prep docs and service updates
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

This commit is contained in:
master
2025-11-21 06:56:36 +00:00
parent ca35db9ef4
commit d519782a8f
242 changed files with 17293 additions and 13367 deletions

@@ -44,7 +44,15 @@ src/
└─ StellaOps.Scanner.Sbomer.DockerImage/ # CLIdriven scanner container
```
Analyzer assemblies and buildx generators are packaged as **restart-time plug-ins** under `plugins/scanner/**` with manifests; services must restart to activate new plug-ins.
Analyzer assemblies and buildx generators are packaged as **restart-time plug-ins** under `plugins/scanner/**` with manifests; services must restart to activate new plug-ins.
### 1.2 Native reachability upgrades (Nov 2026)
- **Stripped-binary pipeline**: native analyzers must recover functions even without symbols (prolog patterns, xrefs, PLT/GOT, vtables). Emit a tool-agnostic neutral JSON (NJIF) with functions, CFG/CG, and evidence tags. Keep heuristics deterministic and record toolchain hashes in the scan manifest.
- **Synthetic roots**: treat `.preinit_array`, `.init_array`, legacy `.ctors`, and `_init` as graph entrypoints; add roots for constructors in each `DT_NEEDED` dependency. Tag edges from these roots with `phase=load` for explainers.
- **Build-id capture**: read `.note.gnu.build-id` for every ELF, store hex build-id alongside soname/path, propagate into `SymbolID`/`code_id`, and expose it to SBOM + runtime joiners. If missing, fall back to file hash and mark source accordingly.
- **PURL-resolved edges**: annotate call edges with the callee purl and `symbol_digest` so graphs merge with SBOM components. See `docs/reachability/purl-resolved-edges.md` for schema rules and acceptance tests.
- **Unknowns emission**: when symbol → purl mapping or edge targets remain unresolved, emit structured Unknowns to Signals (see `docs/signals/unknowns-registry.md`) instead of dropping evidence.
### 1.1 Queue backbone (Redis / NATS)
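Review bot: the new heading on the `### 1.2 Native reachability upgrades (Nov 2026)` line is numbered 1.2 but is inserted ahead of `### 1.1 Queue backbone (Redis / NATS)`, so the section order no longer matches the numbering; either renumber or move the block below 1.1. The `Nov 2026` date also looks like a typo for Nov 2025 given this commit's 2025-11-21 date and the 2025-11-20 references elsewhere in the change. In the build-id bullet, the fallback to a file hash when `.note.gnu.build-id` is absent names neither the hash algorithm nor how the "source" marker is encoded in `SymbolID`/`code_id`; pinning both keeps the NJIF output reproducible across toolchains, which the same list already requires of the heuristics and the scan manifest.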

@@ -27,6 +27,7 @@ Scope: Requirements and plan to provide an isolated/scoped runner so targeted No
- Document usage in `src/Scanner/__Tests/README.md`.
## Blocking items
- None identified; all inputs are local to the repo/offline feeds.
- Upstream Concelier projects in solution filter currently do not build (`StellaOps.Concelier.Storage.Mongo` duplicate `AdvisoryObservationSourceDocument` definition and missing `NatsJSContext` type), so `dotnet test` fails before Node analyzer tests execute. Needs Concelier fix or temporary exclusion to validate runner.
- 2025-11-20 follow-up: deduplication + JetStream package added in Concelier.Storage.Mongo and Scanner tests now set `UseConcelierTestInfra=false`, but the shared Directory.Build.props still injects Concelier connectors into the restore/build graph; Node tests remain blocked until Concelier test infra is fully detachable or those projects are excluded from the filter.
This note satisfies PREP-SCANNER-ANALYZERS-NODE-22-001-NEEDS-ISOL by defining the isolated runner plan and artefact locations.
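Review bot: the `## Blocking items` list still opens with `- None identified; all inputs are local to the repo/offline feeds.` while the two bullets added beneath it describe a build failure in `StellaOps.Concelier.Storage.Mongo` and a 2025-11-20 follow-up stating that Node tests remain blocked; the first bullet now contradicts the rest of the section and should be removed or reworded to say the blocker is the Concelier test infrastructure in the shared Directory.Build.props. The closing line says the note satisfies PREP-SCANNER-ANALYZERS-NODE-22-001-NEEDS-ISOL, which reads as complete while the runner itself is still unvalidated; consider stating that only the plan and artefact locations are done until `dotnet test` reaches the Node analyzer tests.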

@@ -0,0 +1,16 @@
# Scanner Record Payloads Prep — PREP-SCANNER-RECORDS
Status: Draft (2025-11-21)
Owners: Scanner Guild · Policy Guild
Scope: Stabilize record/observation payload schema for scanner workers so downstream policy/graph pipelines can rely on consistent envelopes.
Needs
- Confirm per-language analyzer output fields (package coordinates, vuln refs, evidence hashes) and common envelope keys.
- Decide deterministic ordering for findings within a record to support replay/air-gap.
- Define maximum payload size, chunking rules, and checksum strategy (SHA256 over canonical JSON).
- Align timestamp format (UTC, RFC3339) and monotonic sequencing for job-level ordering.
Next actions
- Pull latest analyzer outputs from scanner worker prototypes and normalize into a shared JSON Schema.
- Share sample NDJSON record set for Policy/Graph consumers.
- Publish links into relevant sprints once schema draft is frozen.
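Review bot: the checksum bullet (`SHA256 over canonical JSON`) does not say which canonicalization is meant (key ordering, number and string encoding, whitespace handling), and the deterministic-ordering and replay/air-gap goals in the adjacent bullets depend on every producer and consumer agreeing on exactly one; name a specific canonical form (for example RFC 8785 / JCS) and state whether the digest covers the whole envelope or each chunk once the chunking rules are fixed. Also a style point: `Needs` and `Next actions` are bare lines while the file title uses `# `; making them `## Needs` and `## Next actions` matches the `## Blocking items` convention used in the other prep note in this commit.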