Mgmt |
+| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
+| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
+| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
+| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
+| 2025-11-16 | Normalised sprint to standard template and renamed to `SPRINT_0120_0000_0001_policy_reasoning.md`; no content changes beyond reformat. | Project Management |
+| 2025-11-16 | Added `src/Findings/AGENTS.md` synthesising required reading, boundaries, determinism/observability rules for implementers. | Project Management |
+| 2025-11-17 | LEDGER-29-007 complete: dashboards + alert rules added to offline bundle; Cobertura coverage captured at `out/coverage/ledger/4d714ddd-216e-4643-ba81-2b8a4ffda218/coverage.cobertura.xml`; bundling script updated. | Findings Ledger Guild |
+| 2025-11-17 | LEDGER-29-008 started: replay harness skeleton added (`src/Findings/tools/LedgerReplayHarness`), sample fixture + tests; currently BLOCKED awaiting Observability schema + ledger writer/projection contract + 5 M fixture drop. | Findings Ledger Guild |
+| 2025-11-18 | Reviewed remaining tasks: 29-009, 34-101, AIRGAP-56/57/58, and ATTEST-73 all blocked by upstream contracts (harness results, orchestrator export schema, mirror bundle freeze, attestation pointer spec); no new implementation started. | Findings Ledger Guild |
+
+## Decisions & Risks
+- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn.
+- Replay workload risk: 5 M findings load may exceed lab capacity; mitigation is to use the QA replay rig and capture CPU/memory budgets in runbooks.
+- Air-gap drift risk: mirror bundle format still moving; mitigation is to version the provenance schema and gate LEDGER-AIRGAP-* merges until docs/manifests updated.
+- Cross-guild lag risk: Orchestrator/Attestor dependencies may delay provenance pointers; mitigation is weekly sync notes and feature flags so ledger work can land behind toggles.
+- Implementer contract now anchored in `src/Findings/AGENTS.md`; keep in sync with module docs and update sprint log when changed.
+- Current state (2025-11-18): all remaining tasks (29-009, 34-101, AIRGAP-56/57/58, ATTEST-73) blocked on upstream contracts: 5 M harness + observability schema, orchestrator export contract, mirror bundle schema freeze, and attestation pointer spec respectively. Resume once those inputs land.
+
+## Next Checkpoints
+- 2025-11-15 · Metrics + dashboard schema sign-off — Observability Guild — unblocks LEDGER-29-007 instrumentation PR.
+- 2025-11-18 · Determinism + replay harness dry-run at 5 M findings — QA Guild — required before LEDGER-29-008 can close.
+- 2025-11-20 · Helm/Compose manifests + backup doc review — DevOps Guild · AirGap Controller Guild — needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001.
+- 2025-11-22 · Mirror bundle provenance schema freeze — AirGap Time Guild — enables LEDGER-AIRGAP-56/57/58 sequencing.
+- 2025-11-25 · Orchestrator ledger export contract signed — Orchestrator Guild — prerequisite for LEDGER-34-101 linkage.

docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md

@@ -33,8 +33,8 @@
 | P6 | PREP-LEDGER-OBS-54-001-NO-HTTP-SURFACE-MINIMA | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | No HTTP surface/minimal API present in module to host `/ledger/attestations`; needs API contract + service scaffold. <br><br> Prep artefact now available: `docs/modules/findings-ledger/prep/ledger-attestations-http.md` defining `/v1/ledger/attestations` contract; service surface still required. |
 | P7 | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Artefact published: ledger attestation HTTP surface prep (`docs/modules/findings-ledger/prep/ledger-attestations-http.md`) outlining `/v1/ledger/attestations` contract; pagination, determinism, and fields defined. |
 | P8 | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Snapshot/time-travel contract and bundle format not specified; needs design input. <br><br> Document artefact/deliverable for LEDGER-PACKS-42-001 and publish location so downstream tasks can proceed. |
-| P9 | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Risk Engine schema/contract inputs absent; requires risk field definitions + rollout plan. <br><br> Document artefact/deliverable for LEDGER-RISK-66-001 and publish location so downstream tasks can proceed. |
-| P10 | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 66-001 migration + risk scoring contract. <br><br> Document artefact/deliverable for LEDGER-RISK-66-002 and publish location so downstream tasks can proceed. |
+| P9 | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | DONE (2025-11-21) | Due 2025-11-22 · Accountable: Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Prep doc published at `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`; risk fields and rollout plan defined for downstream implementation. |
+| P10 | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | DONE (2025-11-21) | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 66-001 migration + risk scoring contract. Prep doc published at `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
 | 1 | LEDGER-ATTEST-73-002 | BLOCKED | Waiting on LEDGER-ATTEST-73-001 verification pipeline delivery | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status |
 | 2 | LEDGER-EXPORT-35-001 | DOING (2025-11-20) | Findings export endpoint implemented; VEX/advisory/SBOM endpoints stubbed pending schemas | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
 | 3 | LEDGER-OAS-61-001 | BLOCKED | PREP-LEDGER-OAS-61-001-ABSENT-OAS-BASELINE-AN | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
@@ -48,13 +48,14 @@
 | 11 | LEDGER-OBS-54-001 | BLOCKED | PREP-LEDGER-OBS-54-001-NO-HTTP-SURFACE-MINIMA | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
 | 12 | LEDGER-OBS-55-001 | BLOCKED | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
 | 13 | LEDGER-PACKS-42-001 | BLOCKED | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
-| 14 | LEDGER-RISK-66-001 | BLOCKED | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
-| 15 | LEDGER-RISK-66-002 | BLOCKED | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
+| 14 | LEDGER-RISK-66-001 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
+| 15 | LEDGER-RISK-66-002 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Published ledger OBS/pack/risk prep docs (docs/modules/findings-ledger/prep/2025-11-20-ledger-obs-54-001-prep.md, ...ledger-packs-42-001-prep.md, ...ledger-risk-66-prep.md); set PREP-LEDGER-OBS-54-001, PACKS-42-001, RISK-66-001/002 to DOING. | Project Mgmt |
+| 2025-11-21 | Implemented LEDGER-RISK-66-001/002: added risk fields + index migration, policy evaluation payload plumbing, projection hashing, and repository storage; updated docs/schema and marked tasks DONE. | Findings Ledger |
 | 2025-11-20 | Added authenticated export endpoints for findings/vex/advisories/sboms (stub responses) and paging contracts; awaiting schema/tables to back VEX/advisory/SBOM queries. Export paging unit tests passing via isolated test project. | Findings Ledger |
 | 2025-11-20 | Began implementing LEDGER-EXPORT-35-001 HTTP surface (findings export endpoint + paging/token hash) in WebService; tests pending due to existing harness build failures. | Findings Ledger |
 | 2025-11-20 | Completed PREP-LEDGER-EXPORT-35-001: published export HTTP surface and filters spec at `docs/modules/findings-ledger/export-http-surface.md`; unblocked LEDGER-EXPORT-35-001 (status → TODO). | Planning |
@@ -79,7 +80,7 @@
 - Export/SDK contract changes must remain deterministic to support offline bundles.
 - Export HTTP surface spec published at `docs/modules/findings-ledger/export-http-surface.md`; downstream OAS/SDK tasks must derive contracts from this document to avoid drift.
 - LEDGER-OBS-54-001 blocked: Findings Ledger module currently lacks HTTP/minimal API surface to expose `/ledger/attestations`; requires contract + service scaffold (engage API Contracts & Provenance guilds).
-- Current state: findings export endpoint and paging contracts implemented; VEX/advisory/SBOM endpoints stubbed (auth + shape) but await underlying projection/query schemas. Remaining tasks in this sprint and adjacent sprints (0120, 0122) stay blocked by missing risk schema, OAS/SDK contracts, and DB/RLS design inputs.
+- Current state: findings export endpoint and paging contracts implemented; VEX/advisory/SBOM endpoints stubbed (auth + shape) but await underlying projection/query schemas. Risk schema/implementation (LEDGER-RISK-66-001/002) delivered. Remaining blockers: OAS/SDK surface (61/62/63), attestation HTTP host (OBS-54/55), and packs time-travel contract (PACKS-42-001).
 
 ## Next Checkpoints
 - Schedule cross-guild kickoff for week of 2025-11-24 once dependency clears.

docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md

@@ -1,74 +1,77 @@
-# Sprint 0123-0001-0001 · Policy & Reasoning (Policy Engine)
-
-## Topic & Scope
-- Extend Policy Engine with export, air-gap, AOC linting, and attestation surfaces while keeping evidence aggregation-only.
-- Ensure Console export and air-gap bundles depend on frozen bundle/DSSE schemas before implementation.
-- Align policy attestation and linting with Authority/Attestor/Console contracts; avoid inferred verdicts.
-- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
-
-## Dependencies & Concurrency
-- Upstream: Export bundle schema + scheduler job spec; mirror bundle/air-gap schema and sealed-mode rules; Attestor verification policy schema; Authority `effective:write` contract; Console API filters/pagination spec.
-- Concurrency: Execute tasks in table order (DOING → TODO → BLOCKED). All tasks currently blocked pending upstream contracts; no parallel execution until contracts land.
-
-## Documentation Prerequisites
-- `docs/README.md`
-- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/modules/platform/architecture-overview.md`
-- `docs/modules/policy/architecture.md`
-- Any export/air-gap/attestation contract docs once published.
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Scheduler Guild · Observability Guild | Policy Guild · Scheduler Guild · Observability Guild | Missing export bundle contract/API surface and scheduler job spec for Console. <br><br> Document artefact/deliverable for EXPORT-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Mirror bundle schema not published; requires bundle_id/provenance fields + sealed-mode rules. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Policy Studio Guild | Policy Guild · Policy Studio Guild | Depends on 56-001 bundle import schema + DSSE signing profile. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
-| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · AirGap Policy Guild | Policy Guild · AirGap Policy Guild | Requires sealed-mode contract after 56-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · AirGap Time Guild | Policy Guild · AirGap Time Guild | Needs staleness/fallback data contract from 57-001. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-002 and publish location so downstream tasks can proceed. |
-| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Notifications Guild | Policy Guild · Notifications Guild | Notification schema and staleness signals pending from 57-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
-| P7 | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Linting targets/spec absent; no analyzer contract. <br><br> Document artefact/deliverable for POLICY-AOC-19-001 and publish location so downstream tasks can proceed. |
-| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Platform Security | Policy Guild · Platform Security | Depends on 19-001 lint + Authority `effective:write` contract. <br><br> Document artefact/deliverable for POLICY-AOC-19-002 and publish location so downstream tasks can proceed. |
-| P9 | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Requires post-19-002 normalized-field removal contract/fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-003 and publish location so downstream tasks can proceed. |
-| P10 | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · QA Guild | Policy Guild · QA Guild | Depends on 19-003 shape + determinism fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-004 and publish location so downstream tasks can proceed. |
-| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | VerificationPolicy schema/persistence contract missing; Attestor alignment needed. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-001 and publish location so downstream tasks can proceed. |
-| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Depends on 73-001 editor DTOs/validation schema. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-002 and publish location so downstream tasks can proceed. |
-| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | Requires 73-002 + Attestor pipeline contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-001 and publish location so downstream tasks can proceed. |
-| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Console Guild | Policy Guild · Console Guild | Needs 74-001 surfaced in Console verification reports contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-002 and publish location so downstream tasks can proceed. |
-| P15 | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · BE-Base Platform Guild | Policy Guild · BE-Base Platform Guild | Console API contract (filters/pagination/aggregation) absent. <br><br> Document artefact/deliverable for POLICY-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
-| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild · Scheduler Guild · Observability Guild | Implement Console export endpoints/jobs once schema + job wiring are defined. |
-| 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild | Air-gap bundle import support for policy packs. |
-| 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild · Policy Studio Guild | Air-gap sealed-mode handling for policy packs. |
-| 4 | POLICY-AIRGAP-57-001 | BLOCKED | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | Policy Guild · AirGap Policy Guild | Sealed-mode error handling for policy packs. |
-| 5 | POLICY-AIRGAP-57-002 | BLOCKED | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | Policy Guild · AirGap Time Guild | Staleness/fallback signaling for policy packs. |
-| 6 | POLICY-AIRGAP-58-001 | BLOCKED | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | Policy Guild · Notifications Guild | Notifications for air-gap policy pack changes. |
-| 7 | POLICY-AOC-19-001 | BLOCKED | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | Policy Guild | Implement linting for ingestion projects/helpers. |
-| 8 | POLICY-AOC-19-002 | BLOCKED | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | Policy Guild · Platform Security | Enforce `effective:write` gate. |
-| 9 | POLICY-AOC-19-003 | BLOCKED | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | Policy Guild | Remove normalized fields per contract. |
-| 10 | POLICY-AOC-19-004 | BLOCKED | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | Policy Guild · QA Guild | Determinism/fixtures for normalized-field removal. |
-| 11 | POLICY-ATTEST-73-001 | BLOCKED | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | Policy Guild · Attestor Service Guild | Persist verification policy schema. |
-| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild | Editor DTOs/validation for verification policy. |
-| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | Policy Guild · Attestor Service Guild | Surface attestation reports. |
-| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild · Console Guild | Console report integration. |
-| 15 | POLICY-CONSOLE-23-001 | BLOCKED | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
-
-## Execution Log
+# Sprint 0123-0001-0001 · Policy & Reasoning (Policy Engine)
+
+## Topic & Scope
+- Extend Policy Engine with export, air-gap, AOC linting, and attestation surfaces while keeping evidence aggregation-only.
+- Ensure Console export and air-gap bundles depend on frozen bundle/DSSE schemas before implementation.
+- Align policy attestation and linting with Authority/Attestor/Console contracts; avoid inferred verdicts.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
+
+## Dependencies & Concurrency
+- Upstream: Export bundle schema + scheduler job spec; mirror bundle/air-gap schema and sealed-mode rules; Attestor verification policy schema; Authority `effective:write` contract; Console API filters/pagination spec.
+- Concurrency: Execute tasks in table order (DOING → TODO → BLOCKED). All tasks currently blocked pending upstream contracts; no parallel execution until contracts land.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+- Any export/air-gap/attestation contract docs once published.
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Scheduler Guild · Observability Guild | Policy Guild · Scheduler Guild · Observability Guild | Missing export bundle contract/API surface and scheduler job spec for Console. <br><br> Prep artefact: `docs/modules/policy/design/export-console-bundle-contract.md`. |
+| P2 | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Mirror bundle schema not published; requires bundle_id/provenance fields + sealed-mode rules. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`. |
+| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Policy Studio Guild | Policy Guild · Policy Studio Guild | Depends on 56-001 bundle import schema + DSSE signing profile. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`. |
+| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · AirGap Policy Guild | Policy Guild · AirGap Policy Guild | Requires sealed-mode contract after 56-002. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`. |
+| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · AirGap Time Guild | Policy Guild · AirGap Time Guild | Needs staleness/fallback data contract from 57-001. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`. |
+| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Notifications Guild | Policy Guild · Notifications Guild | Notification schema and staleness signals pending from 57-002. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`. |
+| P7 | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Linting targets/spec absent; no analyzer contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`. |
+| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Platform Security | Policy Guild · Platform Security | Depends on 19-001 lint + Authority `effective:write` contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`. |
+| P9 | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Requires post-19-002 normalized-field removal contract/fixtures. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`. |
+| P10 | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · QA Guild | Policy Guild · QA Guild | Depends on 19-003 shape + determinism fixtures. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`. |
+| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | VerificationPolicy schema/persistence contract missing; Attestor alignment needed. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
+| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Depends on 73-001 editor DTOs/validation schema. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
+| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | Requires 73-002 + Attestor pipeline contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
+| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild · Console Guild | Policy Guild · Console Guild | Needs 74-001 surfaced in Console verification reports contract. <br><br> Prep artefact: `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`. |
+| P15 | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · BE-Base Platform Guild | Policy Guild · BE-Base Platform Guild | Console API contract (filters/pagination/aggregation) absent. <br><br> Document artefact/deliverable for POLICY-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
+| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild · Scheduler Guild · Observability Guild | Implement Console export endpoints/jobs once schema + job wiring are defined. |
+| 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild | Air-gap bundle import support for policy packs. |
+| 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild · Policy Studio Guild | Air-gap sealed-mode handling for policy packs. |
+| 4 | POLICY-AIRGAP-57-001 | BLOCKED | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | Policy Guild · AirGap Policy Guild | Sealed-mode error handling for policy packs. |
+| 5 | POLICY-AIRGAP-57-002 | BLOCKED | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | Policy Guild · AirGap Time Guild | Staleness/fallback signaling for policy packs. |
+| 6 | POLICY-AIRGAP-58-001 | BLOCKED | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | Policy Guild · Notifications Guild | Notifications for air-gap policy pack changes. |
+| 7 | POLICY-AOC-19-001 | BLOCKED | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | Policy Guild | Implement linting for ingestion projects/helpers. |
+| 8 | POLICY-AOC-19-002 | BLOCKED | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | Policy Guild · Platform Security | Enforce `effective:write` gate. |
+| 9 | POLICY-AOC-19-003 | BLOCKED | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | Policy Guild | Remove normalized fields per contract. |
+| 10 | POLICY-AOC-19-004 | BLOCKED | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | Policy Guild · QA Guild | Determinism/fixtures for normalized-field removal. |
+| 11 | POLICY-ATTEST-73-001 | BLOCKED | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | Policy Guild · Attestor Service Guild | Persist verification policy schema. |
+| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild | Editor DTOs/validation for verification policy. |
+| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | Policy Guild · Attestor Service Guild | Surface attestation reports. |
+| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild · Console Guild | Console report integration. |
+| 15 | POLICY-CONSOLE-23-001 | BLOCKED | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Started PREP air-gap chain (56-001..58-001), AOC chain (19-001..19-004), and attestation chain (73-001..74-002); published prep drafts under `docs/modules/policy/prep/2025-11-20-policy-*.md` after confirming no other owners were active. | Project Mgmt |
 | 2025-11-19 | Removed trailing hyphen from PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY so dependent task resolves correctly. | Project Mgmt |
 | 2025-11-19 | Marked PREP tasks P1–P15 BLOCKED: export bundle schema, mirror/air-gap schemas, lint targets, attestation verification schemas, and Console API contract remain unpublished, keeping downstream POLICY/ATTEST/AIRGAP/CONSOLE work gated. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-08 | Sprint created; awaiting staffing. | Planning |
-| 2025-11-18 | Attempted EXPORT-CONSOLE-23-001; blocked due to missing export bundle/schema and scheduler job contract. Marked all tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |
-| 2025-11-19 | Converted legacy file `SPRINT_123_policy_reasoning.md` into redirect stub pointing here to avoid divergent updates. | Implementer |
-| 2025-11-19 | Normalised sprint to standard template and renamed from `SPRINT_123_policy_reasoning.md` to `SPRINT_0123_0001_0001_policy_reasoning.md`; content preserved; all tasks remain BLOCKED. | Implementer |
-
-## Decisions & Risks
+| 2025-11-08 | Sprint created; awaiting staffing. | Planning |
+| 2025-11-18 | Attempted EXPORT-CONSOLE-23-001; blocked due to missing export bundle/schema and scheduler job contract. Marked all tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |
+| 2025-11-19 | Converted legacy file `SPRINT_123_policy_reasoning.md` into redirect stub pointing here to avoid divergent updates. | Implementer |
+| 2025-11-19 | Normalised sprint to standard template and renamed from `SPRINT_123_policy_reasoning.md` to `SPRINT_0123_0001_0001_policy_reasoning.md`; content preserved; all tasks remain BLOCKED. | Implementer |
+
+## Decisions & Risks
 - Export/air-gap remain blocked without bundle schema, sealed-mode rules, and scheduler contracts; cannot proceed until provided.
 - Linting (AOC-19-001..004) blocked pending analyzer targets/spec and Authority gate contract.
 - Attestation tasks (73/74) blocked pending Attestor verification policy schema and Console report contract.
 - Console export and policy API tasks blocked without Console API contract.
-
-## Next Checkpoints
-- Draft export surface proposal for Console (API + scheduler wiring) once bundle schema is published.
-- Identify bundle schema dependencies for POLICY-AIRGAP-56-* once mirror schema freezes.
-- Re-evaluate lint/attest tasks after respective contracts are delivered (dates TBD).
+- Prep drafts published for air-gap (56-001..58-001) at `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`, AOC (19-001..19-004) at `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`, and attestation chain (73/74) at `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`; final schemas still needed before implementation.
+- Prep drafts published for air-gap (56-001..58-001) at `docs/modules/policy/prep/2025-11-20-policy-airgap-prep.md`, AOC (19-001..19-004) at `docs/modules/policy/prep/2025-11-20-policy-aoc-prep.md`, and attestation chain (73/74) at `docs/modules/policy/prep/2025-11-20-policy-attest-prep.md`; final schemas still needed before implementation. |
+
+## Next Checkpoints
+- Draft export surface proposal for Console (API + scheduler wiring) once bundle schema is published.
+- Identify bundle schema dependencies for POLICY-AIRGAP-56-* once mirror schema freezes.
+- Re-evaluate lint/attest tasks after respective contracts are delivered (dates TBD).

docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md

@@ -1,52 +1,52 @@
-# Sprint 0124-0001-0001 · Policy & Reasoning (Policy Engine phase II)
-
-## Topic & Scope
-- Continue Policy Engine core (Policy.II): deterministic evaluator, materialization, simulation, tracing, and storage.
-- Ensure aggregation-only behavior; no wall-clock/RNG/network use during evaluation.
-- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
-
-## Dependencies & Concurrency
-- Upstream: Sprint 120.C Policy.I must land before this track.
-- Concurrency: execute tasks in listed order (DOING → TODO → BLOCKED).
-
-## Documentation Prerequisites
-- `docs/README.md`
-- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/modules/platform/architecture-overview.md`
-- `docs/modules/policy/architecture.md`
-
-## Delivery Tracker
-| # | Task ID & handle | State | Key dependency / next step | Owners |
-| --- | --- | --- | --- | --- |
+# Sprint 0124-0001-0001 · Policy & Reasoning (Policy Engine phase II)
+
+## Topic & Scope
+- Continue Policy Engine core (Policy.II): deterministic evaluator, materialization, simulation, tracing, and storage.
+- Ensure aggregation-only behavior; no wall-clock/RNG/network use during evaluation.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.C Policy.I must land before this track.
+- Concurrency: execute tasks in listed order (DOING → TODO → BLOCKED).
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
 | P1 | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Deterministic evaluator spec missing. <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/policy/design/policy-deterministic-evaluator.md`. |
-| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata and approval endpoints for Console (deps: POLICY-CONSOLE-23-001). | Policy Guild, Product Ops / `src/Policy/StellaOps.Policy.Engine` |
-| 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 3 | POLICY-ENGINE-20-003 | TODO | Depends on 20-002. | Policy · Concelier · Excititor Guilds / `src/Policy/StellaOps.Policy.Engine` |
-| 4 | POLICY-ENGINE-20-004 | TODO | Depends on 20-003. | Policy · Platform Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 5 | POLICY-ENGINE-20-005 | TODO | Depends on 20-004. | Policy · Security Engineering / `src/Policy/StellaOps.Policy.Engine` |
-| 6 | POLICY-ENGINE-20-006 | TODO | Depends on 20-005. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 7 | POLICY-ENGINE-20-007 | TODO | Depends on 20-006. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 8 | POLICY-ENGINE-20-008 | TODO | Depends on 20-007. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 9 | POLICY-ENGINE-20-009 | TODO | Depends on 20-008. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 10 | POLICY-ENGINE-27-001 | TODO | Depends on 20-009. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 11 | POLICY-ENGINE-27-002 | TODO | Depends on 27-001. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 12 | POLICY-ENGINE-29-001 | TODO | Depends on 27-004. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
-| 13 | POLICY-ENGINE-29-002 | TODO | Depends on 29-001. | Policy · Findings Ledger Guild / `src/Policy/StellaOps.Policy.Engine` |
-
-## Execution Log
+| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata and approval endpoints for Console (deps: POLICY-CONSOLE-23-001). | Policy Guild, Product Ops / `src/Policy/StellaOps.Policy.Engine` |
+| 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 3 | POLICY-ENGINE-20-003 | TODO | Depends on 20-002. | Policy · Concelier · Excititor Guilds / `src/Policy/StellaOps.Policy.Engine` |
+| 4 | POLICY-ENGINE-20-004 | TODO | Depends on 20-003. | Policy · Platform Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 5 | POLICY-ENGINE-20-005 | TODO | Depends on 20-004. | Policy · Security Engineering / `src/Policy/StellaOps.Policy.Engine` |
+| 6 | POLICY-ENGINE-20-006 | TODO | Depends on 20-005. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 7 | POLICY-ENGINE-20-007 | TODO | Depends on 20-006. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 8 | POLICY-ENGINE-20-008 | TODO | Depends on 20-007. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 9 | POLICY-ENGINE-20-009 | TODO | Depends on 20-008. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 10 | POLICY-ENGINE-27-001 | TODO | Depends on 20-009. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 11 | POLICY-ENGINE-27-002 | TODO | Depends on 27-001. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 12 | POLICY-ENGINE-29-001 | TODO | Depends on 27-004. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 13 | POLICY-ENGINE-29-002 | TODO | Depends on 29-001. | Policy · Findings Ledger Guild / `src/Policy/StellaOps.Policy.Engine` |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Published deterministic evaluator spec draft (docs/modules/policy/design/policy-deterministic-evaluator.md); moved PREP-POLICY-ENGINE-20-002 to DOING. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-08 | Sprint stub; awaiting staffing. | Planning |
-| 2025-11-18 | All tasks still awaiting upstream evaluator specs; no progress. | Policy Guild |
-| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_124_policy_reasoning.md` to `SPRINT_0124_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
-
-## Decisions & Risks
-- Deterministic evaluator contract missing (blocks 20-002 and downstream chain).
-- Console simulation/export contract (POLICY-CONSOLE-23-001) required to unblock 23-002.
-- Storage/index schemas TBD; avoid implementation until specs freeze.
-
-## Next Checkpoints
-- Publish deterministic evaluator spec for 20-002 (date TBD).
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-08 | Sprint stub; awaiting staffing. | Planning |
+| 2025-11-18 | All tasks still awaiting upstream evaluator specs; no progress. | Policy Guild |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_124_policy_reasoning.md` to `SPRINT_0124_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Deterministic evaluator contract missing (blocks 20-002 and downstream chain).
+- Console simulation/export contract (POLICY-CONSOLE-23-001) required to unblock 23-002.
+- Storage/index schemas TBD; avoid implementation until specs freeze.
+
+## Next Checkpoints
+- Publish deterministic evaluator spec for 20-002 (date TBD).
 - Provide Console export/simulation contract for 23-001 to unblock 23-002.

docs/implplan/SPRINT_0125_0001_0001_mirror.md

@@ -1,71 +1,70 @@
-# Sprint 0125_0001_0001 · Mirror Bundles
-
-## Topic & Scope
-- Build the deterministic mirror bundle assembler covering advisories, VEX, policy packs, and optional OCI artefacts.
-- Layer DSSE/TUF metadata, time anchors, and CLI automation so air-gapped sites receive verifiable bundles.
-- Wire Export Center and scheduling hooks so mirror creation can be orchestrated automatically.
-- **Working directory:** `src/Mirror/StellaOps.Mirror.Creator`.
-
-## Dependencies & Concurrency
-- Upstream: Sprint 110.D must deliver the assembler foundation (`MIRROR-CRT-56-001`). Attestor v2 contracts from Sprint 100.A remain required.
-- Mirror sprints share the 120s decade with Policy & Reasoning work but remain independent; avoid adding dependencies on `SPRINT_125_policy_reasoning.md`.
-- Evidence Locker, Export Center, CLI, and AirGap Time guild commitments must be available as soon as assembler code exists.
-
-## Documentation Prerequisites
-- `docs/modules/export-center/architecture.md`
-- `docs/modules/airgap/architecture.md`
-- `docs/modules/devops/architecture.md`
-- `docs/modules/policy/architecture.md` (for provenance expectations)
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P0 | PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Published milestone-0 thin bundle plan + sample at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` with SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674` and layout note in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
+# Sprint 0125_0001_0001 · Mirror Bundles
+
+## Topic & Scope
+- Build the deterministic mirror bundle assembler covering advisories, VEX, policy packs, and optional OCI artefacts.
+- Layer DSSE/TUF metadata, time anchors, and CLI automation so air-gapped sites receive verifiable bundles.
+- Wire Export Center and scheduling hooks so mirror creation can be orchestrated automatically.
+- **Working directory:** `src/Mirror/StellaOps.Mirror.Creator`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 110.D must deliver the assembler foundation (`MIRROR-CRT-56-001`). Attestor v2 contracts from Sprint 100.A remain required.
+- Mirror sprints share the 120s decade with Policy & Reasoning work but remain independent; avoid adding dependencies on `SPRINT_125_policy_reasoning.md`.
+- Evidence Locker, Export Center, CLI, and AirGap Time guild commitments must be available as soon as assembler code exists.
+
+## Documentation Prerequisites
+- `docs/modules/export-center/architecture.md`
+- `docs/modules/airgap/architecture.md`
+- `docs/modules/devops/architecture.md`
+- `docs/modules/policy/architecture.md` (for provenance expectations)
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P0 | PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Published milestone-0 thin bundle plan + sample at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` with SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674` and layout note in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
 | P1 | PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Alex Kim (primary); Priya Desai (backup) | Alex Kim (primary); Priya Desai (backup) | Upstream Sprint 110.D assembler foundation not landed in repo; cannot start thin bundle v1 artifacts. <br><br> Document artefact/deliverable for MIRROR-CRT-56-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/mirror/prep-56-001-thin-bundle.md`. |
-| P2 | PREP-MIRROR-CRT-56-001-ASSEMBLER-HANDOFF | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Handoff expectations for thin bundle assembler published at `docs/modules/mirror/thin-bundle-assembler.md` (tar layout, manifest fields, determinism rules, hashes). |
-| 1 | MIRROR-CRT-56-001 | BLOCKED | PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D | Alex Kim (primary); Priya Desai (backup) | Implement deterministic assembler with manifest + CAS layout. |
-| 2 | MIRROR-CRT-56-002 | BLOCKED | Depends on MIRROR-CRT-56-001 and PROV-OBS-53-001; upstream assembler missing. | Mirror Creator · Security Guilds | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
-| 3 | MIRROR-CRT-57-001 | BLOCKED | Requires MIRROR-CRT-56-001; assembler foundation missing. | Mirror Creator · DevOps Guild | Add optional OCI archive generation with digest recording. |
-| 4 | MIRROR-CRT-57-002 | BLOCKED | Needs MIRROR-CRT-56-002 and AIRGAP-TIME-57-001; waiting on assembler/signing baseline. | Mirror Creator · AirGap Time Guild | Embed signed time-anchor metadata. |
-| 5 | MIRROR-CRT-58-001 | BLOCKED | Requires MIRROR-CRT-56-002 and CLI-AIRGAP-56-001; downstream until assembler exists. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
-| 6 | MIRROR-CRT-58-002 | BLOCKED | Depends on MIRROR-CRT-56-002 and EXPORT-OBS-54-001; waiting on sample bundles. | Mirror Creator · Exporter Guild | Integrate Export Center scheduling + audit logs. |
-| 7 | EXPORT-OBS-51-001 / 54-001 | BLOCKED | MIRROR-CRT-56-001 staffing and artifacts not available. | Exporter Guild | Align Export Center workers with assembler output. |
-| 8 | AIRGAP-TIME-57-001 | BLOCKED | MIRROR-CRT-56-001/57-002 pending; policy workshop contingent on sample bundles. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
-| 9 | CLI-AIRGAP-56-001 | BLOCKED | MIRROR-CRT-56-002/58-001 pending; offline kit inputs unavailable. | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
-| 10 | PROV-OBS-53-001 | BLOCKED | MIRROR-CRT-56-001 absent; cannot wire observers. | Security Guild | Define provenance observers + verification hooks. |
-
-## Execution Log
+| P2 | PREP-MIRROR-CRT-56-001-ASSEMBLER-HANDOFF | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Handoff expectations for thin bundle assembler published at `docs/modules/mirror/thin-bundle-assembler.md` (tar layout, manifest fields, determinism rules, hashes). |
+| 1 | MIRROR-CRT-56-001 | BLOCKED | PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D | Alex Kim (primary); Priya Desai (backup) | Implement deterministic assembler with manifest + CAS layout. |
+| 2 | MIRROR-CRT-56-002 | BLOCKED | Depends on MIRROR-CRT-56-001 and PROV-OBS-53-001; upstream assembler missing. | Mirror Creator · Security Guilds | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
+| 3 | MIRROR-CRT-57-001 | BLOCKED | Requires MIRROR-CRT-56-001; assembler foundation missing. | Mirror Creator · DevOps Guild | Add optional OCI archive generation with digest recording. |
+| 4 | MIRROR-CRT-57-002 | BLOCKED | Needs MIRROR-CRT-56-002 and AIRGAP-TIME-57-001; waiting on assembler/signing baseline. | Mirror Creator · AirGap Time Guild | Embed signed time-anchor metadata. |
+| 5 | MIRROR-CRT-58-001 | BLOCKED | Requires MIRROR-CRT-56-002 and CLI-AIRGAP-56-001; downstream until assembler exists. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
+| 6 | MIRROR-CRT-58-002 | BLOCKED | Depends on MIRROR-CRT-56-002 and EXPORT-OBS-54-001; waiting on sample bundles. | Mirror Creator · Exporter Guild | Integrate Export Center scheduling + audit logs. |
+| 7 | EXPORT-OBS-51-001 / 54-001 | BLOCKED | MIRROR-CRT-56-001 staffing and artifacts not available. | Exporter Guild | Align Export Center workers with assembler output. |
+| 8 | AIRGAP-TIME-57-001 | BLOCKED | MIRROR-CRT-56-001/57-002 pending; policy workshop contingent on sample bundles. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
+| 9 | CLI-AIRGAP-56-001 | BLOCKED | MIRROR-CRT-56-002/58-001 pending; offline kit inputs unavailable. | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
+| 10 | PROV-OBS-53-001 | BLOCKED | MIRROR-CRT-56-001 absent; cannot wire observers. | Security Guild | Define provenance observers + verification hooks. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Published thin-bundle prep doc (docs/modules/mirror/prep-56-001-thin-bundle.md); moved PREP-MIRROR-CRT-56-001 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-19 | Cleared stray hyphen from PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D so MIRROR-CRT-56-001 dependency is resolvable. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-19 | Completed PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH: published sample thin bundle + hashes and milestone note (`docs/modules/mirror/milestone-0-thin-bundle.md`). | Implementer |
-| 2025-11-19 | Added PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH (DOING) to capture milestone-0 thin bundle plan and hashes to unblock downstream air-gap/console/attestation tracks. | Project Mgmt |
-| 2025-11-17 | All sprint tasks marked BLOCKED: upstream Sprint 110.D assembler foundation absent from repo; no manifest/CAS layout or samples present to proceed. | Implementer |
-| 2025-11-17 | Normalised sprint file to standard template; renamed from `SPRINT_125_mirror.md` to `SPRINT_0125_0001_0001_mirror.md`; no semantic task changes. | Project Management |
-| 2025-11-17 | Coordinator decision: assign primary + backup for MIRROR-CRT-56-001; scope thin bundle v1; downstream tasks may proceed once schema + sample bundle land. | Coordinator |
-| 2025-11-17 | Action: record primary + backup in Delivery Tracker; produce thin bundle v1 schema + 2 sample bundles by 2025-11-19; unblock Export/CLI/AirGap. | Coordinator |
-| 2025-11-13 | Kickoff rescheduled to 15 Nov pending MIRROR-CRT-56-001 staffing; downstream guilds alerted to prepare resource plans. | Mirror Creator Guild |
-
-## Decisions & Risks
-- **Decisions**
-  - Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild · Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
-  - Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild · Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
-  - Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild · Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
-- **Risks**
-  - Upstream assembler foundation (Sprint 110.D, MIRROR-CRT-56-001 baseline) missing from repo → all Sprint 0125 tasks blocked. Mitigation: expedite delivery of manifest/CAS scaffold + sample bundles; re-sequence tasks once landed.
-  - Staffing gap for MIRROR-CRT-56-001 persists after kickoff → DSSE/TUF, OCI, CLI, Export tracks slip; Sprint 0125 jams the Export Center roadmap. Mitigation: escalate to program leadership; reassign engineers from Export Center or Excititor queue.
-  - DSSE/TUF contract debates with Security Guild → signing + transparency integration slips, blocking CLI/Export release. Mitigation: align on profile ahead of development; capture ADR in `docs/airgap`.
-  - Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: run focused session with AirGap Time Guild to lock policy + service interface.
-
-## Next Checkpoints
-| Date (UTC) | Session | Goal | Owner(s) |
-| --- | --- | --- | --- |
-| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, outline scope, confirm downstream staffing. | Mirror Creator · Exporter · AirGap Time · Security guilds |
-| 2025-11-18 | DSSE/TUF design review | Freeze signing profile + manifest shape. | Mirror Creator · Security Guild |
-| 2025-11-19 | Thin bundle v1 sample paths | Publish locations + SHA256 for sample bundles; usable by Export/CLI/AirGap. | Mirror Creator Guild |
-| 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
-
-## Appendix
-- Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.
+| 2025-11-17 | All sprint tasks marked BLOCKED: upstream Sprint 110.D assembler foundation absent from repo; no manifest/CAS layout or samples present to proceed. | Implementer |
+| 2025-11-17 | Normalised sprint file to standard template; renamed from `SPRINT_125_mirror.md` to `SPRINT_0125_0001_0001_mirror.md`; no semantic task changes. | Project Management |
+| 2025-11-17 | Coordinator decision: assign primary + backup for MIRROR-CRT-56-001; scope thin bundle v1; downstream tasks may proceed once schema + sample bundle land. | Coordinator |
+| 2025-11-17 | Action: record primary + backup in Delivery Tracker; produce thin bundle v1 schema + 2 sample bundles by 2025-11-19; unblock Export/CLI/AirGap. | Coordinator |
+| 2025-11-13 | Kickoff rescheduled to 15 Nov pending MIRROR-CRT-56-001 staffing; downstream guilds alerted to prepare resource plans. | Mirror Creator Guild |
+
+## Decisions & Risks
+- **Decisions**
+  - Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild · Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
+  - Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild · Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
+  - Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild · Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
+- **Risks**
+  - Upstream assembler foundation (Sprint 110.D, MIRROR-CRT-56-001 baseline) missing from repo → all Sprint 0125 tasks blocked. Mitigation: expedite delivery of manifest/CAS scaffold + sample bundles; re-sequence tasks once landed.
+  - Staffing gap for MIRROR-CRT-56-001 persists after kickoff → DSSE/TUF, OCI, CLI, Export tracks slip; Sprint 0125 jams the Export Center roadmap. Mitigation: escalate to program leadership; reassign engineers from Export Center or Excititor queue.
+  - DSSE/TUF contract debates with Security Guild → signing + transparency integration slips, blocking CLI/Export release. Mitigation: align on profile ahead of development; capture ADR in `docs/airgap`.
+  - Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: run focused session with AirGap Time Guild to lock policy + service interface.
+
+## Next Checkpoints
+| Date (UTC) | Session | Goal | Owner(s) |
+| --- | --- | --- | --- |
+| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, outline scope, confirm downstream staffing. | Mirror Creator · Exporter · AirGap Time · Security guilds |
+| 2025-11-18 | DSSE/TUF design review | Freeze signing profile + manifest shape. | Mirror Creator · Security Guild |
+| 2025-11-19 | Thin bundle v1 sample paths | Publish locations + SHA256 for sample bundles; usable by Export/CLI/AirGap. | Mirror Creator Guild |
+| 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
+
+## Appendix
+- Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.

docs/implplan/SPRINT_0125_0001_0001_policy_reasoning.md

@@ -1,68 +1,73 @@
-# Sprint 0125-0001-0001 · Policy & Reasoning (Policy Engine phase III)
-
-## Topic & Scope
-- Policy Engine simulations/overlays chain (Policy.III): path/scope awareness, metrics, overlays, orchestration, ledger export, snapshot, violation events, severity fusion.
-- **Working directory:** `src/Policy/StellaOps.Policy.Engine`.
-
-## Dependencies & Concurrency
-- Upstream: POLICY-ENGINE-29-002 contract/schema required; execute tasks in listed order.
-- Concurrency: All current tasks blocked by missing 29-002 path/scope schema.
-
-## Documentation Prerequisites
-- `docs/README.md`
-- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/modules/platform/architecture-overview.md`
-- `docs/modules/policy/architecture.md`
-
-## Delivery Tracker
-| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P0 | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Publish POLICY-ENGINE-29-002 path/scope schema + sample payloads so downstream evaluation tasks can start. |
-| P1 | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 29-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-29-004 and publish location so downstream tasks can proceed. |
-| P2 | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | BLOCKED | Due 2025-11-22 · Accountable: Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Needs 29-004 outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-001 and publish location so downstream tasks can proceed. |
-| P3 | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
-| P4 | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
-| P5 | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
-| P6 | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
-| P7 | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
-| P8 | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
-| P9 | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 32-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
-| P10 | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 33-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
-| P11 | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 34-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
-| P12 | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 35-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
-| P13 | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 38-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
-| P14 | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 40-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
-| 1 | POLICY-ENGINE-29-003 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA. | Policy · SBOM Service Guild / `src/Policy/StellaOps.Policy.Engine` | Path/scope aware evaluation. |
-| 2 | POLICY-ENGINE-29-004 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/logging for path-aware eval. |
-| 3 | POLICY-ENGINE-30-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Overlay projection contract. |
-| 4 | POLICY-ENGINE-30-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation bridge. |
-| 5 | POLICY-ENGINE-30-003 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Change events. |
-| 6 | POLICY-ENGINE-30-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Trust weighting UI/API. |
-| 7 | POLICY-ENGINE-31-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Advisory AI knobs. |
-| 8 | POLICY-ENGINE-31-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Batch context endpoint. |
-| 9 | POLICY-ENGINE-32-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Orchestrator job schema. |
-| 10 | POLICY-ENGINE-33-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Worker implementation. |
-| 11 | POLICY-ENGINE-34-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Ledger export. |
-| 12 | POLICY-ENGINE-35-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Snapshot API. |
-| 13 | POLICY-ENGINE-38-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Violation events. |
-| 14 | POLICY-ENGINE-40-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Severity fusion. |
-| 15 | POLICY-ENGINE-40-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Conflict handling. |
-
+# Sprint 0125-0001-0001 · Policy & Reasoning (Policy Engine phase III)
+
+## Topic & Scope
+- Policy Engine simulations/overlays chain (Policy.III): path/scope awareness, metrics, overlays, orchestration, ledger export, snapshot, violation events, severity fusion.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine`.
+
+## Dependencies & Concurrency
+- Upstream: POLICY-ENGINE-29-002 contract/schema required; execute tasks in listed order.
+- Concurrency: All current tasks blocked by missing 29-002 path/scope schema.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P0 | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-29-002-prep.md`; path/scope schema frozen. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Publish POLICY-ENGINE-29-002 path/scope schema + sample payloads so downstream evaluation tasks can start. |
+| P1 | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-29-004-prep.md`; metrics/logs/spans frozen. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 29-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-29-004 and publish location so downstream tasks can proceed. |
+| P2 | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-30-001-prep.md`; overlay projection contract frozen. | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Needs 29-004 outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-30-002-prep.md`; simulation bridge shape frozen. | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-30-003-prep.md`; change-event envelope frozen. | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 32-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 33-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 34-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
+| P12 | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 35-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
+| P13 | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 38-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
+| P14 | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 40-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
+| 1 | POLICY-ENGINE-29-003 | TODO | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA. | Policy · SBOM Service Guild / `src/Policy/StellaOps.Policy.Engine` | Path/scope aware evaluation. |
+| 2 | POLICY-ENGINE-29-004 | TODO | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/logging for path-aware eval. |
+| 3 | POLICY-ENGINE-30-001 | TODO | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Overlay projection contract. |
+| 4 | POLICY-ENGINE-30-002 | TODO | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation bridge. |
+| 5 | POLICY-ENGINE-30-003 | TODO | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Change events. |
+| 6 | POLICY-ENGINE-30-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Trust weighting UI/API. |
+| 7 | POLICY-ENGINE-31-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Advisory AI knobs. |
+| 8 | POLICY-ENGINE-31-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Batch context endpoint. |
+| 9 | POLICY-ENGINE-32-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Orchestrator job schema. |
+| 10 | POLICY-ENGINE-33-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Worker implementation. |
+| 11 | POLICY-ENGINE-34-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Ledger export. |
+| 12 | POLICY-ENGINE-35-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Snapshot API. |
+| 13 | POLICY-ENGINE-38-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Violation events. |
+| 14 | POLICY-ENGINE-40-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Severity fusion. |
+| 15 | POLICY-ENGINE-40-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Conflict handling. |
+
 ## Notes & Risks
-- POLICY-ENGINE-29-002 contract/schema missing; cascades block entire chain (1–15). Need published schema + sample payloads to proceed.
-
+- Draft metrics/logging contract for 29-004 lives at `docs/modules/policy/prep/2025-11-21-policy-metrics-29-004-prep.md`; dimensions remain tentative until 29-003 payload shape lands.
+- Path/scope schema, observability, overlay projection, simulation bridge, and change-event envelopes are now documented; downstream implementation must stay aligned or update prep docs + risks.
+
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-21 | Started path/scope schema draft for PREP-POLICY-ENGINE-29-002 at `docs/modules/policy/prep/2025-11-21-policy-path-scope-29-002-prep.md`; waiting on SBOM Service coordinate mapping rules. | Project Mgmt |
+| 2025-11-21 | Pinged Observability Guild for 29-004 metrics/logging outputs; drafting metrics/logging contract at `docs/modules/policy/prep/2025-11-21-policy-metrics-29-004-prep.md` while awaiting path/scope payloads from 29-003. | Project Mgmt |
+| 2025-11-20 | Confirmed no owners for PREP-POLICY-ENGINE-29-002/29-004/30-001/30-002/30-003; published prep notes under `docs/modules/policy/prep/2025-11-20-*`; set P0–P4 DONE. | Implementer |
+| 2025-11-20 | Unblocked POLICY-ENGINE-29-003..30-003; statuses moved to TODO now that prep contracts are frozen. | Implementer |
 | 2025-11-19 | Added PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA and pointed POLICY-ENGINE-29-003 dependency at it. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP tasks P0–P14 BLOCKED: base path/scope schema (29-002) and downstream evaluation/observability/overlay/export contracts are still missing, keeping the entire POLICY-ENGINE chain blocked. | Project Mgmt |
-| 2025-11-08 | Sprint created; awaiting upstream contract. | Planning |
-| 2025-11-18 | Re-confirmed all tasks blocked; upstream schema still absent. | Policy Guild |
-| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_125_policy_reasoning.md` to `SPRINT_0125_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
-
-## Decisions & Risks
-- Blocked until POLICY-ENGINE-29-002 contract drops.
-
+| 2025-11-19 | Marked PREP tasks P0–P14 BLOCKED: base path/scope schema (29-002) and downstream evaluation/observability/overlay/export contracts were missing, keeping the entire POLICY-ENGINE chain blocked. | Project Mgmt |
+| 2025-11-08 | Sprint created; awaiting upstream contract. | Planning |
+| 2025-11-18 | Re-confirmed all tasks blocked; upstream schema still absent. | Policy Guild |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_125_policy_reasoning.md` to `SPRINT_0125_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Blocked until POLICY-ENGINE-29-002 contract drops.
+
 ## Next Checkpoints
-- Publish POLICY-ENGINE-29-002 path/scope schema (date TBD).
+- Kick off POLICY-ENGINE-29-003 implementation using frozen path/scope schema and metrics contracts (week of 2025-11-21).

docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md

@@ -1,68 +1,69 @@
-# Sprint 0131-0001-0001 · Scanner & Surface (Phase II)
-
-## Topic & Scope
-- Continue Scanner & Surface wave (phase II) after Sprint 0130, deepening analyzers for Deno and Java with runtime evidence and surface signals.
-- Deliver Deno runtime hooks, policy signal emitters, and CLI/Worker packaging that stay offline-friendly and bundle-ready.
-- Expand Java analyzer coverage for configs, JNI hints, manifest metadata, fixtures/benchmarks, and optional runtime ingestion to feed surface decisioning.
-- **Working directory:** `src/Scanner`.
-
-## Dependencies & Concurrency
-- Sequential dependency: Sprint 0130 must finish before this sprint; maintain order across the 0130–0139 wave.
-- Deno work depends on `SCANNER-ANALYZERS-DENO-26-008`; Java chain builds serially from 21-005 → 21-006 → 21-007 → 21-008 → 21-009 → 21-010 → 21-011.
-- Stay within scanner scope to avoid new cross-module coupling unless explicitly approved.
-
-## Documentation Prerequisites
-- docs/README.md
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/modules/platform/architecture-overview.md
-- docs/modules/scanner/architecture.md
-- src/Scanner/AGENTS.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
+# Sprint 0131-0001-0001 · Scanner & Surface (Phase II)
+
+## Topic & Scope
+- Continue Scanner & Surface wave (phase II) after Sprint 0130, deepening analyzers for Deno and Java with runtime evidence and surface signals.
+- Deliver Deno runtime hooks, policy signal emitters, and CLI/Worker packaging that stay offline-friendly and bundle-ready.
+- Expand Java analyzer coverage for configs, JNI hints, manifest metadata, fixtures/benchmarks, and optional runtime ingestion to feed surface decisioning.
+- **Working directory:** `src/Scanner`.
+
+## Dependencies & Concurrency
+- Sequential dependency: Sprint 0130 must finish before this sprint; maintain order across the 0130–0139 wave.
+- Deno work depends on `SCANNER-ANALYZERS-DENO-26-008`; Java chain builds serially from 21-005 → 21-006 → 21-007 → 21-008 → 21-009 → 21-010 → 21-011.
+- Stay within scanner scope to avoid new cross-module coupling unless explicitly approved.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
 | P1 | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Tests blocked: repo build fails in Concelier (CoreLinksets missing) and targeted Java analyzer test run stalls; retry once dependencies fixed or CI available. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-005 and publish location so downstream tasks can proceed. |
 | P2 | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Waiting on 21-007 completion and resolver authoring bandwidth. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-008 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md`. |
 | P3 | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | DOING (2025-11-20) | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild · Language Analyzer Guild | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | `dotnet test` hangs/returns empty output; needs clean runner/CI diagnostics. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/scanner/prep/2025-11-20-lang-11-001-prep.md`. |
-| 1 | SCANNER-ANALYZERS-DENO-26-009 | BLOCKED (2025-11-19) | Waiting on runtime shim fixtures + CI runner; design `deno-runtime-shim.md` drafted but tests cannot run. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
-| 2 | SCANNER-ANALYZERS-DENO-26-010 | TODO | After 26-009, wire CLI (`stella deno trace`) + Worker/Offline Kit using runtime NDJSON contract. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
-| 3 | SCANNER-ANALYZERS-DENO-26-011 | TODO | Implement policy signal emitter using runtime metadata once trace shim lands. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
-| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
-| 5 | SCANNER-ANALYZERS-JAVA-21-006 | TODO | Needs outputs from 21-005. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
-| 6 | SCANNER-ANALYZERS-JAVA-21-007 | TODO | After 21-006; align manifest parsing with resolver. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
-| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
-| 8 | SCANNER-ANALYZERS-JAVA-21-009 | TODO | Unblock when 21-008 lands; prepare fixtures in parallel where safe. | Java Analyzer Guild · QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
-| 9 | SCANNER-ANALYZERS-JAVA-21-010 | TODO | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
-| 10 | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild · DevOps Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
-| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
-
-## Execution Log
+| 1 | SCANNER-ANALYZERS-DENO-26-009 | BLOCKED (2025-11-19) | Waiting on runtime shim fixtures + CI runner; design `deno-runtime-shim.md` drafted but tests cannot run. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
+| 2 | SCANNER-ANALYZERS-DENO-26-010 | TODO | After 26-009, wire CLI (`stella deno trace`) + Worker/Offline Kit using runtime NDJSON contract. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
+| 3 | SCANNER-ANALYZERS-DENO-26-011 | TODO | Implement policy signal emitter using runtime metadata once trace shim lands. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
+| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
+| 5 | SCANNER-ANALYZERS-JAVA-21-006 | TODO | Needs outputs from 21-005. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
+| 6 | SCANNER-ANALYZERS-JAVA-21-007 | TODO | After 21-006; align manifest parsing with resolver. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
+| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
+| 8 | SCANNER-ANALYZERS-JAVA-21-009 | TODO | Unblock when 21-008 lands; prepare fixtures in parallel where safe. | Java Analyzer Guild · QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
+| 9 | SCANNER-ANALYZERS-JAVA-21-010 | TODO | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
+| 10 | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild · DevOps Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
+| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Published prep docs for P2/P3: `docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md` and `docs/modules/scanner/prep/2025-11-20-lang-11-001-prep.md`; set PREP P2/P3 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-20 | Published prep note for SCANNER-ANALYZERS-JAVA-21-005 (docs/modules/scanner/prep/2025-11-20-java-21-005-prep.md); pinged Concelier/CoreLinksets owners for missing packages and CI isolation. | Project Mgmt |
 | 2025-11-20 | Confirmed PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC still TODO; moved to DOING to capture blockers and prep artefact. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_131_scanner_surface.md` to `SPRINT_0131_scanner_surface.md`; no semantic changes. | Planning |
-| 2025-11-17 | Attempted `./tools/dotnet-filter.sh test src/Scanner/StellaOps.Scanner.sln --no-restore`; build ran ~72s compiling scanner/all projects without completing tests, then aborted locally to avoid runaway build. Follow-up narrow build `dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj` also stalled ~28s in target resolution before manual stop. Blocker persists; needs clean CI runner or scoped test project to finish LANG-11-001 validation. | Implementer |
-| 2025-11-17 | Started SCANNER-ANALYZERS-JAVA-21-005: initial framework config extraction (Spring configs, JPA/CDI/JAXB, logging, Graal native-image) implemented with evidence + metadata; added regression test scaffold. | Implementer |
-| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added Spring Boot `.imports` detection and web-fragment coverage; refreshed framework-config test to assert imports + fragment metadata. Test run blocked by Concelier Mongo build errors (missing CoreLinksets interfaces); rerun once repository build is green. | Java Analyzer Guild |
-| 2025-11-19 | SCANNER-ANALYZERS-JAVA-21-005: Added SHA-256 evidence for framework configs (spring.factories, app/bootstrap config, web.xml, etc.) and updated regression test to assert hashed config evidence. Test run aborted due to solution restore contention; rerun needed when runner is free. | Java Analyzer Guild |
-| 2025-11-17 | Targeted `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj --no-restore`; build pulled large Concelier/Surface dependencies and stalled ~35s before manual abort (no test results). Need clean CI or lighter test target to validate 21-005. | Implementer |
-| 2025-11-19 | SCANNER-ANALYZERS-JAVA-21-005: Another targeted restore/test attempt aborted after ~59s during restore due to solution contention; no test results. Await clean runner/CI. | Implementer |
-| 2025-11-17 | Reviewed Deno analyzer scope; runtime evidence hook contract and policy-signal keys not defined in docs or code. Marked DENO-26-009/010/011 as BLOCKED pending approved trace/signal schema shared with Surface/Signals. | Implementer |
-| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added JNI/native hint scanning (native libs, Graal jni-config, System.load/Library strings) with component metadata + evidence; targeted tests added. Test run aborted ~80s in due to concurrent repo-wide builds; rerun on clean runner. | Java Analyzer Guild |
-| 2025-11-17 | Authored `docs/modules/scanner/design/deno-runtime-signals.md` defining NDJSON runtime trace + policy signal keys; unblocked DENO-26-009/010/011 back to TODO. | Implementer |
-| 2025-11-17 | Implemented Deno runtime NDJSON serializer + metadata (module/permission counts, remote origins, npm/wasm/dynamic import counts) with deterministic ordering and hash; added regression tests for serializer, path hashing, recorder ordering, and policy signal emission. Loader/require shim still pending. | Implementer |
-| 2025-11-17 | Deno runtime tests passing: `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj --no-restore`. | Implementer |
-| 2025-11-17 | DenoLanguageAnalyzer now ingests `deno-runtime.ndjson` if present, computes metadata/hash, stores runtime payload in AnalysisStore, and emits policy signals; added runtime probe parser + tests. Loader/require shim that generates the trace remains to be built. | Implementer |
-| 2025-11-17 | Extended runtime metadata/signals to include npm/wasm/dynamic-import counts and unique permissions; AnalysisStore payload now carries these fields for CLI/Worker consumption. | Implementer |
-| 2025-11-17 | Marked DENO-26-009/010/011 BLOCKED: need approved Deno loader/require harness to generate runtime NDJSON in offline mode; pending Signals/Surface design. | Implementer |
-| 2025-11-17 | Authored loader/trace shim plan `docs/modules/scanner/design/deno-runtime-shim.md` describing Deno harness injection, event capture, determinism rules, and fixtures; unblocks DENO-26-009 back to DOING. | Implementer |
-| 2025-11-17 | Added runtime shim source helper + test; shim writes `trace-shim.ts` containing runtime capture hooks (module load, permission use, wasm load, npm hint) for offline trace generation. | Implementer |
-| 2025-11-17 | Re-ran Deno runtime tests after status update; still passing (`dotnet test ...Deno.Tests.csproj --no-restore`). | Implementer |
-
+| 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_131_scanner_surface.md` to `SPRINT_0131_scanner_surface.md`; no semantic changes. | Planning |
+| 2025-11-17 | Attempted `./tools/dotnet-filter.sh test src/Scanner/StellaOps.Scanner.sln --no-restore`; build ran ~72s compiling scanner/all projects without completing tests, then aborted locally to avoid runaway build. Follow-up narrow build `dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj` also stalled ~28s in target resolution before manual stop. Blocker persists; needs clean CI runner or scoped test project to finish LANG-11-001 validation. | Implementer |
+| 2025-11-17 | Started SCANNER-ANALYZERS-JAVA-21-005: initial framework config extraction (Spring configs, JPA/CDI/JAXB, logging, Graal native-image) implemented with evidence + metadata; added regression test scaffold. | Implementer |
+| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added Spring Boot `.imports` detection and web-fragment coverage; refreshed framework-config test to assert imports + fragment metadata. Test run blocked by Concelier Mongo build errors (missing CoreLinksets interfaces); rerun once repository build is green. | Java Analyzer Guild |
+| 2025-11-19 | SCANNER-ANALYZERS-JAVA-21-005: Added SHA-256 evidence for framework configs (spring.factories, app/bootstrap config, web.xml, etc.) and updated regression test to assert hashed config evidence. Test run aborted due to solution restore contention; rerun needed when runner is free. | Java Analyzer Guild |
+| 2025-11-17 | Targeted `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj --no-restore`; build pulled large Concelier/Surface dependencies and stalled ~35s before manual abort (no test results). Need clean CI or lighter test target to validate 21-005. | Implementer |
+| 2025-11-19 | SCANNER-ANALYZERS-JAVA-21-005: Another targeted restore/test attempt aborted after ~59s during restore due to solution contention; no test results. Await clean runner/CI. | Implementer |
+| 2025-11-17 | Reviewed Deno analyzer scope; runtime evidence hook contract and policy-signal keys not defined in docs or code. Marked DENO-26-009/010/011 as BLOCKED pending approved trace/signal schema shared with Surface/Signals. | Implementer |
+| 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added JNI/native hint scanning (native libs, Graal jni-config, System.load/Library strings) with component metadata + evidence; targeted tests added. Test run aborted ~80s in due to concurrent repo-wide builds; rerun on clean runner. | Java Analyzer Guild |
+| 2025-11-17 | Authored `docs/modules/scanner/design/deno-runtime-signals.md` defining NDJSON runtime trace + policy signal keys; unblocked DENO-26-009/010/011 back to TODO. | Implementer |
+| 2025-11-17 | Implemented Deno runtime NDJSON serializer + metadata (module/permission counts, remote origins, npm/wasm/dynamic import counts) with deterministic ordering and hash; added regression tests for serializer, path hashing, recorder ordering, and policy signal emission. Loader/require shim still pending. | Implementer |
+| 2025-11-17 | Deno runtime tests passing: `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj --no-restore`. | Implementer |
+| 2025-11-17 | DenoLanguageAnalyzer now ingests `deno-runtime.ndjson` if present, computes metadata/hash, stores runtime payload in AnalysisStore, and emits policy signals; added runtime probe parser + tests. Loader/require shim that generates the trace remains to be built. | Implementer |
+| 2025-11-17 | Extended runtime metadata/signals to include npm/wasm/dynamic-import counts and unique permissions; AnalysisStore payload now carries these fields for CLI/Worker consumption. | Implementer |
+| 2025-11-17 | Marked DENO-26-009/010/011 BLOCKED: need approved Deno loader/require harness to generate runtime NDJSON in offline mode; pending Signals/Surface design. | Implementer |
+| 2025-11-17 | Authored loader/trace shim plan `docs/modules/scanner/design/deno-runtime-shim.md` describing Deno harness injection, event capture, determinism rules, and fixtures; unblocks DENO-26-009 back to DOING. | Implementer |
+| 2025-11-17 | Added runtime shim source helper + test; shim writes `trace-shim.ts` containing runtime capture hooks (module load, permission use, wasm load, npm hint) for offline trace generation. | Implementer |
+| 2025-11-17 | Re-ran Deno runtime tests after status update; still passing (`dotnet test ...Deno.Tests.csproj --no-restore`). | Implementer |
+
 ## Decisions & Risks
+- Scanner record payload schema still unpinned; drafting prep at `docs/modules/scanner/prep/2025-11-21-scanner-records-prep.md` while waiting for analyzer output confirmation from Scanner Guild.
 - `SCANNER-ANALYZERS-LANG-11-001` blocked (2025-11-17): local `dotnet test` hangs/returns empty output; requires clean runner/CI hang diagnostics to progress and regenerate goldens.
 - Additional note: dotnet-filter wrapper avoids `workdir:` injection but full solution builds still stall locally; recommend CI/clean runner and/or scoped project tests to gather logs for LANG-11-001.
 - `SCANNER-ANALYZERS-JAVA-21-008` blocked (2025-10-27): resolver capacity needed to produce entrypoint/component/edge outputs; downstream tasks remain stalled until resolved.
@@ -71,9 +72,9 @@
 - Loader/require shim implementation still pending for DENO-26-009; must stay offline-first and AnalysisStore-compatible before wiring DENO-26-010/011.
 - PREP note for SCANNER-ANALYZERS-JAVA-21-005 published at `docs/modules/scanner/prep/2025-11-20-java-21-005-prep.md`; awaiting CoreLinksets package fix and isolated CI slot before tests can run.
  - PREP docs added for SCANNER-ANALYZERS-JAVA-21-008 (`docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md`) and LANG-11-001 (`docs/modules/scanner/prep/2025-11-20-lang-11-001-prep.md`); both depend on resolver outputs/CI isolation.
-
-## Next Checkpoints
-| Date (UTC) | Session | Goal | Impacted work | Owner |
-| --- | --- | --- | --- | --- |
-| 2025-11-18 | Scanner EPDR triage | Reproduce and debug `dotnet test` hang for LANG-11-001 on clean runner; capture logs for unblock. | SCANNER-ANALYZERS-LANG-11-001 | Signals Guild |
-| 2025-11-19 | Java analyzer sequencing | Confirm resolver plan for 21-008 and schedule fixtures for 21-009 accordingly. | SCANNER-ANALYZERS-JAVA-21-008/009 | Java Analyzer Guild |
+
+## Next Checkpoints
+| Date (UTC) | Session | Goal | Impacted work | Owner |
+| --- | --- | --- | --- | --- |
+| 2025-11-18 | Scanner EPDR triage | Reproduce and debug `dotnet test` hang for LANG-11-001 on clean runner; capture logs for unblock. | SCANNER-ANALYZERS-LANG-11-001 | Signals Guild |
+| 2025-11-19 | Java analyzer sequencing | Confirm resolver plan for 21-008 and schedule fixtures for 21-009 accordingly. | SCANNER-ANALYZERS-JAVA-21-008/009 | Java Analyzer Guild |

docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md

@@ -55,6 +55,16 @@
 
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-21 | Added cleanup helper `scripts/cleanup-runner-space.sh` to reclaim workspace space (TestResults/out/artifacts/tmp); still blocked from rerun until disk is cleared. | Implementer |
+| 2025-11-21 | Added runner wrapper `scripts/run-node-isolated.sh` (enables cleanup + offline cache env) so once disk is cleared the isolated Node suite can be launched with a single command. | Implementer |
+| 2025-11-21 | Tightened node runsettings filter to `FullyQualifiedName~Lang.Node.Tests`; cannot rerun because the runner reports “No space left on device” when opening PTYs. Need workspace clean-up before next test attempt. | Implementer |
+| 2025-11-21 | Tightened node runsettings filter to `FullyQualifiedName~Lang.Node.Tests`; rerun blocked because runner cannot open PTYs (“No space left on device”). | Implementer |
+| 2025-11-21 | Node isolated test rerun halted due to runner disk full (`No space left on device`) before reporting results; need workspace cleanup to proceed. | Implementer |
+| 2025-11-20 | Resolved Concelier.Storage.Mongo build blockers (missing JetStream config types, AdvisoryLinksetDocument, IHostedService, and immutable helpers). `dotnet test src/Scanner/StellaOps.Scanner.Node.slnf --no-restore /m:1` now builds the isolated graph; test run stops inside `StellaOps.Scanner.Analyzers.Lang.Tests` due to Ruby and Rust snapshot drifts, so Node analyzer tests still not exercised. | Implementer |
+| 2025-11-20 | Patched Concelier.Storage.Mongo (deduped AdvisoryObservationSourceDocument, added JetStream package/usings) and set `UseConcelierTestInfra=false` for Scanner lang/node tests to strip Concelier test harness. Direct `dotnet test` on Node tests still fails because Concelier connectors remain in the build graph even with `BuildProjectReferences=false` (missing Connector/Common & Storage.Mongo ref outputs). Further detangling of Concelier injection in src/Directory.Build.props needed. | Implementer |
+| 2025-11-20 | Retried isolated test run with slimmer solution filter (removed Concelier.Testing) and hydrated authsignals in offline cache; restore/build now succeed but `dotnet test` still fails because Concelier.Storage.Mongo compiles as a transitive dependency and has duplicate `AdvisoryObservationSourceDocument` + missing `NatsJSContext`. Node analyzer tests not executed. | Implementer |
+| 2025-11-20 | Isolated restore now succeeds using offline cache; `dotnet test src/Scanner/StellaOps.Scanner.Node.slnf --no-restore` fails building Concelier dependencies (duplicate `AdvisoryObservationSourceDocument` in Storage.Mongo and missing `NatsJSContext` type). Node analyzer tests remain blocked on upstream Concelier build break. | Implementer |
+| 2025-11-20 | Updated isolated runner script to use correct runsettings path and build (`--no-restore`) after offline restore; offline gap snapshot refreshed (`offline/restore_missing_snapshot.txt`). | Implementer |
 | 2025-11-20 | Attempted node isolated restore/test; restore failed fetching Microsoft.TestPlatform.TestHost (nuget.org) because offline package path was wrong. Script corrected to use `offline/packages`. Re-run still needed. | Implementer |
 | 2025-11-20 | Second isolated restore attempt ran ~48s then cancelled; still needs seeding `Microsoft.TestPlatform.TestHost 17.14.1` into offline/packages to complete. | Implementer |
 | 2025-11-20 | Isolated restore retried after seeding TestHost; still failing due to missing packages from offline cache (e.g., MongoDB.Driver.Core 2.12.0). Further seeding needed before tests can run. | Implementer |
@@ -88,14 +98,27 @@
 | 2025-11-18 | SCANNER-ANALYZERS-LANG-11-002..005: Marked BLOCKED because upstream task 11-001 outputs/contracts are not available; dependencies in 11-003..005 cascade. No code changes made. | Implementer |
 
 ## Decisions & Risks
+- Added cleanup script `scripts/cleanup-runner-space.sh` to clear workspace outputs (TestResults/out/artifacts/tmp) when disk-full blocks PTY; run before the next isolated Node test attempt.
 - Scanner AGENTS.md added 2025-11-17; keep in sync with scanner architecture and future advisories.
 - Sprint execution gated on completion of Sprint 131; monitor for slippage to avoid cascading delays in 130–139 chain.
 - Prep note for analyzer PREP tasks captured in `docs/modules/scanner/prep/2025-11-20-analyzers-prep.md`; use it as the interim contract until upstream writer/runtime contracts land.
 - Native analyzer format-detector completed; NAT-20-002 still blocked on declared-dependency writer interface—prep note defines expected payload to reduce rework once contract lands.
-- Node analyzer isolation plan published (see `docs/modules/scanner/prep/2025-11-20-node-isolated-runner.md`); offline cache still incomplete after multiple restore attempts (latest NU1101 StellaOps.Policy.AuthSignals). Need full dependency seed before isolated run and tests can pass.
+- Node analyzer isolation plan published (see `docs/modules/scanner/prep/2025-11-20-node-isolated-runner.md`); offline cache hydrated and Concelier/Esprima build blockers resolved. Isolated test run still pending because the runner is out of disk space (“No space left on device”) and cannot start PTYs.
+- Disk space on the runner is exhausted; free workspace space (e.g., `TestResults/`, `out/`, `/tmp`, duplicate offline packages) before rerunning the isolated Node suite.
+- Node analyzer isolation: Concelier and Esprima build blockers resolved. Latest test attempt blocked by disk-full on runner (“No space left on device”) before results were emitted; requires workspace cleanup to retry.
+- Node analyzer isolation test execution blocked by runner disk exhaustion (“No space left on device”) before results could be captured; cannot proceed until workspace free space is recovered.
 - .NET analyzer chain (11-002..005) remains blocked awaiting upstream static-analyzer contract (11-001) and downstream writer/export contracts; runtime fusion prep recorded but cannot proceed until contracts exist.
+- Node isolated tests currently fail due to upstream Concelier build errors (duplicate `AdvisoryObservationSourceDocument` definition and missing `NatsJSContext` in Storage.Mongo); Node analyzer code not executed. Requires Concelier fix or exclusion before tests can validate.
 ## Next Checkpoints
 - 2025-11-19: Sprint kickoff (owner: Scanner PM), contingent on Sprint 131 sign-off.
 - 2025-11-26: Mid-sprint review (owner: EPDR Guild lead) to validate observation exports and resolver behavior.
 
-| 2025-11-18 | SCANNER-ANALYZERS-NODE-22-001: Added Yarn PnP cache zip traversal, emitter sets yarnPnp metadata, new fixture/tests (`yarn-pnp`); test run aborted due to long-running solution build—rerun on clean runner. | Node Analyzer Guild |
+| 2025-11-18 | SCANNER-ANALYZERS-NODE-22-001: Added Yarn PnP cache zip traversal, emitter sets yarnPnp metadata, new fixture/tests (`yarn-pnp`); test run aborted due to long-running solution build—rerun on clean runner. | Node Analyzer Guild |
+
+## Cleanup Helper (added 2025-11-21)
+- Script: `scripts/cleanup-runner-space.sh`
+- Purpose: reclaim workspace space (removes `TestResults/`, `out/`, `artifacts/`, `tmp/`) when the runner reports “No space left on device”.
+- Safe to run before rerunning isolated Node tests; leaves sources and offline caches intact.
+- Optionally set `CLEAN_BEFORE_NODE_TESTS=1` when invoking `node-tests-isolated.sh` to run the cleanup helper automatically before the test run.
+- Wrapper script available: `scripts/run-node-isolated.sh` sets the offline cache env, enables pre-test cleanup, and invokes the isolated Node test script with minimal logging.
+- If needed, set executable bits once disk is available: `chmod +x scripts/cleanup-runner-space.sh scripts/run-node-isolated.sh`.

docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md

@@ -1,73 +1,73 @@
-# Sprint 0138 · Scanner & Surface — Ruby Analyzer Parity
-
-## Topic & Scope
-- Achieve Ruby analyzer parity: runtime require/autoload graphs, capability signals, observation payloads, package inventories, and CLI/WebService wiring for scan/digest lookup.
-- Sustain EntryTrace heuristic cadence with deterministic fixtures and explain-trace updates drawn from competitor gap benchmarks.
-- Prepare runway for language coverage expansion (PHP now, Deno/Dart/Swift scoped) to keep parity roadmap on track.
-- **Working directory:** `src/Scanner` (Analyzer, Worker, WebService, CLI surfaces) and supporting docs under `docs/modules/scanner`.
-
-## Dependencies & Concurrency
-- Depends on Sprint 0137 · Scanner.VIII (gap designs locked) and Sprint 0135 · Scanner.VI (EntryTrace foundations).
-- Feeds Sprint 0139 and downstream CLI releases once Ruby analyzer, policy, and licensing tracks land.
-- Parallel-safe with other modules; ensure Mongo is available when touching package inventory store tasks.
-
-## Documentation Prerequisites
-- `docs/README.md`; `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
-- `docs/modules/scanner/architecture.md`; `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`.
-- AGENTS for involved components: `src/Scanner/StellaOps.Scanner.Worker/AGENTS.md`, `src/Scanner/StellaOps.Scanner.WebService/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md`.
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | BLOCKED | Due 2025-11-22 · Accountable: PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Await composer/autoload graph design + staffing; no PHP analyzer scaffolding exists yet. <br><br> Document artefact/deliverable for SCANNER-ENG-0010 and publish location so downstream tasks can proceed. |
-| P2 | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Needs Deno runtime analyzer scope + lockfile/import graph design; pending competitive review. <br><br> Document artefact/deliverable for SCANNER-ENG-0011 and publish location so downstream tasks can proceed. |
-| P3 | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Define Dart analyzer requirements (pubspec parsing, AOT artifacts) and split into tasks. <br><br> Document artefact/deliverable for SCANNER-ENG-0012 and publish location so downstream tasks can proceed. |
-| P4 | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | BLOCKED | Due 2025-11-22 · Accountable: Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Draft SwiftPM coverage plan; align policy hooks; awaiting design kick-off. <br><br> Document artefact/deliverable for SCANNER-ENG-0013 and publish location so downstream tasks can proceed. |
-| P5 | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | BLOCKED | Due 2025-11-22 · Accountable: Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Needs joint roadmap with Zastava/Runtime guilds for Kubernetes/VM alignment. <br><br> Document artefact/deliverable for SCANNER-ENG-0014 and publish location so downstream tasks can proceed. |
-| 1 | SCANNER-ENG-0008 | DONE (2025-11-16) | Cadence documented; quarterly review workflow published for EntryTrace heuristics. | EntryTrace Guild, QA Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Maintain EntryTrace heuristic cadence per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, including explain-trace updates. |
-| 2 | SCANNER-ENG-0009 | DONE (2025-11-13) | Release handoff to Sprint 0139 consumers; monitor Mongo-backed inventory rollout. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Ruby analyzer parity shipped: runtime graph + capability signals, observation payload, Mongo-backed `ruby.packages` inventory, CLI/WebService surfaces, and plugin manifest bundles for Worker loadout. |
-| 3 | SCANNER-ENG-0010 | BLOCKED | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. |
-| 4 | SCANNER-ENG-0011 | BLOCKED | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Scope the Deno runtime analyzer (lockfile resolver, import graphs) beyond Sprint 130 coverage. |
-| 5 | SCANNER-ENG-0012 | BLOCKED | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. |
-| 6 | SCANNER-ENG-0013 | BLOCKED | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. |
-| 7 | SCANNER-ENG-0014 | BLOCKED | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. |
-| 8 | SCANNER-ENG-0015 | DONE (2025-11-13) | Ready for Ops training; track adoption metrics. | Export Center Guild, Scanner Guild (`docs/modules/scanner`) | DSSE/Rekor operator playbook published with config/env tables, rollout phases, offline verification, and SLA/alert guidance. |
-| 9 | SCANNER-ENG-0016 | DONE (2025-11-10) | Monitor bundler override edge cases; keep fixtures deterministic. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | RubyLockCollector and vendor ingestion finalized: Bundler overrides honoured, workspace lockfiles merged, vendor bundles normalised, deterministic fixtures added. |
-| 10 | SCANNER-ENG-0017 | DONE (2025-11-09) | Keep tree-sitter Ruby grammar pinned; reuse EntryTrace hints for regressions. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Build runtime require/autoload graph builder with tree-sitter Ruby per design §4.4 and integrate EntryTrace hints. |
-| 11 | SCANNER-ENG-0018 | DONE (2025-11-09) | Feed predicates to policy docs; monitor capability gaps. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Emit Ruby capability + framework surface signals per design §4.5 with policy predicate hooks. |
-| 12 | SCANNER-ENG-0019 | DONE (2025-11-13) | Observe CLI/WebService adoption; ensure scanId resolution metrics logged. | Ruby Analyzer Guild, CLI Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Ruby CLI verbs resolve inventories by scan ID, digest, or image reference; WebService fallbacks + CLI client encoding cover both digests and tagged references. |
-| 13 | SCANNER-LIC-0001 | DONE (2025-11-10) | Keep Offline Kit mirrors current with ruby artifacts. | Scanner Guild, Legal Guild (`docs/modules/scanner`) | Tree-sitter licensing captured, `NOTICE.md` updated, and Offline Kit now mirrors `third-party-licenses/` with ruby artifacts. |
-| 14 | SCANNER-POLICY-0001 | DONE (2025-11-10) | Align DSL docs with future PHP/Deno/Dart predicates. | Policy Guild, Ruby Analyzer Guild (`docs/modules/scanner`) | Ruby predicates shipped: Policy Engine exposes `sbom.any_component` + `ruby.*`, tests updated, DSL/offline-kit docs refreshed. |
-| 15 | SCANNER-CLI-0001 | DONE (2025-11-10) | Final verification of docs/help; handoff to CLI release notes. | CLI Guild, Ruby Analyzer Guild (`src/Cli/StellaOps.Cli`) | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Removed trailing hyphen from PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE so SCANNER-ENG-0013 dependency resolves. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP tasks P1–P5 BLOCKED pending composer/Deno/Dart/SwiftPM design contracts and Zastava/Runtime roadmap; downstream SCANNER-ENG-0010..0014 remain gated. | Project Mgmt |
-| 2025-11-09 | `SCANNER-CLI-0001`: Spectre table wrapping fix for runtime/lockfile columns; expanded Ruby resolve JSON assertions; removed debug artifacts; docs/tests pending final merge. | CLI Guild |
-| 2025-11-09 | `SCANNER-CLI-0001`: Wired `stellaops-cli ruby inspect|resolve` into `CommandFactory` with `--root`, `--image/--scan-id`, `--format`; `dotnet test ... --filter Ruby` passes. | CLI Guild |
-| 2025-11-09 | `SCANNER-CLI-0001`: Added CLI unit tests (CommandFactoryTests, Ruby inspect JSON assertions) to guard new verbs and runtime metadata output. | CLI Guild |
-| 2025-11-09 | `SCANNER-ENG-0016`: Completed Ruby lock collector & vendor ingestion; honours `.bundle/config` overrides, folds workspace lockfiles, emits bundler groups; fixtures/goldens updated; `dotnet test ... --filter Ruby` passes. | Ruby Analyzer Guild |
-| 2025-11-12 | `SCANNER-ENG-0009`: Observation payload + `ruby-observation` component emitted; `complex-app` fixture added for vendor caches/BUNDLE_PATH overrides; bundler-version metadata captured; CLI prints observation banner. | Ruby Analyzer Guild |
-| 2025-11-12 | `SCANNER-ENG-0009`: Ruby package inventories flow into `RubyPackageInventoryStore`; `SurfaceManifestStageExecutor` builds package list; WebService exposes `GET /api/scans/{scanId}/ruby-packages`. | Ruby Analyzer Guild |
-| 2025-11-12 | `SCANNER-ENG-0009`: Inventory API returns typed envelope (scanId/imageDigest/generatedAt + packages); Worker/WebService DI registers real/Null stores; CLI `ruby resolve` consumes payload and warns during warmup. | Ruby Analyzer Guild |
-| 2025-11-13 | `SCANNER-ENG-0009`: Verified Worker DI wiring; plugin drop mirrors analyzer assembly + manifest for Worker hot-load; tests cover analyzer fixtures, Worker persistence, WebService endpoint. | Ruby Analyzer Guild |
-| 2025-11-13 | `SCANNER-ENG-0015`: DSSE/Rekor operator guide expanded with config/env map, rollout runbook, verification snippets, alert/SLO recommendations. | Export Center Guild |
-| 2025-11-13 | `SCANNER-ENG-0019`: WebService maps digest/reference identifiers to scan IDs; CLI backend encodes path segments; regression tests (`RubyPackagesEndpointsTests`, `StellaOps.Cli.Tests --filter Ruby`) cover lookup path. | Ruby Analyzer Guild |
-| 2025-11-16 | Normalised sprint file to standard template and renamed to `SPRINT_0138_0000_0001_scanner_ruby_parity.md`; no semantic task changes. | Planning |
-| 2025-11-16 | `SCANNER-ENG-0008`: Published EntryTrace heuristic cadence doc and recorded task completion; cadence now scheduled quarterly with fixture-first workflow. | EntryTrace Guild |
-| 2025-11-16 | `SCANNER-ENG-0010..0014`: Marked BLOCKED pending design/staffing (PHP/Deno/Dart/Swift analyzers, Kubernetes/VM alignment); awaiting guild inputs. | Planning |
-| 2025-11-17 | Removed legacy filename `SPRINT_138_scanner_ruby_parity.md` and updated `docs/implplan/tasks-all.md` references to the canonical sprint name to avoid duplication. | Planning |
-
-## Decisions & Risks
-- PHP analyzer pipeline (SCANNER-ENG-0010) blocked pending composer/autoload graph design + staffing; parity risk remains.
-- Deno, Dart, and Swift analyzers (SCANNER-ENG-0011..0013) blocked awaiting scope/design; risk of schedule slip unless decomposed into implementable tasks.
-- Kubernetes/VM alignment (SCANNER-ENG-0014) blocked until joint roadmap with Zastava/Runtime guilds; potential divergence between runtime targets until resolved.
-- Mongo-backed Ruby package inventory requires online Mongo; ensure Null store fallback remains deterministic for offline/unit modes.
-- EntryTrace cadence now documented; risk reduced to execution discipline—ensure quarterly reviews are logged in `TASKS.md` and sprint logs.
-
-## Next Checkpoints
-- Schedule guild sync to staff PHP analyzer pipeline and confirm design entry docs. (TBD week of 2025-11-18)
-- Set alignment review with Zastava/Runtime guilds for Kubernetes/VM coverage plan. (TBD)
+# Sprint 0138 · Scanner & Surface — Ruby Analyzer Parity
+
+## Topic & Scope
+- Achieve Ruby analyzer parity: runtime require/autoload graphs, capability signals, observation payloads, package inventories, and CLI/WebService wiring for scan/digest lookup.
+- Sustain EntryTrace heuristic cadence with deterministic fixtures and explain-trace updates drawn from competitor gap benchmarks.
+- Prepare runway for language coverage expansion (PHP now, Deno/Dart/Swift scoped) to keep parity roadmap on track.
+- **Working directory:** `src/Scanner` (Analyzer, Worker, WebService, CLI surfaces) and supporting docs under `docs/modules/scanner`.
+
+## Dependencies & Concurrency
+- Depends on Sprint 0137 · Scanner.VIII (gap designs locked) and Sprint 0135 · Scanner.VI (EntryTrace foundations).
+- Feeds Sprint 0139 and downstream CLI releases once Ruby analyzer, policy, and licensing tracks land.
+- Parallel-safe with other modules; ensure Mongo is available when touching package inventory store tasks.
+
+## Documentation Prerequisites
+- `docs/README.md`; `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
+- `docs/modules/scanner/architecture.md`; `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`.
+- AGENTS for involved components: `src/Scanner/StellaOps.Scanner.Worker/AGENTS.md`, `src/Scanner/StellaOps.Scanner.WebService/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md`.
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | BLOCKED | Due 2025-11-22 · Accountable: PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Await composer/autoload graph design + staffing; no PHP analyzer scaffolding exists yet. <br><br> Document artefact/deliverable for SCANNER-ENG-0010 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Needs Deno runtime analyzer scope + lockfile/import graph design; pending competitive review. <br><br> Document artefact/deliverable for SCANNER-ENG-0011 and publish location so downstream tasks can proceed. |
+| P3 | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Define Dart analyzer requirements (pubspec parsing, AOT artifacts) and split into tasks. <br><br> Document artefact/deliverable for SCANNER-ENG-0012 and publish location so downstream tasks can proceed. |
+| P4 | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | BLOCKED | Due 2025-11-22 · Accountable: Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Draft SwiftPM coverage plan; align policy hooks; awaiting design kick-off. <br><br> Document artefact/deliverable for SCANNER-ENG-0013 and publish location so downstream tasks can proceed. |
+| P5 | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | BLOCKED | Due 2025-11-22 · Accountable: Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Needs joint roadmap with Zastava/Runtime guilds for Kubernetes/VM alignment. <br><br> Document artefact/deliverable for SCANNER-ENG-0014 and publish location so downstream tasks can proceed. |
+| 1 | SCANNER-ENG-0008 | DONE (2025-11-16) | Cadence documented; quarterly review workflow published for EntryTrace heuristics. | EntryTrace Guild, QA Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Maintain EntryTrace heuristic cadence per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, including explain-trace updates. |
+| 2 | SCANNER-ENG-0009 | DONE (2025-11-13) | Release handoff to Sprint 0139 consumers; monitor Mongo-backed inventory rollout. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Ruby analyzer parity shipped: runtime graph + capability signals, observation payload, Mongo-backed `ruby.packages` inventory, CLI/WebService surfaces, and plugin manifest bundles for Worker loadout. |
+| 3 | SCANNER-ENG-0010 | BLOCKED | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. |
+| 4 | SCANNER-ENG-0011 | BLOCKED | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Scope the Deno runtime analyzer (lockfile resolver, import graphs) beyond Sprint 130 coverage. |
+| 5 | SCANNER-ENG-0012 | BLOCKED | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. |
+| 6 | SCANNER-ENG-0013 | BLOCKED | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. |
+| 7 | SCANNER-ENG-0014 | BLOCKED | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. |
+| 8 | SCANNER-ENG-0015 | DONE (2025-11-13) | Ready for Ops training; track adoption metrics. | Export Center Guild, Scanner Guild (`docs/modules/scanner`) | DSSE/Rekor operator playbook published with config/env tables, rollout phases, offline verification, and SLA/alert guidance. |
+| 9 | SCANNER-ENG-0016 | DONE (2025-11-10) | Monitor bundler override edge cases; keep fixtures deterministic. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | RubyLockCollector and vendor ingestion finalized: Bundler overrides honoured, workspace lockfiles merged, vendor bundles normalised, deterministic fixtures added. |
+| 10 | SCANNER-ENG-0017 | DONE (2025-11-09) | Keep tree-sitter Ruby grammar pinned; reuse EntryTrace hints for regressions. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Build runtime require/autoload graph builder with tree-sitter Ruby per design §4.4 and integrate EntryTrace hints. |
+| 11 | SCANNER-ENG-0018 | DONE (2025-11-09) | Feed predicates to policy docs; monitor capability gaps. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Emit Ruby capability + framework surface signals per design §4.5 with policy predicate hooks. |
+| 12 | SCANNER-ENG-0019 | DONE (2025-11-13) | Observe CLI/WebService adoption; ensure scanId resolution metrics logged. | Ruby Analyzer Guild, CLI Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Ruby CLI verbs resolve inventories by scan ID, digest, or image reference; WebService fallbacks + CLI client encoding cover both digests and tagged references. |
+| 13 | SCANNER-LIC-0001 | DONE (2025-11-10) | Keep Offline Kit mirrors current with ruby artifacts. | Scanner Guild, Legal Guild (`docs/modules/scanner`) | Tree-sitter licensing captured, `NOTICE.md` updated, and Offline Kit now mirrors `third-party-licenses/` with ruby artifacts. |
+| 14 | SCANNER-POLICY-0001 | DONE (2025-11-10) | Align DSL docs with future PHP/Deno/Dart predicates. | Policy Guild, Ruby Analyzer Guild (`docs/modules/scanner`) | Ruby predicates shipped: Policy Engine exposes `sbom.any_component` + `ruby.*`, tests updated, DSL/offline-kit docs refreshed. |
+| 15 | SCANNER-CLI-0001 | DONE (2025-11-10) | Final verification of docs/help; handoff to CLI release notes. | CLI Guild, Ruby Analyzer Guild (`src/Cli/StellaOps.Cli`) | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Removed trailing hyphen from PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE so SCANNER-ENG-0013 dependency resolves. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P5 BLOCKED pending composer/Deno/Dart/SwiftPM design contracts and Zastava/Runtime roadmap; downstream SCANNER-ENG-0010..0014 remain gated. | Project Mgmt |
+| 2025-11-09 | `SCANNER-CLI-0001`: Spectre table wrapping fix for runtime/lockfile columns; expanded Ruby resolve JSON assertions; removed debug artifacts; docs/tests pending final merge. | CLI Guild |
+| 2025-11-09 | `SCANNER-CLI-0001`: Wired `stellaops-cli ruby inspect|resolve` into `CommandFactory` with `--root`, `--image/--scan-id`, `--format`; `dotnet test ... --filter Ruby` passes. | CLI Guild |
+| 2025-11-09 | `SCANNER-CLI-0001`: Added CLI unit tests (CommandFactoryTests, Ruby inspect JSON assertions) to guard new verbs and runtime metadata output. | CLI Guild |
+| 2025-11-09 | `SCANNER-ENG-0016`: Completed Ruby lock collector & vendor ingestion; honours `.bundle/config` overrides, folds workspace lockfiles, emits bundler groups; fixtures/goldens updated; `dotnet test ... --filter Ruby` passes. | Ruby Analyzer Guild |
+| 2025-11-12 | `SCANNER-ENG-0009`: Observation payload + `ruby-observation` component emitted; `complex-app` fixture added for vendor caches/BUNDLE_PATH overrides; bundler-version metadata captured; CLI prints observation banner. | Ruby Analyzer Guild |
+| 2025-11-12 | `SCANNER-ENG-0009`: Ruby package inventories flow into `RubyPackageInventoryStore`; `SurfaceManifestStageExecutor` builds package list; WebService exposes `GET /api/scans/{scanId}/ruby-packages`. | Ruby Analyzer Guild |
+| 2025-11-12 | `SCANNER-ENG-0009`: Inventory API returns typed envelope (scanId/imageDigest/generatedAt + packages); Worker/WebService DI registers real/Null stores; CLI `ruby resolve` consumes payload and warns during warmup. | Ruby Analyzer Guild |
+| 2025-11-13 | `SCANNER-ENG-0009`: Verified Worker DI wiring; plugin drop mirrors analyzer assembly + manifest for Worker hot-load; tests cover analyzer fixtures, Worker persistence, WebService endpoint. | Ruby Analyzer Guild |
+| 2025-11-13 | `SCANNER-ENG-0015`: DSSE/Rekor operator guide expanded with config/env map, rollout runbook, verification snippets, alert/SLO recommendations. | Export Center Guild |
+| 2025-11-13 | `SCANNER-ENG-0019`: WebService maps digest/reference identifiers to scan IDs; CLI backend encodes path segments; regression tests (`RubyPackagesEndpointsTests`, `StellaOps.Cli.Tests --filter Ruby`) cover lookup path. | Ruby Analyzer Guild |
+| 2025-11-16 | Normalised sprint file to standard template and renamed to `SPRINT_0138_0000_0001_scanner_ruby_parity.md`; no semantic task changes. | Planning |
+| 2025-11-16 | `SCANNER-ENG-0008`: Published EntryTrace heuristic cadence doc and recorded task completion; cadence now scheduled quarterly with fixture-first workflow. | EntryTrace Guild |
+| 2025-11-16 | `SCANNER-ENG-0010..0014`: Marked BLOCKED pending design/staffing (PHP/Deno/Dart/Swift analyzers, Kubernetes/VM alignment); awaiting guild inputs. | Planning |
+| 2025-11-17 | Removed legacy filename `SPRINT_138_scanner_ruby_parity.md` and updated `docs/implplan/tasks-all.md` references to the canonical sprint name to avoid duplication. | Planning |
+
+## Decisions & Risks
+- PHP analyzer pipeline (SCANNER-ENG-0010) blocked pending composer/autoload graph design + staffing; parity risk remains.
+- Deno, Dart, and Swift analyzers (SCANNER-ENG-0011..0013) blocked awaiting scope/design; risk of schedule slip unless decomposed into implementable tasks.
+- Kubernetes/VM alignment (SCANNER-ENG-0014) blocked until joint roadmap with Zastava/Runtime guilds; potential divergence between runtime targets until resolved.
+- Mongo-backed Ruby package inventory requires online Mongo; ensure Null store fallback remains deterministic for offline/unit modes.
+- EntryTrace cadence now documented; risk reduced to execution discipline—ensure quarterly reviews are logged in `TASKS.md` and sprint logs.
+
+## Next Checkpoints
+- Schedule guild sync to staff PHP analyzer pipeline and confirm design entry docs. (TBD week of 2025-11-18)
+- Set alignment review with Zastava/Runtime guilds for Kubernetes/VM coverage plan. (TBD)

docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md

@@ -24,8 +24,8 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | TODO | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Waiting on Surface.FS cache drop plan + Surface.Env helper ownership. <br><br> Document artefact/deliverable for 140.D Zastava wave and publish location so downstream tasks can proceed. |
-| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | TODO | Due 2025-11-22 · Accountable: Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | BLOCKED. <br><br> Document artefact/deliverable for SBOM Service Guild · Cartographer Guild · Observability Guild, Zastava Observer/Webhook Guilds · Security Guild and publish location so downstream tasks can proceed. |
+| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Prep artefact published at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md` (cache drop cadence, env helper ownership, DSSE requirements). |
+| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | BLOCKED. <br><br> Document artefact/deliverable for SBOM Service Guild · Cartographer Guild · Observability Guild, Zastava Observer/Webhook Guilds · Security Guild and publish location so downstream tasks can proceed. |
 | 1 | 140.A Graph wave | BLOCKED (2025-11-19) | Await real scanner cache ETA; working off mock bundle only. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; revalidate once real cache lands. |
 | 2 | 140.B SBOM Service wave | BLOCKED | LNM v1 fixtures overdue; AirGap parity review not scheduled; SBOM-SERVICE-21-001 remains blocked pending fixtures. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
 | 3 | 140.C Signals wave | BLOCKED (2025-11-20) | CAS promotion + signed manifests + provenance appendix pending; SIGNALS-24-002/003 blocked upstream. TRACTORS: see `docs/signals/cas-promotion-24-002.md` and `docs/signals/provenance-24-003.md`. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
@@ -34,8 +34,11 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS: published cache/env helper prep at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md`; status set to DONE. | Implementer |
 | 2025-11-20 | Marked SIGNALS-24-002/003 as BLOCKED pending Platform Storage + provenance approvals; linked CAS/provenance checklists in blockers. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-20 | Started PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB (status → DOING) after confirming no prior DOING/DONE owners. | Planning |
+| 2025-11-20 | Started PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS (status → DOING) after confirming no prior DOING/DONE owners. | Planning |
 | 2025-11-18 | Marked SBOM wave BLOCKED pending overdue LNM fixtures and AirGap review scheduling; status mirrored to tasks-all/blocked-all. | Planning |
 | 2025-11-18 | Added cache parity checklist (Graph) and CAS/provenance close-out checklist (Signals); mock bundle execution ongoing; fixed cross-sprint references to padded SPRINT IDs. | Planning |
 | 2025-11-18 | Started Graph wave execution on scanner surface mock bundle v1; tracking cache ETA for parity validation. | Planning |

docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md

@@ -1,52 +1,52 @@
-# Sprint 0141 · Graph Indexer (Runtime & Signals 140.A)
-
-## Topic & Scope
-- Stand up graph clustering and centrality background jobs plus incremental/backfill pipelines for runtime & signals ingestion.
-- Deliver deterministic tests/fixtures and packaging for offline-first deployments with backlog and observability metrics.
-- Use scanner surface mock bundle v1 until real caches arrive.
-- **Working directory:** `src/Graph/StellaOps.Graph.Indexer`.
-
-## Dependencies & Concurrency
-- Upstream: Sprint 120.A · AirGap (offline feeds) and Sprint 130.A · Scanner (surface/mock bundle availability).
-- Pre-req task GRAPH-INDEX-28-006 (baseline overlays) must land before 28-007 clustering; track as inbound dependency.
-- Coordinate with Observability Guild for metrics pipeline; parallel execution otherwise safe once mock bundle is fixed.
-
-## Documentation Prerequisites
-- docs/modules/graph/README.md
-- docs/modules/graph/architecture.md
-- docs/modules/graph/implementation_plan.md
-- docs/modules/platform/architecture-overview.md
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P0 | PREP-GRAPH-INDEX-28-006-OVERLAYS | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · Observability Guild | Graph Indexer Guild · Observability Guild | Deliver baseline overlays + schedule config design for GRAPH-INDEX-28-006; publish mock bundle + config docs so 28-007 can start. |
-| P1 | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild | Graph Indexer Guild | Unblock after 28-007; confirm change streams + retry/backoff settings. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-008 and publish location so downstream tasks can proceed. |
-| P2 | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · QA Guild | Graph Indexer Guild · QA Guild | Downstream of 28-008 data paths. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-009 and publish location so downstream tasks can proceed. |
-| P3 | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · DevOps Guild | Graph Indexer Guild · DevOps Guild | Needs outputs from 28-009; align with Offline Kit owners. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-010 and publish location so downstream tasks can proceed. |
-| 1 | GRAPH-INDEX-28-007 | BLOCKED | PREP-GRAPH-INDEX-28-006-OVERLAYS | Graph Indexer Guild · Observability Guild | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules; persist cluster ids on nodes; expose metrics. |
-| 2 | GRAPH-INDEX-28-008 | BLOCKED | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | Graph Indexer Guild | Provide incremental update & backfill pipeline with change streams, retry/backoff, idempotent ops, backlog metrics. |
-| 3 | GRAPH-INDEX-28-009 | BLOCKED | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | Graph Indexer Guild · QA Guild | Add unit/property/integration tests, synthetic large-graph fixtures, chaos tests (missing overlays, cycles), determinism checks across runs. |
-| 4 | GRAPH-INDEX-28-010 | BLOCKED | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | Graph Indexer Guild · DevOps Guild | Package deployment artefacts (Helm/Compose), offline seed bundles, configuration docs; integrate Offline Kit. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Added PREP-GRAPH-INDEX-28-006-OVERLAYS and normalized PREP IDs for 28-008/009 so dependency graph is concrete. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP tasks P0–P3 BLOCKED; overlays/mock bundle and change-stream/backfill configs are still missing, so GRAPH-INDEX-28-007..010 stay gated. | Project Mgmt |
-| 2025-11-17 | Marked tasks 28-007 through 28-010 as BLOCKED pending upstream 28-006 overlays and scanner cache availability. | Planning |
-| 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_141_graph.md; scope unchanged. | Planning |
-| 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md. | Planning |
-
-## Decisions & Risks
-- Operating on scanner surface mock bundle v1 until real caches arrive; reassess when Sprint 130.A delivers caches.
-- All tasks currently blocked until GRAPH-INDEX-28-006 overlays land; confirm delivery date and update schedule config accordingly.
-- Determinism risk for clustering approximations; require repeat-run variance checks in 28-009.
-- Ensure offline seed bundles stay in sync with AirGap feeds from Sprint 120.A.
-
-## Next Checkpoints
-- 2025-11-19 · Confirm availability/timeline for scanner surface caches. Owner: Graph Indexer Guild.
-- 2025-11-21 · Dependency check on GRAPH-INDEX-28-006 readiness with Observability Guild.
-- 2025-11-26 · Packaging/Offline Kit alignment checkpoint with DevOps Guild after 28-009 test results.
+# Sprint 0141 · Graph Indexer (Runtime & Signals 140.A)
+
+## Topic & Scope
+- Stand up graph clustering and centrality background jobs plus incremental/backfill pipelines for runtime & signals ingestion.
+- Deliver deterministic tests/fixtures and packaging for offline-first deployments with backlog and observability metrics.
+- Use scanner surface mock bundle v1 until real caches arrive.
+- **Working directory:** `src/Graph/StellaOps.Graph.Indexer`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.A · AirGap (offline feeds) and Sprint 130.A · Scanner (surface/mock bundle availability).
+- Pre-req task GRAPH-INDEX-28-006 (baseline overlays) must land before 28-007 clustering; track as inbound dependency.
+- Coordinate with Observability Guild for metrics pipeline; parallel execution otherwise safe once mock bundle is fixed.
+
+## Documentation Prerequisites
+- docs/modules/graph/README.md
+- docs/modules/graph/architecture.md
+- docs/modules/graph/implementation_plan.md
+- docs/modules/platform/architecture-overview.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P0 | PREP-GRAPH-INDEX-28-006-OVERLAYS | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · Observability Guild | Graph Indexer Guild · Observability Guild | Deliver baseline overlays + schedule config design for GRAPH-INDEX-28-006; publish mock bundle + config docs so 28-007 can start. |
+| P1 | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild | Graph Indexer Guild | Unblock after 28-007; confirm change streams + retry/backoff settings. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-008 and publish location so downstream tasks can proceed. |
+| P2 | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · QA Guild | Graph Indexer Guild · QA Guild | Downstream of 28-008 data paths. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-009 and publish location so downstream tasks can proceed. |
+| P3 | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · DevOps Guild | Graph Indexer Guild · DevOps Guild | Needs outputs from 28-009; align with Offline Kit owners. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-010 and publish location so downstream tasks can proceed. |
+| 1 | GRAPH-INDEX-28-007 | BLOCKED | PREP-GRAPH-INDEX-28-006-OVERLAYS | Graph Indexer Guild · Observability Guild | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules; persist cluster ids on nodes; expose metrics. |
+| 2 | GRAPH-INDEX-28-008 | BLOCKED | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | Graph Indexer Guild | Provide incremental update & backfill pipeline with change streams, retry/backoff, idempotent ops, backlog metrics. |
+| 3 | GRAPH-INDEX-28-009 | BLOCKED | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | Graph Indexer Guild · QA Guild | Add unit/property/integration tests, synthetic large-graph fixtures, chaos tests (missing overlays, cycles), determinism checks across runs. |
+| 4 | GRAPH-INDEX-28-010 | BLOCKED | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | Graph Indexer Guild · DevOps Guild | Package deployment artefacts (Helm/Compose), offline seed bundles, configuration docs; integrate Offline Kit. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Added PREP-GRAPH-INDEX-28-006-OVERLAYS and normalized PREP IDs for 28-008/009 so dependency graph is concrete. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P0–P3 BLOCKED; overlays/mock bundle and change-stream/backfill configs are still missing, so GRAPH-INDEX-28-007..010 stay gated. | Project Mgmt |
+| 2025-11-17 | Marked tasks 28-007 through 28-010 as BLOCKED pending upstream 28-006 overlays and scanner cache availability. | Planning |
+| 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_141_graph.md; scope unchanged. | Planning |
+| 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md. | Planning |
+
+## Decisions & Risks
+- Operating on scanner surface mock bundle v1 until real caches arrive; reassess when Sprint 130.A delivers caches.
+- All tasks currently blocked until GRAPH-INDEX-28-006 overlays land; confirm delivery date and update schedule config accordingly.
+- Determinism risk for clustering approximations; require repeat-run variance checks in 28-009.
+- Ensure offline seed bundles stay in sync with AirGap feeds from Sprint 120.A.
+
+## Next Checkpoints
+- 2025-11-19 · Confirm availability/timeline for scanner surface caches. Owner: Graph Indexer Guild.
+- 2025-11-21 · Dependency check on GRAPH-INDEX-28-006 readiness with Observability Guild.
+- 2025-11-26 · Packaging/Offline Kit alignment checkpoint with DevOps Guild after 28-009 test results.

docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md

@@ -26,14 +26,21 @@
 | P5 | PREP-ORCH-OAS-61-001-ORCHESTRATOR-TELEMETRY-C | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · API Contracts Guild | Orchestrator Service Guild · API Contracts Guild | Orchestrator telemetry/contract inputs not available; wait for 150.A readiness. <br><br> Document artefact/deliverable for ORCH-OAS-61-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/orchestrator/prep/2025-11-20-oas-61-001-prep.md`. |
 | P6 | PREP-ORCH-OAS-61-002-DEPENDS-ON-61-001 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 61-001. <br><br> Document artefact/deliverable for ORCH-OAS-61-002 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/orchestrator/prep/2025-11-20-oas-61-001-prep.md`. |
 | P7 | PREP-ORCH-OAS-62-001-DEPENDS-ON-61-002 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · SDK Generator Guild | Orchestrator Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for ORCH-OAS-62-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/orchestrator/prep/2025-11-20-oas-61-001-prep.md`. |
-| P8 | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · API Governance Guild | Orchestrator Service Guild · API Governance Guild | Depends on 62-001. <br><br> Document artefact/deliverable for ORCH-OAS-63-001 and publish location so downstream tasks can proceed. |
-| P9 | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Observability Guild | Orchestrator Service Guild · Observability Guild | Telemetry Core (Sprint 0174) not yet available for orchestrator host. <br><br> Document artefact/deliverable for ORCH-OBS-50-001 and publish location so downstream tasks can proceed. |
-| P10 | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 50-001 + Telemetry schema. <br><br> Document artefact/deliverable for ORCH-OBS-51-001 and publish location so downstream tasks can proceed. |
-| P11 | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 51-001; requires event schema from Sprint 0150.A. <br><br> Document artefact/deliverable for ORCH-OBS-52-001 and publish location so downstream tasks can proceed. |
-| P12 | PREP-ORCH-OBS-53-001-DEPENDS-ON-52-001-EVIDEN | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Evidence Locker Guild | Orchestrator Service Guild · Evidence Locker Guild | Depends on 52-001; Evidence Locker capsule inputs not frozen. <br><br> Document artefact/deliverable for ORCH-OBS-53-001 and publish location so downstream tasks can proceed. |
-| P13 | PREP-ORCH-OBS-54-001-DEPENDS-ON-53-001 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Provenance Guild | Orchestrator Service Guild · Provenance Guild | Depends on 53-001. <br><br> Document artefact/deliverable for ORCH-OBS-54-001 and publish location so downstream tasks can proceed. |
-| P14 | PREP-ORCH-OBS-55-001-DEPENDS-ON-54-001-INCIDE | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 54-001; incident contract absent. <br><br> Document artefact/deliverable for ORCH-OBS-55-001 and publish location so downstream tasks can proceed. |
-| P15 | PREP-ORCH-SVC-32-001-UPSTREAM-READINESS-AIRGA | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Upstream readiness (AirGap/Scanner/Graph) not confirmed; postpone bootstrap. <br><br> Document artefact/deliverable for ORCH-SVC-32-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | DONE (2025-11-20) | Prep doc at `docs/modules/orchestrator/prep/2025-11-20-oas-63-001-prep.md`; waiting for 61/62 freeze before implementation. | Orchestrator Service Guild · API Governance Guild | Depends on 62-001. <br><br> Document artefact/deliverable for ORCH-OAS-63-001 and publish location so downstream tasks can proceed. |
+| P9 | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Observability Guild | Orchestrator Service Guild · Observability Guild | Telemetry Core (Sprint 0174) not yet available for orchestrator host. <br><br> Document artefact/deliverable for ORCH-OBS-50-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-50-001 (status → DOING) after confirming no prior DOING/DONE owners. | Planning |
+| P10 | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 50-001 + Telemetry schema. <br><br> Document artefact/deliverable for ORCH-OBS-51-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-51-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P11 | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 51-001; requires event schema from Sprint 0150.A. <br><br> Document artefact/deliverable for ORCH-OBS-52-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-52-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P12 | PREP-ORCH-OBS-53-001-DEPENDS-ON-52-001-EVIDEN | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Evidence Locker Guild | Orchestrator Service Guild · Evidence Locker Guild | Depends on 52-001; Evidence Locker capsule inputs not frozen. <br><br> Document artefact/deliverable for ORCH-OBS-53-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-53-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P13 | PREP-ORCH-OBS-54-001-DEPENDS-ON-53-001 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Provenance Guild | Orchestrator Service Guild · Provenance Guild | Depends on 53-001. <br><br> Document artefact/deliverable for ORCH-OBS-54-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-54-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P14 | PREP-ORCH-OBS-55-001-DEPENDS-ON-54-001-INCIDE | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 54-001; incident contract absent. <br><br> Document artefact/deliverable for ORCH-OBS-55-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-OBS-55-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P15 | PREP-ORCH-SVC-32-001-UPSTREAM-READINESS-AIRGA | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Upstream readiness (AirGap/Scanner/Graph) not confirmed; postpone bootstrap. <br><br> Document artefact/deliverable for ORCH-SVC-32-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-SVC-32-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
 | 1 | ORCH-AIRGAP-56-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-001-AWAIT-SPRINT-0120-A-A | Orchestrator Service Guild · AirGap Policy Guild | Enforce job descriptors to declare network intents; flag/reject external endpoints in sealed mode. |
 | 2 | ORCH-AIRGAP-56-002 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-002-UPSTREAM-56-001-BLOCK | Orchestrator Service Guild · AirGap Controller Guild | Surface sealing status and staleness in scheduling decisions; block runs when budgets exceeded. |
 | 3 | ORCH-AIRGAP-57-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-57-001-UPSTREAM-56-002-BLOCK | Orchestrator Service Guild · Mirror Creator Guild | Add job type `mirror.bundle` with audit + provenance outputs. |
@@ -41,7 +48,7 @@
 | 5 | ORCH-OAS-61-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-61-001-ORCHESTRATOR-TELEMETRY-C | Orchestrator Service Guild · API Contracts Guild | Document orchestrator endpoints in per-service OAS with pagination/idempotency/error envelope examples. |
 | 6 | ORCH-OAS-61-002 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-61-002-DEPENDS-ON-61-001 | Orchestrator Service Guild | Implement `GET /.well-known/openapi`; align version metadata with runtime build. |
 | 7 | ORCH-OAS-62-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-62-001-DEPENDS-ON-61-002 | Orchestrator Service Guild · SDK Generator Guild | Ensure SDK paginators/operations support job APIs; add SDK smoke tests for schedule/retry. |
-| 8 | ORCH-OAS-63-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | Orchestrator Service Guild · API Governance Guild | Emit deprecation headers/doc for legacy endpoints; update notifications metadata. |
+| 8 | ORCH-OAS-63-001 | TODO | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | Orchestrator Service Guild · API Governance Guild | Emit deprecation headers/doc for legacy endpoints; update notifications metadata. |
 | 9 | ORCH-OBS-50-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | Orchestrator Service Guild · Observability Guild | Wire `StellaOps.Telemetry.Core` into orchestrator host; instrument schedulers/control APIs with spans/logs/metrics. |
 | 10 | ORCH-OBS-51-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | Orchestrator Service Guild · DevOps Guild | Publish golden-signal metrics and SLOs; emit burn-rate alerts; provide Grafana dashboards + alert rules. |
 | 11 | ORCH-OBS-52-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | Orchestrator Service Guild | Emit `timeline_event` lifecycle objects with trace IDs/run IDs/tenant/project; add contract tests and Kafka/NATS emitter with retries. |
@@ -54,6 +61,8 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-20 | Published prep docs for ORCH AirGap 56/57/58 and OAS 61/62; set P1–P7 to DOING after confirming unowned. | Project Mgmt |
+| 2025-11-20 | Started PREP-ORCH-OAS-63-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| 2025-11-20 | Published prep doc for PREP-ORCH-OAS-63-001 (`docs/modules/orchestrator/prep/2025-11-20-oas-63-001-prep.md`) and marked P8 DONE; awaits OAS 61/62 freeze before implementation. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Normalised sprint doc to standard template; renamed from `SPRINT_151_orchestrator_i.md`. | Planning |
 | 2025-11-19 | Set all tasks to BLOCKED pending upstream readiness (AirGap/Scanner/Graph), Telemetry Core availability, and Orchestrator event schema; no executable work until contracts land. | Implementer |

docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md

@@ -19,9 +19,12 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-ORCH-SVC-41-101-DEPENDS-ON-38-101-ENVELO | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 38-101 envelope + DAL; cannot register pack-run without API/storage schema. <br><br> Document artefact/deliverable for ORCH-SVC-41-101 and publish location so downstream tasks can proceed. |
-| P2 | PREP-ORCH-SVC-42-101-DEPENDS-ON-41-101-PACK-R | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 41-101 pack-run plumbing and streaming contract. <br><br> Document artefact/deliverable for ORCH-SVC-42-101 and publish location so downstream tasks can proceed. |
-| P3 | PREP-ORCH-TEN-48-001-WEBSERVICE-LACKS-JOB-DAL | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | WebService lacks job DAL/routes; need tenant context plumbing before enforcement. <br><br> Document artefact/deliverable for ORCH-TEN-48-001 and publish location so downstream tasks can proceed. |
+| P1 | PREP-ORCH-SVC-41-101-DEPENDS-ON-38-101-ENVELO | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 38-101 envelope + DAL; cannot register pack-run without API/storage schema. <br><br> Document artefact/deliverable for ORCH-SVC-41-101 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-SVC-41-101 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P2 | PREP-ORCH-SVC-42-101-DEPENDS-ON-41-101-PACK-R | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 41-101 pack-run plumbing and streaming contract. <br><br> Document artefact/deliverable for ORCH-SVC-42-101 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-SVC-42-101 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
+| P3 | PREP-ORCH-TEN-48-001-WEBSERVICE-LACKS-JOB-DAL | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | WebService lacks job DAL/routes; need tenant context plumbing before enforcement. <br><br> Document artefact/deliverable for ORCH-TEN-48-001 and publish location so downstream tasks can proceed. |
+| 2025-11-20 | Started PREP-ORCH-TEN-48-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
 | 1 | ORCH-SVC-38-101 | BLOCKED | Waiting on ORCH-SVC-37-101 envelope field/semantics approval; webservice DAL still missing. | Orchestrator Service Guild | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. |
 | 2 | ORCH-SVC-41-101 | BLOCKED | PREP-ORCH-SVC-41-101-DEPENDS-ON-38-101-ENVELO | Orchestrator Service Guild | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. |
 | 3 | ORCH-SVC-42-101 | BLOCKED | PREP-ORCH-SVC-42-101-DEPENDS-ON-41-101-PACK-R | Orchestrator Service Guild | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. |

docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md

@@ -1,50 +1,50 @@
-# Sprint 0156 · Scheduling & Automation (Scheduler II)
-
-## Topic & Scope
-- Phase II for Scheduler workers: staleness monitoring, batch simulations, resolver/evaluation orchestration, and console streaming.
-- Continues after Scheduler I (0155); focuses on worker pipelines and reachability/resolver coherence.
-- Blocked until module working-directory AGENTS charter exists for `src/Scheduler`.
-- **Working directory:** src/Scheduler
-
-## Dependencies & Concurrency
-- Depends on Sprint 0155 (Scheduler I) completion and prior reachability worker (SCHED-WORKER-26-201).
-- Concurrency: share worker code paths with Scheduler I; avoid overlapping migrations until unblocked.
-
-## Documentation Prerequisites
-- docs/modules/scheduler/README.md
-- docs/modules/scheduler/architecture.md
-- docs/modules/scheduler/implementation_plan.md
-- docs/modules/platform/architecture-overview.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | BLOCKED | Due 2025-11-23 · Accountable: Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Blocked by upstream stream schema design; depends on prior resolver/eval pipeline readiness. <br><br> Document artefact/deliverable for SCHED-WORKER-CONSOLE-23-201 and publish location so downstream tasks can proceed. |
-| 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Create working-directory charter defining roles, prerequisites, determinism/testing rules, and allowed shared libs. |
-| 1 | SCHED-WORKER-26-202 | BLOCKED | Blocked by SCHED-WORKER-26-201 (reachability joiner not delivered yet). | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. |
-| 2 | SCHED-WORKER-27-301 | BLOCKED | Blocked by SCHED-WORKER-26-202. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. |
-| 3 | SCHED-WORKER-27-302 | BLOCKED | Blocked by SCHED-WORKER-27-301. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. |
-| 4 | SCHED-WORKER-27-303 | BLOCKED | Blocked by SCHED-WORKER-27-302. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. |
-| 5 | SCHED-WORKER-29-001 | BLOCKED | Blocked by SCHED-WORKER-27-303. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. |
-| 6 | SCHED-WORKER-29-002 | BLOCKED | Blocked by SCHED-WORKER-29-001. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. |
-| 7 | SCHED-WORKER-29-003 | BLOCKED | Blocked by SCHED-WORKER-29-002. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. |
-| 8 | SCHED-WORKER-CONSOLE-23-201 | BLOCKED | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. |
-| 9 | SCHED-WORKER-CONSOLE-23-202 | BLOCKED | SCHED-WORKER-CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Clarified dependency for SCHED-WORKER-CONSOLE-23-202 to point at SCHED-WORKER-CONSOLE-23-201. | Project Mgmt |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Marked PREP-SCHED-WORKER-CONSOLE-23-201 BLOCKED because upstream stream schema and resolver/eval pipeline contracts are still absent, keeping CONSOLE-23-201/202 gated. | Project Mgmt |
-| 2025-11-17 | Normalised sprint, renamed to `SPRINT_0156_0001_0002_scheduler_ii`, and marked tasks BLOCKED pending `src/Scheduler/AGENTS.md`. | Scheduler Worker Guild |
-| 2025-11-17 | Created `src/Scheduler/AGENTS.md`; unblocked tasks and reset to TODO respecting dependencies. | Scheduler Worker Guild |
-| 2025-11-18 | Marked all tasks BLOCKED awaiting upstream reachability worker (SCHED-WORKER-26-201) and subsequent contract handoffs (Policy activation events, stream schema). | Scheduler Worker Guild |
-
-## Decisions & Risks
-- Module-level AGENTS charter now present at `src/Scheduler/AGENTS.md`.
-- GraphJobs accessibility issue (`IGraphJobStore.UpdateAsync`) may block validation once work begins.
-- All Scheduler II tasks blocked until reachability joiner (SCHED-WORKER-26-201) and Policy activation event/stream schemas land; no implementation work can proceed yet.
-
-## Next Checkpoints
-- None scheduled; add once AGENTS charter is published and blocking issues cleared.
+# Sprint 0156 · Scheduling & Automation (Scheduler II)
+
+## Topic & Scope
+- Phase II for Scheduler workers: staleness monitoring, batch simulations, resolver/evaluation orchestration, and console streaming.
+- Continues after Scheduler I (0155); focuses on worker pipelines and reachability/resolver coherence.
+- Blocked until module working-directory AGENTS charter exists for `src/Scheduler`.
+- **Working directory:** src/Scheduler
+
+## Dependencies & Concurrency
+- Depends on Sprint 0155 (Scheduler I) completion and prior reachability worker (SCHED-WORKER-26-201).
+- Concurrency: share worker code paths with Scheduler I; avoid overlapping migrations until unblocked.
+
+## Documentation Prerequisites
+- docs/modules/scheduler/README.md
+- docs/modules/scheduler/architecture.md
+- docs/modules/scheduler/implementation_plan.md
+- docs/modules/platform/architecture-overview.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | BLOCKED | Due 2025-11-23 · Accountable: Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Blocked by upstream stream schema design; depends on prior resolver/eval pipeline readiness. <br><br> Document artefact/deliverable for SCHED-WORKER-CONSOLE-23-201 and publish location so downstream tasks can proceed. |
+| 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Create working-directory charter defining roles, prerequisites, determinism/testing rules, and allowed shared libs. |
+| 1 | SCHED-WORKER-26-202 | BLOCKED | Blocked by SCHED-WORKER-26-201 (reachability joiner not delivered yet). | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. |
+| 2 | SCHED-WORKER-27-301 | BLOCKED | Blocked by SCHED-WORKER-26-202. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. |
+| 3 | SCHED-WORKER-27-302 | BLOCKED | Blocked by SCHED-WORKER-27-301. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. |
+| 4 | SCHED-WORKER-27-303 | BLOCKED | Blocked by SCHED-WORKER-27-302. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. |
+| 5 | SCHED-WORKER-29-001 | BLOCKED | Blocked by SCHED-WORKER-27-303. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. |
+| 6 | SCHED-WORKER-29-002 | BLOCKED | Blocked by SCHED-WORKER-29-001. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. |
+| 7 | SCHED-WORKER-29-003 | BLOCKED | Blocked by SCHED-WORKER-29-002. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. |
+| 8 | SCHED-WORKER-CONSOLE-23-201 | BLOCKED | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. |
+| 9 | SCHED-WORKER-CONSOLE-23-202 | BLOCKED | SCHED-WORKER-CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Clarified dependency for SCHED-WORKER-CONSOLE-23-202 to point at SCHED-WORKER-CONSOLE-23-201. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP-SCHED-WORKER-CONSOLE-23-201 BLOCKED because upstream stream schema and resolver/eval pipeline contracts are still absent, keeping CONSOLE-23-201/202 gated. | Project Mgmt |
+| 2025-11-17 | Normalised sprint, renamed to `SPRINT_0156_0001_0002_scheduler_ii`, and marked tasks BLOCKED pending `src/Scheduler/AGENTS.md`. | Scheduler Worker Guild |
+| 2025-11-17 | Created `src/Scheduler/AGENTS.md`; unblocked tasks and reset to TODO respecting dependencies. | Scheduler Worker Guild |
+| 2025-11-18 | Marked all tasks BLOCKED awaiting upstream reachability worker (SCHED-WORKER-26-201) and subsequent contract handoffs (Policy activation events, stream schema). | Scheduler Worker Guild |
+
+## Decisions & Risks
+- Module-level AGENTS charter now present at `src/Scheduler/AGENTS.md`.
+- GraphJobs accessibility issue (`IGraphJobStore.UpdateAsync`) may block validation once work begins.
+- All Scheduler II tasks blocked until reachability joiner (SCHED-WORKER-26-201) and Policy activation event/stream schemas land; no implementation work can proceed yet.
+
+## Next Checkpoints
+- None scheduled; add once AGENTS charter is published and blocking issues cleared.

docs/implplan/SPRINT_0160_0001_0001_export_evidence.md

@@ -1,183 +1,185 @@
-# Sprint 0160_0001_0001 · Export & Evidence
-
-## Topic & Scope
-- Snapshot coordination for export & evidence tracks (EvidenceLocker, ExportCenter, TimelineIndexer); active backlog continues in Sprint 161+.
-- Ensure bundle formats, crypto routing, and ingestion schemas freeze before downstream sprints move to DOING; completed work is archived in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
-- Working directory: `docs/implplan` (cross-module coordination spanning EvidenceLocker, ExportCenter, TimelineIndexer artefacts).
-- Evidence of completion: refreshed coordination snapshot, normalized sprint structure, and links to module trackers.
-
-## Dependencies & Concurrency
-- Depends on AdvisoryAI evidence schema (Sprint 110.A), Orchestrator/Notifications envelopes (Sprint 150.A/140), and crypto-routing audit outcomes (2025-11-07) before DOING can start.
-- Runs in parallel with module sprints 161/162/165; no code convergence expected here, but gating contracts must be frozen first.
-- Interlocks & readiness signals are tracked in the table below; concurrency with other CC-decade sprints is safe once those signals turn green.
-
-## Documentation Prerequisites
-- `docs/modules/evidence-locker/architecture.md`, `docs/modules/evidence-locker/bundle-packaging.md`, `docs/modules/evidence-locker/incident-mode.md`
-- `docs/modules/export-center/architecture.md`, `docs/modules/attestor/airgap.md`
-- `docs/modules/timelineindexer/architecture.md` (if present) and Postgres/RLS runbooks
-- `docs/security/crypto-routing-audit-2025-11-07.md`
-- `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
-- `docs/events/orchestrator-scanner-events.md`
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | TODO | Due 2025-11-23 · Accountable: Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. | BLOCKED (2025-11-17). <br><br> Document artefact/deliverable for Evidence Locker Guild · Security Guild · Docs Guild, Exporter Service Guild · Mirror Creator Guild · DevOps Guild, Timeline Indexer Guild · Evidence Locker Guild · Security Guild and publish location so downstream tasks can proceed. |
-| P2 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | TODO | Due 2025-11-23 · Accountable: Planning | Planning | MISSED; escalate to Wave 150/140 leads and record new ETA; keep tasks BLOCKED. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) and publish location so downstream tasks can proceed. |
-| P3 | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR | TODO | Due 2025-11-23 · Accountable: Planning | Planning | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. <br><br> Document artefact/deliverable for Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) and publish location so downstream tasks can proceed. |
-| P4 | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 | DONE (2025-11-19) | Due 2025-11-23 · Accountable: Planning | Planning | Escalation sent to Wave 150/140 leads; awaiting new ETAs recorded in Sprint 110/150/140. |
-| 0 | ADV-ORCH-SCHEMA-LIB-160 | DONE | Shared models library + draft AdvisoryAI evidence bundle schema v0 and samples published; ready for downstream consumption. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package exposing capsule/manifest models; add schema fixtures and changelog so downstream sprints can consume the standard. |
-| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
-| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; cannot freeze ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
-| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on TIMELINE-OBS-52-001 digest references; schemas available. Prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
-| 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
-
-### Wave Coordination
-| Wave | Guild owners | Shared prerequisites | Status | Notes |
-| --- | --- | --- | --- | --- |
-| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
-| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
-| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Awaiting OBS-52-001 schema update and digest references. |
-
-## Wave Detail Snapshots & Next Actions
-
-### 160.A EvidenceLocker
-- Detail trackers: [SPRINT_0161_0001_0001_evidencelocker.md](./SPRINT_0161_0001_0001_evidencelocker.md) and [SPRINT_187_evidence_locker_cli_integration.md](./SPRINT_187_evidence_locker_cli_integration.md).
-- Task radar (all TODO as of 2025-11-12):
-  - `EVID-REPLAY-187-001` — Replay bundle ingestion/retention APIs + storage policy (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`).
-  - `RUNBOOK-REPLAY-187-004` & `CLI-REPLAY-187-002` — CLI + ops readiness for replay bundles (`docs/runbooks/replay_ops.md`, CLI module).
-  - `EVID-CRYPTO-90-001` — Sovereign crypto routing via `ICryptoProviderRegistry`/`ICryptoHash` per `docs/security/crypto-routing-audit-2025-11-07.md`.
-- Contracts: bundle packaging + DSSE layout (`docs/modules/evidence-locker/bundle-packaging.md`, `EVID-OBS-54-002`); portable/incident modes in `docs/modules/evidence-locker/incident-mode.md`.
-- Gating dependencies: orchestrator capsule schema, AdvisoryAI payload notes, and replay ledger rules (`docs/replay/DETERMINISTIC_REPLAY.md`).
-- Ready-to-start checklist: finalize ingest schema deltas, stage Replay Ledger ops drills, and publish API surface summary into Sprint 161 before DOING.
-
-#### EvidenceLocker task snapshot (2025-11-12)
-| Task ID | Scope | State | Notes / Owners |
-| --- | --- | --- | --- |
-| EVID-REPLAY-187-001 | Replay bundle ingestion + retention APIs | TODO | Evidence Locker Guild · docs/modules/evidence-locker/architecture.md |
-| CLI-REPLAY-187-002 | CLI record/verify/replay UX | TODO | CLI Guild · `docs/modules/cli/architecture.md` |
-| RUNBOOK-REPLAY-187-004 | Replay ops runbook + drills | TODO | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` |
-| EVID-CRYPTO-90-001 | Sovereign crypto routing | TODO | Evidence Locker + Security Guilds · `ICryptoProviderRegistry` integration |
-
-### 160.B ExportCenter
-- Detail trackers: [SPRINT_0162_0001_0001_exportcenter_i.md](./SPRINT_0162_0001_0001_exportcenter_i.md) and [SPRINT_0163_0001_0001_exportcenter_ii.md](./SPRINT_0163_0001_0001_exportcenter_ii.md).
-- Task radar highlights:
-  - Mirror & bootstrap: `EXPORT-AIRGAP-56-001/002/003/004/005`, `EXPORT-AIRGAP-57-001`, `EXPORT-AIRGAP-58-001`.
-  - Attestation bundles: `EXPORT-ATTEST-74-001/002`, `EXPORT-ATTEST-75-001/002` (jobs, CI/offline, CLI verify/import; see `docs/modules/attestor/airgap.md`).
-  - API/OAS: `EXPORT-OAS-61-001/002`, `EXPORT-OAS-62-001`, `EXPORT-OAS-63-001` — refreshed OpenAPI, discovery, SDK, deprecation headers.
-  - Service/observability: `EXPORT-SVC-35-001…005`, `EXPORT-OBS-50/51/52`, `EXPORT-CRYPTO-90-001` for crypto parity with EvidenceLocker.
-- Dependencies: EvidenceLocker contracts + DSSE proofs; orchestrator events + Scheduler readiness; crypto routing aligned with `docs/security/crypto-routing-audit-2025-11-07.md`.
-- Ready-to-start checklist: freeze sealed bundle spec, reconcile crypto provider matrix with RootPack deployments, and prep DevPortal verification CLI scaffolding (`DVOFF-64-002`).
-
-#### ExportCenter task snapshot (2025-11-12)
-| Task ID | Scope | State | Notes / Owners |
-| --- | --- | --- | --- |
-| DVOFF-64-002 | DevPortal bundle verification CLI | TODO | DevPortal Offline + AirGap Controller Guilds |
-| EXPORT-AIRGAP-56-001/002 | Mirror bundle + bootstrap pack profiles | TODO | Exporter + Mirror Creator + DevOps Guilds |
-| EXPORT-AIRGAP-57-001 | Portable evidence export mode | TODO | Exporter Service + Evidence Locker Guild |
-| EXPORT-AIRGAP-58-001 | Notifications for portable export | TODO | Exporter Service + Notifications Guild |
-| EXPORT-ATTEST-74-001/002 | Attestation bundle job + CI integration | TODO | Attestation Bundle + Exporter Guilds |
-| EXPORT-ATTEST-75-001/002 | CLI verify/import + offline kit integration | TODO | Attestation Bundle + CLI + Exporter Guilds |
-| EXPORT-OAS-61/62/63 | OpenAPI refresh, discovery, SDK + deprecation headers | TODO | Exporter Service + API Governance + SDK Guilds |
-| EXPORT-CRYPTO-90-001 | Sovereign crypto routing | TODO | Exporter Service + Security Guilds |
-
-### 160.C TimelineIndexer
-- Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
-- Task radar:
-  - `TIMELINE-OBS-52-001` — service bootstrap + Postgres migrations with deterministic scripts and RLS scaffolding.
-  - `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
-  - `TIMELINE-OBS-52-003` — REST/gRPC APIs with filtering/pagination + OpenAPI contracts.
-  - `TIMELINE-OBS-52-004` — finalize RLS, scope checks, audit logging, legal hold enforcement tests.
-  - `TIMELINE-OBS-53-001` — evidence linkage endpoint returning signed manifest references.
-- Dependencies: orchestrator/notifications event schemas and EvidenceLocker digest references must land before Postgres migrations can be frozen; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
-- Ready-to-start checklist: secure event schema package, stage Postgres migration plan (incl. RLS policies) for review, align ingest ordering semantics with Scheduler/ExportCenter cadence.
-
-#### TimelineIndexer task snapshot (2025-11-12)
-| Task ID | Scope | State | Notes / Owners |
-| --- | --- | --- | --- |
-| TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | TODO | Timeline Indexer Guild |
-| TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | TODO | Timeline Indexer Guild |
-| TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | TODO | Timeline Indexer Guild |
-| TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | TODO | Timeline Indexer + Security Guilds |
-| TIMELINE-OBS-53-001 | Evidence linkage endpoint | TODO | Timeline Indexer + Evidence Locker Guilds |
-
-## Interlocks & Readiness Signals
-| Dependency | Owner / Source | Impacts | Status / Next signal |
-| --- | --- | --- | --- |
-| Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE (was due 2025-11-15); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
-| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE (was due 2025-11-14); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
-| Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
-| Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Audit published 2025-11-07; wire `ICryptoProviderRegistry` before enabling sovereign profiles. Readiness review on 2025-11-18. |
-| DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; keep `stella devportal verify bundle.tgz` ready once bundle contracts are signed. |
-
-## Upcoming Checkpoints (UTC)
-| Date | Session / Owner | Target outcome | Fallback / Escalation |
-| --- | --- | --- | --- |
-| 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | MISSED; reschedule immediately and log in Sprint 110 + this sprint. |
-| 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF |
-| 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
-| 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
-| 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR |
-
-## Action Tracker
-| Wave | Immediate action | Owner(s) | Due | Status |
-| --- | --- | --- | --- | --- |
-| 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_0161_0001_0001_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | OVERDUE (schemas not delivered) |
-| 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the Nov-18 review. | Evidence Locker Guild · Security Guild | 2025-11-17 | OVERDUE (awaiting Security design feedback) |
-| 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-11-18 | Pending |
-| 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-11-19 | In progress (design draft shared; waiting on bundle schema) |
-| 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-11-20 | Pending |
-| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Nov-18 review. | Exporter Service Guild · Security Guild | 2025-11-18 | Pending |
-| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | Pending |
-| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
-| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
-| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
-| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
-| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
-
-## Decisions & Risks
-| Item | Status / Decision | Notes |
-| --- | --- | --- |
-| Naming & template alignment | DONE (2025-11-17) | File renamed to `SPRINT_0160_0001_0001_export_evidence.md` and normalized to standard sprint template. |
-| AdvisoryAI schema freeze | BLOCKED | Must land before EvidenceLocker/ExportCenter DOING moves; track in Interlocks and Sprint 110. |
-| Orchestrator/Notifications envelopes | BLOCKED | Required for EvidenceLocker ingest, ExportCenter notifications, and TimelineIndexer ordering. |
-| Crypto routing design readiness | BLOCKED | Await 2025-11-18 review to green-light `ICryptoProviderRegistry` wiring (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`). |
-| Risks | See table below | Retained from prior snapshot. |
-| AGENTS.md for docs/implplan | DONE | `docs/implplan/AGENTS.md` added (2025-11-17); read before editing sprint docs. |
-| AdvisoryAI schema checkpoint (2025-11-14) | OVERDUE | Reschedule required; tracked via `ESCALATE-ADV-AI-SCHEMA` action. |
-| Orchestrator/Notifications checkpoint (2025-11-15) | OVERDUE | Reschedule required; tracked via `ESCALATE-ORCH-ENVELOPE` action. |
-| Escalation responses | PENDING | Awaiting ETA confirmations from AdvisoryAI and Orchestrator/Notifications leads; follow-up due 2025-11-19 if no response. |
-
-### Risk table
-| Risk | Impacted wave(s) | Severity | Mitigation / Owner |
-| --- | --- | --- | --- |
-| AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
-| Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 |
-| Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Medium | Security Guild to publish `ICryptoProviderRegistry` reference implementation; Evidence/Export guilds to nominate fallback providers per profile. |
-| DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
-| TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Medium | Timeline Indexer Guild to share migration plan with Security/Compliance for async review; unblock coding by securing written approval in sprint doc. |
-
-## Execution Log
+# Sprint 0160_0001_0001 · Export & Evidence
+
+## Topic & Scope
+- Snapshot coordination for export & evidence tracks (EvidenceLocker, ExportCenter, TimelineIndexer); active backlog continues in Sprint 161+.
+- Ensure bundle formats, crypto routing, and ingestion schemas freeze before downstream sprints move to DOING; completed work is archived in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
+- Working directory: `docs/implplan` (cross-module coordination spanning EvidenceLocker, ExportCenter, TimelineIndexer artefacts).
+- Evidence of completion: refreshed coordination snapshot, normalized sprint structure, and links to module trackers.
+
+## Dependencies & Concurrency
+- Depends on AdvisoryAI evidence schema (Sprint 110.A), Orchestrator/Notifications envelopes (Sprint 150.A/140), and crypto-routing audit outcomes (2025-11-07) before DOING can start.
+- Runs in parallel with module sprints 161/162/165; no code convergence expected here, but gating contracts must be frozen first.
+- Interlocks & readiness signals are tracked in the table below; concurrency with other CC-decade sprints is safe once those signals turn green.
+
+## Documentation Prerequisites
+- `docs/modules/evidence-locker/architecture.md`, `docs/modules/evidence-locker/bundle-packaging.md`, `docs/modules/evidence-locker/incident-mode.md`
+- `docs/modules/export-center/architecture.md`, `docs/modules/attestor/airgap.md`
+- `docs/modules/timelineindexer/architecture.md` (if present) and Postgres/RLS runbooks
+- `docs/security/crypto-routing-audit-2025-11-07.md`
+- `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
+- `docs/events/orchestrator-scanner-events.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | DONE (2025-11-20) | Prep note published at `docs/modules/evidence-locker/prep/2025-11-20-security-coordination.md`. | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. | BLOCKED (2025-11-17). <br><br> Document artefact/deliverable for Evidence Locker Guild · Security Guild · Docs Guild, Exporter Service Guild · Mirror Creator Guild · DevOps Guild, Timeline Indexer Guild · Evidence Locker Guild · Security Guild and publish location so downstream tasks can proceed. |
+| P2 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | DONE (2025-11-20) | Prep note published at `docs/events/prep/2025-11-20-orchestrator-notifications-schema-handoff.md`. | Planning | MISSED; escalate to Wave 150/140 leads and record new ETA; keep tasks BLOCKED. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) and publish location so downstream tasks can proceed. |
+| P3 | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR | DONE (2025-11-20) | Prep note published at `docs/events/prep/2025-11-20-advisoryai-orchestrator-followup.md`. | Planning | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. <br><br> Document artefact/deliverable for Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) and publish location so downstream tasks can proceed. |
+| P4 | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 | DONE (2025-11-19) | Due 2025-11-23 · Accountable: Planning | Planning | Escalation sent to Wave 150/140 leads; awaiting new ETAs recorded in Sprint 110/150/140. |
+| 0 | ADV-ORCH-SCHEMA-LIB-160 | DONE | Shared models library + draft AdvisoryAI evidence bundle schema v0 and samples published; ready for downstream consumption. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package exposing capsule/manifest models; add schema fixtures and changelog so downstream sprints can consume the standard. |
+| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
+| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; cannot freeze ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
+| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on TIMELINE-OBS-52-001 digest references; schemas available. Prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
+| 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
+
+### Wave Coordination
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
+| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
+| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Awaiting OBS-52-001 schema update and digest references. |
+
+## Wave Detail Snapshots & Next Actions
+
+### 160.A EvidenceLocker
+- Detail trackers: [SPRINT_0161_0001_0001_evidencelocker.md](./SPRINT_0161_0001_0001_evidencelocker.md) and [SPRINT_187_evidence_locker_cli_integration.md](./SPRINT_187_evidence_locker_cli_integration.md).
+- Task radar (all TODO as of 2025-11-12):
+  - `EVID-REPLAY-187-001` — Replay bundle ingestion/retention APIs + storage policy (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`).
+  - `RUNBOOK-REPLAY-187-004` & `CLI-REPLAY-187-002` — CLI + ops readiness for replay bundles (`docs/runbooks/replay_ops.md`, CLI module).
+  - `EVID-CRYPTO-90-001` — Sovereign crypto routing via `ICryptoProviderRegistry`/`ICryptoHash` per `docs/security/crypto-routing-audit-2025-11-07.md`.
+- Contracts: bundle packaging + DSSE layout (`docs/modules/evidence-locker/bundle-packaging.md`, `EVID-OBS-54-002`); portable/incident modes in `docs/modules/evidence-locker/incident-mode.md`.
+- Gating dependencies: orchestrator capsule schema, AdvisoryAI payload notes, and replay ledger rules (`docs/replay/DETERMINISTIC_REPLAY.md`).
+- Ready-to-start checklist: finalize ingest schema deltas, stage Replay Ledger ops drills, and publish API surface summary into Sprint 161 before DOING.
+
+#### EvidenceLocker task snapshot (2025-11-12)
+| Task ID | Scope | State | Notes / Owners |
+| --- | --- | --- | --- |
+| EVID-REPLAY-187-001 | Replay bundle ingestion + retention APIs | TODO | Evidence Locker Guild · docs/modules/evidence-locker/architecture.md |
+| CLI-REPLAY-187-002 | CLI record/verify/replay UX | TODO | CLI Guild · `docs/modules/cli/architecture.md` |
+| RUNBOOK-REPLAY-187-004 | Replay ops runbook + drills | TODO | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` |
+| EVID-CRYPTO-90-001 | Sovereign crypto routing | TODO | Evidence Locker + Security Guilds · `ICryptoProviderRegistry` integration |
+
+### 160.B ExportCenter
+- Detail trackers: [SPRINT_0162_0001_0001_exportcenter_i.md](./SPRINT_0162_0001_0001_exportcenter_i.md) and [SPRINT_0163_0001_0001_exportcenter_ii.md](./SPRINT_0163_0001_0001_exportcenter_ii.md).
+- Task radar highlights:
+  - Mirror & bootstrap: `EXPORT-AIRGAP-56-001/002/003/004/005`, `EXPORT-AIRGAP-57-001`, `EXPORT-AIRGAP-58-001`.
+  - Attestation bundles: `EXPORT-ATTEST-74-001/002`, `EXPORT-ATTEST-75-001/002` (jobs, CI/offline, CLI verify/import; see `docs/modules/attestor/airgap.md`).
+  - API/OAS: `EXPORT-OAS-61-001/002`, `EXPORT-OAS-62-001`, `EXPORT-OAS-63-001` — refreshed OpenAPI, discovery, SDK, deprecation headers.
+  - Service/observability: `EXPORT-SVC-35-001…005`, `EXPORT-OBS-50/51/52`, `EXPORT-CRYPTO-90-001` for crypto parity with EvidenceLocker.
+- Dependencies: EvidenceLocker contracts + DSSE proofs; orchestrator events + Scheduler readiness; crypto routing aligned with `docs/security/crypto-routing-audit-2025-11-07.md`.
+- Ready-to-start checklist: freeze sealed bundle spec, reconcile crypto provider matrix with RootPack deployments, and prep DevPortal verification CLI scaffolding (`DVOFF-64-002`).
+
+#### ExportCenter task snapshot (2025-11-12)
+| Task ID | Scope | State | Notes / Owners |
+| --- | --- | --- | --- |
+| DVOFF-64-002 | DevPortal bundle verification CLI | TODO | DevPortal Offline + AirGap Controller Guilds |
+| EXPORT-AIRGAP-56-001/002 | Mirror bundle + bootstrap pack profiles | TODO | Exporter + Mirror Creator + DevOps Guilds |
+| EXPORT-AIRGAP-57-001 | Portable evidence export mode | TODO | Exporter Service + Evidence Locker Guild |
+| EXPORT-AIRGAP-58-001 | Notifications for portable export | TODO | Exporter Service + Notifications Guild |
+| EXPORT-ATTEST-74-001/002 | Attestation bundle job + CI integration | TODO | Attestation Bundle + Exporter Guilds |
+| EXPORT-ATTEST-75-001/002 | CLI verify/import + offline kit integration | TODO | Attestation Bundle + CLI + Exporter Guilds |
+| EXPORT-OAS-61/62/63 | OpenAPI refresh, discovery, SDK + deprecation headers | TODO | Exporter Service + API Governance + SDK Guilds |
+| EXPORT-CRYPTO-90-001 | Sovereign crypto routing | TODO | Exporter Service + Security Guilds |
+
+### 160.C TimelineIndexer
+- Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
+- Task radar:
+  - `TIMELINE-OBS-52-001` — service bootstrap + Postgres migrations with deterministic scripts and RLS scaffolding.
+  - `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
+  - `TIMELINE-OBS-52-003` — REST/gRPC APIs with filtering/pagination + OpenAPI contracts.
+  - `TIMELINE-OBS-52-004` — finalize RLS, scope checks, audit logging, legal hold enforcement tests.
+  - `TIMELINE-OBS-53-001` — evidence linkage endpoint returning signed manifest references.
+- Dependencies: orchestrator/notifications event schemas and EvidenceLocker digest references must land before Postgres migrations can be frozen; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
+- Ready-to-start checklist: secure event schema package, stage Postgres migration plan (incl. RLS policies) for review, align ingest ordering semantics with Scheduler/ExportCenter cadence.
+
+#### TimelineIndexer task snapshot (2025-11-12)
+| Task ID | Scope | State | Notes / Owners |
+| --- | --- | --- | --- |
+| TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | TODO | Timeline Indexer Guild |
+| TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | TODO | Timeline Indexer Guild |
+| TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | TODO | Timeline Indexer Guild |
+| TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | TODO | Timeline Indexer + Security Guilds |
+| TIMELINE-OBS-53-001 | Evidence linkage endpoint | TODO | Timeline Indexer + Evidence Locker Guilds |
+
+## Interlocks & Readiness Signals
+| Dependency | Owner / Source | Impacts | Status / Next signal |
+| --- | --- | --- | --- |
+| Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE (was due 2025-11-15); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
+| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE (was due 2025-11-14); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
+| Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
+| Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Audit published 2025-11-07; wire `ICryptoProviderRegistry` before enabling sovereign profiles. Readiness review on 2025-11-18. |
+| DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; keep `stella devportal verify bundle.tgz` ready once bundle contracts are signed. |
+
+## Upcoming Checkpoints (UTC)
+| Date | Session / Owner | Target outcome | Fallback / Escalation |
+| --- | --- | --- | --- |
+| 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | MISSED; reschedule immediately and log in Sprint 110 + this sprint. |
+| 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF |
+| 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
+| 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
+| 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR |
+
+## Action Tracker
+| Wave | Immediate action | Owner(s) | Due | Status |
+| --- | --- | --- | --- | --- |
+| 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_0161_0001_0001_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | OVERDUE (schemas not delivered) |
+| 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the Nov-18 review. | Evidence Locker Guild · Security Guild | 2025-11-17 | OVERDUE (awaiting Security design feedback) |
+| 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-11-18 | Pending |
+| 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-11-19 | In progress (design draft shared; waiting on bundle schema) |
+| 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-11-20 | Pending |
+| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Nov-18 review. | Exporter Service Guild · Security Guild | 2025-11-18 | Pending |
+| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | Pending |
+| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
+| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
+| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
+| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
+| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
+
+## Decisions & Risks
+| Item | Status / Decision | Notes |
+| --- | --- | --- |
+| Naming & template alignment | DONE (2025-11-17) | File renamed to `SPRINT_0160_0001_0001_export_evidence.md` and normalized to standard sprint template. |
+| AdvisoryAI schema freeze | BLOCKED | Must land before EvidenceLocker/ExportCenter DOING moves; track in Interlocks and Sprint 110. |
+| Orchestrator/Notifications envelopes | BLOCKED | Required for EvidenceLocker ingest, ExportCenter notifications, and TimelineIndexer ordering. |
+| Crypto routing design readiness | BLOCKED | Await 2025-11-18 review to green-light `ICryptoProviderRegistry` wiring (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`). |
+| Risks | See table below | Retained from prior snapshot. |
+| AGENTS.md for docs/implplan | DONE | `docs/implplan/AGENTS.md` added (2025-11-17); read before editing sprint docs. |
+| AdvisoryAI schema checkpoint (2025-11-14) | OVERDUE | Reschedule required; tracked via `ESCALATE-ADV-AI-SCHEMA` action. |
+| Orchestrator/Notifications checkpoint (2025-11-15) | OVERDUE | Reschedule required; tracked via `ESCALATE-ORCH-ENVELOPE` action. |
+| Escalation responses | PENDING | Awaiting ETA confirmations from AdvisoryAI and Orchestrator/Notifications leads; follow-up due 2025-11-19 if no response. |
+
+### Risk table
+| Risk | Impacted wave(s) | Severity | Mitigation / Owner |
+| --- | --- | --- | --- |
+| AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
+| Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 |
+| Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Medium | Security Guild to publish `ICryptoProviderRegistry` reference implementation; Evidence/Export guilds to nominate fallback providers per profile. |
+| DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
+| TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Medium | Timeline Indexer Guild to share migration plan with Security/Compliance for async review; unblock coding by securing written approval in sprint doc. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Confirmed PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF and PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR still unclaimed; moved both to DOING to proceed with Wave 150/140 escalations. | Planning |
+| 2025-11-20 | Published prep artefacts for P1–P3: security coordination (`docs/modules/evidence-locker/prep/2025-11-20-security-coordination.md`), orchestrator/notifications handoff (`docs/events/prep/2025-11-20-orchestrator-notifications-schema-handoff.md`), and escalation follow-up (`docs/events/prep/2025-11-20-advisoryai-orchestrator-followup.md`). Marked P1–P3 DONE. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-19 | Updated 160.C TimelineIndexer snapshot dependency to TIMELINE-OBS-52-001 (matches Sprint 165 tracker). | Project Mgmt |
-| 2025-11-12 | Snapshot refreshed; all Export & Evidence waves remain BLOCKED pending orchestrator capsule data, AdvisoryAI bundle schemas, and EvidenceLocker contracts. Re-evaluate after 2025-11-15 handoff. | Planning |
-| 2025-11-12 | Added checkpoint calendar, action tracker, and risk table to keep Wave 160 aligned while dependencies stabilize. | Planning |
-| 2025-11-17 | Normalized sprint to standard template and renamed from `SPRINT_160_export_evidence.md` to `SPRINT_0160_0001_0001_export_evidence.md`; no semantic changes to tasks. | Project PM |
-| 2025-11-17 | Set Delivery Tracker and Wave statuses to BLOCKED pending schemas/crypto review; logged missing `docs/implplan/AGENTS.md` as blocker and added action item `AGENTS-implplan`. | Implementer |
-| 2025-11-17 | Created `docs/implplan/AGENTS.md`; marked AGENTS-implplan DONE and updated Decisions & Risks accordingly. | Implementer |
-| 2025-11-17 | Marked AdvisoryAI (2025-11-14) and Orchestrator/Notifications (2025-11-15) checkpoints as missed; escalations required; action items now OVERDUE. | Implementer |
-| 2025-11-18 | Added escalation actions `ESCALATE-ADV-AI-SCHEMA` and `ESCALATE-ORCH-ENVELOPE` to track overdue schema drops. | Implementer |
-| 2025-11-18 | Started escalations for AdvisoryAI schema and Orchestrator envelopes; awaiting new ETAs from respective guilds. | Implementer |
-| 2025-11-18 | Sent escalation pings to AdvisoryAI and Orchestrator/Notifications leads; awaiting ETA confirmation (tracked in Action Tracker). | Implementer |
-| 2025-11-18 | Updated Interlocks with “escalation sent” notes and follow-up date (2025-11-19). | Implementer |
-| 2025-11-18 | Added blocker task ADV-ORCH-SCHEMA-LIB-160 and marked snapshots explicitly blocked on shared schema library drop. | Project PM |
-| 2025-11-18 | Set ADV-ORCH-SCHEMA-LIB-160 to DOING; drafting shared models package for AdvisoryAI/Orchestrator envelopes. | Implementer |
-| 2025-11-18 | Published `src/__Libraries/StellaOps.Orchestrator.Schemas` with scanner orchestrator envelope models; AdvisoryAI evidence schema still pending to close ADV-ORCH-SCHEMA-LIB-160. | Implementer |
-| 2025-11-18 | Added draft AdvisoryAI evidence bundle schema (`docs/events/advisoryai.evidence.bundle@0.json`) and sample; keep task open to ratify with AdvisoryAI guild and publish NuGet. | Implementer |
-| 2025-11-18 | Flipped ADV-ORCH-SCHEMA-LIB-160 to DONE; moved 160.A/B to DOING using delivered schema/models. | Implementer |
-| 2025-11-19 | Marked 160.A and 160.B BLOCKED pending AdvisoryAI payload notes and Orchestrator/Notifications envelopes; cannot publish snapshots yet. | Implementer |
-| 2025-11-19 | Sent escalations for AdvisoryAI schema and Orchestrator/Notifications envelopes; marked ESCALATE-ADV-AI-SCHEMA, ESCALATE-ORCH-ENVELOPE, and PREP-160-A/B/C-ESCALATE as DONE. Await ETAs from owners. | Implementer |
-| 2025-11-18 | Started 160.A/160.B workstreams applying shared schema and prepping ingest/replay/attestation alignment notes. | Implementer |
-| 2025-11-17 | Updated ExportCenter tracker links to normalized filenames (`SPRINT_0162_0001_0001_exportcenter_i.md`, `SPRINT_0163_0001_0001_exportcenter_ii.md`). | Implementer |
+| 2025-11-19 | Updated 160.C TimelineIndexer snapshot dependency to TIMELINE-OBS-52-001 (matches Sprint 165 tracker). | Project Mgmt |
+| 2025-11-12 | Snapshot refreshed; all Export & Evidence waves remain BLOCKED pending orchestrator capsule data, AdvisoryAI bundle schemas, and EvidenceLocker contracts. Re-evaluate after 2025-11-15 handoff. | Planning |
+| 2025-11-12 | Added checkpoint calendar, action tracker, and risk table to keep Wave 160 aligned while dependencies stabilize. | Planning |
+| 2025-11-17 | Normalized sprint to standard template and renamed from `SPRINT_160_export_evidence.md` to `SPRINT_0160_0001_0001_export_evidence.md`; no semantic changes to tasks. | Project PM |
+| 2025-11-17 | Set Delivery Tracker and Wave statuses to BLOCKED pending schemas/crypto review; logged missing `docs/implplan/AGENTS.md` as blocker and added action item `AGENTS-implplan`. | Implementer |
+| 2025-11-17 | Created `docs/implplan/AGENTS.md`; marked AGENTS-implplan DONE and updated Decisions & Risks accordingly. | Implementer |
+| 2025-11-17 | Marked AdvisoryAI (2025-11-14) and Orchestrator/Notifications (2025-11-15) checkpoints as missed; escalations required; action items now OVERDUE. | Implementer |
+| 2025-11-18 | Added escalation actions `ESCALATE-ADV-AI-SCHEMA` and `ESCALATE-ORCH-ENVELOPE` to track overdue schema drops. | Implementer |
+| 2025-11-18 | Started escalations for AdvisoryAI schema and Orchestrator envelopes; awaiting new ETAs from respective guilds. | Implementer |
+| 2025-11-18 | Sent escalation pings to AdvisoryAI and Orchestrator/Notifications leads; awaiting ETA confirmation (tracked in Action Tracker). | Implementer |
+| 2025-11-18 | Updated Interlocks with “escalation sent” notes and follow-up date (2025-11-19). | Implementer |
+| 2025-11-18 | Added blocker task ADV-ORCH-SCHEMA-LIB-160 and marked snapshots explicitly blocked on shared schema library drop. | Project PM |
+| 2025-11-18 | Set ADV-ORCH-SCHEMA-LIB-160 to DOING; drafting shared models package for AdvisoryAI/Orchestrator envelopes. | Implementer |
+| 2025-11-18 | Published `src/__Libraries/StellaOps.Orchestrator.Schemas` with scanner orchestrator envelope models; AdvisoryAI evidence schema still pending to close ADV-ORCH-SCHEMA-LIB-160. | Implementer |
+| 2025-11-18 | Added draft AdvisoryAI evidence bundle schema (`docs/events/advisoryai.evidence.bundle@0.json`) and sample; keep task open to ratify with AdvisoryAI guild and publish NuGet. | Implementer |
+| 2025-11-18 | Flipped ADV-ORCH-SCHEMA-LIB-160 to DONE; moved 160.A/B to DOING using delivered schema/models. | Implementer |
+| 2025-11-19 | Marked 160.A and 160.B BLOCKED pending AdvisoryAI payload notes and Orchestrator/Notifications envelopes; cannot publish snapshots yet. | Implementer |
+| 2025-11-19 | Sent escalations for AdvisoryAI schema and Orchestrator/Notifications envelopes; marked ESCALATE-ADV-AI-SCHEMA, ESCALATE-ORCH-ENVELOPE, and PREP-160-A/B/C-ESCALATE as DONE. Await ETAs from owners. | Implementer |
+| 2025-11-18 | Started 160.A/160.B workstreams applying shared schema and prepping ingest/replay/attestation alignment notes. | Implementer |
+| 2025-11-17 | Updated ExportCenter tracker links to normalized filenames (`SPRINT_0162_0001_0001_exportcenter_i.md`, `SPRINT_0163_0001_0001_exportcenter_ii.md`). | Implementer |

docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md

@@ -24,11 +24,11 @@
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | P0 | PREP-EVID-ATTEST-73-SCOPE-NOTE | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Evidence Locker Guild · Concelier Guild · Excititor Guild | Evidence Locker Guild · Concelier Guild · Excititor Guild | Published attestation scope/sign-off note at `docs/modules/evidence-locker/attestation-scope-note.md` with required claims and sample builder payload; to be linked in Evidence Bundle v1 change log. |
-| P1 | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | TODO | Due 2025-11-23 · Accountable: Evidence Locker Guild · Replay Delivery Guild | Evidence Locker Guild · Replay Delivery Guild | Await replay ledger retention shape; schemas available. <br><br> Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | TODO | Due 2025-11-23 · Accountable: CLI Guild | CLI Guild | Waiting on EvidenceLocker APIs after bundle packaging finalization. <br><br> Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
-| P3 | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | TODO | Due 2025-11-23 · Accountable: Docs Guild · Ops Guild | Docs Guild · Ops Guild | Depends on retention APIs + CLI behavior. <br><br> Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
-| P4 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (schemas not yet delivered). <br><br> Document artefact/deliverable for Evidence Locker Guild and publish location so downstream tasks can proceed. |
-| P5 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (awaiting schema signals). <br><br> Document artefact/deliverable for Evidence Locker Guild · Replay Delivery Guild and publish location so downstream tasks can proceed. |
+| P1 | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | DONE (2025-11-20) | Prep doc at `docs/modules/evidence-locker/replay-payload-contract.md`; awaiting ledger retention freeze for implementation. | Evidence Locker Guild · Replay Delivery Guild | Await replay ledger retention shape; schemas available. <br><br> Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | DONE (2025-11-20) | Prep doc at `docs/modules/cli/guides/replay-cli-prep.md`; tracks CLI surface pending schema freeze. | CLI Guild | Waiting on EvidenceLocker APIs after bundle packaging finalization. <br><br> Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | DONE (2025-11-20) | Prep doc at `docs/runbooks/replay_ops_prep_187_004.md`; merge into runbook once APIs freeze. | Docs Guild · Ops Guild | Depends on retention APIs + CLI behavior. <br><br> Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
+| P4 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO | DONE (2025-11-20) | Prep note at `docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md`; awaiting AdvisoryAI/Orch envelopes. | Planning | BLOCKED (schemas not yet delivered). <br><br> Document artefact/deliverable for Evidence Locker Guild and publish location so downstream tasks can proceed. |
+| P5 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU | DONE (2025-11-20) | Prep note at `docs/modules/evidence-locker/prep/2025-11-20-replay-delivery-sync.md`; waiting on ledger retention defaults. | Planning | BLOCKED (awaiting schema signals). <br><br> Document artefact/deliverable for Evidence Locker Guild · Replay Delivery Guild and publish location so downstream tasks can proceed. |
 | 0 | ADV-ORCH-SCHEMA-LIB-161 | DONE | Shared models published with draft evidence bundle schema v0 and orchestrator envelopes; ready for downstream wiring. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package + fixtures to `/src/__Libraries` (or shared NuGet) so downstream components can consume frozen schema. |
 | 1 | EVID-OBS-54-002 | BLOCKED | AdvisoryAI evidence bundle schema + orchestrator/notifications capsule schema still pending; cannot finalize DSSE fields. | Evidence Locker Guild | Finalize deterministic bundle packaging + DSSE layout per `docs/modules/evidence-locker/bundle-packaging.md`, including portable/incident modes. |
 | 2 | EVID-REPLAY-187-001 | BLOCKED | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | Evidence Locker Guild · Replay Delivery Guild | Implement replay bundle ingestion + retention APIs; update storage policy per `docs/replay/DETERMINISTIC_REPLAY.md`. |
@@ -40,8 +40,8 @@
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
-| Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO |
-| Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU |
+| Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | DONE (2025-11-20) — see `docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md` |
+| Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | DONE (2025-11-20) — see `docs/modules/evidence-locker/prep/2025-11-20-replay-delivery-sync.md` |
 | Validate `ICryptoProviderRegistry` plan at readiness review. | Evidence Locker Guild · Security Guild | 2025-11-18 | Pending |
 
 ## Interlocks & Readiness Signals
@@ -82,3 +82,5 @@
 | 2025-11-18 | Recorded crypto registry decision in `docs/security/crypto-registry-decision-2025-11-18.md`; moved CRYPTO-REGISTRY-DECISION-161 to DONE and unblocked EVID-CRYPTO-90-001. | Implementer |
 | 2025-11-18 | Started EVID-OBS-54-002 DOING using shared schema draft. | Implementer |
 | 2025-11-18 | Started EVID-OBS-54-002 with shared schema; replay/CLI remain pending ledger shape. | Implementer |
+| 2025-11-20 | Completed PREP-EVID-REPLAY-187-001, PREP-CLI-REPLAY-187-002, and PREP-RUNBOOK-REPLAY-187-004; published prep docs at `docs/modules/evidence-locker/replay-payload-contract.md`, `docs/modules/cli/guides/replay-cli-prep.md`, and `docs/runbooks/replay_ops_prep_187_004.md`. | Implementer |
+| 2025-11-20 | Added schema readiness and replay delivery prep notes for Evidence Locker Guild; see `docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md` and `.../2025-11-20-replay-delivery-sync.md`. Marked PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO and PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU DONE. | Implementer |

docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md

@@ -21,20 +21,24 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | TODO | Due 2025-11-23 · Accountable: DevPortal Offline Guild · AirGap Controller Guild | DevPortal Offline Guild · AirGap Controller Guild | Needs sealed bundle spec + sample manifest for CLI verify flow; due for Nov-19 dry run. <br><br> Document artefact/deliverable for DVOFF-64-002 and publish location so downstream tasks can proceed. |
-| P2 | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Mirror Creator Guild | Exporter Service Guild · Mirror Creator Guild | EvidenceLocker contract + advisory schema to finalize DSSE contents. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| P3 | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · DevOps Guild | Exporter Service Guild · DevOps Guild | Depends on 56-001; same schema prerequisites. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
-| P4 | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Evidence Locker Guild | Exporter Service Guild · Evidence Locker Guild | Depends on 56-002; needs sealed evidence bundle format. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| P5 | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Notifications Guild | Exporter Service Guild · Notifications Guild | Depends on 57-001; needs notifications envelope schema. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
-| P6 | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · Exporter Service Guild | Attestation Bundle Guild · Exporter Service Guild | Needs EvidenceLocker bundle layout + orchestration events. <br><br> Document artefact/deliverable for EXPORT-ATTEST-74-001 and publish location so downstream tasks can proceed. |
-| P7 | PREP-EXPORT-ATTEST-74-002-DEPENDS-ON-74-001 | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · DevOps Guild | Attestation Bundle Guild · DevOps Guild | Depends on 74-001. <br><br> Document artefact/deliverable for EXPORT-ATTEST-74-002 and publish location so downstream tasks can proceed. |
-| P8 | PREP-EXPORT-ATTEST-75-001-DEPENDS-ON-74-002-N | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · CLI Attestor Guild | Attestation Bundle Guild · CLI Attestor Guild | Depends on 74-002; needs CLI contract. <br><br> Document artefact/deliverable for EXPORT-ATTEST-75-001 and publish location so downstream tasks can proceed. |
-| P9 | PREP-EXPORT-ATTEST-75-002-DEPENDS-ON-75-001 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild | Exporter Service Guild | Depends on 75-001. <br><br> Document artefact/deliverable for EXPORT-ATTEST-75-002 and publish location so downstream tasks can proceed. |
-| P10 | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · API Contracts Guild | Exporter Service Guild · API Contracts Guild | Needs stable export surfaces; await EvidenceLocker contract. <br><br> Document artefact/deliverable for EXPORT-OAS-61-001 and publish location so downstream tasks can proceed. |
-| P11 | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild | Exporter Service Guild | Depends on 61-001. <br><br> Document artefact/deliverable for EXPORT-OAS-61-002 and publish location so downstream tasks can proceed. |
-| P12 | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · SDK Generator Guild | Exporter Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for EXPORT-OAS-62-001 and publish location so downstream tasks can proceed. |
-| P13 | PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (awaits EvidenceLocker contract). <br><br> Document artefact/deliverable for Exporter Service · EvidenceLocker Guild and publish location so downstream tasks can proceed. |
-| P14 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | TODO | Due 2025-11-23 · Accountable: Planning | Planning | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff and publish location so downstream tasks can proceed. |
+| P1 | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | DONE (2025-11-20) | Due 2025-11-23 · Accountable: DevPortal Offline Guild · AirGap Controller Guild | DevPortal Offline Guild · AirGap Controller Guild | Prep artefact published at `docs/modules/export-center/prep/2025-11-20-dvoff-64-002-prep.md` (sample sealed bundle + CLI verify contract/output/exit-codes). |
+| P2 | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · Mirror Creator Guild | Exporter Service Guild · Mirror Creator Guild | EvidenceLocker contract + advisory schema to finalize DSSE contents. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/export-center/prep/2025-11-20-export-airgap-56-001-prep.md`. |
+| P3 | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | DONE (2025-11-20) | Prep artefact at `docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md`; waiting on 56-001 schema to unblock impl. | Exporter Service Guild · DevOps Guild | Depends on 56-001; same schema prerequisites. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-002 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md`. |
+| P4 | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · Evidence Locker Guild | Exporter Service Guild · Evidence Locker Guild | Depends on 56-002; needs sealed evidence bundle format. <br><br> Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md` (export portable bundle contract, deterministic packaging, API surface, acceptance criteria). |
+| P5 | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · Notifications Guild | Exporter Service Guild · Notifications Guild | Depends on 57-001; prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-airgap-58-001-prep.md` detailing notification payload, retries, deterministic headers, and linkage to export download. |
+| P6 | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Attestation Bundle Guild · Exporter Service Guild | Attestation Bundle Guild · Exporter Service Guild | Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md` (deterministic attestation export bundle contract, API surface, acceptance criteria). |
+| P3 | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · DevOps Guild | Exporter Service Guild · DevOps Guild | Depends on 56-001; prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md` (bootstrap pack deterministic OCI tar + endpoints). |
+| P4 | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · Evidence Locker Guild | Exporter Service Guild · Evidence Locker Guild | Depends on 56-002; needs sealed evidence bundle format. <br><br> Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md` (export portable bundle contract, deterministic packaging, API surface, acceptance criteria). |
+| P5 | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · Notifications Guild | Exporter Service Guild · Notifications Guild | Depends on 57-001; prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-airgap-58-001-prep.md` detailing notification payload, retries, deterministic headers, and linkage to export download. |
+| P6 | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Attestation Bundle Guild · Exporter Service Guild | Attestation Bundle Guild · Exporter Service Guild | Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md` (deterministic attestation export bundle contract, API surface, acceptance criteria). |
+| P7 | PREP-EXPORT-ATTEST-74-002-DEPENDS-ON-74-001 | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Attestation Bundle Guild · DevOps Guild | Attestation Bundle Guild · DevOps Guild | Depends on 74-001. <br><br> Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-attest-74-002-prep.md` covering CI/offline-kit integration, checksums, and manifest entries. |
+| P8 | PREP-EXPORT-ATTEST-75-001-DEPENDS-ON-74-002-N | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Attestation Bundle Guild · CLI Attestor Guild | Attestation Bundle Guild · CLI Attestor Guild | Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-attest-75-001-prep.md` defining CLI verify/import contract, exit codes, and offline behavior. |
+| P9 | PREP-EXPORT-ATTEST-75-002-DEPENDS-ON-75-001 | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild | Exporter Service Guild | Depends on 75-001. <br><br> Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-attest-75-002-prep.md` covering offline kit distribution and mirror publication. |
+| P10 | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Exporter Service Guild · API Contracts Guild | Exporter Service Guild · API Contracts Guild | Prep artefact published at `docs/modules/export-center/prep/2025-11-20-export-oas-61-001-prep.md` (export OAS v1 paths, schemas, headers, determinism); ready for OAS YAML generation. |
+| P11 | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | DONE (2025-11-20) | Prep artefact at `docs/modules/export-center/prep/2025-11-20-export-oas-61-002-prep.md`; waits on 61-001 freeze. | Exporter Service Guild | Depends on 61-001. <br><br> Document artefact/deliverable for EXPORT-OAS-61-002 and publish location so downstream tasks can proceed. |
+| P12 | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | DONE (2025-11-20) | Prep artefact at `docs/modules/export-center/prep/2025-11-20-export-oas-62-001-prep.md`; depends on discovery endpoint. | Exporter Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for EXPORT-OAS-62-001 and publish location so downstream tasks can proceed. |
+| P13 | PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL | DONE (2025-11-20) | Prep note at `docs/modules/export-center/prep/2025-11-20-exporter-evidencelocker-blocker.md`; awaiting sealed bundle schema/hash. | Planning | BLOCKED (awaits EvidenceLocker contract). <br><br> Document artefact/deliverable for Exporter Service · EvidenceLocker Guild and publish location so downstream tasks can proceed. |
+| P14 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | DONE (2025-11-20) | Prep note at `docs/events/prep/2025-11-20-orchestrator-notifications-schema-handoff.md`. | Planning | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff and publish location so downstream tasks can proceed. |
 | 1 | DVOFF-64-002 | BLOCKED | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
 | 2 | EXPORT-AIRGAP-56-001 | BLOCKED | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
 | 3 | EXPORT-AIRGAP-56-002 | BLOCKED | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
@@ -89,6 +93,19 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-EXPORT-AIRGAP-58-001: published notification/timeline contract for air-gap export readiness (`docs/modules/export-center/prep/2025-11-20-export-airgap-58-001-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-AIRGAP-56-002: published bootstrap pack OCI tar + API contract (`docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-DVOFF-64-002: published DevPortal sealed bundle + CLI verify contract (`docs/modules/export-center/prep/2025-11-20-dvoff-64-002-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-ATTEST-75-001: published CLI verify/import contract (`docs/modules/export-center/prep/2025-11-20-export-attest-75-001-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-ATTEST-75-002: published offline kit/mirror distribution contract (`docs/modules/export-center/prep/2025-11-20-export-attest-75-002-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-ATTEST-74-001: published attestation export bundle contract (`docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-ATTEST-74-002: published CI/offline-kit integration contract for attestation exports (`docs/modules/export-center/prep/2025-11-20-export-attest-74-002-prep.md`); status set to DONE. | Implementer |
+| 2025-11-20 | Drafted OAS baseline prep for export surfaces (`docs/modules/export-center/prep/2025-11-20-export-oas-61-001-prep.md`); set PREP-EXPORT-OAS-61-001 to DOING. | Implementer |
+| 2025-11-20 | Published prep artefacts for PREP-EXPORT-AIRGAP-56-002, PREP-EXPORT-OAS-61-002, PREP-EXPORT-OAS-62-001, PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL, and PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF; marked P3 and P11–P14 DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EXPORT-AIRGAP-57-001: published export portable bundle contract at `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Confirmed PREP-EXPORT-AIRGAP-57-001 unowned; set to DOING to begin airgap evidence export prep. | Planning |
+| 2025-11-20 | Published prep docs for EXPORT airgap chain and attest (56-001/002/57-001/58-001/74-001) plus DVOFF-64-002; set P1–P6 to DOING after confirming unowned. | Project Mgmt |
+| 2025-11-20 | Published prep docs for DVOFF-64-002 and EXPORT-AIRGAP-56-001; set P1/P2 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
-| 2025-11-17 | Renamed to template-compliant filename, normalized structure, and set tasks BLOCKED pending upstream contracts. | Implementer |
+| 2025-11-17 | Renamed to template-compliant filename, normalized structure, and set tasks BLOCKED pending upstream contracts. | Implementer |

docs/implplan/SPRINT_0173_0001_0003_notifier_iii.md

@@ -18,12 +18,13 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-NOTIFY-TEN-48-001-NOTIFIER-II-SPRINT-017 | TODO | Due 2025-11-23 · Accountable: Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifier II (Sprint 0172) not started; tenancy model not finalized. <br><br> Document artefact/deliverable for NOTIFY-TEN-48-001 and publish location so downstream tasks can proceed. |
+| P1 | PREP-NOTIFY-TEN-48-001-NOTIFIER-II-SPRINT-017 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifier II (Sprint 0172) not started; tenancy model not finalized. <br><br> Document artefact/deliverable for NOTIFY-TEN-48-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/notifier/prep/2025-11-20-ten-48-001-prep.md`. |
 | 1 | NOTIFY-TEN-48-001 | BLOCKED (2025-11-20) | PREP-NOTIFY-TEN-48-001-NOTIFIER-II-SPRINT-017 | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Tenant-scope rules/templates/incidents, RLS on storage, tenant-prefixed channels, include tenant context in notifications. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Published notifier tenancy prep (docs/modules/notifier/prep/2025-11-20-ten-48-001-prep.md); set PREP-NOTIFY-TEN-48-001 to DOING. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_173_notifier_iii.md` to `SPRINT_0173_0001_0003_notifier_iii.md`; content preserved. | Implementer |
 | 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
@@ -34,4 +35,4 @@
 - Ensure tenant scoping aligns with platform RLS and channel routing; avoid breaking existing templates.
 
 ## Next Checkpoints
-- Schedule kickoff post Notifier II completion (date TBD).
+- Schedule kickoff post Notifier II completion (date TBD).

docs/implplan/SPRINT_0174_0001_0001_telemetry.md

@@ -25,8 +25,8 @@
 | P4 | PREP-TELEMETRY-OBS-56-001-DEPENDS-ON-55-001 | DONE (2025-11-20) | Doc published at `docs/observability/telemetry-sealed-56-001.md`. | Telemetry Core Guild | Depends on 55-001. <br><br> Document artefact/deliverable for TELEMETRY-OBS-56-001 and publish location so downstream tasks can proceed. |
 | P5 | PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT | DONE (2025-11-20) | Doc published at `docs/observability/cli-incident-toggle-12-001.md`. | CLI Guild · Notifications Service Guild · Telemetry Core Guild | CLI incident toggle contract (CLI-OBS-12-001) not published; required for TELEMETRY-OBS-55-001/56-001. Provide schema + CLI flag behavior. |
 | 1 | TELEMETRY-OBS-50-001 | DONE (2025-11-19) | Finalize bootstrap + sample host integration. | Telemetry Core Guild (`src/Telemetry/StellaOps.Telemetry.Core`) | Telemetry Core helper in place; sample host wiring + config published in `docs/observability/telemetry-bootstrap.md`. |
-| 2 | TELEMETRY-OBS-50-002 | TODO | PREP-TELEMETRY-OBS-50-002-AWAIT-PUBLISHED-50 (DONE) | Telemetry Core Guild | Context propagation middleware/adapters for HTTP, gRPC, background jobs, CLI; carry `trace_id`, `tenant_id`, `actor`, imposed-rule metadata; async resume harness. |
-| 3 | TELEMETRY-OBS-51-001 | TODO | PREP-TELEMETRY-OBS-51-001-TELEMETRY-PROPAGATI | Telemetry Core Guild · Observability Guild | Metrics helpers for golden signals with exemplar support and cardinality guards; Roslyn analyzer preventing unsanitised labels. |
+| 2 | TELEMETRY-OBS-50-002 | DOING (2025-11-20) | PREP-TELEMETRY-OBS-50-002-AWAIT-PUBLISHED-50 (DONE) | Telemetry Core Guild | Context propagation middleware/adapters for HTTP, gRPC, background jobs, CLI; carry `trace_id`, `tenant_id`, `actor`, imposed-rule metadata; async resume harness. Prep artefact: `docs/modules/telemetry/prep/2025-11-20-obs-50-002-prep.md`. |
+| 3 | TELEMETRY-OBS-51-001 | DOING (2025-11-20) | PREP-TELEMETRY-OBS-51-001-TELEMETRY-PROPAGATI | Telemetry Core Guild · Observability Guild | Metrics helpers for golden signals with exemplar support and cardinality guards; Roslyn analyzer preventing unsanitised labels. Prep artefact: `docs/modules/telemetry/prep/2025-11-20-obs-51-001-prep.md`. |
 | 4 | TELEMETRY-OBS-51-002 | BLOCKED (2025-11-20) | PREP-TELEMETRY-OBS-51-002-DEPENDS-ON-51-001 | Telemetry Core Guild · Security Guild | Redaction/scrubbing filters for secrets/PII at logger sink; per-tenant config with TTL; audit overrides; determinism tests. |
 | 5 | TELEMETRY-OBS-55-001 | BLOCKED (2025-11-20) | Depends on TELEMETRY-OBS-51-002 and PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT. | Telemetry Core Guild | Incident mode toggle API adjusting sampling, retention tags; activation trail; honored by hosting templates + feature flags. |
 | 6 | TELEMETRY-OBS-56-001 | BLOCKED (2025-11-20) | PREP-TELEMETRY-OBS-56-001-DEPENDS-ON-55-001 | Telemetry Core Guild | Sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters); disable external exporters when sealed. |
@@ -34,6 +34,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Published telemetry prep docs (context propagation + metrics helpers); set TELEMETRY-OBS-50-002/51-001 to DOING. | Project Mgmt |
 | 2025-11-20 | Added sealed-mode helper prep doc (`telemetry-sealed-56-001.md`); marked PREP-TELEMETRY-OBS-56-001 DONE. | Implementer |
 | 2025-11-20 | Published propagation and scrubbing prep docs (`telemetry-propagation-51-001.md`, `telemetry-scrub-51-002.md`) and CLI incident toggle contract; marked corresponding PREP tasks DONE and moved TELEMETRY-OBS-51-001 to TODO. | Implementer |
 | 2025-11-20 | Added PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT and cleaned PREP-TELEMETRY-OBS-50-002 Task ID; updated TELEMETRY-OBS-55-001 dependency accordingly. | Project Mgmt |

docs/implplan/SPRINT_0187_0001_0001_evidence_locker_cli_integration.md

@@ -1,40 +1,42 @@
-# Sprint 0187-0001-0001 · Evidence Locker & CLI Integration (Replay Delivery 187.A)
-
-## Topic & Scope
-- Persist replay bundles in Evidence Locker, expose ledger-backed verification, and ship offline-ready CLI workflows with sovereign crypto support.
-- **Working directory:** `src/EvidenceLocker/StellaOps.EvidenceLocker`, `src/Cli/StellaOps.Cli`, `src/Attestor/StellaOps.Attestor`, relevant docs under `docs/replay`, `docs/modules/evidence-locker`, `docs/modules/cli`, `docs/runbooks`.
-
-## Dependencies & Concurrency
-- Upstream: Sprint 0186 (Scanner record mode), Sprint 0160 Export & Evidence, Sprint 0185 replay core, Sprint 0180 Experience & SDKs.
-- Concurrency: execute tasks in listed order; CLI/Attestor depend on EvidenceLocker API schema; crypto routing depends on provider registry readiness.
-
-## Documentation Prerequisites
-- docs/README.md
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/replay/DETERMINISTIC_REPLAY.md
-- docs/replay/DEVS_GUIDE_REPLAY.md
-- docs/runbooks/replay_ops.md
-- docs/security/crypto-routing-audit-2025-11-07.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Scanner record payloads (Sprint 0186) not available; EvidenceLocker API schema cannot be drafted. <br><br> Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
+# Sprint 0187-0001-0001 · Evidence Locker & CLI Integration (Replay Delivery 187.A)
+
+## Topic & Scope
+- Persist replay bundles in Evidence Locker, expose ledger-backed verification, and ship offline-ready CLI workflows with sovereign crypto support.
+- **Working directory:** `src/EvidenceLocker/StellaOps.EvidenceLocker`, `src/Cli/StellaOps.Cli`, `src/Attestor/StellaOps.Attestor`, relevant docs under `docs/replay`, `docs/modules/evidence-locker`, `docs/modules/cli`, `docs/runbooks`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0186 (Scanner record mode), Sprint 0160 Export & Evidence, Sprint 0185 replay core, Sprint 0180 Experience & SDKs.
+- Concurrency: execute tasks in listed order; CLI/Attestor depend on EvidenceLocker API schema; crypto routing depends on provider registry readiness.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/replay/DETERMINISTIC_REPLAY.md
+- docs/replay/DEVS_GUIDE_REPLAY.md
+- docs/runbooks/replay_ops.md
+- docs/security/crypto-routing-audit-2025-11-07.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Prep artefact published at `docs/modules/evidence-locker/replay-payload-contract.md` (scanner record payload shape, determinism, sample expectations). |
 | P2 | PREP-CLI-REPLAY-187-002-DEPENDS-ON-187-001-SC | DOING (2025-11-20) | Due 2025-11-23 · Accountable: DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | Depends on 187-001 schema freeze. <br><br> Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
 | P3 | PREP-ATTEST-REPLAY-187-003-DEPENDS-ON-187-001 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Depends on 187-001 payloads. <br><br> Document artefact/deliverable for ATTEST-REPLAY-187-003 and publish location so downstream tasks can proceed. |
 | P4 | PREP-RUNBOOK-REPLAY-187-004-NEEDS-APIS-DEFINE | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Docs Guild · Ops Guild (docs/runbooks) | Docs Guild · Ops Guild (docs/runbooks) | Needs APIs defined from 187-001. <br><br> Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
 | P5 | PREP-VALIDATE-BUNDLE-187-005-DEPENDS-ON-187-0 | DOING (2025-11-20) | Due 2025-11-23 · Accountable: QA Guild · CLI Guild · Docs Guild | QA Guild · CLI Guild · Docs Guild | Depends on 187-001/002/003; no payloads yet. <br><br> Document artefact/deliverable for VALIDATE-BUNDLE-187-005 and publish location so downstream tasks can proceed. |
-| P6 | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | DOING (2025-11-20) | Due 2025-11-23 · Accountable: Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | ICryptoProviderRegistry readiness not confirmed; sovereign crypto profiles pending. <br><br> Document artefact/deliverable for EVID-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
-| 1 | EVID-REPLAY-187-001 | BLOCKED (2025-11-20) | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Implement replay bundle ingestion/retention APIs; document storage/retention rules referencing replay doc §§2 & 8. |
-| 2 | CLI-REPLAY-187-002 | BLOCKED (2025-11-20) | PREP-CLI-REPLAY-187-002-DEPENDS-ON-187-001-SC | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | Add `scan --record`, `verify`, `replay`, `diff` commands with offline bundle resolution; update CLI architecture and replay appendix. |
-| 3 | ATTEST-REPLAY-187-003 | BLOCKED (2025-11-20) | PREP-ATTEST-REPLAY-187-003-DEPENDS-ON-187-001 | Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Wire Attestor/Rekor anchoring for replay manifests; extend attestor architecture with replay ledger flow. |
-| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED (2025-11-20) | PREP-RUNBOOK-REPLAY-187-004-NEEDS-APIS-DEFINE | Docs Guild · Ops Guild (docs/runbooks) | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, verification drills. |
-| 5 | VALIDATE-BUNDLE-187-005 | BLOCKED (2025-11-20) | PREP-VALIDATE-BUNDLE-187-005-DEPENDS-ON-187-0 | QA Guild · CLI Guild · Docs Guild | Deliver `VALIDATION_PLAN.md`, harness scripts (quiet vs baseline, provenance bundle export), `stella bundle verify` subcommand checking DSSE/Rekor/SBOM/policy/replay claims end-to-end. |
-| 6 | EVID-CRYPTO-90-001 | BLOCKED (2025-11-20) | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through crypto provider registry for sovereign profiles. |
-
-## Execution Log
+| P6 | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | DONE (2025-11-20) | Due 2025-11-23 · Accountable: Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Prep artefact published at `docs/modules/evidence-locker/crypto-provider-registry-prep.md` (provider registry expectations, config, JWKS caching). |
+| 1 | EVID-REPLAY-187-001 | BLOCKED (2025-11-20) | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Implement replay bundle ingestion/retention APIs; document storage/retention rules referencing replay doc §§2 & 8. |
+| 2 | CLI-REPLAY-187-002 | BLOCKED (2025-11-20) | PREP-CLI-REPLAY-187-002-DEPENDS-ON-187-001-SC | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | Add `scan --record`, `verify`, `replay`, `diff` commands with offline bundle resolution; update CLI architecture and replay appendix. |
+| 3 | ATTEST-REPLAY-187-003 | BLOCKED (2025-11-20) | PREP-ATTEST-REPLAY-187-003-DEPENDS-ON-187-001 | Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Wire Attestor/Rekor anchoring for replay manifests; extend attestor architecture with replay ledger flow. |
+| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED (2025-11-20) | PREP-RUNBOOK-REPLAY-187-004-NEEDS-APIS-DEFINE | Docs Guild · Ops Guild (docs/runbooks) | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, verification drills. |
+| 5 | VALIDATE-BUNDLE-187-005 | BLOCKED (2025-11-20) | PREP-VALIDATE-BUNDLE-187-005-DEPENDS-ON-187-0 | QA Guild · CLI Guild · Docs Guild | Deliver `VALIDATION_PLAN.md`, harness scripts (quiet vs baseline, provenance bundle export), `stella bundle verify` subcommand checking DSSE/Rekor/SBOM/policy/replay claims end-to-end. |
+| 6 | EVID-CRYPTO-90-001 | BLOCKED (2025-11-20) | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through crypto provider registry for sovereign profiles. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-EVID-REPLAY-187-001: published replay payload contract at `docs/modules/evidence-locker/replay-payload-contract.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-EVID-CRYPTO-90-001: published crypto provider registry prep at `docs/modules/evidence-locker/crypto-provider-registry-prep.md`; status set to DONE. | Implementer |
 | 2025-11-20 | Published prep docs: CLI replay (`docs/modules/cli/guides/replay-cli-prep.md`), Attestor replay (`docs/modules/attestor/replay-prep.md`), runbook prep (`docs/runbooks/replay_ops_prep_187_004.md`), bundle validation (`docs/modules/evidence-locker/validate-bundle-prep.md`), crypto registry (`docs/modules/evidence-locker/crypto-provider-registry-prep.md`); set P2–P6 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-20 | Drafted replay payload contract doc (docs/modules/evidence-locker/replay-payload-contract.md); pinged Scanner Guild for sample payloads from Sprint 0186. | Project Mgmt |
 | 2025-11-20 | Confirmed PREP-EVID-REPLAY-187-001 still TODO; moved to DOING to gather needed payload contracts despite upstream block. | Project Mgmt |
@@ -43,13 +45,13 @@
 | 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_187_evidence_locker_cli_integration.md` to `SPRINT_0187_0001_0001_evidence_locker_cli_integration.md`; content preserved. | Implementer |
 | 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
 | 2025-11-20 | Marked all tasks BLOCKED: waiting on Scanner record payloads (Sprint 0186) and ICryptoProviderRegistry readiness; no executable work in this sprint until upstream artefacts land. | Implementer |
-
-## Decisions & Risks
+
+## Decisions & Risks
 - EvidenceLocker API schema must align with replay bundles and sovereign crypto routing; approval review on 2025-11-18.
 - CLI/Attestor work blocked until Scanner record payloads and EvidenceLocker schema freeze.
 - Provider registry must support sovereign profiles (`ru-offline`, etc.) before wiring EVID-CRYPTO-90-001.
 - Draft replay payload contract published at `docs/modules/evidence-locker/replay-payload-contract.md`; awaiting Sprint 0186 sample payloads and DSSE profile.
  - Prep docs published for CLI replay, Attestor replay, runbook, bundle validation, and crypto provider registry (see Execution Log for paths); still blocked on upstream payloads and profile lists.
-
-## Next Checkpoints
+
+## Next Checkpoints
 - Schedule joint review of replay_ops runbook and EvidenceLocker API (date TBD).

docs/implplan/SPRINT_0215_0001_0001_web_iv.md

@@ -1,52 +1,52 @@
-# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
-
-## Topic & Scope
-- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
-- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
-- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
-- **Working directory:** `src/Web/StellaOps.Web`.
-
-## Dependencies & Concurrency
-- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
-- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
-- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
-
-## Documentation Prerequisites
-- `docs/README.md`
-- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/modules/platform/architecture-overview.md`
-- `docs/modules/policy/architecture.md`
-- `src/Web/StellaOps.Web/AGENTS.md`
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
-| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
-| 3 | WEB-POLICY-20-001 | TODO | — | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
-| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
-| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
-| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
-| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
-| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
-| 9 | WEB-POLICY-23-003 | TODO | WEB-POLICY-23-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
-| 10 | WEB-POLICY-23-004 | TODO | WEB-POLICY-23-003 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
-| 11 | WEB-POLICY-27-001 | TODO | WEB-POLICY-23-004 | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
-| 12 | WEB-POLICY-27-002 | TODO | WEB-POLICY-27-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
-| 13 | WEB-POLICY-27-003 | TODO | WEB-POLICY-27-002 | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
-| 14 | WEB-POLICY-27-004 | TODO | WEB-POLICY-27-003 | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
-| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
-
-## Decisions & Risks
-- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
-- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
-- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
-
-## Next Checkpoints
-- 2025-11-22 · Verify WEB-POLICY-20-004 rate-limit design review completed (Platform Reliability Guild).
-- 2025-11-25 · Policy pack CRUD kickoff pending unblock from WEB-POLICY-20-004 (Policy Guild + BE-Base Platform Guild).
+# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
+
+## Topic & Scope
+- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
+- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
+- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
+- **Working directory:** `src/Web/StellaOps.Web`.
+
+## Dependencies & Concurrency
+- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
+- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
+- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+- `src/Web/StellaOps.Web/AGENTS.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
+| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
+| 3 | WEB-POLICY-20-001 | TODO | — | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
+| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
+| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
+| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
+| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
+| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
+| 9 | WEB-POLICY-23-003 | TODO | WEB-POLICY-23-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
+| 10 | WEB-POLICY-23-004 | TODO | WEB-POLICY-23-003 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
+| 11 | WEB-POLICY-27-001 | TODO | WEB-POLICY-23-004 | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
+| 12 | WEB-POLICY-27-002 | TODO | WEB-POLICY-27-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
+| 13 | WEB-POLICY-27-003 | TODO | WEB-POLICY-27-002 | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
+| 14 | WEB-POLICY-27-004 | TODO | WEB-POLICY-27-003 | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
+| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
+
+## Decisions & Risks
+- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
+- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
+- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
+
+## Next Checkpoints
+- 2025-11-22 · Verify WEB-POLICY-20-004 rate-limit design review completed (Platform Reliability Guild).
+- 2025-11-25 · Policy pack CRUD kickoff pending unblock from WEB-POLICY-20-004 (Policy Guild + BE-Base Platform Guild).

docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md

@@ -21,7 +21,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-CLI-OPS-0001-WAITING-FOR-NEXT-DEMO-OUTPU | TODO | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Waiting for next demo outputs. <br><br> Document artefact/deliverable for CLI-OPS-0001 and publish location so downstream tasks can proceed. |
+| P1 | PREP-CLI-OPS-0001-WAITING-FOR-NEXT-DEMO-OUTPU | DONE (2025-11-20) | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Prep artefact published at `docs/modules/cli/prep/2025-11-20-ops-0001-prep.md`; contains required demo outputs, hashes, and runbook update checklist to unblock CLI-OPS-0001. |
 | 1 | CLI-DOCS-0001 | DONE | Synced sprint references on 2025-11-17 | Docs Guild | Update docs/AGENTS to reflect current CLI scope and sprint naming; align with template rules. |
 | 2 | CLI-ENG-0001 | DONE | Sprint normalized; statuses mirrored | Module Team | Update status via ./AGENTS.md workflow and ensure module docs reference current sprint. |
 | 3 | CLI-OPS-0001 | BLOCKED | PREP-CLI-OPS-0001-WAITING-FOR-NEXT-DEMO-OUTPU | Ops Guild | Sync outcomes back to ../.. ; refresh ops/runbook notes after demo. |
@@ -29,6 +29,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-CLI-OPS-0001: published ops demo prep at `docs/modules/cli/prep/2025-11-20-ops-0001-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Published CLI ops prep doc (docs/modules/cli/prep/2025-11-20-ops-0001-prep.md); set PREP-CLI-OPS-0001 to DOING. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_316_docs_modules_cli.md. | Docs |
 | 2025-11-17 | Completed CLI-DOCS-0001 and CLI-ENG-0001 by updating CLI docs to reference normalized sprint. | Module Team |
@@ -38,4 +40,4 @@
 - Keep sprint naming aligned with template to avoid broken references in CLI docs.
 
 ## Next Checkpoints
-- 2025-11-22 · Check for demo outputs to unblock CLI-OPS-0001. Owner: Ops Guild.
+- 2025-11-22 · Check for demo outputs to unblock CLI-OPS-0001. Owner: Ops Guild.

docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md

@@ -20,7 +20,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-GRAPH-OPS-0001-WAITING-FOR-NEXT-DEMO-OUT | TODO | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Waiting for next demo outputs to review dashboards/runbooks. <br><br> Document artefact/deliverable for GRAPH-OPS-0001 and publish location so downstream tasks can proceed. |
+| P1 | PREP-GRAPH-OPS-0001-WAITING-FOR-NEXT-DEMO-OUT | DOING (2025-11-20) | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Waiting for next demo outputs to review dashboards/runbooks. <br><br> Document artefact/deliverable for GRAPH-OPS-0001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/graph/prep/2025-11-20-ops-0001-prep.md`. |
 | 1 | GRAPH-ENG-0001 | DONE | Synced docs to Sprint 0141 rename on 2025-11-17 | Module Team | Keep module milestones in sync with `/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md` and related files; update references and note deltas. |
 | 2 | GRAPH-DOCS-0002 | BLOCKED | Await DOCS-GRAPH-24-003 cross-links | Docs Guild | Add API/query doc cross-links once DOCS-GRAPH-24-003 lands. |
 | 3 | GRAPH-OPS-0001 | BLOCKED | PREP-GRAPH-OPS-0001-WAITING-FOR-NEXT-DEMO-OUT | Ops Guild | Review graph observability dashboards/runbooks after the next sprint demo; capture updates in runbooks. |
@@ -28,6 +28,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Published graph ops prep doc (docs/modules/graph/prep/2025-11-20-ops-0001-prep.md); set PREP-GRAPH-OPS-0001 to DOING. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Marked GRAPH-DOCS-0002 and GRAPH-OPS-0001 as BLOCKED pending DOCS-GRAPH-24-003 + next demo outputs. | Module Team |
 | 2025-11-17 | Completed GRAPH-ENG-0001; README and implementation_plan now reference SPRINT_0141_0001_0001_graph_indexer.md. | Module Team |
@@ -41,4 +42,4 @@
 ## Next Checkpoints
 - 2025-11-17 · Milestone sync completed (GRAPH-ENG-0001). Owner: Module Team.
 - 2025-11-22 · Confirm DOCS-GRAPH-24-003 status; proceed with cross-links if available. Owner: Docs Guild.
-- 2025-11-25 · Runbook/observability review post-demo. Owner: Ops Guild.
+- 2025-11-25 · Runbook/observability review post-demo. Owner: Ops Guild.

docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md

@@ -29,17 +29,22 @@
 | 7 | QA-REACH-201-007 | TODO | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
 | 8 | GAP-SCAN-001 | TODO | Align with task 2; binary symbolizers | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
 | 9 | GAP-ZAS-002 | TODO | Align with task 1; runtime NDJSON schema | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 0401 lands ingestion. |
+| 10 | SIGNALS-UNKNOWN-201-008 | TODO | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
+| 11 | GRAPH-PURL-201-009 | TODO | Align with GAP-SCAN-001; depends on `richgraph-v1` schema finalisation | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_400_runtime_facts_static_callgraph_union.md. | Docs |
 | 2025-11-19 | Marked tasks 201-002..201-005 BLOCKED pending runtime/static union schema (SymbolID+CAS layout); no implementation until schema is published. | Implementer |
+| 2025-11-20 | Added tasks 201-008 (Unknowns Registry) and 201-009 (purl + symbol-digest edge merge); awaiting schema freeze. | Planning |
 
 ## Decisions & Risks
 - Runtime/static schema alignment pending (SymbolID, CAS layout, overlay tags); blocks ingestion and scoring finalization.
 - reachbench fixtures not yet relocated into tests tree; QA task 201-007 must complete before CI enablement.
 - Offline posture: ensure reachability pipelines avoid external downloads; rely on sealed/mock bundles.
+- Unknowns Registry schema and API must align with Signals scoring before 201-008 can start; derive `unknowns_pressure` math from policy team.
+- purl + symbol-digest edge schema (201-009) depends on `richgraph-v1` finalization; may require updates to SBOM resolver and CLI explain flows.
 
 ## Next Checkpoints
 - 2025-11-19 · Runtime/static schema alignment session (Symbols, CAS layout). Owner: Signals Guild.

docs/implplan/SPRINT_0509_0001_0001_samples.md

@@ -19,8 +19,8 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| P1 | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | TODO | Due 2025-11-26 · Accountable: Samples Guild · Concelier Guild | Samples Guild · Concelier Guild | Waiting on finalized advisory linkset schema (Concelier). <br><br> Document artefact/deliverable for SAMPLES-LNM-22-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | TODO | Due 2025-11-26 · Accountable: Samples Guild · Excititor Guild | Samples Guild · Excititor Guild | Depends on 22-001 outputs + Excititor observation/linkset implementation. <br><br> Document artefact/deliverable for SAMPLES-LNM-22-002 and publish location so downstream tasks can proceed. |
+| P1 | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Samples Guild · Concelier Guild | Samples Guild · Concelier Guild | Prep artefact published at `docs/samples/linkset/prep-22-001.md` (fixtures plan aligned to frozen LNM schema; deterministic seeds/checksums). |
+| P2 | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | DOING (2025-11-20) | Due 2025-11-26 · Accountable: Samples Guild · Excititor Guild | Samples Guild · Excititor Guild | Depends on 22-001 outputs; will build Excititor observation/VEX linkset fixtures once P1 samples land. Prep doc will extend `docs/samples/linkset/prep-22-001.md` with Excititor-specific payloads. |
 | 1 | SAMPLES-GRAPH-24-003 | BLOCKED | Await Graph overlay format decision + mock SBOM cache availability | Samples Guild · SBOM Service Guild | Generate large-scale SBOM graph fixture (~40k nodes) with policy overlay snapshot for perf/regression suites. |
 | 2 | SAMPLES-GRAPH-24-004 | TODO | Blocked on 24-003 fixture availability | Samples Guild · UI Guild | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. |
 | 3 | SAMPLES-LNM-22-001 | BLOCKED | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | Samples Guild · Concelier Guild | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. |
@@ -29,6 +29,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-SAMPLES-LNM-22-001: published linkset fixtures prep at `docs/samples/linkset/prep-22-001.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Started PREP-SAMPLES-LNM-22-002 (dependent on 22-001); status set to DOING. | Planning |
 | 2025-11-19 | Normalized PREP-SAMPLES-LNM-22-001 Task ID (removed trailing hyphen) for dependency tracking. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Drafted fixture plan (`samples/graph/fixtures-plan.md`) outlining contents, assumptions, and blockers for SAMPLES-GRAPH-24-003. | Samples |

docs/implplan/SPRINT_0510_0001_0001_airgap.md

@@ -1,51 +1,65 @@
-# Sprint 0510 · Ops & Offline · AirGap (190.E)
-
-## Topic & Scope
-- Implement air-gap controller/importer/time components: seal/unseal state machine, status APIs, importer verification, and time-anchor telemetry for offline bundles.
-- Align with platform sealed-mode posture and ensure deterministic verification paths for offline kits.
-- **Working directory:** `src/AirGap`. 
-
-## Dependencies & Concurrency
-- Upstream: Attestor/Authority scopes for `airgap:*`, Offline Kit bundle formats, DevOps sealed-mode pipeline outputs.
-- AirGap Importer depends on Bundle trust roots and TUF metadata from release pipelines.
-
-## Documentation Prerequisites
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/modules/platform/architecture-overview.md
-- docs/modules/devops/architecture.md
-- docs/modules/airgap/airgap-mode.md (if present)
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | DOING (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Controller Guild | AirGap Controller Guild | Controller project scaffold missing; need baseline service skeleton. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | DOING (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Controller Guild · DevOps Guild | AirGap Controller Guild · DevOps Guild | Blocked on 56-001 scaffolding. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-002 and publish location so downstream tasks can proceed. |
+# Sprint 0510 · Ops & Offline · AirGap (190.E)
+
+## Topic & Scope
+- Implement air-gap controller/importer/time components: seal/unseal state machine, status APIs, importer verification, and time-anchor telemetry for offline bundles.
+- Align with platform sealed-mode posture and ensure deterministic verification paths for offline kits.
+- **Working directory:** `src/AirGap`. 
+
+## Dependencies & Concurrency
+- Upstream: Attestor/Authority scopes for `airgap:*`, Offline Kit bundle formats, DevOps sealed-mode pipeline outputs.
+- AirGap Importer depends on Bundle trust roots and TUF metadata from release pipelines.
+
+## Documentation Prerequisites
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/devops/architecture.md
+- docs/modules/airgap/airgap-mode.md (if present)
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | DONE (2025-11-20) | Prep note at `docs/airgap/prep/2025-11-20-controller-scaffold-prep.md`; scaffold details in `docs/airgap/controller-scaffold.md`. | AirGap Controller Guild | Controller project scaffold missing; need baseline service skeleton. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | DONE (2025-11-20) | Prep note at `docs/airgap/prep/2025-11-20-controller-scaffold-prep.md`; status endpoint sketch included. | AirGap Controller Guild · DevOps Guild | Blocked on 56-001 scaffolding. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-002 and publish location so downstream tasks can proceed. |
 | P3 | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Controller Guild | AirGap Controller Guild | Blocked on 56-002. <br><br> Deliverable: sealed-mode startup diagnostics spec at `docs/airgap/sealed-startup-diagnostics.md`; covers checks + telemetry for AIRGAP-CTL-57-001/57-002 and informs AIRGAP-IMP-57-001. |
 | P4 | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Controller Guild · Observability Guild | AirGap Controller Guild · Observability Guild | Blocked on 57-001. <br><br> Deliverable: sealed-mode startup diagnostics + telemetry/timeline hooks defined in `docs/airgap/sealed-startup-diagnostics.md`; includes events `airgap.sealed`/`airgap.unsealed` and counters for anchor staleness. |
-| P5 | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | DOING (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Controller Guild · AirGap Time Guild | AirGap Controller Guild · AirGap Time Guild | Blocked on 57-002. <br><br> Document artefact/deliverable for AIRGAP-CTL-58-001, AIRGAP-IMP-58-001, AIRGAP-TIME-58-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | DONE (2025-11-20) | Prep note at `docs/airgap/prep/2025-11-20-staleness-drift-prep.md`; ties to time anchor data. | AirGap Controller Guild · AirGap Time Guild | Blocked on 57-002. <br><br> Document artefact/deliverable for AIRGAP-CTL-58-001, AIRGAP-IMP-58-001, AIRGAP-TIME-58-001 and publish location so downstream tasks can proceed. |
 | P6 | PREP-AIRGAP-IMP-56-001-IMPORTER-PROJECT-SCAFF | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Importer Guild | AirGap Importer Guild | Importer project scaffold missing; need trust-root inputs. <br><br> Deliverable: scaffold + doc at `docs/airgap/importer-scaffold.md`; project + tests under `src/AirGap/StellaOps.AirGap.Importer` and `tests/AirGap/StellaOps.AirGap.Importer.Tests`. |
 | P7 | PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Importer Guild · Security Guild | AirGap Importer Guild · Security Guild | Blocked on 56-001. <br><br> Deliverable shares scaffold above; downstream tasks now have deterministic plan and trust-root contract. |
 | P8 | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Importer Guild · Observability Guild | AirGap Importer Guild · Observability Guild | Blocked on 58-001. <br><br> Deliverable shares scaffold above; includes plan steps + validation envelope for import timeline events. |
 | P9 | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | DONE (2025-11-20) | Due 2025-11-26 · Accountable: AirGap Time Guild | AirGap Time Guild | Time component scaffold missing; need token format decision. <br><br> Deliverable: `src/AirGap/StellaOps.AirGap.Time` project + tests and doc `docs/airgap/time-anchor-scaffold.md` covering Roughtime/RFC3161 stub parser. |
-| 1 | AIRGAP-CTL-56-001 | BLOCKED | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
-| 2 | AIRGAP-CTL-56-002 | BLOCKED | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
-| 3 | AIRGAP-CTL-57-001 | BLOCKED | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Controller Guild | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. |
-| 4 | AIRGAP-CTL-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Controller Guild · Observability Guild | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). |
-| 5 | AIRGAP-CTL-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Controller Guild · AirGap Time Guild | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. |
+| 1 | AIRGAP-CTL-56-001 | BLOCKED | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
+| 2 | AIRGAP-CTL-56-002 | BLOCKED | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
+| 3 | AIRGAP-CTL-57-001 | BLOCKED | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Controller Guild | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. |
+| 4 | AIRGAP-CTL-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Controller Guild · Observability Guild | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). |
+| 5 | AIRGAP-CTL-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Controller Guild · AirGap Time Guild | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. |
 | 6 | AIRGAP-IMP-56-001 | DONE (2025-11-20) | PREP-AIRGAP-IMP-56-001-IMPORTER-PROJECT-SCAFF | AirGap Importer Guild | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. |
 | 7 | AIRGAP-IMP-56-002 | DONE (2025-11-20) | PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | AirGap Importer Guild · Security Guild | Introduce root rotation policy validation (dual approval) and signer trust store management. |
 | 8 | AIRGAP-IMP-57-001 | DONE (2025-11-20) | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Importer Guild | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. Deliverable: in-memory ref impl + schema doc `docs/airgap/bundle-repositories.md`; tests cover RLS and deterministic ordering. |
-| 9 | AIRGAP-IMP-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Importer Guild · DevOps Guild | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. |
-| 10 | AIRGAP-IMP-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Importer Guild · CLI Guild | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. |
-| 11 | AIRGAP-IMP-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Importer Guild · Observability Guild | Emit timeline events (`airgap.import.started`, `airgap.import.completed`) with staleness metrics. |
-| 12 | AIRGAP-TIME-57-001 | DOING | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | AirGap Time Guild | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. Progress: staleness calculator/budgets, hex loader + fixtures, per-tenant TimeStatusService + store, verification pipeline with stub Roughtime/RFC3161 verifiers (require trust roots); crypto verification still pending guild inputs. |
-| 13 | AIRGAP-TIME-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Time Guild · Observability Guild | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. |
-| 14 | AIRGAP-TIME-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
-| 15 | AIRGAP-TIME-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
-
-## Execution Log
+| 9 | AIRGAP-IMP-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Importer Guild · DevOps Guild | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. |
+| 10 | AIRGAP-IMP-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Importer Guild · CLI Guild | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. |
+| 11 | AIRGAP-IMP-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Importer Guild · Observability Guild | Emit timeline events (`airgap.import.started`, `airgap.import.completed`) with staleness metrics. |
+| 12 | AIRGAP-TIME-57-001 | DONE (2025-11-20) | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | AirGap Time Guild | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. Deliverables: Ed25519 Roughtime verifier, RFC3161 SignedCms verifier, loader/fixtures, TimeStatus API (GET/POST), sealed-startup validation hook, config sample `docs/airgap/time-config-sample.json`, tests passing. |
+| 13 | AIRGAP-TIME-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Time Guild · Observability Guild | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. |
+| 14 | AIRGAP-TIME-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
+| 15 | AIRGAP-TIME-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Added curl example + healthcheck note to time API doc; tests still passing. | Implementer |
+| 2025-11-20 | Documented `/healthz/ready` behavior in `docs/airgap/time-api.md`; health depends on anchor presence/staleness. | Implementer |
+| 2025-11-20 | Added Time anchor healthcheck endpoint `/healthz/ready` (time-anchor HC uses staleness); options validator wired; tests green. | Implementer |
+| 2025-11-20 | Loader now rejects missing/incompatible trust roots; controller logs failures/success for POST /api/v1/time/anchor; tests remain passing. | Implementer |
+| 2025-11-20 | Added AirGap options validator tests (tenant/budget guardrails); test suite remains passing. | Implementer |
+| 2025-11-20 | Added AirGap options validator (tenant + staleness budgets) and kept Time tests passing. | Implementer |
+| 2025-11-20 | Hardened TimeAnchorLoader trust-root checks (format compatibility) and added verifier tests; Time tests still green. | Implementer |
+| 2025-11-20 | Added time API doc (`docs/airgap/time-api.md`) and AirGap docs index; tests still passing after doc updates. | Implementer |
+| 2025-11-20 | Added budget-mismatch guard test for sealed startup validator; Time tests remain passing. | Implementer |
+| 2025-11-20 | Added crypto-backed tests for Roughtime (Ed25519) and RFC3161 (SignedCms) verifiers; Time test suite still green. | Implementer |
+| 2025-11-20 | Wired config-driven tenant/staleness budgets into Time host; verifiers now real (Roughtime Ed25519, RFC3161 SignedCms); config sample added (`docs/airgap/time-config-sample.json`); tests remain green. | Implementer |
+| 2025-11-20 | Upgraded time verifiers: Roughtime Ed25519 signature check and RFC3161 SignedCms verification; docs updated. | Implementer |
+| 2025-11-20 | Added sealed startup validator hook; API POST `/api/v1/time/anchor`/GET `/api/v1/time/status` now exercised by tests; Time project builds standalone. | Implementer |
+| 2025-11-20 | Added sealed-startup validator for time anchors; POST `/api/v1/time/anchor` persists anchor + budgets, GET `/api/v1/time/status` returns staleness; tests passing. | Implementer |
 | 2025-11-20 | Added TimeStatusController + web host; exposed `/api/v1/time/status` and POST `/api/v1/time/anchor` using trust-root verified loader; tests still passing. | Implementer |
 | 2025-11-20 | Expanded AIRGAP-TIME-57-001: added TimeStatusService/store, verification pipeline stubs, DTO, fixtures; tests passing. Added API surface `/api/v1/time/status`. | Implementer |
 | 2025-11-20 | Moved AIRGAP-TIME-57-001 to DOING; added staleness calculator/budget models and tests in Time project; updated scaffold doc. | Implementer |
@@ -55,17 +69,19 @@
 | 2025-11-20 | Started AIRGAP-IMP-56-001/56-002 implementation (DSSE verifier, TUF validator, Merkle calculator; tests added). | Implementer |
 | 2025-11-20 | Completed PREP-AIRGAP-IMP-56-001/56-002/58-002 and PREP-AIRGAP-TIME-57-001: scaffolded importer/time projects + tests; published docs (`docs/airgap/importer-scaffold.md`, `docs/airgap/time-anchor-scaffold.md`). | Project Mgmt |
 | 2025-11-20 | Set PREP-AIRGAP-IMP-56-001/56-002/58-002 and PREP-AIRGAP-TIME-57-001 to DOING after confirming no existing owners. | Project Mgmt |
+| 2025-11-20 | Published prep notes for controller scaffold and staleness enrichment (`docs/airgap/prep/2025-11-20-controller-scaffold-prep.md`, `docs/airgap/prep/2025-11-20-staleness-drift-prep.md`); marked PREP-AIRGAP-CTL-56-001/56-002/58-001 DONE. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Marked all AIRGAP controller/importer/time tasks BLOCKED: no project scaffolds exist under src/AirGap; need baseline service skeletons and token format decisions before implementation. | Ops/Docs |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_510_airgap.md. | Ops/Docs |
-
+
 ## Decisions & Risks
 - Seal/unseal + importer rely on release pipeline outputs (trust roots, manifests); delays there delay this sprint.
 - Time anchor parsing depends on chosen token format (Roughtime vs RFC3161); must be confirmed with AirGap Time Guild.
 - Offline posture: ensure all verification runs without egress; CMK/KMS access must have offline-friendly configs.
- - Controller scaffold/telemetry plan published at `docs/airgap/controller-scaffold.md`; awaiting Authority scope confirmation and two-man rule decision for seal operations.
-
-## Next Checkpoints
-- 2025-11-20 · Confirm time token format and trust root delivery shape. Owner: AirGap Time Guild.
-- 2025-11-22 · Align on seal/unseal Authority scopes and baseline policy hash inputs. Owner: AirGap Controller Guild.
+- Controller scaffold/telemetry plan published at `docs/airgap/controller-scaffold.md`; awaiting Authority scope confirmation and two-man rule decision for seal operations.
+- Repo integrity risk: current git index appears corrupted (phantom deletions across repo). Requires repair before commit/merge to avoid data loss.
+
+## Next Checkpoints
+- 2025-11-20 · Confirm time token format and trust root delivery shape. Owner: AirGap Time Guild.
+- 2025-11-22 · Align on seal/unseal Authority scopes and baseline policy hash inputs. Owner: AirGap Controller Guild.
 - 2025-11-25 · Verify release pipeline exposes TUF metadata paths for importer (AIRGAP-IMP-56-001). Owner: AirGap Importer Guild.

docs/implplan/SPRINT_0512_0001_0001_bench.md

@@ -1,52 +1,56 @@
-# Sprint 0512 · Ops & Offline · Bench (190.G)
-
-## Topic & Scope
-- Build and capture performance benchmarks for graph, UI interactions, impact index, policy deltas, and reachability scoring to support offline/ops readiness.
-- Target harnesses under `src/Bench/StellaOps.Bench` with reproducible datasets.
-- **Working directory:** `src/Bench/StellaOps.Bench`.
-
-## Dependencies & Concurrency
-- Upstream data: graph fixtures (SAMPLES-GRAPH-24-003), reachability schema (Sprint 0400/0401), policy delta inputs.
-- UI bench depends on BENCH-GRAPH-21-001/002 harness foundation.
-
-## Documentation Prerequisites
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/modules/platform/architecture-overview.md
-- docs/modules/graph/architecture.md (for graph bench scenarios)
-- docs/modules/signals/architecture.md (for reachability benches)
-- docs/modules/policy/architecture.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | TODO | Due 2025-11-26 · Accountable: Bench Guild · Graph Platform Guild | Bench Guild · Graph Platform Guild | Need graph bench harness scaffolding (50k/100k nodes). <br><br> Document artefact/deliverable for BENCH-GRAPH-21-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | TODO | Due 2025-11-26 · Accountable: Bench Guild · UI Guild | Bench Guild · UI Guild | Blocked on 21-001 harness. <br><br> Document artefact/deliverable for BENCH-GRAPH-21-002 and publish location so downstream tasks can proceed. |
-| P3 | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | TODO | Due 2025-11-26 · Accountable: Bench Guild · Scheduler Team | Bench Guild · Scheduler Team | Impact index dataset/replay inputs not provided. <br><br> Document artefact/deliverable for BENCH-IMPACT-16-001 and publish location so downstream tasks can proceed. |
-| P4 | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | TODO | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild · Scheduler Guild | Bench Guild · Policy Guild · Scheduler Guild | Policy delta sample inputs missing. <br><br> Document artefact/deliverable for BENCH-POLICY-20-002 and publish location so downstream tasks can proceed. |
-| P5 | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | TODO | Due 2025-11-26 · Accountable: Bench Guild · Signals Guild | Bench Guild · Signals Guild | Reachability schema/fixtures pending Sprint 0400/0401. <br><br> Document artefact/deliverable for BENCH-SIG-26-001 and publish location so downstream tasks can proceed. |
-| P6 | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | TODO | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild | Bench Guild · Policy Guild | Blocked on 26-001 outputs. <br><br> Document artefact/deliverable for BENCH-SIG-26-002 and publish location so downstream tasks can proceed. |
-| 1 | BENCH-GRAPH-21-001 | BLOCKED | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
-| 2 | BENCH-GRAPH-21-002 | BLOCKED | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
-| 3 | BENCH-GRAPH-24-002 | BLOCKED | Waiting for 50k/100k graph fixture (SAMPLES-GRAPH-24-003) | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
-| 4 | BENCH-IMPACT-16-001 | BLOCKED | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
-| 5 | BENCH-POLICY-20-002 | BLOCKED | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
-| 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
-| 7 | BENCH-SIG-26-002 | BLOCKED | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
-
-## Execution Log
+# Sprint 0512 · Ops & Offline · Bench (190.G)
+
+## Topic & Scope
+- Build and capture performance benchmarks for graph, UI interactions, impact index, policy deltas, and reachability scoring to support offline/ops readiness.
+- Target harnesses under `src/Bench/StellaOps.Bench` with reproducible datasets.
+- **Working directory:** `src/Bench/StellaOps.Bench`.
+
+## Dependencies & Concurrency
+- Upstream data: graph fixtures (SAMPLES-GRAPH-24-003), reachability schema (Sprint 0400/0401), policy delta inputs.
+- UI bench depends on BENCH-GRAPH-21-001/002 harness foundation.
+
+## Documentation Prerequisites
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/graph/architecture.md (for graph bench scenarios)
+- docs/modules/signals/architecture.md (for reachability benches)
+- docs/modules/policy/architecture.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | DONE (2025-11-20) | Prep doc at `docs/benchmarks/graph/bench-graph-21-001-prep.md`; awaits fixtures (SAMPLES-GRAPH-24-003). | Bench Guild · Graph Platform Guild | Need graph bench harness scaffolding (50k/100k nodes). <br><br> Document artefact/deliverable for BENCH-GRAPH-21-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · UI Guild | Bench Guild · UI Guild | Prep artefact published at `docs/benchmarks/graph/bench-graph-21-002-prep.md` (Playwright UI bench plan leveraging 50k/100k fixtures; scenarios, metrics, determinism). |
+| P3 | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · Scheduler Team | Bench Guild · Scheduler Team | Prep artefact published at `docs/benchmarks/impact/bench-impact-16-001-prep.md` (dataset shape, replay plan, deterministic metrics). |
+| P4 | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild · Scheduler Guild | Bench Guild · Policy Guild · Scheduler Guild | Prep artefact published at `docs/benchmarks/policy/bench-policy-20-002-prep.md` (baseline + delta datasets, deterministic harness plan, metrics). |
+| P5 | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | DONE (2025-11-20) | Prep doc at `docs/benchmarks/signals/bench-sig-26-001-prep.md`; awaits reachability schema hash. | Bench Guild · Signals Guild | Reachability schema/fixtures pending Sprint 0400/0401. <br><br> Document artefact/deliverable for BENCH-SIG-26-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | DONE (2025-11-20) | Prep doc at `docs/benchmarks/signals/bench-sig-26-002-prep.md`; depends on 26-001 datasets. | Bench Guild · Policy Guild | Blocked on 26-001 outputs. <br><br> Document artefact/deliverable for BENCH-SIG-26-002 and publish location so downstream tasks can proceed. |
+| 1 | BENCH-GRAPH-21-001 | BLOCKED | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
+| 2 | BENCH-GRAPH-21-002 | BLOCKED | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
+| 3 | BENCH-GRAPH-24-002 | BLOCKED | Waiting for 50k/100k graph fixture (SAMPLES-GRAPH-24-003) | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
+| 4 | BENCH-IMPACT-16-001 | BLOCKED | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
+| 5 | BENCH-POLICY-20-002 | BLOCKED | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
+| 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
+| 7 | BENCH-SIG-26-002 | BLOCKED | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
+
+## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed PREP-BENCH-GRAPH-21-002: published UI bench prep doc at `docs/benchmarks/graph/bench-graph-21-002-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-BENCH-IMPACT-16-001: published impact index bench prep doc at `docs/benchmarks/impact/bench-impact-16-001-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Completed PREP-BENCH-POLICY-20-002: published policy delta bench prep doc at `docs/benchmarks/policy/bench-policy-20-002-prep.md`; status set to DONE. | Implementer |
+| 2025-11-20 | Published prep artefacts for PREP-BENCH-GRAPH-21-001, PREP-BENCH-SIG-26-001, and PREP-BENCH-SIG-26-002 under `docs/benchmarks/`; marked P1, P5, P6 DONE. | Implementer |
 | 2025-11-19 | Trimmed trailing hyphen from PREP-BENCH-POLICY-20-002 Task ID to keep BENCH-POLICY-20-002 blocker resolvable. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Marked BENCH-GRAPH-24-002, BENCH-IMPACT-16-001, BENCH-POLICY-20-002, BENCH-SIG-26-001/002 as BLOCKED pending fixtures/datasets and reachability schema. | Bench |
-| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_512_bench.md. | Ops/Docs |
-
-## Decisions & Risks
-- Graph/UI benches depend on large fixtures (SAMPLES-GRAPH-24-003) and graph overlay schema; risk until fixtures land.
-- Reachability benches depend on runtime/static schema alignment (Sprint 0400/0401) and fixture relocation.
-- Policy/Impact benches require deterministic datasets; ensure no online dependencies.
-
-## Next Checkpoints
-- 2025-11-22 · Confirm availability of graph fixtures for BENCH-GRAPH-21-001/002/24-002. Owner: Bench Guild.
-- 2025-11-24 · Reachability schema alignment outcome to unblock BENCH-SIG-26-001. Owner: Signals Guild.
-- 2025-11-26 · Decide impact index dataset for BENCH-IMPACT-16-001. Owner: Scheduler Team.
+| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_512_bench.md. | Ops/Docs |
+
+## Decisions & Risks
+- Graph/UI benches depend on large fixtures (SAMPLES-GRAPH-24-003) and graph overlay schema; risk until fixtures land.
+- Reachability benches depend on runtime/static schema alignment (Sprint 0400/0401) and fixture relocation.
+- Policy/Impact benches require deterministic datasets; ensure no online dependencies.
+
+## Next Checkpoints
+- 2025-11-22 · Confirm availability of graph fixtures for BENCH-GRAPH-21-001/002/24-002. Owner: Bench Guild.
+- 2025-11-24 · Reachability schema alignment outcome to unblock BENCH-SIG-26-001. Owner: Signals Guild.
+- 2025-11-26 · Decide impact index dataset for BENCH-IMPACT-16-001. Owner: Scheduler Team.

docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md

@@ -1,53 +1,54 @@
-# Sprint 0514 · Ops & Offline · Sovereign Crypto Enablement (190.K)
-
-## Topic & Scope
-- Deliver RootPack_RU-ready sovereign crypto providers (CryptoPro + PKCS#11), configuration knobs, deterministic tests, and repo-wide crypto routing audit.
-- Maintain quarantined fork for GostCryptography/CryptoPro plugin and ensure Authority/Scanner/Attestor route through registry-based providers.
-- **Working directory:** `src/__Libraries/StellaOps.Cryptography*`, `src/Authority`, `src/Scanner`, `src/Attestor`, `third_party/forks/AlexMAS.GostCryptography`.
-
-## Dependencies & Concurrency
-- Authority signing provider contract and JWKS export requirements (blocking AUTH-CRYPTO-90-001).
-- CI runners must support platform-specific CryptoPro/PKCS#11 tests (env/pin gated); may need opt-in pipelines.
-
-## Documentation Prerequisites
-- docs/security/rootpack_ru_*.md
-- docs/dev/crypto.md
-- docs/modules/platform/architecture-overview.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| P1 | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | TODO | Due 2025-11-26 · Accountable: Authority Core & Security Guild | Authority Core & Security Guild | Needs Authority provider/key format spec & JWKS export requirements. <br><br> Document artefact/deliverable for AUTH-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
-| 1 | SEC-CRYPTO-90-017 | TODO | Fork present; integrate into solution | Security Guild | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the repo and publishes artifacts. |
-| 2 | SEC-CRYPTO-90-018 | TODO | After 90-017 | Security & Docs Guilds | Update developer/RootPack documentation to describe the fork, sync steps, and licensing. |
-| 3 | SEC-CRYPTO-90-019 | TODO | After 90-017 | Security Guild | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 deps; retarget .NET 8+, rerun tests. |
-| 4 | SEC-CRYPTO-90-020 | TODO | After 90-017/019 | Security Guild | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources and prove end-to-end plugin wiring. |
-| 5 | SEC-CRYPTO-90-021 | TODO | After 90-020 | Security & QA Guilds | Validate forked library + plugin on Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback); document prerequisites. |
-| 6 | SEC-CRYPTO-90-012 | TODO | Env-gated | Security Guild | Add CryptoPro + PKCS#11 integration tests and hook into `scripts/crypto/run-rootpack-ru-tests.sh`. |
-| 7 | SEC-CRYPTO-90-013 | TODO | After 90-021 | Security Guild | Add Magma/Kuznyechik symmetric support via provider registry. |
-| 8 | SEC-CRYPTO-90-014 | TODO | After Authority contract confirmed | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
-| 9 | SEC-CRYPTO-90-015 | TODO | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
-| 10 | AUTH-CRYPTO-90-001 | BLOCKED | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
-| 11 | SCANNER-CRYPTO-90-001 | TODO | Needs registry wiring | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
-| 12 | SCANNER-WORKER-CRYPTO-90-001 | TODO | After 11 | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
-| 13 | SCANNER-CRYPTO-90-002 | TODO | PQ profile | Scanner WebService Guild · Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
-| 14 | SCANNER-CRYPTO-90-003 | TODO | After 13 | Scanner Worker Guild · QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
-| 15 | ATTESTOR-CRYPTO-90-001 | TODO | Registry wiring | Attestor Service Guild · Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
+# Sprint 0514 · Ops & Offline · Sovereign Crypto Enablement (190.K)
+
+## Topic & Scope
+- Deliver RootPack_RU-ready sovereign crypto providers (CryptoPro + PKCS#11), configuration knobs, deterministic tests, and repo-wide crypto routing audit.
+- Maintain quarantined fork for GostCryptography/CryptoPro plugin and ensure Authority/Scanner/Attestor route through registry-based providers.
+- **Working directory:** `src/__Libraries/StellaOps.Cryptography*`, `src/Authority`, `src/Scanner`, `src/Attestor`, `third_party/forks/AlexMAS.GostCryptography`.
+
+## Dependencies & Concurrency
+- Authority signing provider contract and JWKS export requirements (blocking AUTH-CRYPTO-90-001).
+- CI runners must support platform-specific CryptoPro/PKCS#11 tests (env/pin gated); may need opt-in pipelines.
+
+## Documentation Prerequisites
+- docs/security/rootpack_ru_*.md
+- docs/dev/crypto.md
+- docs/modules/platform/architecture-overview.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | DONE (2025-11-20) | Prep note at `docs/modules/authority/prep/2025-11-20-auth-crypto-provider-prep.md`; awaiting contract publication. | Authority Core & Security Guild | Needs Authority provider/key format spec & JWKS export requirements. <br><br> Document artefact/deliverable for AUTH-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
+| 1 | SEC-CRYPTO-90-017 | TODO | Fork present; integrate into solution | Security Guild | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the repo and publishes artifacts. |
+| 2 | SEC-CRYPTO-90-018 | TODO | After 90-017 | Security & Docs Guilds | Update developer/RootPack documentation to describe the fork, sync steps, and licensing. |
+| 3 | SEC-CRYPTO-90-019 | TODO | After 90-017 | Security Guild | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 deps; retarget .NET 8+, rerun tests. |
+| 4 | SEC-CRYPTO-90-020 | TODO | After 90-017/019 | Security Guild | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources and prove end-to-end plugin wiring. |
+| 5 | SEC-CRYPTO-90-021 | TODO | After 90-020 | Security & QA Guilds | Validate forked library + plugin on Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback); document prerequisites. |
+| 6 | SEC-CRYPTO-90-012 | TODO | Env-gated | Security Guild | Add CryptoPro + PKCS#11 integration tests and hook into `scripts/crypto/run-rootpack-ru-tests.sh`. |
+| 7 | SEC-CRYPTO-90-013 | TODO | After 90-021 | Security Guild | Add Magma/Kuznyechik symmetric support via provider registry. |
+| 8 | SEC-CRYPTO-90-014 | TODO | After Authority contract confirmed | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
+| 9 | SEC-CRYPTO-90-015 | TODO | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
+| 10 | AUTH-CRYPTO-90-001 | BLOCKED | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
+| 11 | SCANNER-CRYPTO-90-001 | TODO | Needs registry wiring | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
+| 12 | SCANNER-WORKER-CRYPTO-90-001 | TODO | After 11 | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
+| 13 | SCANNER-CRYPTO-90-002 | TODO | PQ profile | Scanner WebService Guild · Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
+| 14 | SCANNER-CRYPTO-90-003 | TODO | After 13 | Scanner Worker Guild · QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
+| 15 | ATTESTOR-CRYPTO-90-001 | TODO | Registry wiring | Attestor Service Guild · Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_514_sovereign_crypto_enablement.md. | Security Docs |
 | 2025-11-18 | Downloaded MongoDB 4.4.4 binaries into `local-nuget/mongo2go/4.1.0/tools/mongodb-linux-4.4.4-database-tools-100.3.1/community-server/mongodb-linux-x86_64-ubuntu2004-4.4.4/bin/mongod`; reran `dotnet vstest …AdvisoryChunksEndpoint_ReturnsParagraphAnchors` but Mongo2Go still cannot connect (timeout/connection refused to 127.0.0.1). Concelier AOC tasks remain BLOCKED pending stable Mongo2Go startup. | Concelier WebService |
 | 2025-11-18 | Targeted `dotnet vstest ...StellaOps.Concelier.WebService.Tests.dll --TestCaseFilter:AdvisoryChunksEndpoint_ReturnsParagraphAnchors` failed: Mongo2Go cannot start (mongod binaries not found; connection refused 127.0.0.1:35961). Concelier AOC tasks remain BLOCKED pending usable Mongo2Go binary path. | Concelier WebService |
-
-## Decisions & Risks
-- AUTH-CRYPTO-90-001 blocking: Authority provider/key contract not yet published; SME needed to define mapping to registry + JWKS export.
-- CI coverage for CryptoPro/PKCS#11 may require optional pipelines; guard with env/pin gating to keep default CI green.
-- PQ support requires provider options design; keep deterministic hashing across providers.
-
-## Next Checkpoints
-- 2025-11-19 · Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core.
-- 2025-11-21 · Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild.
-- 2025-11-24 · Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild.
+| 2025-11-20 | Published Authority crypto provider/JWKS prep note (`docs/modules/authority/prep/2025-11-20-auth-crypto-provider-prep.md`); marked PREP-AUTH-CRYPTO-90-001 DONE. | Implementer |
+
+## Decisions & Risks
+- AUTH-CRYPTO-90-001 blocking: Authority provider/key contract not yet published; SME needed to define mapping to registry + JWKS export.
+- CI coverage for CryptoPro/PKCS#11 may require optional pipelines; guard with env/pin gating to keep default CI green.
+- PQ support requires provider options design; keep deterministic hashing across providers.
+
+## Next Checkpoints
+- 2025-11-19 · Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core.
+- 2025-11-21 · Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild.
+- 2025-11-24 · Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild.

docs/implplan/SPRINT_110_ingestion_evidence.md

@@ -1,102 +1,103 @@
-# Sprint 110 · Ingestion & Evidence
-
-## Topic & Scope
-- Finalise Advisory AI guardrail evidence (docs, SBOM feeds, policy knobs) while keeping customer rollout unblocked.
-- Land Concelier structured caching + telemetry so Link-Not-Merge schemas can feed downstream consoles, air-gap bundles, and attestations.
-- Prepare Excititor chunk API, telemetry, and attestation contracts for deterministic VEX evidence delivery.
-- Staff and kick off the Mirror assembler so deterministic bundles, DSSE/TUF metadata, and CLI/Export Center automation can start.
-
-## Dependencies & Concurrency
-- Upstream: Sprint 100.A (Attestor) must remain green; Excititor/Concelier depend on Link-Not-Merge schema set (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`). Advisory AI docs require SBOM/CLI/Policy/DevOps deliverables (`SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001`).
-- Sprint 110 peers (111–119 range) stay independent; no intra-decade dependencies are permitted.
-- Evidence Locker contract and Mirror staffing decisions affect Excititor attestation work and Mirror tracks respectively.
-
-## Documentation Prerequisites
-- `docs/modules/advisory-ai/architecture.md`
-- `docs/modules/concelier/architecture.md`
-- `docs/modules/excititor/architecture.md`
-- `docs/modules/export-center/architecture.md`
-- `docs/modules/airgap/architecture.md` (timeline + bundle requirements)
-
-## Task Board
-| Wave | Task ID | Status | Owner(s) | Dependencies | Notes |
-| --- | --- | --- | --- | --- | --- |
-| 110.B Concelier | PREP-LNM-SCHEMA-APPROVAL | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Core · Cartographer Guild · SBOM Service Guild | — | Approve Link-Not-Merge schema plus fixtures (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) and publish canonical JSON samples + precedence rules for consuming modules. <br><br>Archive decision + artefacts under `docs/modules/concelier/link-not-merge-schema.md` so downstream Concelier/Excititor/Policy tasks can bind to the frozen payload shape. |
-| 110.B Concelier | PREP-EVIDENCE-LOCKER-CONTRACT | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Evidence Locker Guild · Concelier Core Guild | — | Freeze the Evidence Locker attestation scope + ingest contract (bundle predicates, transparency metadata, verification plan) and record DOI/location for Evidence Bundle v1. <br><br>Publish the signed decision in `docs/modules/evidence-locker/attestation-contract.md` and note required claim set plus validation fixtures. |
-| 110.B Concelier | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Feed Owners · Product Advisory Guild | — | Provide remediation/refresh schedule and schema notes for ICSCISA/KISA feeds, covering provenance gaps and upcoming advisory drops. <br><br>Store the runbook in `docs/modules/concelier/feeds/icscisa-kisa.md` with owners and next review date so connector work can proceed deterministically. |
-| 110.C Excititor | PREP-EXCITITOR-ATTESTATION-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Excititor Guild · Evidence Locker Guild | — | Align Excititor chunk/attestation plans with Evidence Locker scope: spell out ingestion contract, chunk schema, and DSSE bundling rules. <br><br>Publish the plan in `docs/modules/excititor/attestation-plan.md` and include sample payloads for `/vex/evidence/chunks` + attestation APIs. |
-| 110.D Mirror | PREP-MIRROR-STAFFING | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Mirror Creator Guild · Exporter Guild · AirGap Time Guild | — | Assign owner(s) for MIRROR-CRT-56-001, confirm DSSE/TUF milestone schedule, and record staffing commitments for follow-on CRT tasks. <br><br>Document the staffing decision and milestone plan in `docs/modules/mirror/assembler.md` so downstream automation (Export Center, AirGap Time, CLI) can execute. |
-| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
-| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
-| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Policy knob work landed; proceed with packaging and deployment steps. |
-| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
-| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
-| 110.B Concelier | CONCELIER-AIAI-31-002 | DONE (2025-11-20) | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | LNM cache plan published at docs/modules/concelier/operations/lnm-cache-plan.md aligned to frozen schema. |
-| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
-| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until schema approval + attestation scope sign-off. |
-| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-20) | Concelier Console Guild | PREP-LNM-SCHEMA-APPROVAL | Console consumption contract published at docs/modules/concelier/operations/console-lnm-consumption.md. |
-| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until structured caching lands and Evidence Locker contract finalises. |
-| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | PREP-FEEDCONN-ICS-KISA-PLAN | Overdue provenance refreshes require schedule from feed owners. |
-| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
-| 110.C Excititor | EXCITITOR-AIAI-31-002 | DONE (2025-11-20) | Excititor Web/Core Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Chunk ingestion API spec published (schemas/vex-chunk-api.yaml) aligned with attestation plan. |
-| 110.C Excititor | EXCITITOR-AIAI-31-003 | DONE (2025-11-20) | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Chunk telemetry added (meter StellaOps.Excititor.Chunks) and wired in /v1/vex/evidence/chunks handler. |
-| 110.C Excititor | EXCITITOR-AIAI-31-004 | DONE (2025-11-20) | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Chunk API user guide published at docs/modules/excititor/operations/chunk-api-user-guide.md. |
-| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | DONE (2025-11-20) | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation verify endpoint wired to Evidence Locker contract (`/v1/attestations/verify`), leveraging attestation verifier + telemetry. |
-| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Blocked until schema + attestation readiness. |
-| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | PREP-MIRROR-STAFFING | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
-| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
-| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
-| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
-| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Blocked pending MIRROR-CRT-56-001 ownership. |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-20 | CONCELIER-CONSOLE-23-001..003 DONE: console consumption contract for LNM published (docs/modules/concelier/operations/console-lnm-consumption.md). | Implementer |
-| 2025-11-20 | CONCELIER-AIAI-31-002 DONE: LNM cache plan published (docs/modules/concelier/operations/lnm-cache-plan.md) using frozen schema + Evidence Locker contract. | Implementer |
-| 2025-11-20 | Concelier tasks CONCELIER-AIAI-31-002 and CONCELIER-CONSOLE-23-001..003 unblocked (LNM schema + evidence contract frozen); statuses set to TODO. | Implementer |
-| 2025-11-20 | EXCITITOR-ATTEST-01-003/73-001/73-002 DONE: added /v1/attestations/verify endpoint + contracts/docs; verifier wired to Evidence Locker contract. | Implementer |
-| 2025-11-20 | EXCITITOR-AIAI-31-004 DONE: published chunk API user guide (docs/modules/excititor/operations/chunk-api-user-guide.md). | Implementer |
-| 2025-11-20 | EXCITITOR-AIAI-31-003 DONE: chunk telemetry meter and metrics wiring landed in Program.cs; ops note at docs/modules/excititor/operations/chunk-telemetry.md. | Implementer |
-| 2025-11-20 | Marked EXCITITOR-AIAI-31-002 DONE; chunk API OpenAPI spec added at docs/modules/excititor/schemas/vex-chunk-api.yaml. | Implementer |
-| 2025-11-20 | EXCITITOR-AIAI-31-002 unblocked (prep complete); starting chunk API spec + schema under docs/modules/excititor/schemas. | Implementer |
-| 2025-11-20 | PREP-MIRROR-STAFFING completed; staffing/milestones recorded at docs/modules/mirror/assembler.md. | Implementer |
-| 2025-11-20 | PREP-EXCITITOR-ATTESTATION-PLAN completed; plan at docs/modules/excititor/attestation-plan.md. | Implementer |
-| 2025-11-20 | PREP-FEEDCONN-ICS-KISA-PLAN completed; remediation plan lives at docs/modules/concelier/feeds/icscisa-kisa.md (v0.1). | Implementer |
-| 2025-11-20 | PREP-EVIDENCE-LOCKER-CONTRACT completed; contract published at docs/modules/evidence-locker/attestation-contract.md. | Implementer |
-| 2025-11-20 | PREP-LNM-SCHEMA-APPROVAL completed; schema frozen in docs/modules/concelier/link-not-merge-schema.md; samples in docs/samples/lnm/*.json. | Implementer |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
-| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
-| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
-| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
-| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
-
-## Decisions & Risks
-### Decisions in flight
-| Decision | Blocking work | Accountable owner(s) | Due date |
-| --- | --- | --- | --- |
-| Confirm SBOM/CLI/Policy/DevOps delivery dates | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-14 |
-| Approve Link-Not-Merge schema (CONCELIER-GRAPH-21-001/002, CARTO-GRAPH-21-002) | CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
-| Assign MIRROR-CRT-56-001 owner | Entire Mirror wave + Export Center + AirGap Time automation | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-15 |
-| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-15 |
-| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-15 |
-
-### Risk outlook (2025-11-13)
-| Risk | Impact | Mitigation / owner |
-| --- | --- | --- |
-| SBOM/CLI/Policy/DevOps artefacts slip past 14 Nov | Advisory AI docs + SBOM feeds stay blocked, delaying customer rollout & dependent sprints. | Lock ETAs during 14 Nov interlock; escalate to Advisory AI leadership if commitments slip. |
-| Link-Not-Merge schema approval delayed | Concelier/Excititor APIs, console overlays, and air-gap bundles remain gated. | Close 14 Nov review with migration notes; unblock tasks immediately after approval. |
-| Excititor attestation backlog stalls | VEX evidence + air-gap parity cannot progress; Mirror support drifts. | Use 15 Nov sequencing session to lock order, reserve engineering capacity. |
-| MIRROR-CRT-56-001 remains unstaffed | DSSE/TUF, OCI/time-anchor, CLI, Export Center automation cannot start (Sprint 125 slips). | Assign owner at kickoff; reallocate Export/AirGap engineers if needed. |
-| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations by 15 Nov stand-up. |
-
-## Next Checkpoints
-| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
-| --- | --- | --- | --- | --- |
-| 2025-11-14 | Advisory AI customer surfaces follow-up | Capture SBOM/CLI/Policy/DevOps ETAs to restart DOCS/SBOM work. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
-| 2025-11-14 | Link-Not-Merge schema review | Approve schema payloads + migration notes. | 110.B · 110.C | Concelier Core · Cartographer Guild · SBOM Service Guild |
-| 2025-11-15 | Excititor attestation sequencing | Lock Evidence Locker contract + backlog order. | 110.C | Excititor Web/Core · Evidence Locker Guild |
-| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, confirm staffing, outline DSSE/TUF + OCI milestones. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
-
-## Appendix
-- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.
+# Sprint 110 · Ingestion & Evidence
+
+## Topic & Scope
+- Finalise Advisory AI guardrail evidence (docs, SBOM feeds, policy knobs) while keeping customer rollout unblocked.
+- Land Concelier structured caching + telemetry so Link-Not-Merge schemas can feed downstream consoles, air-gap bundles, and attestations.
+- Prepare Excititor chunk API, telemetry, and attestation contracts for deterministic VEX evidence delivery.
+- Staff and kick off the Mirror assembler so deterministic bundles, DSSE/TUF metadata, and CLI/Export Center automation can start.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 100.A (Attestor) must remain green; Excititor/Concelier depend on Link-Not-Merge schema set (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`). Advisory AI docs require SBOM/CLI/Policy/DevOps deliverables (`SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001`).
+- Sprint 110 peers (111–119 range) stay independent; no intra-decade dependencies are permitted.
+- Evidence Locker contract and Mirror staffing decisions affect Excititor attestation work and Mirror tracks respectively.
+
+## Documentation Prerequisites
+- `docs/modules/advisory-ai/architecture.md`
+- `docs/modules/concelier/architecture.md`
+- `docs/modules/excititor/architecture.md`
+- `docs/modules/export-center/architecture.md`
+- `docs/modules/airgap/architecture.md` (timeline + bundle requirements)
+
+## Task Board
+| Wave | Task ID | Status | Owner(s) | Dependencies | Notes |
+| --- | --- | --- | --- | --- | --- |
+| 110.B Concelier | PREP-LNM-SCHEMA-APPROVAL | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Core · Cartographer Guild · SBOM Service Guild | — | Approve Link-Not-Merge schema plus fixtures (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) and publish canonical JSON samples + precedence rules for consuming modules. <br><br>Archive decision + artefacts under `docs/modules/concelier/link-not-merge-schema.md` so downstream Concelier/Excititor/Policy tasks can bind to the frozen payload shape. |
+| 110.B Concelier | PREP-EVIDENCE-LOCKER-CONTRACT | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Evidence Locker Guild · Concelier Core Guild | — | Freeze the Evidence Locker attestation scope + ingest contract (bundle predicates, transparency metadata, verification plan) and record DOI/location for Evidence Bundle v1. <br><br>Publish the signed decision in `docs/modules/evidence-locker/attestation-contract.md` and note required claim set plus validation fixtures. |
+| 110.B Concelier | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Concelier Feed Owners · Product Advisory Guild | — | Provide remediation/refresh schedule and schema notes for ICSCISA/KISA feeds, covering provenance gaps and upcoming advisory drops. <br><br>Store the runbook in `docs/modules/concelier/feeds/icscisa-kisa.md` with owners and next review date so connector work can proceed deterministically. |
+| 110.C Excititor | PREP-EXCITITOR-ATTESTATION-PLAN | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Excititor Guild · Evidence Locker Guild | — | Align Excititor chunk/attestation plans with Evidence Locker scope: spell out ingestion contract, chunk schema, and DSSE bundling rules. <br><br>Publish the plan in `docs/modules/excititor/attestation-plan.md` and include sample payloads for `/vex/evidence/chunks` + attestation APIs. |
+| 110.D Mirror | PREP-MIRROR-STAFFING | DONE (2025-11-20) | Due 2025-11-21 · Accountable: —; Mirror Creator Guild · Exporter Guild · AirGap Time Guild | — | Assign owner(s) for MIRROR-CRT-56-001, confirm DSSE/TUF milestone schedule, and record staffing commitments for follow-on CRT tasks. <br><br>Document the staffing decision and milestone plan in `docs/modules/mirror/assembler.md` so downstream automation (Export Center, AirGap Time, CLI) can execute. |
+| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
+| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
+| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Policy knob work landed; proceed with packaging and deployment steps. |
+| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
+| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
+| 110.B Concelier | CONCELIER-AIAI-31-002 | DONE (2025-11-20) | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | LNM cache plan published at docs/modules/concelier/operations/lnm-cache-plan.md aligned to frozen schema. |
+| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
+| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until schema approval + attestation scope sign-off. |
+| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | DONE (2025-11-20) | Concelier Console Guild | PREP-LNM-SCHEMA-APPROVAL | Console consumption contract published at docs/modules/concelier/operations/console-lnm-consumption.md. |
+| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until structured caching lands and Evidence Locker contract finalises. |
+| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | PREP-FEEDCONN-ICS-KISA-PLAN | Overdue provenance refreshes require schedule from feed owners. |
+| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
+| 110.C Excititor | EXCITITOR-AIAI-31-002 | DONE (2025-11-20) | Excititor Web/Core Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Chunk ingestion API spec published (schemas/vex-chunk-api.yaml) aligned with attestation plan. |
+| 110.C Excititor | EXCITITOR-AIAI-31-003 | DONE (2025-11-20) | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Chunk telemetry added (meter StellaOps.Excititor.Chunks) and wired in /v1/vex/evidence/chunks handler. |
+| 110.C Excititor | EXCITITOR-AIAI-31-004 | DONE (2025-11-20) | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Chunk API user guide published at docs/modules/excititor/operations/chunk-api-user-guide.md. |
+| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | DONE (2025-11-20) | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Attestation verify endpoint wired to Evidence Locker contract (`/v1/attestations/verify`), leveraging attestation verifier + telemetry. |
+| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Blocked until schema + attestation readiness. |
+| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | PREP-MIRROR-STAFFING | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
+| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
+| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
+| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
+| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Blocked pending MIRROR-CRT-56-001 ownership. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-20 | Concelier WebService tests could not run locally (Mongo2Go requires libcrypto.so.1.1). Endpoint compiled; rerun tests once OpenSSL 1.1 shim available. | Implementer |
+| 2025-11-20 | CONCELIER-CONSOLE-23-001..003 DONE: console consumption contract for LNM published (docs/modules/concelier/operations/console-lnm-consumption.md). | Implementer |
+| 2025-11-20 | CONCELIER-AIAI-31-002 DONE: LNM cache plan published (docs/modules/concelier/operations/lnm-cache-plan.md) using frozen schema + Evidence Locker contract. | Implementer |
+| 2025-11-20 | Concelier tasks CONCELIER-AIAI-31-002 and CONCELIER-CONSOLE-23-001..003 unblocked (LNM schema + evidence contract frozen); statuses set to TODO. | Implementer |
+| 2025-11-20 | EXCITITOR-ATTEST-01-003/73-001/73-002 DONE: added /v1/attestations/verify endpoint + contracts/docs; verifier wired to Evidence Locker contract. | Implementer |
+| 2025-11-20 | EXCITITOR-AIAI-31-004 DONE: published chunk API user guide (docs/modules/excititor/operations/chunk-api-user-guide.md). | Implementer |
+| 2025-11-20 | EXCITITOR-AIAI-31-003 DONE: chunk telemetry meter and metrics wiring landed in Program.cs; ops note at docs/modules/excititor/operations/chunk-telemetry.md. | Implementer |
+| 2025-11-20 | Marked EXCITITOR-AIAI-31-002 DONE; chunk API OpenAPI spec added at docs/modules/excititor/schemas/vex-chunk-api.yaml. | Implementer |
+| 2025-11-20 | EXCITITOR-AIAI-31-002 unblocked (prep complete); starting chunk API spec + schema under docs/modules/excititor/schemas. | Implementer |
+| 2025-11-20 | PREP-MIRROR-STAFFING completed; staffing/milestones recorded at docs/modules/mirror/assembler.md. | Implementer |
+| 2025-11-20 | PREP-EXCITITOR-ATTESTATION-PLAN completed; plan at docs/modules/excititor/attestation-plan.md. | Implementer |
+| 2025-11-20 | PREP-FEEDCONN-ICS-KISA-PLAN completed; remediation plan lives at docs/modules/concelier/feeds/icscisa-kisa.md (v0.1). | Implementer |
+| 2025-11-20 | PREP-EVIDENCE-LOCKER-CONTRACT completed; contract published at docs/modules/evidence-locker/attestation-contract.md. | Implementer |
+| 2025-11-20 | PREP-LNM-SCHEMA-APPROVAL completed; schema frozen in docs/modules/concelier/link-not-merge-schema.md; samples in docs/samples/lnm/*.json. | Implementer |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
+| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
+| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
+| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
+
+## Decisions & Risks
+### Decisions in flight
+| Decision | Blocking work | Accountable owner(s) | Due date |
+| --- | --- | --- | --- |
+| Confirm SBOM/CLI/Policy/DevOps delivery dates | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-14 |
+| Approve Link-Not-Merge schema (CONCELIER-GRAPH-21-001/002, CARTO-GRAPH-21-002) | CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
+| Assign MIRROR-CRT-56-001 owner | Entire Mirror wave + Export Center + AirGap Time automation | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-15 |
+| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-15 |
+| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-15 |
+
+### Risk outlook (2025-11-13)
+| Risk | Impact | Mitigation / owner |
+| --- | --- | --- |
+| SBOM/CLI/Policy/DevOps artefacts slip past 14 Nov | Advisory AI docs + SBOM feeds stay blocked, delaying customer rollout & dependent sprints. | Lock ETAs during 14 Nov interlock; escalate to Advisory AI leadership if commitments slip. |
+| Link-Not-Merge schema approval delayed | Concelier/Excititor APIs, console overlays, and air-gap bundles remain gated. | Close 14 Nov review with migration notes; unblock tasks immediately after approval. |
+| Excititor attestation backlog stalls | VEX evidence + air-gap parity cannot progress; Mirror support drifts. | Use 15 Nov sequencing session to lock order, reserve engineering capacity. |
+| MIRROR-CRT-56-001 remains unstaffed | DSSE/TUF, OCI/time-anchor, CLI, Export Center automation cannot start (Sprint 125 slips). | Assign owner at kickoff; reallocate Export/AirGap engineers if needed. |
+| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations by 15 Nov stand-up. |
+
+## Next Checkpoints
+| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
+| --- | --- | --- | --- | --- |
+| 2025-11-14 | Advisory AI customer surfaces follow-up | Capture SBOM/CLI/Policy/DevOps ETAs to restart DOCS/SBOM work. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
+| 2025-11-14 | Link-Not-Merge schema review | Approve schema payloads + migration notes. | 110.B · 110.C | Concelier Core · Cartographer Guild · SBOM Service Guild |
+| 2025-11-15 | Excititor attestation sequencing | Lock Evidence Locker contract + backlog order. | 110.C | Excititor Web/Core · Evidence Locker Guild |
+| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, confirm staffing, outline DSSE/TUF + OCI milestones. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
+
+## Appendix
+- Detailed coordination artefacts, contingency playbook, and historical notes previously held in this sprint now live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.

docs/implplan/SPRINT_123_policy_reasoning.md

@@ -12,18 +12,18 @@ Focus: Policy & Reasoning focus on Policy (phase I).
 | --- | --- | --- | --- | --- |
 | P1 | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | Missing export bundle contract/API surface and scheduler job spec for Console; requires agreed schema and job wiring. <br><br> Document artefact/deliverable for EXPORT-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
 | P2 | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Mirror bundle schema for policy packs not published; need bundle_id/provenance fields and sealed-mode rules. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | TODO | Due 2025-11-22 · Accountable: Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | Depends on 56-001 bundle import schema and DSSE signing profile. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
-| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | TODO | Due 2025-11-22 · Accountable: Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine | Requires sealed-mode contract (egress rules, error codes) after 56-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | TODO | Due 2025-11-22 · Accountable: Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine | Needs staleness/fallback data contract from 57-001. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-002 and publish location so downstream tasks can proceed. |
-| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | TODO | Due 2025-11-22 · Accountable: Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | Notification schema and staleness signals pending from 57-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
-| P7 | PREP-POLICY-AOC-19-001-NEEDS-AGREED-LINTING-T | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Needs agreed linting targets (which ingestion projects, which helpers) and CI wiring; no analyzer/lint spec available. <br><br> Document artefact/deliverable for POLICY-AOC-19-001 and publish location so downstream tasks can proceed. |
-| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | TODO | Due 2025-11-22 · Accountable: Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy | Depends on 19-001 lint implementation and authority contract for `effective:write` gate. <br><br> Document artefact/deliverable for POLICY-AOC-19-002 and publish location so downstream tasks can proceed. |
-| P9 | PREP-POLICY-AOC-19-003-REQUIRES-DECISIONED-NO | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Requires decisioned normalized-field removal contract after 19-002; fixtures not provided. <br><br> Document artefact/deliverable for POLICY-AOC-19-003 and publish location so downstream tasks can proceed. |
-| P10 | PREP-POLICY-AOC-19-004-DEPENDENT-ON-19-003-DA | TODO | Due 2025-11-22 · Accountable: Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy | Dependent on 19-003 data shape and determinism fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-004 and publish location so downstream tasks can proceed. |
-| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY- | TODO | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | VerificationPolicy schema/persistence contract missing; needs Attestor alignment. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-001 and publish location so downstream tasks can proceed. |
-| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Depends on 73-001 editor DTOs and validation schema. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-002 and publish location so downstream tasks can proceed. |
-| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-AND | TODO | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Requires 73-002 and Attestor pipeline contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-001 and publish location so downstream tasks can proceed. |
-| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | TODO | Due 2025-11-22 · Accountable: Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Needs 74-001 surface in Console verification reports contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-airgap-56-002-prep.md`; awaits schema hash from 56-001. | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | Depends on 56-001 bundle import schema and DSSE signing profile. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-airgap-57-001-prep.md`; depends on 56-002 + WEB-OAS-61-002 envelope. | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine | Requires sealed-mode contract (egress rules, error codes) after 56-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-airgap-57-002-prep.md`; awaits staleness metadata inputs. | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine | Needs staleness/fallback data contract from 57-001. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-002 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-airgap-58-001-prep.md`; aligned to notifications schema once available. | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | Notification schema and staleness signals pending from 57-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-AOC-19-001-NEEDS-AGREED-LINTING-T | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-aoc-19-001-prep.md`; awaiting rule set agreement. | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Needs agreed linting targets (which ingestion projects, which helpers) and CI wiring; no analyzer/lint spec available. <br><br> Document artefact/deliverable for POLICY-AOC-19-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-aoc-19-002-prep.md`; depends on lint rules + auth scopes. | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy | Depends on 19-001 lint implementation and authority contract for `effective:write` gate. <br><br> Document artefact/deliverable for POLICY-AOC-19-002 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-AOC-19-003-REQUIRES-DECISIONED-NO | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-aoc-19-003-prep.md`; awaiting field removal decision. | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Requires decisioned normalized-field removal contract after 19-002; fixtures not provided. <br><br> Document artefact/deliverable for POLICY-AOC-19-003 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-AOC-19-004-DEPENDENT-ON-19-003-DA | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-aoc-19-004-prep.md`; depends on field removal list. | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy | Dependent on 19-003 data shape and determinism fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-004 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY- | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Prep artefact published at `docs/modules/policy/prep/2025-11-20-policy-attest-73-001-prep.md` (VerificationPolicy schema/persistence rules). |
+| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Prep artefact published at `docs/modules/policy/prep/2025-11-20-policy-attest-73-002-prep.md` (editor DTOs + validation). |
+| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-AND | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Prep artefact published at `docs/modules/policy/prep/2025-11-20-policy-attest-74-001-prep.md` (policy attestation result schema + endpoint). |
+| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Prep artefact published at `docs/modules/policy/prep/2025-11-20-policy-attest-74-002-prep.md` (Console report extension for attestation results). |
 | 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
 | 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild / src/Policy/StellaOps.Policy.Engine |
 | 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine |
@@ -45,6 +45,7 @@ Focus: Policy & Reasoning focus on Policy (phase I).
 | --- | --- | --- |
 | 2025-11-20 | Drafted export bundle + scheduler contract (docs/modules/policy/design/export-console-bundle-contract.md); pinged Console/Scheduler owners for signer/storage decisions. | Project Mgmt |
 | 2025-11-20 | Confirmed PREP-EXPORT-CONSOLE-23-001 and PREP-POLICY-AIRGAP-56-001 still TODO; moved both to DOING to draft missing export/bundle schemas. | Project Mgmt |
+| 2025-11-20 | Published prep artefacts for AIRGAP chain (56-002/57-001/57-002/58-001) and AOC lint/normalization (19-001/002/003/004); marked P3–P10 DONE. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Sprint created; awaiting staffing. | Planning |
 | 2025-11-18 | Attempted EXPORT-CONSOLE-23-001 but blocked: no export bundle/schema or scheduler job contract for Console; requires API + signed manifest format before implementation. Marked remaining tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |

docs/implplan/SPRINT_124_policy_reasoning.md

@@ -10,7 +10,7 @@ Focus: Policy & Reasoning focus on Policy (phase II).
 
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
-| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. |
+| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md`; captures evaluator constraints. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. |
 | 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions (Deps: POLICY-CONSOLE-23-001) | Policy Guild, Product Ops / src/Policy/StellaOps.Policy.Engine |
 | 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | Policy Guild / src/Policy/StellaOps.Policy.Engine |
 | 3 | POLICY-ENGINE-20-003 | TODO | Implement selection joiners resolving SBOM↔advisory↔VEX tuples using linksets and PURL equivalence tables, with deterministic batching (Deps: POLICY-ENGINE-20-002) | Policy Guild, Concelier Core Guild, Excititor Core Guild / src/Policy/StellaOps.Policy.Engine |
@@ -28,4 +28,5 @@ Focus: Policy & Reasoning focus on Policy (phase II).
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
-| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-20 | Published deterministic evaluator prep note (`docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md`); set PREP-POLICY-ENGINE-20-002 to DONE. | Implementer |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

docs/implplan/SPRINT_125_policy_reasoning.md

@@ -11,18 +11,18 @@ Focus: Policy & Reasoning focus on Policy (phase III).
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
 | P1 | PREP-POLICY-ENGINE-30-001-WAITING-ON-29-004-M | DOING (2025-11-20) | Due 2025-11-22 · Accountable: Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Waiting on 29-004 metrics/logging outputs to define overlay projection contract. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-001 and publish location so downstream tasks can proceed. |
-| P2 | PREP-POLICY-ENGINE-30-002-SIMULATION-BRIDGE-C | TODO | Due 2025-11-22 · Accountable: Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Simulation bridge cannot proceed until 30-001 overlay schema lands. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
-| P3 | PREP-POLICY-ENGINE-30-003-CHANGE-EVENTS-DEPEN | TODO | Due 2025-11-22 · Accountable: Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Change events depend on simulation bridge (30-002) outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
-| P4 | PREP-POLICY-ENGINE-30-101-TRUST-WEIGHTING-UI- | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Trust weighting UI/API depends on change events + overlays (30-003). <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
-| P5 | PREP-POLICY-ENGINE-31-001-ADVISORY-AI-KNOBS-R | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Advisory AI knobs rely on 30-101 trust weighting surfacing. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
-| P6 | PREP-POLICY-ENGINE-31-002-BATCH-CONTEXT-ENDPO | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Batch context endpoint waits on 31-001 knobs. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
-| P7 | PREP-POLICY-ENGINE-32-101-ORCHESTRATOR-JOB-SC | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Orchestrator job schema depends on 31-002 batch context. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
-| P8 | PREP-POLICY-ENGINE-33-101-WORKER-IMPLEMENTATI | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Worker implementation depends on 32-101 job schema. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
-| P9 | PREP-POLICY-ENGINE-34-101-LEDGER-EXPORT-REQUI | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Ledger export requires 33-101 workers. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
-| P10 | PREP-POLICY-ENGINE-35-201-SNAPSHOT-API-WAITS- | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Snapshot API waits on 34-101 ledger export. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
-| P11 | PREP-POLICY-ENGINE-38-201-VIOLATION-EVENTS-DE | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Violation events depend on 35-201 snapshot stream. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
-| P12 | PREP-POLICY-ENGINE-40-001-SEVERITY-FUSION-DEP | TODO | Due 2025-11-22 · Accountable: Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine | Severity fusion depends on 38-201 violation event payloads. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
-| P13 | PREP-POLICY-ENGINE-40-002-CONFLICT-HANDLING-D | TODO | Due 2025-11-22 · Accountable: Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine | Conflict handling depends on 40-001 severity pipeline changes. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
+| P2 | PREP-POLICY-ENGINE-30-002-SIMULATION-BRIDGE-C | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-simulation-bridge-prep.md`; awaits 30-001 overlay hash. | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Simulation bridge cannot proceed until 30-001 overlay schema lands. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-ENGINE-30-003-CHANGE-EVENTS-DEPEN | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-change-events-prep.md`; depends on 30-002 schema + Scheduler subjects. | Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Change events depend on simulation bridge (30-002) outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-ENGINE-30-101-TRUST-WEIGHTING-UI- | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-trust-weighting-prep.md`; waits on 30-003 outputs. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Trust weighting UI/API depends on change events + overlays (30-003). <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-ENGINE-31-001-ADVISORY-AI-KNOBS-R | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-advisory-ai-knobs-prep.md`; awaits 30-101 weights + AI signal list. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Advisory AI knobs rely on 30-101 trust weighting surfacing. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-ENGINE-31-002-BATCH-CONTEXT-ENDPO | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-batch-context-prep.md`; awaits knobs/overlay hashes. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Batch context endpoint waits on 31-001 knobs. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-ENGINE-32-101-ORCHESTRATOR-JOB-SC | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-orchestrator-job-schema-prep.md`; depends on batch context + Orchestrator envelopes. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Orchestrator job schema depends on 31-002 batch context. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-ENGINE-33-101-WORKER-IMPLEMENTATI | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-worker-implementation-prep.md`; depends on job schema. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Worker implementation depends on 32-101 job schema. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-ENGINE-34-101-LEDGER-EXPORT-REQUI | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-ledger-export-prep.md`; awaits worker outputs + storage decision. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Ledger export requires 33-101 workers. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-ENGINE-35-201-SNAPSHOT-API-WAITS- | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-snapshot-api-prep.md`; depends on ledger export shape. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Snapshot API waits on 34-101 ledger export. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ENGINE-38-201-VIOLATION-EVENTS-DE | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-violation-events-prep.md`; depends on snapshot stream. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Violation events depend on 35-201 snapshot stream. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
+| P12 | PREP-POLICY-ENGINE-40-001-SEVERITY-FUSION-DEP | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-severity-fusion-prep.md`; awaiting violation events + Concelier ranks. | Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine | Severity fusion depends on 38-201 violation event payloads. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
+| P13 | PREP-POLICY-ENGINE-40-002-CONFLICT-HANDLING-D | DONE (2025-11-20) | Prep note at `docs/modules/policy/prep/2025-11-20-conflict-handling-prep.md`; depends on severity fusion. | Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine | Conflict handling depends on 40-001 severity pipeline changes. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
 | 1 | POLICY-ENGINE-29-003 | BLOCKED (2025-11-18) | Waiting on upstream POLICY-ENGINE-29-002 contract details; no path/scope schema or sample payloads available. | Policy Guild, SBOM Service Guild / src/Policy/StellaOps.Policy.Engine |
 | 2 | POLICY-ENGINE-29-004 | BLOCKED (2025-11-18) | Depends on blocked POLICY-ENGINE-29-003 path/scope contract. | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
 | 3 | POLICY-ENGINE-30-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-001-WAITING-ON-29-004-M | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
@@ -50,4 +50,7 @@ Focus: Policy & Reasoning focus on Policy (phase III).
 | 2025-11-20 | Drafted policy overlay projection contract (docs/modules/policy/design/policy-overlay-projection.md); pinged Platform/Observability for 29-004 metrics/log schema. | Project Mgmt |
 | 2025-11-20 | Pinged Cartographer/Platform for 29-004 metrics/log outputs; recorded draft in policy mirror bundle doc for dependency mapping. | Project Mgmt |
 | 2025-11-20 | Verified PREP-POLICY-ENGINE-30-001 still TODO; moved to DOING to draft overlay projection contract (awaiting 29-004 metrics/logging outputs). | Project Mgmt |
+| 2025-11-20 | Published prep artefacts for PREP-POLICY-ENGINE-30-002/003/30-101/31-001 under `docs/modules/policy/prep/`; marked P2–P5 DONE. | Implementer |
+| 2025-11-20 | Published prep artefacts for PREP-POLICY-ENGINE-31-002/32-101/33-101/34-101/35-201 under `docs/modules/policy/prep/`; marked P6–P10 DONE. | Implementer |
+| 2025-11-20 | Published prep artefacts for PREP-POLICY-ENGINE-38-201/40-001/40-002 under `docs/modules/policy/prep/`; marked P11–P13 DONE. | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

docs/implplan/SPRINT_401_reachability_evidence_chain.md

@@ -59,5 +59,15 @@ _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSS
 | QA-CORPUS-401-031 | TODO | Build and publish the multi-runtime reachability corpus (Go/.NET/Python/Rust) with EXPECT.yaml ground truths and captured traces; wire fixtures into CI so reachability scoring and VEX proofs are continuously validated. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) |
 | UI-VEX-401-032 | TODO | Add UI/CLI “Explain/Verify” surfaces on VEX decisions (show call paths, runtime hits, attestation verify button) and align with reachability evidence output. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) |
 | POLICY-GATE-401-033 | TODO | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable` VEX outcomes; fall back to “under review” when symbol confidence is low; update policy docs and tests. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) |
+| GRAPH-PURL-401-034 | TODO | Annotate call edges with callee purl + `symbol_digest`, update `richgraph-v1` schema/CAS, and surface fields in CLI/UI explainers. | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) |
+| SCANNER-BUILDID-401-035 | TODO | Capture `.note.gnu.build-id` for all ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, and runtime facts; add fixtures for build-id present/absent. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) |
+| SCANNER-INITROOT-401-036 | TODO | Model `.preinit_array`/`.init_array`/`_init` and legacy ctor sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist roots in graph evidence. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) |
+| QA-PORACLE-401-037 | TODO | Add `tests/reachability/patch-oracles/**` fixtures (vuln vs fixed), harness to compare graphs vs `oracle.yml`, and CI job to fail when expected functions/edges are missing. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) |
 
 > Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests.
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-20 | Added tasks for purl-resolved edges, ELF build-id propagation, init-array roots, and patch-oracle QA harness; aligned docs references. | Planning |

docs/implplan/blocked_tree.md

@@ -1,390 +1 @@
-# SPRINT_0110_0001_0001_ingestion_evidence.md
-- SBOM-AIAI-31-003 [BLOCKED] (SPRINT_110_ingestion_evidence.md:32)
-- DOCS-AIAI-31-005/006/008/009 [BLOCKED] (SPRINT_110_ingestion_evidence.md:33)
-- CONCELIER-AIRGAP-56-001..58-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:36)
-- CONCELIER-CONSOLE-23-001..003 [BLOCKED] (SPRINT_110_ingestion_evidence.md:37)
-- CONCELIER-ATTEST-73-001/002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:38)
-- FEEDCONN-ICSCISA-02-012 / KISA-02-008 [BLOCKED] (SPRINT_0110_0001_0001_ingestion_evidence.md:47)
-  - PREP-FEEDCONN-ICS-KISA-PLAN [TODO] (SPRINT_110_ingestion_evidence.md:26)
-
-# SPRINT_0114_0001_0003_concelier_iii.md
-- CONCELIER-OAS-61-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:37)
-  - PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:23)
-- CONCELIER-OAS-61-002 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:38)
-  - PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:24)
-- CONCELIER-OAS-62-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:39)
-  - PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:25)
-- CONCELIER-OAS-63-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:40)
-  - PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:26)
-- CONCELIER-OBS-51-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:41)
-  - PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:27)
-- CONCELIER-OBS-52-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:42)
-  - PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:28)
-- CONCELIER-OBS-53-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:43)
-  - PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:29)
-- CONCELIER-OBS-54-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:44)
-  - PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:30)
-- CONCELIER-OBS-55-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:45)
-  - PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:31)
-- CONCELIER-ORCH-32-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:46)
-  - PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:32)
-- CONCELIER-ORCH-32-002 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:47)
-  - PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:33)
-- CONCELIER-ORCH-33-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:48)
-  - PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:34)
-- CONCELIER-ORCH-34-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:49)
-  - PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:35)
-- CONCELIER-POLICY-20-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:50)
-  - PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:36)
-
-# SPRINT_0115_0001_0004_concelier_iv.md
-- CONCELIER-RISK-66-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:31)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-- CONCELIER-RISK-66-002 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:32)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-- CONCELIER-RISK-67-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:33)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-- CONCELIER-RISK-68-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:34)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-  - POLICY-RISK-68-001 [TODO] (SPRINT_0128_0001_0001_policy_reasoning.md:24)
-- CONCELIER-RISK-69-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:35)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-- CONCELIER-SIG-26-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:36)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-  - SIGNALS-24-002 [DOING (2025-11-07)] (SPRINT_0143_0000_0001_signals.md:24)
-    - SIGNALS-24-001 [DONE (2025-11-09)] (SPRINT_0143_0000_0001_signals.md:23)
-      …
-- CONCELIER-STORE-AOC-19-005 [BLOCKED (2025-11-04)] (SPRINT_0115_0001_0004_concelier_iv.md:37)
-  - PREP-CONCELIER-CORE-AOC-19-004 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:23)
-- CONCELIER-TEN-48-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:38)
-  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
-  - PREP-AUTH-TEN-47-001 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:24)
-- CONCELIER-VEXLENS-30-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:39)
-  - PREP-CONCELIER-VULN-29-001 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:25)
-  - VEXLENS-30-005 [TODO] (SPRINT_0129_0001_0001_policy_reasoning.md:42)
-
-# SPRINT_0119_0001_0001_excititor_i.md
-- EXCITITOR-AIRGAP-56-001 [TODO] (SPRINT_0119_0001_0005_excititor_v.md:30)
-- EXCITITOR-AIRGAP-57-001 [BLOCKED] (SPRINT_0119_0001_0001_excititor_i.md:35)
-  - PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 [TODO] (SPRINT_0119_0001_0001_excititor_i.md:26)
-- EXCITITOR-AIRGAP-58-001 [TODO] (SPRINT_0119_0001_0005_excititor_v.md:31)
-- EXCITITOR-CONN-TRUST-01-001 [BLOCKED] (SPRINT_0119_0001_0001_excititor_i.md:40)
-  - PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI [TODO] (SPRINT_0119_0001_0001_excititor_i.md:28)
-
-# SPRINT_0119_0001_0002_excititor_ii.md
-- EXCITITOR-CONSOLE-23-001 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:44)
-  - PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:25)
-- EXCITITOR-CONSOLE-23-002 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:45)
-  - PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:26)
-- EXCITITOR-CONSOLE-23-003 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:46)
-  - PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:27)
-- EXCITITOR-CORE-AOC-19-002 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:47)
-  - PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:28)
-- EXCITITOR-CORE-AOC-19-003 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:48)
-  - PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:29)
-- EXCITITOR-CORE-AOC-19-004 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:49)
-  - PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:30)
-- EXCITITOR-CORE-AOC-19-013 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:50)
-  - PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:31)
-- EXCITITOR-GRAPH-21-001 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:51)
-  - PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:32)
-- EXCITITOR-GRAPH-21-002 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:52)
-  - PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:33)
-- EXCITITOR-GRAPH-21-005 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:53)
-  - PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:34)
-- EXCITITOR-GRAPH-24-101 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:54)
-  - PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:35)
-- EXCITITOR-GRAPH-24-102 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:55)
-  - PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:36)
-- Console APIs [BLOCKED (await contract; LNM view spec needed)] (SPRINT_0119_0001_0002_excititor_ii.md:62)
-- Ingestion idempotency [BLOCKED (linkset schema pending)] (SPRINT_0119_0001_0002_excititor_ii.md:63)
-- Consensus removal [BLOCKED (depends on 19-002/003)] (SPRINT_0119_0001_0002_excititor_ii.md:64)
-- Graph overlays [BLOCKED (awaiting Cartographer contract)] (SPRINT_0119_0001_0002_excititor_ii.md:65)
-
-# SPRINT_0120_0000_0001_policy_reasoning.md
-- LEDGER-29-008 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:46)
-  - PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:42)
-- LEDGER-29-009 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:47)
-  - LEDGER-29-008 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:46)
-    - PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:42)
-- LEDGER-34-101 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:48)
-  - PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:43)
-- LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
-  - PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:44)
-- LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
-  - LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
-    - PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:44)
-- LEDGER-AIRGAP-57-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:51)
-  - LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
-    - LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
-      …
-- LEDGER-AIRGAP-58-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:52)
-  - LEDGER-AIRGAP-57-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:51)
-    - LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
-      …
-- LEDGER-ATTEST-73-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:53)
-  - NOTIFY-ATTEST-74-001 [**DOING (2025-11-12)**] (SPRINT_171_notifier_i.md:10)
-
-# SPRINT_0123_0001_0001_policy_reasoning.md
-- EXPORT-CONSOLE-23-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:38)
-  - PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN [TODO] (SPRINT_123_policy_reasoning.md:13)
-- POLICY-AIRGAP-56-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:39)
-  - PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_123_policy_reasoning.md:14)
-- POLICY-AIRGAP-56-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:40)
-  - PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B [TODO] (SPRINT_123_policy_reasoning.md:15)
-- POLICY-AIRGAP-57-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:41)
-  - PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD [TODO] (SPRINT_123_policy_reasoning.md:16)
-- POLICY-AIRGAP-57-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:42)
-  - PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL [TODO] (SPRINT_123_policy_reasoning.md:17)
-- POLICY-AIRGAP-58-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:43)
-  - PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA [TODO] (SPRINT_123_policy_reasoning.md:18)
-- POLICY-AOC-19-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:44)
-  - PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:29)
-- POLICY-AOC-19-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:45)
-  - PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT [TODO] (SPRINT_123_policy_reasoning.md:20)
-- POLICY-AOC-19-003 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:46)
-  - PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:31)
-- POLICY-AOC-19-004 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:47)
-  - PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:32)
-- POLICY-ATTEST-73-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:48)
-  - PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:33)
-- POLICY-ATTEST-73-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:49)
-  - PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E [TODO] (SPRINT_123_policy_reasoning.md:24)
-- POLICY-ATTEST-74-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:50)
-  - PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:35)
-- POLICY-ATTEST-74-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:51)
-  - PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC [TODO] (SPRINT_123_policy_reasoning.md:26)
-- POLICY-CONSOLE-23-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:52)
-  - PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:37)
-
-# SPRINT_0125_0001_0001_mirror.md
-- MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
-- MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
-- MIRROR-CRT-57-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:26)
-  - MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
-- MIRROR-CRT-57-002 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:27)
-  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
-  - AIRGAP-TIME-57-001 [BLOCKED] (SPRINT_0510_0001_0001_airgap.md:41)
-    - PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO [TODO] (SPRINT_0510_0001_0001_airgap.md:29)
-- MIRROR-CRT-58-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:28)
-  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
-  - CLI-AIRGAP-56-001 [TODO] (SPRINT_201_cli_i.md:14)
-- MIRROR-CRT-58-002 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:29)
-  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
-  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
-    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
-      …
-- EXPORT-OBS-51-001 / 54-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:30)
-  - MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
-- AIRGAP-TIME-57-001 [BLOCKED] (SPRINT_0510_0001_0001_airgap.md:41)
-  - PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO [TODO] (SPRINT_0510_0001_0001_airgap.md:29)
-- CLI-AIRGAP-56-001 [TODO] (SPRINT_201_cli_i.md:14)
-- PROV-OBS-53-001 [DONE (2025-11-17)] (SPRINT_513_provenance.md:10)
-
-# SPRINT_0125_0001_0001_policy_reasoning.md
-- POLICY-ENGINE-29-003 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:35)
-  - PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:20)
-- POLICY-ENGINE-29-004 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:36)
-  - PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:21)
-- POLICY-ENGINE-30-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:37)
-  - PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:22)
-- POLICY-ENGINE-30-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:38)
-  - PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:23)
-- POLICY-ENGINE-30-003 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:39)
-  - PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:24)
-- POLICY-ENGINE-30-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:40)
-  - PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:25)
-- POLICY-ENGINE-31-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:41)
-  - PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:26)
-- POLICY-ENGINE-31-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:42)
-  - PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:27)
-- POLICY-ENGINE-32-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:43)
-  - PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:28)
-- POLICY-ENGINE-33-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:44)
-  - PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:29)
-- POLICY-ENGINE-34-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:45)
-  - PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:30)
-- POLICY-ENGINE-35-201 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:46)
-  - PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:31)
-- POLICY-ENGINE-38-201 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:47)
-  - PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:32)
-- POLICY-ENGINE-40-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:48)
-  - PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:33)
-- POLICY-ENGINE-40-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:49)
-  - PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:34)
-
-# SPRINT_0138_0000_0001_scanner_ruby_parity.md
-- SCANNER-ENG-0010 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:29)
-  - PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:22)
-- SCANNER-ENG-0011 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:30)
-  - PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:23)
-- SCANNER-ENG-0012 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:31)
-  - PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:24)
-- SCANNER-ENG-0013 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:32)
-  - PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:25)
-- SCANNER-ENG-0014 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:33)
-  - PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:26)
-
-# SPRINT_0141_0001_0001_graph_indexer.md
-- GRAPH-INDEX-28-007 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:28)
-  - PREP-GRAPH-INDEX-28-006-OVERLAYS [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:24)
-- GRAPH-INDEX-28-008 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:29)
-  - PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:25)
-- GRAPH-INDEX-28-009 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:30)
-  - PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:26)
-- GRAPH-INDEX-28-010 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:31)
-  - PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:27)
-
-# SPRINT_0156_0001_0002_scheduler_ii.md
-- SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
-  - SCHED-WORKER-26-201 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:35)
-    - SCHED-WORKER-25-102 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:34)
-      …
-- SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
-  - SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
-    - SCHED-WORKER-26-201 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:35)
-      …
-- SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
-  - SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
-    - SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
-      …
-- SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
-  - SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
-    - SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
-      …
-- SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
-  - SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
-    - SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
-      …
-- SCHED-WORKER-29-002 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:29)
-  - SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
-    - SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
-      …
-- SCHED-WORKER-29-003 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:30)
-  - SCHED-WORKER-29-002 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:29)
-    - SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
-      …
-- SCHED-WORKER-CONSOLE-23-201 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:31)
-  - PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U [TODO] (SPRINT_0156_0001_0002_scheduler_ii.md:22)
-- SCHED-WORKER-CONSOLE-23-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:32)
-  - SCHED-WORKER-CONSOLE-23-201 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:31)
-    - PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U [TODO] (SPRINT_0156_0001_0002_scheduler_ii.md:22)
-
-# SPRINT_0160_0001_0001_export_evidence.md
-- 160.C TimelineIndexer snapshot [BLOCKED] (SPRINT_0160_0001_0001_export_evidence.md:32)
-  - TIMELINE-OBS-52-001 [TODO] (SPRINT_165_timelineindexer.md:10)
-
-# SPRINT_0161_0001_0001_evidencelocker.md
-- EVID-REPLAY-187-001 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:9)
-- CLI-REPLAY-187-002 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:10)
-- RUNBOOK-REPLAY-187-004 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:12)
-
-# SPRINT_0163_0001_0001_exportcenter_ii.md
-- EXPORT-OAS-63-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:33)
-  - EXPORT-OAS-61-001 [BLOCKED] (SPRINT_0162_0001_0001_exportcenter_i.md:47)
-    - PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU [TODO] (SPRINT_0162_0001_0001_exportcenter_i.md:33)
-  - EXPORT-OAS-62-001 [BLOCKED] (SPRINT_0162_0001_0001_exportcenter_i.md:49)
-    - PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 [TODO] (SPRINT_0162_0001_0001_exportcenter_i.md:35)
-- EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
-  - PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:23)
-- EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
-  - EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
-    - PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:23)
-- EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
-  - EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
-    - EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
-      …
-  - PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:30)
-- EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
-  - EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
-    - EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
-      …
-    - PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:30)
-- EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
-  - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
-    - EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
-      …
-- EXPORT-OBS-54-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:39)
-  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
-    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
-      …
-  - PROV-OBS-53-003 [BLOCKED] (SPRINT_513_provenance.md:12)
-- EXPORT-OBS-55-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:40)
-  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
-    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
-      …
-- EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
-  - PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:24)
-- EXPORT-RISK-69-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:42)
-  - EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
-    - PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:24)
-- EXPORT-RISK-70-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:43)
-  - EXPORT-RISK-69-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:42)
-    - EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
-      …
-- EXPORT-SVC-35-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:44)
-  - PREP-EXPORT-SVC-35-001-NEEDS-PHASE-I-READINES [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:25)
-- EXPORT-SVC-35-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:45)
-  - PREP-EXPORT-SVC-35-002-DEPENDS-ON-35-001 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:26)
-- EXPORT-SVC-35-003 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:46)
-  - PREP-EXPORT-SVC-35-003-DEPENDS-ON-35-002 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:27)
-- EXPORT-SVC-35-004 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:47)
-  - PREP-EXPORT-SVC-35-004-DEPENDS-ON-35-003 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:28)
-- EXPORT-SVC-35-005 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:48)
-  - PREP-EXPORT-SVC-35-005-DEPENDS-ON-35-004 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:29)
-- EXPORT-CRYPTO-90-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:49)
-  - PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:31)
-
-# SPRINT_0171_0001_0001_notifier_i.md
-- NOTIFY-OBS-51-001 [TODO] (SPRINT_171_notifier_i.md:16)
-
-# SPRINT_0174_0001_0001_telemetry.md
-- TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
-  - TELEMETRY-OBS-50-001 [**DOING (2025-11-12)**] (SPRINT_174_telemetry.md:10)
-- TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
-  - TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
-    - TELEMETRY-OBS-50-001 [**DOING (2025-11-12)**] (SPRINT_174_telemetry.md:10)
-- TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
-  - TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
-    - TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
-      …
-- TELEMETRY-OBS-55-001 [TODO] (SPRINT_174_telemetry.md:14)
-  - TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
-    - TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
-      …
-- TELEMETRY-OBS-56-001 [TODO] (SPRINT_174_telemetry.md:15)
-  - TELEMETRY-OBS-55-001 [TODO] (SPRINT_174_telemetry.md:14)
-    - TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
-      …
-
-# SPRINT_0215_0001_0001_web_iv.md
-- WEB-POLICY-23-001 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:30)
-  - WEB-POLICY-20-004 [TODO] (SPRINT_0215_0001_0001_web_iv.md:29)
-    - WEB-POLICY-20-003 [TODO] (SPRINT_0215_0001_0001_web_iv.md:28)
-      …
-- WEB-POLICY-23-002 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:31)
-  - WEB-POLICY-23-001 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:30)
-    - WEB-POLICY-20-004 [TODO] (SPRINT_0215_0001_0001_web_iv.md:29)
-      …
-
-# SPRINT_0509_0001_0001_samples.md
-- SAMPLES-LNM-22-001 [BLOCKED] (SPRINT_0509_0001_0001_samples.md:26)
-  - PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED [TODO] (SPRINT_0509_0001_0001_samples.md:22)
-- SAMPLES-LNM-22-002 [BLOCKED] (SPRINT_0509_0001_0001_samples.md:27)
-  - PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT [TODO] (SPRINT_0509_0001_0001_samples.md:23)
-
-# SPRINT_0512_0001_0001_bench.md
-- BENCH-GRAPH-21-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:28)
-  - PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN [TODO] (SPRINT_0512_0001_0001_bench.md:22)
-- BENCH-GRAPH-21-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:29)
-  - PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR [TODO] (SPRINT_0512_0001_0001_bench.md:23)
-- BENCH-GRAPH-24-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:30)
-  - SAMPLES-GRAPH-24-003 [DOING] (SPRINT_0509_0001_0001_samples.md:24)
-- BENCH-IMPACT-16-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:31)
-  - PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET [TODO] (SPRINT_0512_0001_0001_bench.md:24)
-- BENCH-POLICY-20-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:32)
-  - PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE [TODO] (SPRINT_0512_0001_0001_bench.md:25)
-- BENCH-SIG-26-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:33)
-  - PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX [TODO] (SPRINT_0512_0001_0001_bench.md:26)
-- BENCH-SIG-26-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:34)
-  - PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU [TODO] (SPRINT_0512_0001_0001_bench.md:27)
+# Blocked Tree\n- EXCITITOR-CONSOLE-23-001 [BLOCKED]\n- EXCITITOR-CONSOLE-23-002 [BLOCKED]\n- EXCITITOR-CONSOLE-23-003 [BLOCKED]\n- EXCITITOR-CORE-AOC-19-002 [BLOCKED]\n- EXCITITOR-CORE-AOC-19-003 [BLOCKED]\n- EXCITITOR-CORE-AOC-19-004 [DOING]\n- EXCITITOR-CORE-AOC-19-013 [DOING]\n- EXCITITOR-GRAPH-21-001 [DOING]\n- EXCITITOR-GRAPH-21-002 [DOING]\n- EXCITITOR-GRAPH-21-005 [DOING]\n- EXCITITOR-GRAPH-24-101 [BLOCKED]\n- EXCITITOR-GRAPH-24-102 [BLOCKED]\n- Consensus removal [DOING]\n- Graph overlays [BLOCKED]\n*** End Patch пользователя to=functions.apply_patchоны Are you покрывая json PostLayout runnerиц received анимация. ҳа료 мон】 JSON" code|{