Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

docs/product-advisories/ADVISORY_INDEX.md

@@ -9,6 +9,8 @@ These are the authoritative advisories to reference for implementation:
 ### CVSS v4.0
 - **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
 - **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CV1–CV10 remediation task CVSS-GAPS-190-013)
+- **Timing/UI:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` (archived)
 - **Status:** New sprint created
 
 ### CVSS v4.0 Momentum Briefing
@@ -17,6 +19,7 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus)
   - `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CVM1–CVM10 remediation task CVSS-GAPS-190-014)
 - **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.
 
 ### SCA Failure Catalogue
@@ -25,22 +28,76 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue)
   - `docs/implplan/SPRINT_300_documentation_process.md` (tracking sync)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
 - **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.
 
+### Mid-Level .NET Onboarding (Quick Start)
+- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:**
+  - `docs/onboarding/dev-quickstart.md` (to be updated)
+  - `docs/modules/platform/architecture-overview.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OB1–OB10 remediation task ONBOARD-GAPS-300-015)
+- **Status:** Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links.
+
 ### Implementor Guidelines
 - **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing)
   - `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018)
 - **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.
 
+### Rekor Receipt Checklist
+- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
+- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md
+- **Related Docs:** Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
+- **Status:** Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation.
+
+### Standup Sprint Kickstarters
+- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:** `docs/implplan/README.md` (sprint template)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SK1–SK10 remediation task STANDUP-GAPS-300-019)
+- **Status:** Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules.
+
+### UI Micro-Interactions
+- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
+- **Sprint:** SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed)
+- **Related Docs:** `docs/modules/ui/architecture.md`, Storybook token catalog (planned)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011)
+- **Status:** Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance.
+
+### Proof-Linked VEX UI (Not-Affected Proof Drawer)
+- **Canonical:** Proof-linked VEX UI spec (chat-provided; to land as `docs/ui/proof-linked-vex.md`)
+- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md
+- **Related Docs:** `docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`, `docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`, VexLens/Policy module docs
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010)
+- **Status:** Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests.
+
+### Time-to-Evidence (TTE) Metric
+- **Canonical:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md`
+- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md
+- **Related Docs:** UI sprints 0209/0215, telemetry architecture docs
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (TTE1–TTE10 remediation task TTE-GAPS-0215-011)
+- **Status:** Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests.
+
+### Archived Advisories (15–23 Nov 2025)
+- **Canonical:** `docs/product-advisories/archived/*.md` (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.)
+- **Sprint:** SPRINT_300_documentation_process.md (triage/decision)
+- **Related Docs:** None current (need revival + canonicalization)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020)
+- **Status:** Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories.
+
 ### SBOM → VEX Proof Blueprint
 - **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself)
   - `docs/modules/platform/architecture-overview.md` (platform dossier link)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013)
 - **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.
 
 ### UI Micro-Interactions
@@ -53,12 +110,19 @@ These are the authoritative advisories to reference for implementation:
 
 ### Rekor Receipt Checklist
 - **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
   - `docs/modules/platform/architecture-overview.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
 - **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.
 
+### Air-Gap Deployment Playbook
+- **Canonical:** `25-Nov-2025 - Air-gap deployment playbook for StellaOps.md`
+- **Sprint:** SPRINT_0510_0001_0001_airgap.md (Ops & Offline)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AG1–AG12 remediation task AIRGAP-GAPS-510-009)
+- **Status:** Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability.
+
 ### Ecosystem Reality Tests
 - **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
@@ -68,9 +132,10 @@ These are the authoritative advisories to reference for implementation:
 
 ### Unknowns Decay & Triage Heuristics
 - **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007)
 - **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.
 
 ### Standup Sprint Kickstarters
@@ -85,13 +150,23 @@ These are the authoritative advisories to reference for implementation:
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016)
 - **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.
 
+### Ecosystem Reality Test Cases
+- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases.md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:**
+  - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017)
+- **Status:** Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs.
+
 ### Reachability Benchmark Fixtures
 - **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020)
 - **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.
 
 ### SBOM/VEX Pipeline
@@ -113,6 +188,7 @@ These are the authoritative advisories to reference for implementation:
 ### Graph Revision IDs
 - **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (GR1–GR10 remediation task GRAPHREV-GAPS-401-063)
 - **Supersedes:**
   - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version)
 
@@ -121,16 +197,20 @@ These are the authoritative advisories to reference for implementation:
 - **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md
 - **Related:**
   - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus)
+  - `31-Nov-2025 FINDINGS.md` → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018
+- **Gaps (dataset):** `31-Nov-2025 FINDINGS.md` (RD1–RD10 remediation task DATASET-GAPS-513-019)
 
 ### Unknowns Registry
 - **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md`
 - **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
 - **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (UN1–UN10 remediation task UNKNOWN-GAPS-140-006)
 - **Status:** Already implemented in Signals module; advisory validates design
 
 ### Confidence Decay for Prioritization
 - **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md`
 - **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (U1–U10 remediation task DECAY-GAPS-140-005)
 - **Related:** Unknowns Registry (time-based decay complements ambiguity tracking)
 - **Status:** Design advisory - provides exponential decay formula for priority freshness
 
@@ -138,21 +218,37 @@ These are the authoritative advisories to reference for implementation:
 - **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md`
 - **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EX1–EX10 remediation task EXPLAIN-GAPS-401-064)
 - **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails
 
 ### VEX Proofs
 - **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (VEX1–VEX10 remediation task VEX-GAPS-401-062)
 
 ### Binary Reachability
 - **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (BR1–BR10 remediation task BINARY-GAPS-401-066)
 
 ### Scanner Roadmap
 - **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
 - **Sprint:** Multiple sprints (0186, 0401, 0512)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SCANNER-GAPS-186-018)
 - **Status:** High-level roadmap document
 
+### SBOM-First, VEX-Ready Spine
+- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md`
+- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SP1–SP10 remediation task SPINE-GAPS-186-019)
+- **Status:** Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement.
+
+### SBOM & VEX Competitor Snapshot
+- **Canonical:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md`
+- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CM1–CM10 remediation task COMPETITOR-GAPS-186-020)
+- **Status:** Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity.
+
 ### Vulnerability Triage UX & VEX-First Decisioning
 - **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
 - **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
@@ -163,6 +259,7 @@ These are the authoritative advisories to reference for implementation:
   - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain)
   - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX)
   - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (VT1–VT10 remediation task TRIAGE-GAPS-215-042)
 - **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
 - **Schemas:**
   - `docs/schemas/vex-decision.schema.json`
@@ -176,6 +273,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/security/rootpack_ru_*.md` - RootPack RU documentation
   - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design
   - `docs/security/pq-provider-options.md` - Post-quantum options
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SC-GAPS-514-010)
 - **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
 - **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)
 
@@ -187,6 +285,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors
   - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins
   - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300)
 - **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules
 
 ### Evidence Bundle & Replay Contracts
@@ -199,13 +298,22 @@ These are the authoritative advisories to reference for implementation:
   - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec
   - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
   - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EB1–EB10 remediation task EVID-GAPS-161-007)
 - **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode
+
+### Export Center & Reporting
+- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md`
+- **Sprint:** SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I)
+- **Related Sprints:** SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EC1–EC10 remediation task EXPORT-GAPS-162-013)
+- **Status:** Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation.
 ### Acceptance Tests Pack for Guardrails
 - **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md`
 - **Sprint:** SPRINT_300_documentation_process.md (Docs Governance)
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself)
   - `docs/implplan/SPRINT_300_documentation_process.md` (tracking the sync)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012)
 - **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.
 
 ### Mirror & Offline Kit Strategy
@@ -219,8 +327,15 @@ These are the authoritative advisories to reference for implementation:
   - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec
   - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec
   - `docs/airgap/time-anchor-schema.json` - Time anchor schema
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013)
 - **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring
 
+### Rekor v2 / DSSE Limits
+- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md`
+- **Sprint:** SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used.
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RK1–RK10 remediation task REKOR-GAPS-125-012)
+- **Status:** Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints.
+
 ### Task Pack Orchestration & Automation
 - **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md`
 - **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
@@ -231,6 +346,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/task-packs/spec.md` - Pack manifest specification
   - `docs/task-packs/authoring-guide.md` - Authoring workflow
   - `docs/task-packs/registry.md` - Registry architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (TP1–TP10 remediation task TASKRUN-GAPS-157-014)
 - **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture
 
 ### Authentication & Authorization Architecture
@@ -240,6 +356,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_100_identity_signing.md (CLOSED - historical)
   - SPRINT_314_docs_modules_authority.md (Docs)
   - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AU1–AU10 remediation task AUTH-GAPS-314-004)
 - **Related Docs:**
   - `docs/modules/authority/architecture.md` - Module architecture
   - `docs/11_AUTHORITY.md` - Overview
@@ -256,6 +373,7 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/modules/cli/architecture.md` - Module architecture
   - `docs/09_API_CLI_REFERENCE.md` - Command reference
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CL1–CL10 remediation task CLI-GAPS-201-003)
 - **Status:** Fills HIGH-priority gap - covers command surface, auth model, Buildx integration
 
 ### Orchestrator Event Model & Job Lifecycle
@@ -266,6 +384,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0152_0001_0002_orchestrator_ii.md
 - **Related Docs:**
   - `docs/modules/orchestrator/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OR1–OR10 remediation task ORCH-GAPS-151-016)
 - **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics
 
 ### Export Center & Reporting Strategy
@@ -285,6 +404,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0143_0000_0001_signals.md
 - **Related Docs:**
   - `docs/modules/zastava/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007)
 - **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection
 
 ### Notification Rules & Alerting Engine
@@ -295,6 +415,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0172_0001_0003_notify_ack_tokens.md
 - **Related Docs:**
   - `docs/modules/notify/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (NR1–NR10 remediation task NOTIFY-GAPS-171-014)
 - **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens
 
 ### Graph Analytics & Dependency Insights
@@ -305,6 +426,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0140_0001_0001_runtime_signals.md
 - **Related Docs:**
   - `docs/modules/graph/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013)
 - **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization
 
 ### Telemetry & Observability Patterns
@@ -315,6 +437,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0182_0001_0003_telemetry_offline.md
 - **Related Docs:**
   - `docs/modules/telemetry/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (TO1–TO10 remediation task TELEM-GAPS-180-001)
 - **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles
 
 ### Policy Simulation & Shadow Gates
@@ -325,6 +448,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0121_0001_0001_policy_reasoning.md
 - **Related Docs:**
   - `docs/modules/policy/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PS1–PS10 remediation task POLICY-GAPS-185-006)
 - **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates
 
 ### Findings Ledger & Immutable Audit Trail
@@ -335,6 +459,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_311_docs_tasks_md_xi.md
 - **Related Docs:**
   - `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml` - OpenAPI spec
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (FL1–FL10 remediation task LEDGER-GAPS-121-009)
 - **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections
 
 ### Concelier Advisory Ingestion Model
@@ -345,6 +470,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0114_0001_0003_concelier_iii.md
 - **Related Docs:**
   - `docs/modules/concelier/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CI1–CI10 remediation task CONCELIER-GAPS-115-014)
   - `docs/modules/concelier/link-not-merge-schema.md` - LNM schema
 - **Status:** Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports
 
@@ -508,4 +634,4 @@ Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may c
 
 ---
 *Index created: 2025-11-27*
-*Last updated: 2025-11-30 (added Implementor Guidelines, UI micro-interactions brief, Rekor receipt checklist, Ecosystem test cases, Unknowns decay/triage heuristics, Standup Sprint Kickstarters, Comparative Evidence Patterns, and prior references)*
+*Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)*

docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - DSSE-Signed Offline Scanner Updates.md

@@ -0,0 +1,224 @@
+# DSSE‑Signed Offline Scanner Updates — Developer Guidelines
+
+> **Date:** 2025-12-01
+> **Status:** Advisory draft (from user-provided guidance)
+> **Scope:** Offline vulnerability DB bundles (Scanner), DSSE+Rekor v2 verification, offline kit alignment, activation rules, ops playbook.
+
+Here’s a tight, practical pattern to make your scanner’s vuln‑DB updates rock‑solid even when feeds hiccup:
+
+## Offline, verifiable update bundles (DSSE + Rekor v2)
+
+**Idea:** distribute DB updates as offline tarballs. Each tarball ships with:
+
+* a **DSSE‑signed** statement (e.g., in‑toto style) over the bundle hash
+* a **Rekor v2 receipt** proving the signature/statement was logged
+* a small **manifest.json** (version, created_at, content hashes)
+
+**Startup flow (happy path):**
+
+1. Load latest tarball from your local `updates/` cache.
+2. Verify DSSE signature against your trusted public keys.
+3. Verify Rekor v2 receipt (inclusion proof) matches the DSSE payload hash.
+4. If both pass, unpack/activate; record the bundle’s **trust_id** (e.g., statement digest).
+5. If anything fails, **keep using the last good bundle**. No service disruption.
+
+**Why this helps**
+
+* **Air‑gap friendly:** no live network needed at activation time.
+* **Tamper‑evident:** DSSE + Rekor receipt proves provenance and transparency.
+* **Operational stability:** feed outages become non‑events—scanner just keeps the last good state.
+
+---
+
+## File layout inside each bundle
+
+```
+/bundle-2025-11-29/
+  manifest.json            # { version, created_at, entries[], sha256s }
+  payload.tar.zst          # the actual DB/indices
+  payload.tar.zst.sha256
+  statement.dsse.json      # DSSE-wrapped statement over payload hash
+  rekor-receipt.json       # Rekor v2 inclusion/verification material
+```
+
+---
+
+## Acceptance/Activation rules
+
+* **Trust root:** pin one (or more) publisher public keys; rotate via separate, out‑of‑band process.
+* **Monotonicity:** only activate if `manifest.version > current.version` (or if trust policy explicitly allows replay for rollback testing).
+* **Atomic switch:** unpack to `db/staging/`, validate, then symlink‑flip to `db/active/`.
+* **Quarantine on failure:** move bad bundles to `updates/quarantine/` with a reason code.
+
+---
+
+## Minimal .NET 10 verifier sketch (C#)
+
+```csharp
+public sealed record BundlePaths(string Dir) {
+    public string Manifest => Path.Combine(Dir, "manifest.json");
+    public string Payload  => Path.Combine(Dir, "payload.tar.zst");
+    public string Dsse     => Path.Combine(Dir, "statement.dsse.json");
+    public string Receipt  => Path.Combine(Dir, "rekor-receipt.json");
+}
+
+public async Task<bool> ActivateBundleAsync(BundlePaths b, TrustConfig trust, string activeDir) {
+    var manifest = await Manifest.LoadAsync(b.Manifest);
+    if (!await Hashes.VerifyAsync(b.Payload, manifest.PayloadSha256)) return false;
+
+    // 1) DSSE verify (publisher keys pinned in trust)
+    var (okSig, dssePayloadDigest) = await Dsse.VerifyAsync(b.Dsse, trust.PublisherKeys);
+    if (!okSig || dssePayloadDigest != manifest.PayloadSha256) return false;
+
+    // 2) Rekor v2 receipt verify (inclusion + statement digest == dssePayloadDigest)
+    if (!await RekorV2.VerifyReceiptAsync(b.Receipt, dssePayloadDigest, trust.RekorPub)) return false;
+
+    // 3) Stage, validate, then atomically flip
+    var staging = Path.Combine(activeDir, "..", "staging");
+    DirUtil.Empty(staging);
+    await TarZstd.ExtractAsync(b.Payload, staging);
+    if (!await LocalDbSelfCheck.RunAsync(staging)) return false;
+
+    SymlinkUtil.AtomicSwap(source: staging, target: activeDir);
+    State.WriteLastGood(manifest.Version, dssePayloadDigest);
+    return true;
+}
+```
+
+---
+
+## Operational playbook
+
+* **On boot & daily at HH:MM:** try `ActivateBundleAsync()` on the newest bundle; on failure, log and continue.
+* **Telemetry (no PII):** reason codes (SIG_FAIL, RECEIPT_FAIL, HASH_MISMATCH, SELFTEST_FAIL), versions, last_good.
+* **Keys & rotation:** keep `publisher.pub` and `rekor.pub` in a root‑owned, read‑only path; rotate via a separate signed “trust bundle”.
+* **Defense‑in‑depth:** verify both the **payload hash** and each file’s hash listed in `manifest.entries[]`.
+* **Rollback:** allow `--force-activate <bundle>` for emergency testing, but mark as **non‑monotonic** in state.
+
+---
+
+## What to hand your release team
+
+* A Make/CI target that:
+  1. Builds `payload.tar.zst` and computes hashes
+  2. Generates `manifest.json`
+  3. Creates and signs the **DSSE statement**
+  4. Submits to Rekor (or your mirror) and saves the **v2 receipt**
+  5. Packages the bundle folder and publishes to your offline repo
+* A checksum file (`*.sha256sum`) for ops to verify out‑of‑band.
+
+---
+
+If you want, I can turn this into a Stella Ops spec page (`docs/modules/scanner/offline-bundles.md`) plus a small reference implementation (C# library + CLI) that drops right into your Scanner service.
+
+---
+
+# Drop‑in Stella Ops Dev Guide (seed for `docs/modules/scanner/development/dsse-offline-updates.md`)
+
+> **Audience**
+> Scanner, Export Center, Attestor, CLI, and DevOps engineers implementing DSSE‑signed offline vulnerability updates and integrating them into the Offline Update Kit (OUK).
+>
+> **Context**
+>
+> * OUK already ships **signed, atomic offline update bundles** with merged vulnerability feeds, container images, and an attested manifest.
+> * DSSE + Rekor is already used for **scan evidence** (SBOM attestations, Rekor proofs).
+> * Sprints 160/162 add **attestation bundles** with manifest, checksums, DSSE signature, and optional transparency log segments, and integrate them into OUK and CLI flows.
+
+These guidelines tell you how to **wire all of that together** for “offline scanner updates” (feeds, rules, packs) in a way that matches Stella Ops’ determinism + sovereignty promises.
+
+## 0. Mental model
+
+```text
+    Advisory mirrors / Feeds builders
+                 │
+                 ▼
+        ExportCenter.AttestationBundles
+        (creates DSSE + Rekor evidence
+         for each offline update snapshot)
+                 │
+                 ▼
+        Offline Update Kit (OUK) builder
+    (adds feeds + evidence to kit tarball)
+                 │
+                 ▼
+   stella offline kit import / admin CLI
+  (verifies Cosign + DSSE + Rekor segments,
+   then atomically swaps scanner feeds)
+```
+
+Online, Rekor is live; offline, you rely on **bundled Rekor segments / snapshots** and the existing OUK mechanics (import is atomic, old feeds kept until new bundle is fully verified).
+
+## 1. Goals & non‑goals
+
+### Goals
+
+1. **Authentic offline snapshots**: every offline scanner update (OUK or delta) must be verifiably tied to a DSSE envelope, a certificate chain, and a Rekor v2 inclusion proof or bundled log segment.
+2. **Deterministic replay**: given a kit + its DSSE attestation bundle, every verifier reaches the same verdict online or air‑gapped.
+3. **Separation of concerns**: Export Center builds attestations; Scanner verifies/imports; Signer/Attestor handle DSSE/Rekor.
+4. **Operational safety**: imports remain atomic/idempotent; old feeds stay live until full verification.
+
+### Non‑goals
+
+* Designing new crypto or log formats.
+* Per‑feed DSSE envelopes (minimum contract is bundle‑level attestation).
+
+## 2. Bundle contract for DSSE‑signed offline updates
+
+**Files to ship** (inside each offline kit or delta):
+
+```
+/attestations/
+  offline-update.dsse.json        # DSSE envelope
+  offline-update.rekor.json       # Rekor entry + inclusion proof (or segment descriptor)
+/manifest/
+  offline-manifest.json           # existing manifest
+  offline-manifest.json.jws       # existing detached JWS
+/feeds/
+  ...                             # existing feed payloads
+```
+
+**DSSE payload (minimum):** subject = kit name + tarball sha256; predicate fields include `offline_manifest_sha256`, feed entries, builder ID/commit, created_at UTC, and channel.
+
+**Rekor material:** submit DSSE to Rekor v2, store UUID/logIndex/inclusion proof as `offline-update.rekor.json`; for offline, embed a minimal log segment or rely on mirrored snapshots.
+
+## 3. Implementation by module
+
+### Export Center — attestation bundles
+* Compose attestation job: build DSSE payload, sign via Signer, submit to Rekor via Attestor, persist `offline-update.dsse.json` and `.rekor.json` (+ segments).
+* Integrate into offline kit packaging: place attestation files under `/attestations/`; list them in `offline-manifest.json` with sha256/size/capturedAt.
+* Define JSON schema for `offline-update.rekor.json`; version it and validate.
+
+### Offline Update Kit builder
+* Preserve idempotent, atomic imports; include DSSE/Rekor files in kit staging tree.
+* Keep manifests deterministic: ordered file lists, UTC timestamps.
+* For delta kits, attest the resulting snapshot state (not just diffs).
+
+### Scanner — import & activation
+* Verification sequence: Cosign tarball → manifest JWS → file digests (incl. attestation files) → DSSE verify → Rekor verify (online or offline segment) → atomic swap.
+* Config surface: `requireDsse`, `rekorOfflineMode`, `attestationVerifier` (env-var mirrored); allow observe→enforce rollout.
+* Failure behavior: keep old feeds; log structured failure fields; expose ProblemDetails.
+
+### Signer & Attestor
+* Add predicate type/schema for offline updates; submit DSSE to Rekor; emit verification routines usable by CLI/Scanner with offline snapshot support.
+
+### CLI & UI
+* CLI verbs to verify/import bundles with Rekor key; UI shows Cosign/JWS + DSSE/Rekor status and kit freshness.
+
+## 4. Determinism & offline‑safety rules
+* No hidden network dependencies; offline must succeed with kit + Rekor snapshot.
+* Stable JSON serialization; UTC timestamps.
+* Replayable imports (idempotent); DSSE payload for a snapshot must be immutable.
+* Explainable failures with precise mismatch points.
+
+## 5. Testing & CI expectations
+* Unit/integration: happy path, tampering cases (manifest/DSSE/Rekor), offline mode, rollback logic.
+* Metrics: `offlinekit_import_total{status}`, `attestation_verify_latency_seconds`, Rekor success/retry counts.
+* Golden fixtures: deterministic bundle + snapshot tests.
+
+## 6. Developer checklist (TL;DR)
+1. Read operator guides: `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`, `docs/24_OFFLINE_KIT.md`, relevant sprints.
+2. Implement: generate DSSE in Export Center; include attestation in kit; Scanner verifies before swap.
+3. Test: bundle composition, import rollback, determinism.
+4. Telemetry: counters + latency; log digests/UUIDs.
+5. Document: update Export Center and Scanner architecture docs, OUK docs when flows/contracts change.
+

docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Proof-Linked VEX UI Developer Guidelines.md

@@ -0,0 +1,130 @@
+# Proof-Linked VEX UI Developer Guidelines
+
+Compiled: 2025-12-01 (UTC)
+
+## Purpose
+Any VEX-influenced verdict a user sees (Findings, Advisories & VEX, Vuln Explorer, etc.) must be directly traceable to concrete evidence: normalized VEX claims, their DSSE/signatures, and the policy explain trace. Every "Not Affected" badge is a verifiable link to the proof.
+
+## What this solves (in one line)
+Every "Not Affected" badge becomes a verifiable link to why it is safe.
+
+## UX pattern (at a glance)
+- Badge: `Not Affected` (green pill) always renders as a link.
+- On click: open a right-side drawer with three tabs:
+  1. Evidence (DSSE / in-toto / Sigstore)
+  2. Attestation (predicate details + signer)
+  3. Reasoning Graph (the node + edges that justify the verdict)
+- Hover state: mini popover showing proof types available (e.g., "DSSE, SLSA attestation, Graph node").
+
+## Data model (API & DB)
+Canonical object returned by VEX API for each finding:
+
+```json
+{
+  "findingId": "vuln:CVE-2024-12345@pkg:docker/alpine@3.19",
+  "status": "not_affected",
+  "justificationCode": "vex:not_present",
+  "proof": {
+    "dsse": {
+      "envelopeDigest": "sha256-…",
+      "rekorEntryId": "e3f1…",
+      "downloadUrl": "https://…/dsse/e3f1…",
+      "signer": { "name": "StellaOps Authority", "keyId": "SHA256:…" }
+    },
+    "attestation": {
+      "predicateType": "slsa/v1",
+      "attestationId": "att:01H…",
+      "downloadUrl": "https://…/att/01H…"
+    },
+    "graph": {
+      "nodeId": "gx:NA-78f…",
+      "revision": "gx-r:2025-11-30T12:01:22Z",
+      "explainUrl": "https://…/graph?rev=gx-r:…&node=NA-78f…"
+    }
+  },
+  "receipt": {
+    "algorithm": "CVSS:4.0",
+    "inputsHash": "sha256-…",
+    "computedAt": "2025-11-30T12:01:22Z"
+  }
+}
+```
+
+Suggested Postgres tables:
+- vex_findings(finding_id, status, justification_code, graph_node_id, graph_rev, dsse_digest, rekor_id, attestation_id, created_at, updated_at)
+- proof_artifacts(id, type, digest, url, signer_keyid, meta jsonb)
+- graph_revisions(revision_id, created_at, root_hash)
+
+## API contract (minimal)
+- GET /vex/findings/:id -> returns the object above.
+- GET /proofs/:type/:id -> streams artifact (with Content-Disposition: attachment).
+- GET /graph/explain?rev=…&node=… -> returns a JSON justification subgraph.
+- Security headers: Content-SHA256, Digest, X-Proof-Root (graph root hash), and X-Signer-KeyId.
+
+## Angular UI spec (drop-in)
+Component: FindingStatusBadge
+
+```html
+<button class="badge badge--ok" (click)="drawer.open(finding.proof)">
+  Not Affected
+</button>
+```
+
+Drawer layout (3 tabs):
+1) Evidence
+   - DSSE digest (copy button)
+   - Rekor entry (open in new tab)
+   - "Download envelope"
+2) Attestation
+   - Predicate type
+   - Attestation ID
+   - "Download attestation"
+3) Reasoning Graph
+   - Node ID + Revision
+   - Inline explainer ("Why safe?" bullets)
+   - "Open full graph" (routes to /graph?rev=…&node=…)
+
+Micro-interactions:
+- Copy-to-clipboard with toast ("Digest copied").
+- If any artifact missing, show a yellow "Partial Proof" ribbon listing what is absent.
+
+Visual language:
+- Badges: Not Affected = solid green; Partial Proof = olive with warning dot; No Proof = gray outline (still clickable, explains absence).
+- Proof chips: small caps labels `DSSE`, `ATTESTATION`, `GRAPH`; each chip opens its subsection.
+
+Validation (trust & integrity):
+- On drawer open, the UI calls HEAD /proofs/... to fetch Digest header and X-Proof-Root; compare to stored digests. If mismatch, show red "Integrity Mismatch" banner with retry and report.
+
+Telemetry (debugging):
+- Emit events: proof_drawer_opened, proof_artifact_downloaded, graph_explain_viewed (include findingId, artifactType, latencyMs, integrityStatus).
+
+Developer checklist:
+- Every not_affected status must include at least one proof artifact.
+- Badge is never a dead label; always clickable.
+- Drawer validates artifact digests before rendering contents.
+- "Open full graph" deep-links with rev + node (stable and shareable).
+- Graceful partials: show what is present and what is missing.
+- Accessibility: focus trap in drawer, aria-labels for chips, keyboard nav.
+
+Test cases (quick):
+1) Happy path: all three proofs present; digests match; downloads work.
+2) Partial proof: DSSE present, attestation missing; drawer shows warning ribbon.
+3) Integrity fail: server returns different digest; red banner appears; badge stays clickable.
+4) Graph only: reasoning node present; DSSE/attestation absent; explains rationale clearly.
+
+Optional nice-to-haves:
+- Permalinks: copyable URL that re-opens the drawer to the same tab.
+- QR export: downloadable "proof card" PNG with digests + signer (for audit packets).
+- Offline kit: bundle DSSE, attestation, and a compact graph slice in a .tar.zst for air-gapped review.
+
+If needed, this can be turned into:
+- A small Angular module (ProofDrawerModule) + styles.
+- A .NET 10 controller stub with integrity headers.
+- Fixture JSON so teams can wire it up quickly.
+
+## Context links (from source conversation)
+- docs/ui/console-overview.md
+- docs/ui/advisories-and-vex.md
+- docs/ui/findings.md
+- src/VexLens/StellaOps.VexLens/AGENTS.md and TASKS.md
+- docs/policy/overview.md

docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Storage Blueprint for PostgreSQL Modules.md

@@ -0,0 +1,95 @@
+# 01-Dec-2025 - Storage Blueprint for PostgreSQL Modules
+
+## Summary
+A crisp, opinionated storage blueprint for StellaOps modules with zero-downtime conversion tactics. Covers module-to-store mapping, PostgreSQL patterns, JSONB/RLS scaffolds, materialized views, temporal tables, CAS usage for SBOM/VEX blobs, and phased cutover guidance.
+
+## Module → Store Map (deterministic by default)
+- **Authority / OAuth / Accounts & Audit**: PostgreSQL source of truth; tables `users`, `clients`, `oauth_tokens`, `roles`, `grants`, `audit_log`; RLS on `users`, `grants`, `audit_log`; strict FK/CHECK; immutable UUID PKs; audit table with actor/action/entity/diff and timestamptz default now().
+- **VEX & Vulnerability Writes**: PostgreSQL with JSONB facts plus relational decisions; tables `vuln_fact(jsonb)`, `vex_decision(package_id, vuln_id, status, rationale, proof_ref, updated_at)`; materialized views like `mv_triage_hotset` refreshed on commit or schedule.
+- **Routing / Feature Flags / Rate-limits**: PostgreSQL truth plus Redis cache; tables `feature_flag(key, rules jsonb, version)`, `route(domain, service, instance_id, last_heartbeat)`, `rate_limiter(bucket, quota, interval)`; Redis keys `flag:{key}:{version}`, `route:{domain}`, `rl:{bucket}` with short TTLs.
+- **Unknowns Registry**: PostgreSQL with temporal tables (bitemporal via `valid_from/valid_to`, `sys_from/ sys_to`); view `unknowns_current` for open rows.
+- **Artifacts / SBOM / VEX files**: OCI-compatible CAS (e.g., self-hosted registry or MinIO) keyed by digest; metadata in Postgres `artifact_index(digest, media_type, size, signatures)`.
+
+## PostgreSQL Implementation Essentials
+- **RLS scaffold (Authority)**
+```sql
+alter table audit_log enable row level security;
+create policy p_audit_read_self
+  on audit_log for select
+  using (
+    actor_id = current_setting('app.user_id')::uuid
+    or exists (
+      select 1 from grants g
+      where g.user_id = current_setting('app.user_id')::uuid
+        and g.role = 'auditor'
+    )
+  );
+```
+
+- **JSONB facts + relational decisions**
+```sql
+create table vuln_fact (
+  id uuid primary key default gen_random_uuid(),
+  source text not null,
+  payload jsonb not null,
+  received_at timestamptz default now()
+);
+
+create table vex_decision (
+  package_id uuid not null,
+  vuln_id text not null,
+  status text check (status in ('not_affected','affected','fixed','under_investigation')),
+  rationale text,
+  proof_ref text,
+  decided_at timestamptz default now(),
+  primary key (package_id, vuln_id)
+);
+```
+
+- **Materialized view for triage**
+```sql
+create materialized view mv_triage_hotset as
+select v.id as fact_id, v.payload->>'vuln' as vuln, v.received_at
+from vuln_fact v
+where (now() - v.received_at) < interval '7 days';
+-- refresh concurrently via job
+```
+
+- **Temporal pattern (Unknowns)**
+```sql
+create table unknowns (
+  id uuid primary key default gen_random_uuid(),
+  subject_hash text not null,
+  kind text not null,
+  context jsonb not null,
+  valid_from timestamptz not null default now(),
+  valid_to   timestamptz,
+  sys_from   timestamptz not null default now(),
+  sys_to     timestamptz
+);
+
+create view unknowns_current as
+select * from unknowns where valid_to is null;
+```
+
+## Conversion (not migration): zero-downtime, prototype-friendly
+1. Encode Mongo-shaped docs into JSONB with versioned schemas and forward-compatible projection views.
+2. Outbox pattern for exactly-once side-effects (`outbox(id, topic, key, payload jsonb, created_at, dispatched bool default false)`).
+3. Parallel read adapters behind feature flags with read-diff monitoring.
+4. CDC for analytics without coupling (logical replication).
+5. Materialized views with fixed refresh cadence; cold-path analytics in separate schemas.
+6. Phased cutover playbook: Dark Read → Shadow Serve → Authoritative → Retire (with auto-rollback).
+
+## Rate-limits & Flags: single truth, fast edges
+- Truth in Postgres with versioned flag docs; history table for changes; Redis edge cache keyed by version; rate-limit quotas in Postgres, counters in Redis with reconciliation jobs.
+
+## CAS for SBOM/VEX/attestations
+- Store blobs in OCI/MinIO by digest; keep pointer metadata in Postgres `artifact_index`; benefits: immutability, dedup, easy offline mirroring.
+
+## Guardrails
+- Wrap multi-table writes in single transactions; prefer `jsonb_path_query` for targeted reads; enforce RLS and least-privilege roles; version everything (schemas, flags, materialized views); expose observability for statements, MV refresh latency, outbox lag, Redis hit ratio, and RLS hits.
+
+## Optional Next Steps (from advisory)
+- Generate ready-to-run EF Core 10 migrations.
+- Add `/docs/architecture/store-map.md` summarizing these patterns.
+- Provide a small Docker-based dev seed with sample data.

docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Time-to-Evidence (TTE) Metric.md

@@ -0,0 +1,80 @@
+# Time-to-Evidence (TTE) Metric
+
+Compiled: 2025-12-01 (UTC)
+
+## What it is
+
+**Definition:** `TTE = t_first_proof_rendered − t_open_finding`.
+
+**Proof** = the exact artifact or path that justifies the claim (e.g., `package-lock.json: line 214 → openssl@1.1.1`, `reachability: A → B → C sink`, or `VEX: not_affected due to unreachable code`).
+
+**Target:** **P95 ≤ 15s** (stretch: **P99 ≤ 30s**). If 95% of findings show proof within 15 seconds, the UI stays honest: evidence before opinion, low noise, fast explainability.
+
+## Why it matters
+
+- **Trust:** People accept decisions they can verify quickly.
+- **Triage speed:** Proof-first UIs cut back-and-forth and guesswork.
+- **Noise control:** If you can’t surface proof fast, you probably shouldn’t surface the finding yet.
+
+## How to measure (engineering-ready)
+
+Emit two stamps per finding view:
+
+- `t_open_finding` (on route enter or modal open).
+- `t_first_proof_rendered` (first DOM paint of SBOM line / path list / VEX clause).
+
+Store as `tte_ms` in a lightweight events table (Postgres) with tags: `tenant`, `finding_id`, `proof_kind` (`sbom|reachability|vex`), `source` (`local|remote|cache`).
+
+Nightly rollup: compute P50/P90/P95/P99 by proof_kind and page. Alert when **P95 > 15s** for 15 minutes.
+
+## UI contract (keeps the UX honest)
+
+- **Above the fold:** always show a compact **Proof panel** first (not hidden behind tabs).
+- **Skeletons over spinners:** reserve space; render partial proof as soon as any piece is ready.
+- **Plain text copy affordance:** “Copy SBOM line / path” button right next to the proof.
+- **Defer non-proof widgets:** CVSS badges, remediation prose, and charts load *after* proof.
+- **Empty-state truth:** if no proof exists, say “No proof available yet” and show the loader for *that* proof type only (don’t pretend with summaries).
+
+## Backend rules of thumb
+
+- **Pre-index for first paint:** cache top N proof items per hot finding (e.g., first SBOM hit + shortest path).
+- **Bound queries:** proof queries must be *O(log n)* on indexed columns (pkg name@version, file hash, graph node id).
+- **Chunked streaming:** send first proof chunk <200 ms after backend hit; don’t hold for the full set.
+- **Timeout budget:** 12s backend budget + 3s UI/render margin = 15s P95.
+
+## Minimal contract to add in your code
+
+```ts
+// Frontend: fire on open
+metrics.emit('finding_open', { findingId, t: performance.now() });
+
+// When the first real proof node/line hits the DOM:
+metrics.emit('proof_rendered', { findingId, proofKind, t: performance.now() });
+```
+
+```sql
+-- Rollup (hourly)
+SELECT
+  proof_kind,
+  percentile_cont(0.95) WITHIN GROUP (ORDER BY tte_ms) AS p95_ms
+FROM tte_events
+WHERE ts >= now() - interval '1 hour'
+GROUP BY proof_kind;
+```
+
+## What to put on the team dashboard
+
+- **TTE P95 by page** (Findings list, Finding details).
+- **TTE P95 by proof_kind** (sbom / reachability / vex).
+- **Error budget burn**: minutes over target per day.
+- **Top regressions**: last 7 days vs prior 7.
+
+## Acceptance checklist for any finding view
+
+- [ ] First paint shows a real proof snippet (not a summary).
+- [ ] “Copy proof” button works within 1 click.
+- [ ] TTE P95 in staging ≤ 10s; in prod ≤ 15s.
+- [ ] If proof missing, explicit empty-state + retry path.
+- [ ] Telemetry sampled ≥ 50% of sessions (or 100% for internal).
+
+## Ready-to-drop implementation notes

docs/product-advisories/archived/27-Nov-2025-superseded/01-Dec-2025 - Verifiable Proof Spine Receipts and Benchmarks.md

@@ -0,0 +1,38 @@
+# Verifiable Proof Spine: Receipts + Benchmarks
+
+Compiled: 2025-12-01 (UTC)
+
+## Why this matters
+Move from “trust the scanner” to “prove every verdict.” Each finding and every “not affected” claim must carry cryptographic, replayable evidence that anyone can verify offline or online.
+
+## Differentiators to build in
+- **Graph Revision ID on every verdict**: stable Merkle root over SBOM nodes/edges, policies, feeds, scan params, and tool versions. Any data change → new graph hash → new revisioned verdicts; surface the ID in UI/API.
+- **Machine-verifiable receipts (DSSE)**: emit a DSSE-wrapped in-toto statement per verdict (predicate `stellaops.dev/verdict@v1`) including graphRevisionId, artifact digests, rule id/version, inputs, and timestamps; sign with Authority keys (offline mode supported) and keep receipts queryable/exportable; mirror to Rekor-compatible ledger when online.
+- **Reachability evidence**: attach call-stack slices (entry→sink, symbols, file:line) for code-level cases; for binaries, include symbol presence proofs (bitmap/offsets) hashed and referenced from DSSE payloads.
+- **Deterministic replay manifests**: publish `replay.manifest.json` with inputs, feeds, rule/tool/container digests so auditors can recompute the same graph hash and verdicts offline.
+
+## Benchmarks to publish (headline KPIs)
+- **False-positive reduction vs baseline scanners**: run public corpus across 3–4 popular scanners; label ground truth once; report mean and p95 FP reduction.
+- **Proof coverage**: percentage of findings/VEX items carrying valid DSSE receipts; break out reachable vs unreachable and “not affected.”
+- **Triage time saved**: analyst minutes from alert to final disposition with receipts visible vs hidden; publish p50/p95 deltas.
+- **Determinism stability**: re-run identical scans across nodes; publish % identical graph hashes and explain drift causes when different.
+
+## Minimal implementation plan (week-by-week)
+- **Week 1 – Primitives**: add Graph Revision ID generator in scanner.webservice (Merkle over normalized SBOM+edges+policies+toolVersions); define `VerdictReceipt` schema (protobuf/JSON) and DSSE envelope types.
+- **Week 2 – Signing + storage**: wire DSSE signing via Authority with offline key support/rotation; persist receipts in `Receipts` table keyed by (graphRevisionId, verdictId); enable JSONL export and ledger mirror.
+- **Week 3 – Reachability proofs**: capture call-stack slices in reachability engine; serialize and hash; add binary symbol proof module (ELF/PE bitmap + digest) and reference from receipts.
+- **Week 4 – Replay + UX**: emit replay.manifest per scan (inputs, tool digests); UI shows “Verified” badge, graph hash, signature issuer, and one-click “Copy receipt”; API: `GET /verdicts/{id}/receipt`, `GET /graphs/{rev}/replay`.
+- **Week 5 – Benchmarks harness**: create `bench/` fixtures and runner with baseline scanner adapters, ground-truth labels, metrics export for FP%, proof coverage, triage time capture hooks.
+
+## Developer guardrails (non-negotiable)
+- **No receipt, no ship**: any surfaced verdict must carry a DSSE receipt; fail closed otherwise.
+- **Schema freeze windows**: changes to rule inputs or policy logic must bump rule version and therefore graph hash.
+- **Replay-first CI**: PRs touching scanning/rules must pass a replay test that reproduces prior graph hashes on gold fixtures.
+- **Clock safety**: use monotonic time for receipts; include UTC wall-time separately.
+
+## What to show buyers/auditors
+- Audit kit: sample container + receipts + replay manifest + one command to reproduce the same graph hash.
+- One-page benchmark readout: FP reduction, proof coverage, triage time saved (p50/p95), corpus description.
+
+## Optional follow-ons
+- Provide DSSE predicate schema, Postgres DDL for `Receipts` and `Graphs`, and a minimal .NET verification CLI (`stellaops-verify`) that replays a manifest and validates signatures.