From d870da18ce194c6a5f1a6d71abea36205d9fb276 Mon Sep 17 00:00:00 2001
From: master <>
Date: Tue, 28 Oct 2025 15:10:40 +0200
Subject: [PATCH] Restructure solution layout by module
---
.gitattributes | 2 +-
.../_deprecated-concelier-ci.yml.disabled | 16 +-
.gitea/workflows/build-test-deploy.yml | 44 +-
.gitea/workflows/docs.yml | 122 +-
.gitea/workflows/release.yml | 2 +-
.gitignore | 68 +-
.venv/pyvenv.cfg | 10 +-
Directory.Build.props | 24 +-
Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj | 186 +-
.../src/Mongo2GoTests/Mongo2GoTests.csproj | 40 +-
NuGet.config | 88 +-
README.md | 6 +-
SPRINTS.md | 1119 -
SPRINTS_PRIOR_20251019.md | 208 -
SPRINTS_PRIOR_20251021.md | 88 -
SPRINTS_PRIOR_20251025.md | 34 -
deploy/compose/docker-compose.prod.yaml | 440 +-
.../docker-compose.telemetry-storage.yaml | 114 +-
deploy/compose/docker-compose.telemetry.yaml | 68 +-
deploy/compose/env/prod.env.example | 56 +-
.../files/otel-collector-config.yaml | 128 +-
.../stellaops/templates/otel-collector.yaml | 242 +-
deploy/helm/stellaops/values-prod.yaml | 442 +-
deploy/helm/stellaops/values.yaml | 72 +-
deploy/telemetry/.gitignore | 2 +-
deploy/telemetry/README.md | 70 +-
deploy/telemetry/otel-collector-config.yaml | 134 +-
deploy/telemetry/storage/README.md | 66 +-
deploy/telemetry/storage/loki.yaml | 96 +-
deploy/telemetry/storage/prometheus.yaml | 38 +-
deploy/telemetry/storage/tempo.yaml | 112 +-
.../storage/tenants/loki-overrides.yaml | 38 +-
.../storage/tenants/tempo-overrides.yaml | 32 +-
deploy/tools/check-channel-alignment.py | 260 +-
deploy/tools/validate-profiles.sh | 122 +-
docs/09_API_CLI_REFERENCE.md | 1866 +-
docs/10_CONCELIER_CLI_QUICKSTART.md | 36 +-
docs/11_AUTHORITY.md | 760 +-
docs/11_DATA_SCHEMAS.md | 348 +-
docs/12_PERFORMANCE_WORKBOOK.md | 2 +-
docs/19_TEST_SUITE_OVERVIEW.md | 138 +-
docs/21_INSTALL_GUIDE.md | 380 +-
docs/ARCHITECTURE_AUTHORITY.md | 878 +-
docs/ARCHITECTURE_CLI.md | 812 +-
docs/ARCHITECTURE_CONCELIER.md | 1036 +-
docs/ARCHITECTURE_DEVOPS.md | 2 +-
docs/ARCHITECTURE_SCANNER.md | 974 +-
docs/ARCHITECTURE_VEXER.md | 926 +-
docs/README.md | 6 +-
docs/TASKS.md | 762 +-
docs/accessibility.md | 262 +-
docs/advisories/aggregation.md | 436 +-
docs/airgap/EPIC_16_AIRGAP_MODE.md | 858 +-
docs/aoc/aoc-guardrails.md | 26 +-
docs/api/EPIC_17_SDKS_OPENAPI.md | 20 +-
docs/api/policy.md | 4 +-
docs/architecture/console.md | 4 +-
docs/architecture/overview.md | 336 +-
docs/architecture/policy-engine.md | 486 +-
docs/assets/ui/tours/README.md | 26 +-
docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md | 2 +-
docs/backlog/2025-10-cleanup.md | 4 +-
docs/cli-vs-ui-parity.md | 2 +-
docs/cli/cli-reference.md | 632 +-
docs/cli/policy.md | 2 +-
docs/deploy/console.md | 456 +-
docs/deploy/containers.md | 320 +-
docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md | 440 +-
docs/dev/30_VEXER_CONNECTOR_GUIDE.md | 2 +-
.../31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md | 424 +-
docs/dev/BUILDX_PLUGIN_QUICKSTART.md | 206 +-
docs/dev/EXCITITOR_STATEMENT_BACKFILL.md | 172 +-
docs/dev/authority-dpop-mtls-plan.md | 284 +-
docs/dev/authority-plugin-di-coordination.md | 92 +-
docs/dev/fixtures.md | 18 +-
docs/dev/kisa_connector_notes.md | 2 +-
docs/dev/merge_semver_playbook.md | 308 +-
docs/dev/normalized_versions_rollout.md | 14 +-
docs/devops/policy-schema-export.md | 54 +-
docs/events/orchestrator-scanner-events.md | 242 +-
.../scanner.event.report.ready@1.sample.json | 186 +-
...scanner.event.scan.completed@1.sample.json | 198 +-
...cheduler.graph.job.completed@1.sample.json | 72 +-
docs/events/scanner.event.report.ready@1.json | 328 +-
.../scanner.event.scan.completed@1.json | 348 +-
.../scheduler.graph.job.completed@1.json | 392 +-
docs/examples/policies/README.md | 32 +-
docs/examples/policies/baseline.md | 158 +-
docs/examples/policies/baseline.stella | 92 +-
docs/examples/policies/baseline.yaml | 68 +-
docs/examples/policies/internal-only.md | 144 +-
docs/examples/policies/internal-only.stella | 78 +-
docs/examples/policies/internal-only.yaml | 62 +-
docs/examples/policies/serverless.md | 144 +-
docs/examples/policies/serverless.stella | 78 +-
docs/examples/policies/serverless.yaml | 82 +-
docs/examples/ui-tours.md | 308 +-
docs/export-center/api.md | 674 +-
docs/export-center/architecture.md | 250 +-
docs/export-center/cli.md | 462 +-
docs/export-center/mirror-bundles.md | 404 +-
docs/export-center/overview.md | 126 +-
docs/export-center/profiles.md | 278 +-
docs/export-center/provenance-and-signing.md | 300 +-
docs/export-center/trivy-adapter.md | 492 +-
docs/faq/policy-faq.md | 192 +-
AGENTS.md => docs/implplan/AGENTS.md | 0
EPIC_1.md => docs/implplan/EPIC_1.md | 1048 +-
EPIC_10.md => docs/implplan/EPIC_10.md | 4 +-
EPIC_11.md => docs/implplan/EPIC_11.md | Bin 38558 -> 38590 bytes
EPIC_12.md => docs/implplan/EPIC_12.md | Bin 41202 -> 40398 bytes
EPIC_13.md => docs/implplan/EPIC_13.md | Bin
EPIC_14.md => docs/implplan/EPIC_14.md | Bin
EPIC_15.md => docs/implplan/EPIC_15.md | Bin
EPIC_16.md => docs/implplan/EPIC_16.md | 2 +-
EPIC_17.md => docs/implplan/EPIC_17.md | 2 +-
EPIC_18.md => docs/implplan/EPIC_18.md | 2 +-
EPIC_19.md => docs/implplan/EPIC_19.md | 2 +-
EPIC_2.md => docs/implplan/EPIC_2.md | 1134 +-
EPIC_4.md => docs/implplan/EPIC_4.md | 818 +-
EPIC_5.md => docs/implplan/EPIC_5.md | 862 +-
EPIC_6.md => docs/implplan/EPIC_6.md | 6 +-
EPIC_7.md => docs/implplan/EPIC_7.md | 10 +-
EPIC_8.md => docs/implplan/EPIC_8.md | 2 +-
EPIC_9.md => docs/implplan/EPIC_9.md | 4 +-
EXECPLAN.md => docs/implplan/EXECPLAN.md | 800 +-
docs/implplan/SPRINTS.md | 1096 +
docs/implplan/SPRINTS_PRIOR_20251019.md | 208 +
docs/implplan/SPRINTS_PRIOR_20251021.md | 88 +
docs/implplan/SPRINTS_PRIOR_20251025.md | 34 +
.../implplan/SPRINTS_PRIOR_20251027.md | 64 +-
docs/implplan/SPRINTS_PRIOR_20251028.md | 26 +
docs/ingestion/aggregation-only-contract.md | 360 +-
docs/install/docker.md | 414 +-
docs/notifications/architecture.md | 236 +-
docs/notifications/digests.md | 184 +-
docs/notifications/overview.md | 152 +-
.../pack-approvals-integration.md | 124 +-
docs/notifications/rules.md | 294 +-
docs/notifications/templates.md | 260 +-
docs/observability/policy.md | 332 +-
docs/observability/ui-telemetry.md | 382 +-
docs/operations/cli-release-and-packaging.md | 268 +-
docs/operations/export-runbook.md | 406 +-
docs/ops/authority-backup-restore.md | 194 +-
docs/ops/authority-key-rotation.md | 188 +-
docs/ops/authority-monitoring.md | 166 +-
docs/ops/concelier-apple-operations.md | 154 +-
docs/ops/concelier-authority-audit-runbook.md | 318 +-
docs/ops/concelier-cccs-operations.md | 144 +-
docs/ops/concelier-conflict-resolution.md | 320 +-
docs/ops/concelier-cve-kev-operations.md | 2 +-
docs/ops/concelier-kisa-operations.md | 148 +-
docs/ops/concelier-mirror-operations.md | 476 +-
docs/ops/concelier-nkcki-operations.md | 96 +-
docs/ops/concelier-osv-operations.md | 48 +-
docs/ops/deployment-upgrade-runbook.md | 302 +-
docs/ops/launch-cutover.md | 256 +-
docs/ops/launch-readiness.md | 98 +-
docs/ops/nuget-preview-bootstrap.md | 2 +-
docs/ops/registry-token-service.md | 4 +-
docs/ops/scanner-analyzers-operations.md | 4 +-
docs/ops/telemetry-collector.md | 226 +-
docs/ops/ui-auth-smoke.md | 64 +-
.../zastava-runtime-grafana-dashboard.json | 410 +-
docs/ops/zastava-runtime-operations.md | 348 +-
.../ops/zastava-runtime-prometheus-rules.yaml | 62 +-
docs/policy/dsl.md | 588 +-
docs/policy/exception-effects.md | 12 +-
docs/policy/gateway.md | 248 +-
docs/policy/lifecycle.md | 476 +-
docs/policy/overview.md | 346 +-
docs/policy/runs.md | 2 +-
docs/risk/EPIC_18_RISK_PROFILES.md | 12 +-
docs/scanner-core-contracts.md | 294 +-
docs/schemas/policy-diff-summary.schema.json | 142 +-
docs/schemas/policy-explain-trace.schema.json | 516 +-
docs/schemas/policy-run-request.schema.json | 260 +-
docs/schemas/policy-run-status.schema.json | 434 +-
docs/security/authority-scopes.md | 522 +-
docs/security/authority-threat-model.md | 212 +-
docs/security/console-security.md | 366 +-
docs/security/pack-signing-and-rbac.md | 330 +-
docs/security/policy-governance.md | 224 +-
docs/task-packs/authoring-guide.md | 416 +-
docs/task-packs/registry.md | 348 +-
docs/task-packs/runbook.md | 324 +-
docs/task-packs/spec.md | 498 +-
docs/ui/admin.md | 348 +-
docs/ui/advisories-and-vex.md | 398 +-
docs/ui/console-overview.md | 260 +-
docs/ui/console.md | 288 +-
docs/ui/downloads.md | 424 +-
docs/ui/findings.md | 358 +-
docs/ui/navigation.md | 326 +-
docs/ui/policies.md | 384 +-
docs/ui/policy-editor.md | 358 +-
docs/ui/runs.md | 338 +-
docs/ui/sbom-explorer.md | 390 +-
.../2025-10-20-authority-identity-registry.md | 28 +-
docs/updates/2025-10-20-scanner-events.md | 2 +-
docs/updates/2025-10-22-docs-guild.md | 26 +-
.../2025-10-26-authority-graph-scopes.md | 30 +-
.../2025-10-26-scheduler-graph-jobs.md | 6 +-
.../2025-10-27-console-security-signoff.md | 96 +-
.../updates/2025-10-27-orch-operator-scope.md | 30 +-
.../2025-10-27-policy-scope-migration.md | 30 +-
docs/updates/2025-10-27-task-packs-docs.md | 30 +-
docs/updates/2025-10-28-docs-guild.md | 52 +-
.../2025-10-29-export-center-provenance.md | 18 +-
docs/updates/2025-10-29-notify-docs.md | 20 +-
...2025-10-29-scheduler-policy-doc-refresh.md | 4 +-
.../2025-10-31-console-security-refresh.md | 22 +-
docs/vex/aggregation.md | 458 +-
etc/authority.yaml | 412 +-
etc/authority.yaml.sample | 674 +-
etc/concelier.yaml.sample | 238 +-
etc/policy-engine.yaml.sample | 66 +-
etc/policy-gateway.yaml.sample | 78 +-
etc/registry-signing-sample.pem | 54 +-
etc/registry-token.yaml | 60 +-
etc/secrets/cartographer-service.secret | 4 +-
etc/secrets/concelier-ingest.secret | 4 +-
etc/secrets/console-web.secret | 4 +-
etc/secrets/excitor-ingest.secret | 4 +-
etc/secrets/graph-api-cli.secret | 4 +-
etc/secrets/graph-api.secret | 4 +-
etc/secrets/policy-cli.secret | 4 +-
etc/secrets/policy-engine.secret | 4 +-
etc/signals.yaml.sample | 56 +-
ops/authority/Dockerfile | 2 +-
ops/authority/README.md | 124 +-
ops/devops/README.md | 184 +-
ops/devops/TASKS.md | 344 +-
ops/devops/check_cli_parity.py | 106 +-
ops/devops/nuget-preview-packages.csv | 60 +-
ops/devops/release/build_release.py | 2206 +-
ops/devops/release/components.json | 18 +-
.../release/docker/Dockerfile.angular-ui | 4 +-
.../release/docker/Dockerfile.dotnet-service | 104 +-
ops/devops/release/docker/nginx-default.conf | 44 +-
ops/devops/release/test_verify_release.py | 464 +-
ops/devops/release/verify_release.py | 668 +-
.../scripts/check-advisory-raw-duplicates.js | 154 +-
ops/devops/sync-preview-nuget.sh | 142 +-
ops/devops/telemetry/generate_dev_tls.sh | 154 +-
.../telemetry/package_offline_bundle.py | 272 +-
ops/devops/telemetry/smoke_otel_collector.py | 394 +-
ops/devops/validate_restore_sources.py | 366 +-
ops/offline-kit/build_offline_kit.py | 890 +-
ops/offline-kit/mirror_debug_store.py | 442 +-
ops/offline-kit/run-python-analyzer-smoke.sh | 2 +-
ops/offline-kit/test_build_offline_kit.py | 512 +-
.../python/StellaOps.Auth.Abstractions.xml | 844 +-
.../python/StellaOps.Auth.Client.xml | 466 +-
...ps.Scanner.Analyzers.Lang.Python.deps.json | 1714 +-
out/linknotmerge-bench.csv | 8 +-
out/linknotmerge-bench.json | 166 +-
out/linknotmerge-bench.prom | 120 +-
out/linknotmerge-vex-bench.csv | 8 +-
out/linknotmerge-vex-bench.json | 166 +-
out/linknotmerge-vex-bench.prom | 100 +-
out/notify-bench.csv | 8 +-
out/notify-bench.json | 166 +-
out/notify-bench.prom | 78 +-
out/policy-bench.csv | 4 +-
out/policy-bench.json | 48 +-
out/policy-bench.prom | 34 +-
.../policy-simulation-summary.json | 62 +-
out/tmp-cdx/Program.cs | 8 +-
.../manifest.json | 42 +-
plugins/notify/email/notify-plugin.json | 36 +-
plugins/notify/slack/notify-plugin.json | 38 +-
plugins/notify/teams/notify-plugin.json | 38 +-
plugins/notify/webhook/notify-plugin.json | 36 +-
.../manifest.json | 46 +-
.../manifest.json | 46 +-
.../manifest.json | 44 +-
.../manifest.json | 46 +-
.../manifest.json | 46 +-
samples/api/scheduler/graph-build-job.json | 38 +-
samples/api/scheduler/graph-overlay-job.json | 42 +-
.../api/scheduler/policy-diff-summary.json | 62 +-
.../api/scheduler/policy-explain-trace.json | 166 +-
samples/api/scheduler/policy-run-request.json | 58 +-
samples/api/scheduler/policy-run-status.json | 82 +-
samples/api/scheduler/run-summary.json | 202 +-
samples/ci/buildx-demo/README.md | 84 +-
.../github-actions-buildx-demo.yml | 186 +-
samples/policy/README.md | 50 +-
samples/policy/baseline/diffs.json | 24 +-
samples/policy/baseline/findings.json | 28 +-
samples/policy/internal-only/diffs.json | 24 +-
samples/policy/internal-only/findings.json | 30 +-
samples/policy/serverless/diffs.json | 24 +-
samples/policy/serverless/findings.json | 30 +-
samples/policy/simulations/baseline/diff.json | 46 +-
.../policy/simulations/baseline/scenario.json | 42 +-
.../simulations/internal-only/diff.json | 46 +-
.../simulations/internal-only/scenario.json | 46 +-
.../policy/simulations/serverless/diff.json | 46 +-
.../simulations/serverless/scenario.json | 46 +-
samples/runtime/java-demo/README.md | 10 +-
scripts/export-policy-schemas.sh | 22 +-
scripts/rotate-policy-cli-secret.sh | 126 +-
scripts/update-apple-fixtures.ps1 | 38 +-
scripts/update-apple-fixtures.sh | 28 +-
scripts/update-model-goldens.ps1 | 18 +-
scripts/update-model-goldens.sh | 16 +-
scripts/verify-notify-plugins.ps1 | 114 +-
scripts/verify-notify-plugins.sh | 112 +-
scripts/verify-policy-scopes.py | 172 +-
.../StellaOps.AdvisoryAI/AGENTS.md | 2 +-
.../StellaOps.AdvisoryAI/TASKS.md | 24 +-
.../StellaOps.AirGap.Controller/AGENTS.md | 32 +-
.../StellaOps.AirGap.Controller/TASKS.md | 36 +-
.../StellaOps.AirGap.Importer/AGENTS.md | 32 +-
.../StellaOps.AirGap.Importer/TASKS.md | 38 +-
.../StellaOps.AirGap.Policy/AGENTS.md | 32 +-
.../StellaOps.AirGap.Policy/TASKS.md | 38 +-
.../StellaOps.AirGap.Time/AGENTS.md | 30 +-
.../StellaOps.AirGap.Time/TASKS.md | 26 +-
src/Aoc/StellaOps.Aoc.sln | 56 +
.../StellaOps.Aoc/AocForbiddenKeys.cs | 50 +-
.../StellaOps.Aoc/AocGuardException.cs | 34 +-
.../StellaOps.Aoc/AocGuardExtensions.cs | 44 +-
.../StellaOps.Aoc/AocGuardOptions.cs | 58 +-
.../StellaOps.Aoc/AocGuardResult.cs | 28 +-
.../StellaOps.Aoc/AocViolation.cs | 26 +-
.../StellaOps.Aoc/AocViolationCode.cs | 68 +-
.../StellaOps.Aoc/AocWriteGuard.cs | 254 +-
.../ServiceCollectionExtensions.cs | 34 +-
.../StellaOps.Aoc/StellaOps.Aoc.csproj | 24 +-
.../StellaOps.Aoc.Tests/AocWriteGuardTests.cs | 226 +-
.../StellaOps.Aoc.Tests.csproj | 42 +
.../__Tests}/StellaOps.Aoc.Tests/UnitTest1.cs | 20 +-
.../StellaOps.Aoc.Tests}/xunit.runner.json | 0
.../StellaOps.Api.Governance/AGENTS.md | 30 +-
.../StellaOps.Api.Governance/TASKS.md | 2 +-
src/{ => Api}/StellaOps.Api.OpenApi/AGENTS.md | 4 +-
src/{ => Api}/StellaOps.Api.OpenApi/TASKS.md | 38 +-
.../authority/openapi.yaml | 1378 +-
.../StellaOps.Attestor.Envelope/AGENTS.md | 30 +-
.../StellaOps.Attestor.Envelope/TASKS.md | 26 +-
.../StellaOps.Attestor.Types/AGENTS.md | 28 +-
.../StellaOps.Attestor.Types/TASKS.md | 26 +-
.../StellaOps.Attestor.Verify/AGENTS.md | 28 +-
.../StellaOps.Attestor.Verify/TASKS.md | 26 +-
src/Attestor/StellaOps.Attestor.sln | 182 +
.../StellaOps.Attestor/AGENTS.md | 40 +-
.../Audit/AttestorAuditRecord.cs | 0
.../Observability/AttestorMetrics.cs | 0
.../Options/AttestorOptions.cs | 0
.../Rekor/IRekorClient.cs | 0
.../Rekor/RekorBackend.cs | 0
.../Rekor/RekorProofResponse.cs | 0
.../Rekor/RekorSubmissionResponse.cs | 0
.../StellaOps.Attestor.Core.csproj | 0
.../Storage/AttestorArchiveBundle.cs | 0
.../Storage/AttestorEntry.cs | 0
.../Storage/IAttestorArchiveStore.cs | 0
.../Storage/IAttestorAuditSink.cs | 0
.../Storage/IAttestorDedupeStore.cs | 0
.../Storage/IAttestorEntryRepository.cs | 0
.../Submission/AttestorSubmissionRequest.cs | 0
.../Submission/AttestorSubmissionResult.cs | 0
.../AttestorSubmissionValidationResult.cs | 0
.../Submission/AttestorSubmissionValidator.cs | 0
.../Submission/AttestorValidationException.cs | 0
.../Submission/IAttestorSubmissionService.cs | 0
.../Submission/IDsseCanonicalizer.cs | 0
.../Submission/SubmissionContext.cs | 0
.../AttestorVerificationException.cs | 0
.../AttestorVerificationRequest.cs | 0
.../AttestorVerificationResult.cs | 0
.../IAttestorVerificationService.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../Rekor/HttpRekorClient.cs | 0
.../Rekor/StubRekorClient.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Attestor.Infrastructure.csproj | 42 +-
.../Storage/InMemoryAttestorDedupeStore.cs | 0
.../Storage/MongoAttestorAuditSink.cs | 0
.../Storage/MongoAttestorEntryRepository.cs | 0
.../Storage/NullAttestorArchiveStore.cs | 0
.../Storage/RedisAttestorDedupeStore.cs | 0
.../Storage/S3AttestorArchiveStore.cs | 0
.../Submission/AttestorSubmissionService.cs | 0
.../Submission/DefaultDsseCanonicalizer.cs | 0
.../AttestorVerificationService.cs | 0
.../AttestorSubmissionServiceTests.cs | 0
.../AttestorVerificationServiceTests.cs | 0
.../HttpRekorClientTests.cs | 0
.../StellaOps.Attestor.Tests.csproj | 7 +-
.../StellaOps.Attestor.Tests/TestDoubles.cs | 0
.../StellaOps.Attestor.WebService/Program.cs | 0
.../StellaOps.Attestor.WebService.csproj | 15 +-
.../StellaOps.Attestor/StellaOps.Attestor.sln | 0
.../StellaOps.Attestor/TASKS.md | 0
src/Authority/StellaOps.Authority.sln | 303 +
.../StellaOps.Authority/AGENTS.md | 8 +-
.../NetworkMaskMatcherTests.cs | 0
.../StellaOps.Auth.Abstractions.Tests.csproj | 0
.../StellaOpsPrincipalBuilderTests.cs | 0
.../StellaOpsProblemResultFactoryTests.cs | 0
.../StellaOpsScopesTests.cs | 108 +-
.../AuthorityTelemetry.cs | 0
.../NetworkMask.cs | 0
.../NetworkMaskMatcher.cs | 0
.../README.NuGet.md | 0
.../StellaOps.Auth.Abstractions.csproj | 0
.../StellaOpsAuthenticationDefaults.cs | 0
.../StellaOpsClaimTypes.cs | 124 +-
.../StellaOpsPrincipalBuilder.cs | 0
.../StellaOpsProblemResultFactory.cs | 0
.../StellaOpsScopes.cs | 578 +-
.../StellaOpsServiceIdentities.cs | 54 +-
.../StellaOpsTenancyDefaults.cs | 24 +-
.../ServiceCollectionExtensionsTests.cs | 0
.../StellaOps.Auth.Client.Tests.csproj | 30 +-
.../StellaOpsAuthClientOptionsTests.cs | 0
.../StellaOpsDiscoveryCacheTests.cs | 0
.../StellaOpsTokenClientTests.cs | 0
.../TokenCacheTests.cs | 0
.../StellaOps.Auth.Client/FileTokenCache.cs | 0
.../IStellaOpsTokenCache.cs | 0
.../IStellaOpsTokenClient.cs | 84 +-
.../InMemoryTokenCache.cs | 0
.../StellaOps.Auth.Client/README.NuGet.md | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Auth.Client.csproj | 7 +-
.../StellaOpsAuthClientOptions.cs | 0
.../StellaOpsDiscoveryCache.cs | 0
.../StellaOpsJwksCache.cs | 0
.../StellaOpsTokenCacheEntry.cs | 0
.../StellaOpsTokenClient.cs | 472 +-
.../StellaOpsTokenResult.cs | 0
.../ServiceCollectionExtensionsTests.cs | 0
...llaOps.Auth.ServerIntegration.Tests.csproj | 0
.../StellaOpsResourceServerOptionsTests.cs | 110 +-
...StellaOpsScopeAuthorizationHandlerTests.cs | 398 +-
.../README.NuGet.md | 0
.../ServiceCollectionExtensions.cs | 184 +-
.../StellaOps.Auth.ServerIntegration.csproj | 9 +-
.../StellaOpsAuthorityConfigurationManager.cs | 232 +-
...OpsAuthorizationPolicyBuilderExtensions.cs | 0
.../StellaOpsBypassEvaluator.cs | 0
.../StellaOpsResourceServerOptions.cs | 356 +-
.../StellaOpsScopeAuthorizationHandler.cs | 404 +-
.../StellaOpsScopeRequirement.cs | 0
.../Security/CryptoPasswordHasherTests.cs | 0
.../StandardClientProvisioningStoreTests.cs | 370 +-
.../StandardPluginOptionsTests.cs | 0
.../StandardPluginRegistrarTests.cs | 708 +-
.../StandardUserCredentialStoreTests.cs | 0
...Ops.Authority.Plugin.Standard.Tests.csproj | 0
.../AGENTS.md | 0
.../Bootstrap/StandardPluginBootstrapper.cs | 88 +-
.../Properties/AssemblyInfo.cs | 0
.../Security/IPasswordHasher.cs | 0
.../StandardClaimsEnricher.cs | 0
.../StandardIdentityProviderPlugin.cs | 0
.../StandardPluginOptions.cs | 0
.../StandardPluginRegistrar.cs | 224 +-
...StellaOps.Authority.Plugin.Standard.csproj | 11 +-
.../StandardClientProvisioningStore.cs | 0
.../Storage/StandardUserCredentialStore.cs | 0
.../Storage/StandardUserDocument.cs | 0
.../TASKS.md | 40 +-
.../AuthorityClientRegistrationTests.cs | 64 +-
...horityCredentialVerificationResultTests.cs | 0
...horityIdentityProviderCapabilitiesTests.cs | 0
.../AuthorityPluginHealthResultTests.cs | 0
.../AuthorityPluginOperationResultTests.cs | 0
.../AuthorityUserDescriptorTests.cs | 0
.../AuthorityUserRegistrationTests.cs | 0
...uthority.Plugins.Abstractions.Tests.csproj | 0
.../AuthorityClientMetadataKeys.cs | 0
.../AuthorityPluginContracts.cs | 422 +-
.../AuthorityPluginRegistrationContext.cs | 0
.../AuthoritySecretHasher.cs | 0
.../IdentityProviderContracts.cs | 1794 +-
...aOps.Authority.Plugins.Abstractions.csproj | 7 +-
.../AuthorityMongoDefaults.cs | 0
.../Class1.cs | 0
.../AuthorityBootstrapInviteDocument.cs | 0
.../AuthorityClientCertificateBinding.cs | 0
.../Documents/AuthorityClientDocument.cs | 0
.../AuthorityLoginAttemptDocument.cs | 164 +-
.../Documents/AuthorityRevocationDocument.cs | 0
.../AuthorityRevocationExportStateDocument.cs | 0
.../Documents/AuthorityScopeDocument.cs | 0
.../Documents/AuthorityTokenDocument.cs | 184 +-
.../Documents/AuthorityUserDocument.cs | 0
.../Extensions/ServiceCollectionExtensions.cs | 0
...ityBootstrapInviteCollectionInitializer.cs | 0
.../AuthorityClientCollectionInitializer.cs | 0
...horityLoginAttemptCollectionInitializer.cs | 70 +-
.../AuthorityMongoInitializer.cs | 0
...uthorityRevocationCollectionInitializer.cs | 0
.../AuthorityScopeCollectionInitializer.cs | 0
.../AuthorityTokenCollectionInitializer.cs | 0
.../AuthorityUserCollectionInitializer.cs | 0
.../IAuthorityCollectionInitializer.cs | 0
.../AuthorityMongoMigrationRunner.cs | 0
.../EnsureAuthorityCollectionsMigration.cs | 0
.../Migrations/IAuthorityMongoMigration.cs | 0
.../Options/AuthorityMongoOptions.cs | 0
.../Sessions/AuthorityMongoSessionAccessor.cs | 0
.../StellaOps.Authority.Storage.Mongo.csproj | 7 +-
.../Stores/AuthorityBootstrapInviteStore.cs | 0
.../Stores/AuthorityClientStore.cs | 0
.../Stores/AuthorityLoginAttemptStore.cs | 0
.../AuthorityRevocationExportStateStore.cs | 0
.../Stores/AuthorityRevocationStore.cs | 0
.../Stores/AuthorityScopeStore.cs | 0
.../Stores/AuthorityTokenStore.cs | 0
.../Stores/AuthorityUserStore.cs | 0
.../Stores/IAuthorityBootstrapInviteStore.cs | 0
.../Stores/IAuthorityClientStore.cs | 0
.../Stores/IAuthorityLoginAttemptStore.cs | 0
.../IAuthorityRevocationExportStateStore.cs | 0
.../Stores/IAuthorityRevocationStore.cs | 0
.../Stores/IAuthorityScopeStore.cs | 0
.../Stores/IAuthorityTokenStore.cs | 0
.../Stores/IAuthorityUserStore.cs | 0
.../BootstrapInviteCleanupServiceTests.cs | 0
.../Console/ConsoleEndpointsTests.cs | 678 +-
.../AuthorityIdentityProviderRegistryTests.cs | 420 +-
.../AuthorityIdentityProviderSelectorTests.cs | 250 +-
.../AuthorityWebApplicationFactory.cs | 96 +-
.../OpenApi/OpenApiDiscoveryEndpointTests.cs | 180 +-
.../ClientCredentialsAndTokenHandlersTests.cs | 5350 +--
.../OpenIddict/PasswordGrantHandlersTests.cs | 1032 +-
.../TokenPersistenceIntegrationTests.cs | 792 +-
.../Permalinks/VulnPermalinkServiceTests.cs | 302 +-
.../Plugins/AuthorityPluginLoaderTests.cs | 386 +-
.../AuthorityRateLimiterIntegrationTests.cs | 0
...thorityRateLimiterMetadataAccessorTests.cs | 72 +-
...orityRateLimiterMetadataMiddlewareTests.cs | 0
.../RateLimiting/AuthorityRateLimiterTests.cs | 0
.../AuthoritySigningKeyManagerTests.cs | 0
.../StellaOps.Authority.Tests.csproj | 33 +-
.../TestEnvironment.cs | 26 +-
.../StellaOps.Authority.sln | 0
.../Audit/AuthorityAuditSink.cs | 474 +-
.../AuthorityHttpHeaders.cs | 14 +-
.../AuthorityIdentityProviderRegistry.cs | 292 +-
.../AuthorityPluginRegistry.cs | 0
.../AuthorityRateLimiter.cs | 0
.../AuthorityTelemetryConfiguration.cs | 0
.../Bootstrap/BootstrapApiKeyFilter.cs | 0
.../BootstrapInviteCleanupService.cs | 0
.../Bootstrap/BootstrapRequests.cs | 0
.../Console/ConsoleEndpointExtensions.cs | 1094 +-
.../Console/TenantHeaderFilter.cs | 150 +-
.../AuthorityOpenApiDocumentProvider.cs | 628 +-
.../OpenApiDiscoveryEndpointExtensions.cs | 282 +-
.../AuthorityIdentityProviderSelector.cs | 128 +-
.../AuthorityOpenIddictConstants.cs | 0
.../Handlers/ClientCredentialsAuditHelper.cs | 538 +-
.../Handlers/ClientCredentialsHandlers.cs | 0
.../OpenIddict/Handlers/DpopHandlers.cs | 0
.../Handlers/PasswordGrantHandlers.cs | 1752 +-
.../OpenIddict/Handlers/RevocationHandlers.cs | 0
.../Handlers/TokenPersistenceHandlers.cs | 0
.../Handlers/TokenValidationHandlers.cs | 988 +-
.../OpenIddict/TokenRequestTamperInspector.cs | 228 +-
.../Permalinks/VulnPermalinkRequest.cs | 22 +-
.../Permalinks/VulnPermalinkResponse.cs | 22 +-
.../Permalinks/VulnPermalinkService.cs | 362 +-
.../Plugins/AuthorityPluginLoader.cs | 684 +-
.../AuthorityPluginRegistrationSummary.cs | 0
.../StellaOps.Authority/Program.Partial.cs | 6 +-
.../StellaOps.Authority/Program.cs | 2670 +-
.../Properties/AssemblyInfo.cs | 0
.../Properties/launchSettings.json | 0
.../AuthorityRateLimiterFeature.cs | 0
.../AuthorityRateLimiterMetadata.cs | 160 +-
.../AuthorityRateLimiterMetadataAccessor.cs | 258 +-
.../AuthorityRateLimiterMetadataMiddleware.cs | 0
...uthorityRateLimiterPartitionKeyResolver.cs | 0
...ateLimitingApplicationBuilderExtensions.cs | 0
.../AuthorityRevocationExportService.cs | 0
.../Revocation/RevocationBundleBuildResult.cs | 0
.../Revocation/RevocationBundleBuilder.cs | 0
.../Revocation/RevocationBundleModel.cs | 0
.../Revocation/RevocationBundleSignature.cs | 0
.../Revocation/RevocationBundleSigner.cs | 0
.../Revocation/RevocationEntryModel.cs | 0
.../Revocation/RevocationExportPackage.cs | 0
.../Revocation/RevocationExportResponse.cs | 0
...horityClientCertificateValidationResult.cs | 0
.../AuthorityClientCertificateValidator.cs | 0
.../AuthoritySenderConstraintKinds.cs | 0
.../IAuthorityClientCertificateValidator.cs | 0
.../Signing/AuthorityJwksService.cs | 0
.../Signing/AuthoritySigningKeyManager.cs | 0
.../Signing/AuthoritySigningKeyRequest.cs | 0
.../Signing/AuthoritySigningKeyStatus.cs | 0
.../Signing/FileAuthoritySigningKeySource.cs | 0
.../Signing/IAuthoritySigningKeySource.cs | 0
.../Signing/SigningRotationRequest.cs | 0
.../StellaOps.Authority.csproj | 43 +-
.../Tenants/AuthorityTenantCatalog.cs | 86 +-
.../appsettings.Development.json | 0
.../StellaOps.Authority/appsettings.json | 0
.../StellaOps.Authority/TASKS.md | 4 +-
src/Bench/StellaOps.Bench.sln | 412 +
.../LinkNotMerge.Vex/README.md | 2 +-
.../BaselineLoaderTests.cs | 74 +-
.../BenchmarkScenarioReportTests.cs | 166 +-
...llaOps.Bench.LinkNotMerge.Vex.Tests.csproj | 56 +-
.../VexScenarioRunnerTests.cs | 68 +-
.../Baseline/BaselineEntry.cs | 36 +-
.../Baseline/BaselineLoader.cs | 174 +-
.../Program.cs | 752 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Reporting/BenchmarkJsonWriter.cs | 302 +-
.../Reporting/BenchmarkScenarioReport.cs | 178 +-
.../Reporting/PrometheusWriter.cs | 188 +-
.../Statistics.cs | 168 +-
.../StellaOps.Bench.LinkNotMerge.Vex.csproj | 32 +-
.../VexLinksetAggregator.cs | 332 +-
.../VexObservationGenerator.cs | 504 +-
.../VexScenarioConfig.cs | 366 +-
.../VexScenarioExecutionResult.cs | 28 +-
.../VexScenarioResult.cs | 86 +-
.../VexScenarioRunner.cs | 276 +-
.../LinkNotMerge.Vex/baseline.csv | 8 +-
.../LinkNotMerge.Vex/config.json | 108 +-
.../StellaOps.Bench/LinkNotMerge/README.md | 2 +-
.../BaselineLoaderTests.cs | 76 +-
.../BenchmarkScenarioReportTests.cs | 162 +-
.../LinkNotMergeScenarioRunnerTests.cs | 76 +-
.../StellaOps.Bench.LinkNotMerge.Tests.csproj | 56 +-
.../Baseline/BaselineEntry.cs | 36 +-
.../Baseline/BaselineLoader.cs | 174 +-
.../BenchmarkConfig.cs | 420 +-
.../LinkNotMergeScenarioRunner.cs | 270 +-
.../LinksetAggregator.cs | 280 +-
.../ObservationData.cs | 540 +-
.../StellaOps.Bench.LinkNotMerge/Program.cs | 750 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Reporting/BenchmarkJsonWriter.cs | 302 +-
.../Reporting/BenchmarkScenarioReport.cs | 178 +-
.../Reporting/PrometheusWriter.cs | 202 +-
.../ScenarioExecutionResult.cs | 28 +-
.../ScenarioResult.cs | 84 +-
.../ScenarioStatistics.cs | 168 +-
.../StellaOps.Bench.LinkNotMerge.csproj | 32 +-
.../StellaOps.Bench/LinkNotMerge/baseline.csv | 8 +-
.../StellaOps.Bench/LinkNotMerge/config.json | 114 +-
.../StellaOps.Bench/Notify/README.md | 2 +-
.../BaselineLoaderTests.cs | 76 +-
.../BenchmarkScenarioReportTests.cs | 170 +-
.../NotifyScenarioRunnerTests.cs | 66 +-
.../PrometheusWriterTests.cs | 128 +-
.../StellaOps.Bench.Notify.Tests.csproj | 54 +-
.../Baseline/BaselineEntry.cs | 26 +-
.../Baseline/BaselineLoader.cs | 174 +-
.../StellaOps.Bench.Notify/BenchmarkConfig.cs | 440 +-
.../DispatchAccumulator.cs | 52 +-
.../NotifyScenarioRunner.cs | 772 +-
.../Notify/StellaOps.Bench.Notify/Program.cs | 728 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Reporting/BenchmarkJsonWriter.cs | 294 +-
.../Reporting/BenchmarkScenarioReport.cs | 168 +-
.../Reporting/PrometheusWriter.cs | 172 +-
.../ScenarioExecutionResult.cs | 34 +-
.../StellaOps.Bench.Notify/ScenarioResult.cs | 92 +-
.../ScenarioStatistics.cs | 174 +-
.../StellaOps.Bench.Notify.csproj | 5 +-
.../StellaOps.Bench/Notify/baseline.csv | 8 +-
.../StellaOps.Bench/Notify/config.json | 94 +-
.../StellaOps.Bench/PolicyEngine/README.md | 2 +-
.../Baseline/BaselineEntry.cs | 24 +-
.../Baseline/BaselineLoader.cs | 172 +-
.../BenchmarkConfig.cs | 310 +-
.../PathUtilities.cs | 30 +-
.../PolicyScenarioRunner.cs | 498 +-
.../StellaOps.Bench.PolicyEngine/Program.cs | 746 +-
.../Reporting/BenchmarkJsonWriter.cs | 250 +-
.../Reporting/BenchmarkScenarioReport.cs | 164 +-
.../Reporting/PrometheusWriter.cs | 166 +-
.../ScenarioResult.cs | 220 +-
.../StellaOps.Bench.PolicyEngine.csproj | 5 +-
.../StellaOps.Bench/PolicyEngine/baseline.csv | 4 +-
.../StellaOps.Bench/PolicyEngine/config.json | 38 +-
.../Scanner.Analyzers/README.md | 4 +-
.../BaselineLoaderTests.cs | 74 +-
.../BenchmarkJsonWriterTests.cs | 82 +-
.../BenchmarkScenarioReportTests.cs | 116 +-
.../PrometheusWriterTests.cs | 64 +-
...llaOps.Bench.ScannerAnalyzers.Tests.csproj | 52 +-
.../Baseline/BaselineEntry.cs | 18 +-
.../Baseline/BaselineLoader.cs | 176 +-
.../BenchmarkConfig.cs | 208 +-
.../Program.cs | 786 +-
.../Reporting/BenchmarkJsonWriter.cs | 216 +-
.../Reporting/BenchmarkScenarioReport.cs | 110 +-
.../Reporting/PrometheusWriter.cs | 118 +-
.../ScenarioResult.cs | 48 +-
.../ScenarioRunners.cs | 570 +-
.../StellaOps.Bench.ScannerAnalyzers.csproj | 24 +
.../Scanner.Analyzers/baseline.csv | 14 +-
.../Scanner.Analyzers/config.json | 6 +-
.../Scanner.Analyzers/lang/README.md | 4 +-
.../lang/dotnet/syft-comparison-20251023.csv | 4 +-
.../lang/go/syft-comparison-20251021.csv | 4 +-
.../lang/python/hash-throughput-20251023.csv | 6 +-
src/{ => Bench}/StellaOps.Bench/TASKS.md | 2 +-
src/Cartographer/StellaOps.Cartographer.sln | 179 +
.../StellaOps.Cartographer/AGENTS.md | 36 +-
.../Options/CartographerAuthorityOptions.cs | 202 +-
...artographerAuthorityOptionsConfigurator.cs | 74 +-
.../StellaOps.Cartographer/Program.cs | 78 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../StellaOps.Cartographer.csproj | 18 +
.../StellaOps.Cartographer/TASKS.md | 12 +-
...rapherAuthorityOptionsConfiguratorTests.cs | 102 +-
.../StellaOps.Cartographer.Tests.csproj | 5 +-
src/Cli/StellaOps.Cli.sln | 169 +
src/{ => Cli}/StellaOps.Cli/AGENTS.md | 50 +-
.../StellaOps.Cli/Commands/CommandFactory.cs | 0
.../StellaOps.Cli/Commands/CommandHandlers.cs | 11276 +++----
.../Configuration/AuthorityTokenUtilities.cs | 116 +-
.../Configuration/CliBootstrapper.cs | 836 +-
.../Configuration/StellaOpsCliOptions.cs | 174 +-
.../Plugins/CliCommandModuleLoader.cs | 556 +-
.../Plugins/CliPluginManifest.cs | 78 +-
.../Plugins/CliPluginManifestLoader.cs | 300 +-
.../Plugins/ICliCommandModule.cs | 40 +-
.../Plugins/RestartOnlyCliPluginGuard.cs | 82 +-
src/{ => Cli}/StellaOps.Cli/Program.cs | 0
.../Prompts/TrivyDbExportPrompt.cs | 0
.../StellaOps.Cli/Properties/AssemblyInfo.cs | 0
.../Services/AuthorityDiagnosticsReporter.cs | 0
.../Services/AuthorityRevocationClient.cs | 446 +-
.../Services/BackendOperationsClient.cs | 4972 +--
.../Services/ConcelierObservationsClient.cs | 500 +-
.../Services/IAuthorityRevocationClient.cs | 0
.../Services/IBackendOperationsClient.cs | 0
.../Services/IConcelierObservationsClient.cs | 24 +-
.../Services/IScannerExecutor.cs | 0
.../Services/IScannerInstaller.cs | 0
.../Models/AdvisoryObservationsModels.cs | 234 +-
.../Services/Models/AocIngestDryRunModels.cs | 186 +-
.../Services/Models/AocVerifyModels.cs | 200 +-
.../Models/AuthorityRevocationExportResult.cs | 0
.../Models/ExcititorExportDownloadResult.cs | 0
.../Models/ExcititorOperationResult.cs | 0
.../Models/ExcititorProviderSummary.cs | 0
.../Services/Models/JobTriggerResult.cs | 0
.../Services/Models/OfflineKitModels.cs | 222 +-
.../Services/Models/PolicyActivationModels.cs | 60 +-
.../Services/Models/PolicyFindingsModels.cs | 100 +-
.../Services/Models/PolicySimulationModels.cs | 52 +-
.../Models/RuntimePolicyEvaluationModels.cs | 0
.../Services/Models/ScannerArtifactResult.cs | 0
.../Models/Transport/JobRunResponse.cs | 0
.../Models/Transport/JobTriggerRequest.cs | 0
.../Models/Transport/OfflineKitTransport.cs | 206 +-
.../Transport/PolicyActivationTransport.cs | 104 +-
.../Transport/PolicyFindingsTransport.cs | 164 +-
.../Transport/PolicySimulationTransport.cs | 114 +-
.../Models/Transport/ProblemDocument.cs | 0
.../RuntimePolicyEvaluationTransport.cs | 0
.../Services/PolicyApiException.cs | 36 +-
.../Services/ScannerExecutionResult.cs | 0
.../StellaOps.Cli/Services/ScannerExecutor.cs | 0
.../Services/ScannerInstaller.cs | 0
.../StellaOps.Cli/StellaOps.Cli.csproj | 13 +-
src/{ => Cli}/StellaOps.Cli/TASKS.md | 2 +-
.../Telemetry/CliActivitySource.cs | 0
.../StellaOps.Cli/Telemetry/CliMetrics.cs | 0
.../StellaOps.Cli/Telemetry/VerbosityState.cs | 0
src/{ => Cli}/StellaOps.Cli/appsettings.json | 0
.../NonCoreCliCommandModule.cs | 832 +-
.../StellaOps.Cli.Plugins.NonCore.csproj | 44 +-
.../Commands/CommandHandlersTests.cs | 4978 +--
.../Configuration/CliBootstrapperTests.cs | 0
.../Plugins/CliCommandModuleLoaderTests.cs | 86 +-
.../Plugins/RestartOnlyCliPluginGuardTests.cs | 58 +-
.../AuthorityDiagnosticsReporterTests.cs | 0
.../Services/BackendOperationsClientTests.cs | 2262 +-
.../StellaOps.Cli.Tests.csproj | 30 +
.../Testing/TestHelpers.cs | 0
.../__Tests}/StellaOps.Cli.Tests/UnitTest1.cs | 0
.../StellaOps.Cli.Tests}/xunit.runner.json | 0
.../AssemblyInfo.cs | 0
.../MongoFixtureCollection.cs | 0
.../StellaOps.Concelier.WebService/AGENTS.md | 0
.../Contracts/AdvisoryObservationContracts.cs | 32 +-
.../Contracts/AdvisoryRawContracts.cs | 254 +-
.../Diagnostics/HealthContracts.cs | 0
.../Diagnostics/IngestionMetrics.cs | 44 +-
.../Diagnostics/JobMetrics.cs | 0
.../Diagnostics/ProblemTypes.cs | 0
.../Diagnostics/ServiceStatus.cs | 0
.../Extensions/AdvisoryRawRequestMapper.cs | 314 +-
.../Extensions/ConfigurationExtensions.cs | 0
.../Extensions/JobRegistrationExtensions.cs | 0
.../Extensions/MirrorEndpointExtensions.cs | 0
.../Extensions/TelemetryExtensions.cs | 0
.../Filters/JobAuthorizationAuditFilter.cs | 0
.../Jobs/JobDefinitionResponse.cs | 0
.../Jobs/JobRunResponse.cs | 0
.../Jobs/JobTriggerRequest.cs | 0
.../Options/ConcelierOptions.cs | 0
.../Options/ConcelierOptionsPostConfigure.cs | 0
.../Options/ConcelierOptionsValidator.cs | 0
.../StellaOps.Concelier.WebService/Program.cs | 0
.../Properties/launchSettings.json | 0
.../Services/MirrorFileLocator.cs | 0
.../Services/MirrorRateLimiter.cs | 0
.../StellaOps.Concelier.WebService.csproj | 38 +
.../StellaOps.Concelier.WebService/TASKS.md | 190 +-
src/Concelier/StellaOps.Concelier.sln | 1336 +
.../AGENTS.md | 0
.../AcscConnector.cs | 0
.../AcscConnectorPlugin.cs | 0
.../AcscDependencyInjectionRoutine.cs | 0
.../AcscServiceCollectionExtensions.cs | 0
.../Configuration/AcscFeedOptions.cs | 0
.../Configuration/AcscOptions.cs | 0
.../Internal/AcscCursor.cs | 0
.../Internal/AcscDiagnostics.cs | 0
.../Internal/AcscDocumentMetadata.cs | 0
.../Internal/AcscDto.cs | 0
.../Internal/AcscFeedParser.cs | 0
.../Internal/AcscMapper.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../README.md | 136 +-
.../StellaOps.Concelier.Connector.Acsc.csproj | 24 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CccsConnector.cs | 0
.../CccsConnectorPlugin.cs | 0
.../CccsDependencyInjectionRoutine.cs | 0
.../CccsServiceCollectionExtensions.cs | 0
.../Configuration/CccsOptions.cs | 0
.../Internal/CccsAdvisoryDto.cs | 0
.../Internal/CccsCursor.cs | 0
.../Internal/CccsDiagnostics.cs | 0
.../Internal/CccsFeedClient.cs | 0
.../Internal/CccsFeedModels.cs | 0
.../Internal/CccsHtmlParser.cs | 0
.../Internal/CccsMapper.cs | 0
.../Internal/CccsRawAdvisoryDocument.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Concelier.Connector.Cccs.csproj | 21 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CertBundConnector.cs | 0
.../CertBundConnectorPlugin.cs | 0
.../CertBundDependencyInjectionRoutine.cs | 0
.../CertBundServiceCollectionExtensions.cs | 0
.../Configuration/CertBundOptions.cs | 0
.../Internal/CertBundAdvisoryDto.cs | 0
.../Internal/CertBundCursor.cs | 0
.../Internal/CertBundDetailParser.cs | 0
.../Internal/CertBundDetailResponse.cs | 0
.../Internal/CertBundDiagnostics.cs | 0
.../Internal/CertBundDocumentMetadata.cs | 0
.../Internal/CertBundFeedClient.cs | 0
.../Internal/CertBundFeedItem.cs | 0
.../Internal/CertBundMapper.cs | 0
.../Jobs.cs | 0
.../README.md | 0
...llaOps.Concelier.Connector.CertBund.csproj | 21 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CertCcConnector.cs | 0
.../CertCcConnectorPlugin.cs | 0
.../CertCcDependencyInjectionRoutine.cs | 0
.../CertCcServiceCollectionExtensions.cs | 0
.../Configuration/CertCcOptions.cs | 0
.../FEEDCONN-CERTCC-02-009_PLAN.md | 118 +-
.../FEEDCONN-CERTCC-02-012_HANDOFF.md | 40 +-
.../Internal/CertCcCursor.cs | 0
.../Internal/CertCcDiagnostics.cs | 0
.../Internal/CertCcMapper.cs | 0
.../Internal/CertCcNoteDto.cs | 0
.../Internal/CertCcNoteParser.cs | 0
.../Internal/CertCcSummaryParser.cs | 0
.../Internal/CertCcSummaryPlan.cs | 0
.../Internal/CertCcSummaryPlanner.cs | 0
.../Internal/CertCcVendorStatementParser.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../README.md | 126 +-
...tellaOps.Concelier.Connector.CertCc.csproj | 17 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CertFrConnector.cs | 0
.../CertFrConnectorPlugin.cs | 0
.../CertFrDependencyInjectionRoutine.cs | 0
.../CertFrServiceCollectionExtensions.cs | 0
.../Configuration/CertFrOptions.cs | 0
.../Internal/CertFrCursor.cs | 0
.../Internal/CertFrDocumentMetadata.cs | 0
.../Internal/CertFrDto.cs | 0
.../Internal/CertFrFeedClient.cs | 0
.../Internal/CertFrFeedItem.cs | 0
.../Internal/CertFrMapper.cs | 0
.../Internal/CertFrParser.cs | 0
.../Jobs.cs | 0
...tellaOps.Concelier.Connector.CertFr.csproj | 27 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CertInConnector.cs | 0
.../CertInConnectorPlugin.cs | 0
.../CertInDependencyInjectionRoutine.cs | 0
.../CertInServiceCollectionExtensions.cs | 0
.../Configuration/CertInOptions.cs | 0
.../Internal/CertInAdvisoryDto.cs | 0
.../Internal/CertInClient.cs | 0
.../Internal/CertInCursor.cs | 0
.../Internal/CertInDetailParser.cs | 0
.../Internal/CertInListingItem.cs | 0
.../Jobs.cs | 0
...tellaOps.Concelier.Connector.CertIn.csproj | 33 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Cursors/PaginationPlanner.cs | 0
.../Cursors/TimeWindowCursorOptions.cs | 0
.../Cursors/TimeWindowCursorPlanner.cs | 0
.../Cursors/TimeWindowCursorState.cs | 0
.../DocumentStatuses.cs | 0
.../Fetch/CryptoJitterSource.cs | 0
.../Fetch/IJitterSource.cs | 0
.../Fetch/RawDocumentStorage.cs | 0
.../Fetch/SourceFetchContentResult.cs | 0
.../Fetch/SourceFetchRequest.cs | 0
.../Fetch/SourceFetchResult.cs | 0
.../Fetch/SourceFetchService.cs | 0
.../Fetch/SourceRetryPolicy.cs | 0
.../Html/HtmlContentSanitizer.cs | 0
.../Http/AllowlistedHttpMessageHandler.cs | 0
.../Http/ServiceCollectionExtensions.cs | 412 +-
.../SourceHttpClientConfigurationBinder.cs | 0
.../Http/SourceHttpClientOptions.cs | 0
.../Json/IJsonSchemaValidator.cs | 0
.../Json/JsonSchemaValidationError.cs | 0
.../Json/JsonSchemaValidationException.cs | 0
.../Json/JsonSchemaValidator.cs | 0
.../Packages/PackageCoordinateHelper.cs | 0
.../Pdf/PdfTextExtractor.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../State/SourceStateSeedModels.cs | 0
.../State/SourceStateSeedProcessor.cs | 0
...tellaOps.Concelier.Connector.Common.csproj | 5 +-
.../TASKS.md | 0
.../Telemetry/SourceDiagnostics.cs | 0
.../Testing/CannedHttpMessageHandler.cs | 0
.../Url/UrlNormalizer.cs | 0
.../Xml/IXmlSchemaValidator.cs | 0
.../Xml/XmlSchemaValidationError.cs | 0
.../Xml/XmlSchemaValidationException.cs | 0
.../Xml/XmlSchemaValidator.cs | 0
.../AGENTS.md | 0
.../Configuration/CveOptions.cs | 0
.../CveConnector.cs | 0
.../CveConnectorPlugin.cs | 0
.../CveDependencyInjectionRoutine.cs | 0
.../CveServiceCollectionExtensions.cs | 0
.../Internal/CveCursor.cs | 0
.../Internal/CveDiagnostics.cs | 0
.../Internal/CveListParser.cs | 0
.../Internal/CveMapper.cs | 0
.../Internal/CveRecordDto.cs | 0
.../Internal/CveRecordParser.cs | 0
.../StellaOps.Concelier.Connector.Cve/Jobs.cs | 0
.../StellaOps.Concelier.Connector.Cve.csproj | 32 +-
.../TASKS.md | 2 +-
.../AssemblyInfo.cs | 0
.../Configuration/DebianOptions.cs | 0
.../DebianConnector.cs | 0
.../DebianConnectorPlugin.cs | 0
.../DebianDependencyInjectionRoutine.cs | 0
.../DebianServiceCollectionExtensions.cs | 0
.../Internal/DebianAdvisoryDto.cs | 0
.../Internal/DebianCursor.cs | 0
.../Internal/DebianDetailMetadata.cs | 0
.../Internal/DebianFetchCacheEntry.cs | 0
.../Internal/DebianHtmlParser.cs | 0
.../Internal/DebianListEntry.cs | 0
.../Internal/DebianListParser.cs | 0
.../Internal/DebianMapper.cs | 0
.../Jobs.cs | 0
...s.Concelier.Connector.Distro.Debian.csproj | 35 +-
.../AGENTS.md | 0
.../CONFLICT_RESOLVER_NOTES.md | 50 +-
.../Configuration/RedHatOptions.cs | 0
.../Internal/Models/RedHatCsafModels.cs | 0
.../Internal/RedHatCursor.cs | 0
.../Internal/RedHatMapper.cs | 0
.../Internal/RedHatSummaryItem.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../RedHatConnector.cs | 0
.../RedHatConnectorPlugin.cs | 0
.../RedHatDependencyInjectionRoutine.cs | 0
.../RedHatServiceCollectionExtensions.cs | 0
...s.Concelier.Connector.Distro.RedHat.csproj | 31 +-
.../TASKS.md | 0
.../AssemblyInfo.cs | 0
.../Configuration/SuseOptions.cs | 0
.../Internal/SuseAdvisoryDto.cs | 0
.../Internal/SuseChangeRecord.cs | 0
.../Internal/SuseChangesParser.cs | 0
.../Internal/SuseCsafParser.cs | 0
.../Internal/SuseCursor.cs | 0
.../Internal/SuseFetchCacheEntry.cs | 0
.../Internal/SuseMapper.cs | 0
.../Jobs.cs | 0
...Ops.Concelier.Connector.Distro.Suse.csproj | 35 +-
.../SuseConnector.cs | 0
.../SuseConnectorPlugin.cs | 0
.../SuseDependencyInjectionRoutine.cs | 0
.../SuseServiceCollectionExtensions.cs | 0
.../Configuration/UbuntuOptions.cs | 0
.../Internal/UbuntuCursor.cs | 0
.../Internal/UbuntuFetchCacheEntry.cs | 0
.../Internal/UbuntuMapper.cs | 0
.../Internal/UbuntuNoticeDto.cs | 0
.../Internal/UbuntuNoticeParser.cs | 0
.../Jobs.cs | 0
...s.Concelier.Connector.Distro.Ubuntu.csproj | 35 +-
.../TASKS.md | 0
.../UbuntuConnector.cs | 0
.../UbuntuConnectorPlugin.cs | 0
.../UbuntuDependencyInjectionRoutine.cs | 0
.../UbuntuServiceCollectionExtensions.cs | 0
.../AGENTS.md | 0
.../Configuration/GhsaOptions.cs | 0
.../GhsaConnector.cs | 0
.../GhsaConnectorPlugin.cs | 0
.../GhsaDependencyInjectionRoutine.cs | 0
.../GhsaServiceCollectionExtensions.cs | 0
.../Internal/GhsaCursor.cs | 0
.../Internal/GhsaDiagnostics.cs | 0
.../Internal/GhsaListParser.cs | 0
.../Internal/GhsaMapper.cs | 0
.../Internal/GhsaRateLimitParser.cs | 0
.../Internal/GhsaRateLimitSnapshot.cs | 0
.../Internal/GhsaRecordDto.cs | 0
.../Internal/GhsaRecordParser.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Concelier.Connector.Ghsa.csproj | 26 +-
.../TASKS.md | 4 +-
.../AGENTS.md | 0
.../Configuration/IcsCisaOptions.cs | 0
.../HANDOVER.md | 42 +-
.../IcsCisaConnector.cs | 0
.../IcsCisaConnectorPlugin.cs | 0
.../IcsCisaDependencyInjectionRoutine.cs | 0
.../IcsCisaServiceCollectionExtensions.cs | 0
.../Internal/IcsCisaAdvisoryDto.cs | 0
.../Internal/IcsCisaAttachmentDto.cs | 0
.../Internal/IcsCisaCursor.cs | 0
.../Internal/IcsCisaDiagnostics.cs | 0
.../Internal/IcsCisaFeedDto.cs | 0
.../Internal/IcsCisaFeedParser.cs | 0
.../Jobs.cs | 0
...llaOps.Concelier.Connector.Ics.Cisa.csproj | 57 +-
.../TASKS.md | 30 +-
.../AGENTS.md | 0
.../Configuration/KasperskyOptions.cs | 0
.../Internal/KasperskyAdvisoryDto.cs | 0
.../Internal/KasperskyAdvisoryParser.cs | 0
.../Internal/KasperskyCursor.cs | 0
.../Internal/KasperskyFeedClient.cs | 0
.../Internal/KasperskyFeedItem.cs | 0
.../Jobs.cs | 0
.../KasperskyConnector.cs | 0
.../KasperskyConnectorPlugin.cs | 0
.../KasperskyDependencyInjectionRoutine.cs | 0
.../KasperskyServiceCollectionExtensions.cs | 0
...s.Concelier.Connector.Ics.Kaspersky.csproj | 33 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/JvnOptions.cs | 0
.../Internal/JvnAdvisoryMapper.cs | 0
.../Internal/JvnConstants.cs | 0
.../Internal/JvnCursor.cs | 0
.../Internal/JvnDetailDto.cs | 0
.../Internal/JvnDetailParser.cs | 0
.../Internal/JvnOverviewItem.cs | 0
.../Internal/JvnOverviewPage.cs | 0
.../Internal/JvnSchemaProvider.cs | 0
.../Internal/JvnSchemaValidationException.cs | 0
.../Internal/MyJvnClient.cs | 0
.../StellaOps.Concelier.Connector.Jvn/Jobs.cs | 0
.../JvnConnector.cs | 0
.../JvnConnectorPlugin.cs | 0
.../JvnDependencyInjectionRoutine.cs | 0
.../JvnServiceCollectionExtensions.cs | 0
.../Schemas/data_marking.xsd | 0
.../Schemas/jvnrss_3.2.xsd | 0
.../Schemas/mod_sec_3.0.xsd | 0
.../Schemas/status_3.3.xsd | 0
.../Schemas/tlp_marking.xsd | 0
.../Schemas/vuldef_3.2.xsd | 0
.../Schemas/xml.xsd | 0
.../StellaOps.Concelier.Connector.Jvn.csproj | 31 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/KevOptions.cs | 0
.../Internal/KevCatalogDto.cs | 0
.../Internal/KevCursor.cs | 0
.../Internal/KevDiagnostics.cs | 0
.../Internal/KevMapper.cs | 0
.../Internal/KevSchemaProvider.cs | 0
.../StellaOps.Concelier.Connector.Kev/Jobs.cs | 0
.../KevConnector.cs | 0
.../KevConnectorPlugin.cs | 0
.../KevDependencyInjectionRoutine.cs | 0
.../KevServiceCollectionExtensions.cs | 0
.../Schemas/kev-catalog.schema.json | 0
.../StellaOps.Concelier.Connector.Kev.csproj | 22 +-
.../TASKS.md | 24 +-
.../AGENTS.md | 0
.../Configuration/KisaOptions.cs | 0
.../Internal/KisaCursor.cs | 0
.../Internal/KisaDetailParser.cs | 0
.../Internal/KisaDetailResponse.cs | 0
.../Internal/KisaDiagnostics.cs | 0
.../Internal/KisaDocumentMetadata.cs | 0
.../Internal/KisaFeedClient.cs | 0
.../Internal/KisaFeedItem.cs | 0
.../Internal/KisaMapper.cs | 0
.../Jobs.cs | 0
.../KisaConnector.cs | 0
.../KisaConnectorPlugin.cs | 0
.../KisaDependencyInjectionRoutine.cs | 0
.../KisaServiceCollectionExtensions.cs | 0
.../StellaOps.Concelier.Connector.Kisa.csproj | 26 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/NvdOptions.cs | 0
.../Internal/NvdCursor.cs | 0
.../Internal/NvdDiagnostics.cs | 0
.../Internal/NvdMapper.cs | 0
.../Internal/NvdSchemaProvider.cs | 0
.../NvdConnector.cs | 0
.../NvdConnectorPlugin.cs | 0
.../NvdServiceCollectionExtensions.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../Schemas/nvd-vulnerability.schema.json | 0
.../StellaOps.Concelier.Connector.Nvd.csproj | 35 +-
.../TASKS.md | 18 +-
.../AGENTS.md | 0
.../Configuration/OsvOptions.cs | 0
.../Internal/OsvCursor.cs | 0
.../Internal/OsvDiagnostics.cs | 0
.../Internal/OsvMapper.cs | 0
.../Internal/OsvVulnerabilityDto.cs | 0
.../StellaOps.Concelier.Connector.Osv/Jobs.cs | 0
.../OsvConnector.cs | 0
.../OsvConnectorPlugin.cs | 0
.../OsvDependencyInjectionRoutine.cs | 0
.../OsvServiceCollectionExtensions.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Concelier.Connector.Osv.csproj | 47 +-
.../TASKS.md | 6 +-
.../AGENTS.md | 0
.../Configuration/RuBduOptions.cs | 0
.../Internal/RuBduCursor.cs | 0
.../Internal/RuBduDiagnostics.cs | 0
.../Internal/RuBduMapper.cs | 0
.../Internal/RuBduVulnerabilityDto.cs | 0
.../Internal/RuBduXmlParser.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../README.md | 4 +-
.../RuBduConnector.cs | 0
.../RuBduConnectorPlugin.cs | 0
.../RuBduDependencyInjectionRoutine.cs | 0
.../RuBduServiceCollectionExtensions.cs | 0
...tellaOps.Concelier.Connector.Ru.Bdu.csproj | 37 +-
.../TASKS.md | 22 +-
.../AGENTS.md | 0
.../Configuration/RuNkckiOptions.cs | 0
.../Internal/RuNkckiCursor.cs | 0
.../Internal/RuNkckiDiagnostics.cs | 0
.../Internal/RuNkckiJsonParser.cs | 0
.../Internal/RuNkckiMapper.cs | 0
.../Internal/RuNkckiVulnerabilityDto.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../RuNkckiConnector.cs | 0
.../RuNkckiConnectorPlugin.cs | 0
.../RuNkckiDependencyInjectionRoutine.cs | 0
.../RuNkckiServiceCollectionExtensions.cs | 0
...llaOps.Concelier.Connector.Ru.Nkcki.csproj | 45 +-
.../TASKS.md | 0
.../Client/MirrorManifestClient.cs | 0
.../Internal/MirrorAdvisoryMapper.cs | 406 +-
.../Internal/MirrorBundleDocument.cs | 28 +-
.../Internal/MirrorIndexDocument.cs | 0
.../Internal/StellaOpsMirrorCursor.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
.../Security/MirrorSignatureVerifier.cs | 546 +-
.../StellaOpsMirrorConnectorOptions.cs | 0
...Concelier.Connector.StellaOpsMirror.csproj | 33 +-
.../StellaOpsMirrorConnector.cs | 1146 +-
.../StellaOpsMirrorConnectorPlugin.cs | 0
...ellaOpsMirrorDependencyInjectionRoutine.cs | 0
.../TASKS.md | 10 +-
.../AGENTS.md | 0
.../AdobeConnector.cs | 0
.../AdobeConnectorPlugin.cs | 0
.../AdobeDiagnostics.cs | 0
.../AdobeServiceCollectionExtensions.cs | 0
.../Configuration/AdobeOptions.cs | 0
.../Internal/AdobeBulletinDto.cs | 0
.../Internal/AdobeCursor.cs | 0
.../Internal/AdobeDetailParser.cs | 0
.../Internal/AdobeDocumentMetadata.cs | 0
.../Internal/AdobeIndexEntry.cs | 0
.../Internal/AdobeIndexParser.cs | 0
.../Internal/AdobeSchemaProvider.cs | 0
.../Schemas/adobe-bulletin.schema.json | 0
...aOps.Concelier.Connector.Vndr.Adobe.csproj | 50 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../AppleConnector.cs | 0
.../AppleDependencyInjectionRoutine.cs | 0
.../AppleOptions.cs | 0
.../AppleServiceCollectionExtensions.cs | 0
.../Internal/AppleCursor.cs | 0
.../Internal/AppleDetailDto.cs | 0
.../Internal/AppleDetailParser.cs | 0
.../Internal/AppleDiagnostics.cs | 0
.../Internal/AppleIndexEntry.cs | 0
.../Internal/AppleMapper.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../README.md | 98 +-
...aOps.Concelier.Connector.Vndr.Apple.csproj | 26 +-
.../TASKS.md | 0
.../VndrAppleConnectorPlugin.cs | 0
.../AGENTS.md | 0
.../ChromiumConnector.cs | 0
.../ChromiumConnectorPlugin.cs | 0
.../ChromiumDiagnostics.cs | 0
.../ChromiumServiceCollectionExtensions.cs | 0
.../Configuration/ChromiumOptions.cs | 0
.../Internal/ChromiumCursor.cs | 0
.../Internal/ChromiumDocumentMetadata.cs | 0
.../Internal/ChromiumDto.cs | 0
.../Internal/ChromiumFeedEntry.cs | 0
.../Internal/ChromiumFeedLoader.cs | 0
.../Internal/ChromiumMapper.cs | 0
.../Internal/ChromiumParser.cs | 0
.../Internal/ChromiumSchemaProvider.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../Schemas/chromium-post.schema.json | 0
...s.Concelier.Connector.Vndr.Chromium.csproj | 64 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../CiscoConnector.cs | 0
.../CiscoDependencyInjectionRoutine.cs | 0
.../CiscoServiceCollectionExtensions.cs | 0
.../Configuration/CiscoOptions.cs | 0
.../Internal/CiscoAccessTokenProvider.cs | 0
.../Internal/CiscoAdvisoryDto.cs | 0
.../Internal/CiscoCsafClient.cs | 0
.../Internal/CiscoCsafData.cs | 0
.../Internal/CiscoCsafParser.cs | 0
.../Internal/CiscoCursor.cs | 0
.../Internal/CiscoDiagnostics.cs | 0
.../Internal/CiscoDtoFactory.cs | 0
.../Internal/CiscoMapper.cs | 0
.../Internal/CiscoOAuthMessageHandler.cs | 0
.../Internal/CiscoOpenVulnClient.cs | 0
.../Internal/CiscoRawAdvisory.cs | 0
.../Jobs.cs | 0
...aOps.Concelier.Connector.Vndr.Cisco.csproj | 21 +-
.../TASKS.md | 0
.../VndrCiscoConnectorPlugin.cs | 0
.../AGENTS.md | 0
.../Configuration/MsrcOptions.cs | 0
.../Internal/MsrcAdvisoryDto.cs | 0
.../Internal/MsrcApiClient.cs | 0
.../Internal/MsrcCursor.cs | 0
.../Internal/MsrcDetailDto.cs | 0
.../Internal/MsrcDetailParser.cs | 0
.../Internal/MsrcDiagnostics.cs | 0
.../Internal/MsrcDocumentMetadata.cs | 0
.../Internal/MsrcMapper.cs | 0
.../Internal/MsrcSummaryResponse.cs | 0
.../Internal/MsrcTokenProvider.cs | 0
.../Jobs.cs | 0
.../MsrcConnector.cs | 0
.../MsrcConnectorPlugin.cs | 0
.../MsrcDependencyInjectionRoutine.cs | 0
.../MsrcServiceCollectionExtensions.cs | 0
.../README.md | 0
...laOps.Concelier.Connector.Vndr.Msrc.csproj | 32 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/OracleOptions.cs | 0
.../Internal/OracleAffectedEntry.cs | 0
.../Internal/OracleCalendarFetcher.cs | 0
.../Internal/OracleCursor.cs | 0
.../Internal/OracleDocumentMetadata.cs | 0
.../Internal/OracleDto.cs | 0
.../Internal/OracleDtoValidator.cs | 0
.../Internal/OracleMapper.cs | 0
.../Internal/OracleParser.cs | 0
.../Internal/OraclePatchDocument.cs | 0
.../Jobs.cs | 0
.../OracleConnector.cs | 0
.../OracleDependencyInjectionRoutine.cs | 0
.../OracleServiceCollectionExtensions.cs | 0
.../Properties/AssemblyInfo.cs | 0
...Ops.Concelier.Connector.Vndr.Oracle.csproj | 34 +-
.../TASKS.md | 0
.../VndrOracleConnectorPlugin.cs | 0
.../AGENTS.md | 0
.../Configuration/VmwareOptions.cs | 0
.../Internal/VmwareCursor.cs | 0
.../Internal/VmwareDetailDto.cs | 0
.../Internal/VmwareFetchCacheEntry.cs | 0
.../Internal/VmwareIndexItem.cs | 0
.../Internal/VmwareMapper.cs | 0
.../Jobs.cs | 0
.../Properties/AssemblyInfo.cs | 0
...Ops.Concelier.Connector.Vndr.Vmware.csproj | 46 +-
.../TASKS.md | 0
.../VmwareConnector.cs | 0
.../VmwareConnectorPlugin.cs | 0
.../VmwareDependencyInjectionRoutine.cs | 0
.../VmwareDiagnostics.cs | 0
.../VmwareServiceCollectionExtensions.cs | 0
.../StellaOps.Concelier.Core/AGENTS.md | 0
.../Aoc/AdvisoryRawWriteGuard.cs | 70 +-
.../Aoc/AocServiceCollectionExtensions.cs | 80 +-
.../Aoc/ConcelierAocGuardException.cs | 64 +-
.../Aoc/IAdvisoryRawWriteGuard.cs | 32 +-
.../CanonicalMergeResult.cs | 0
.../CanonicalMerger.cs | 0
.../Events/AdvisoryEventContracts.cs | 0
.../Events/AdvisoryEventLog.cs | 0
.../Events/IAdvisoryEventLog.cs | 0
.../Events/IAdvisoryEventRepository.cs | 0
.../StellaOps.Concelier.Core/Jobs/IJob.cs | 0
.../Jobs/IJobCoordinator.cs | 0
.../Jobs/IJobStore.cs | 0
.../Jobs/ILeaseStore.cs | 0
.../Jobs/JobCoordinator.cs | 0
.../Jobs/JobDefinition.cs | 0
.../Jobs/JobDiagnostics.cs | 0
.../Jobs/JobExecutionContext.cs | 0
.../StellaOps.Concelier.Core/Jobs/JobLease.cs | 0
.../Jobs/JobPluginRegistrationExtensions.cs | 0
.../Jobs/JobRunCompletion.cs | 0
.../Jobs/JobRunCreateRequest.cs | 0
.../Jobs/JobRunSnapshot.cs | 0
.../Jobs/JobRunStatus.cs | 0
.../Jobs/JobSchedulerBuilder.cs | 0
.../Jobs/JobSchedulerHostedService.cs | 0
.../Jobs/JobSchedulerOptions.cs | 0
.../Jobs/JobTriggerResult.cs | 0
.../Jobs/ServiceCollectionExtensions.cs | 0
.../Linksets/AdvisoryLinksetMapper.cs | 616 +-
.../Linksets/AdvisoryObservationFactory.cs | 576 +-
.../Linksets/IAdvisoryLinksetMapper.cs | 32 +-
.../Linksets/IAdvisoryObservationFactory.cs | 20 +-
.../Linksets/LinksetNormalization.cs | 190 +-
.../LinksetServiceCollectionExtensions.cs | 38 +-
.../Noise/INoisePriorRepository.cs | 52 +-
.../Noise/INoisePriorService.cs | 50 +-
.../Noise/NoisePriorComputationRequest.cs | 20 +-
.../Noise/NoisePriorComputationResult.cs | 20 +-
.../Noise/NoisePriorService.cs | 800 +-
.../NoisePriorServiceCollectionExtensions.cs | 48 +-
.../Noise/NoisePriorSummary.cs | 48 +-
.../Observations/AdvisoryObservationCursor.cs | 16 +-
.../AdvisoryObservationQueryModels.cs | 164 +-
.../AdvisoryObservationQueryService.cs | 488 +-
.../IAdvisoryObservationLookup.cs | 78 +-
.../IAdvisoryObservationQueryService.cs | 32 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Raw/AdvisoryRawQueryOptions.cs | 166 +-
.../Raw/AdvisoryRawRecord.cs | 38 +-
.../Raw/AdvisoryRawService.cs | 878 +-
.../Raw/IAdvisoryRawRepository.cs | 74 +-
.../Raw/IAdvisoryRawService.cs | 112 +-
.../Raw/RawServiceCollectionExtensions.cs | 32 +-
.../StellaOps.Concelier.Core.csproj | 7 +-
.../StellaOps.Concelier.Core/TASKS.md | 238 +-
.../Unknown/IUnknownStateLedger.cs | 0
.../Unknown/IUnknownStateRepository.cs | 0
.../Unknown/UnknownStateLedger.cs | 0
.../Unknown/UnknownStateLedgerRequest.cs | 0
.../Unknown/UnknownStateLedgerResult.cs | 0
.../Unknown/UnknownStateMarkerKinds.cs | 0
.../Unknown/UnknownStateSnapshot.cs | 0
.../AGENTS.md | 0
.../ExportDigestCalculator.cs | 0
.../ExporterVersion.cs | 0
.../IJsonExportPathResolver.cs | 0
.../JsonExportFile.cs | 0
.../JsonExportJob.cs | 0
.../JsonExportManifestWriter.cs | 0
.../JsonExportOptions.cs | 0
.../JsonExportResult.cs | 0
.../JsonExportSnapshotBuilder.cs | 0
.../JsonExporterDependencyInjectionRoutine.cs | 0
.../JsonExporterPlugin.cs | 0
.../JsonFeedExporter.cs | 0
.../JsonMirrorBundleWriter.cs | 0
.../StellaOps.Concelier.Exporter.Json.csproj | 8 +-
.../TASKS.md | 22 +-
.../VulnListJsonExportPathResolver.cs | 0
.../AGENTS.md | 0
.../ITrivyDbBuilder.cs | 0
.../ITrivyDbOrasPusher.cs | 0
.../OciDescriptor.cs | 0
.../OciIndex.cs | 0
.../OciManifest.cs | 0
...tellaOps.Concelier.Exporter.TrivyDb.csproj | 6 +-
.../TASKS.md | 4 +-
.../TrivyConfigDocument.cs | 0
.../TrivyDbBlob.cs | 0
.../TrivyDbBoltBuilder.cs | 0
.../TrivyDbBuilderResult.cs | 0
.../TrivyDbExportJob.cs | 0
.../TrivyDbExportMode.cs | 0
.../TrivyDbExportOptions.cs | 0
.../TrivyDbExportOverrides.cs | 0
.../TrivyDbExportPlan.cs | 0
.../TrivyDbExportPlanner.cs | 0
...ivyDbExporterDependencyInjectionRoutine.cs | 0
.../TrivyDbExporterPlugin.cs | 0
.../TrivyDbFeedExporter.cs | 0
.../TrivyDbMediaTypes.cs | 0
.../TrivyDbMirrorBundleWriter.cs | 0
.../TrivyDbOciWriteResult.cs | 0
.../TrivyDbOciWriter.cs | 0
.../TrivyDbOrasPusher.cs | 0
.../TrivyDbPackage.cs | 0
.../TrivyDbPackageBuilder.cs | 0
.../TrivyDbPackageRequest.cs | 0
.../StellaOps.Concelier.Merge/AGENTS.md | 0
.../StellaOps.Concelier.Merge/Class1.cs | 0
.../Comparers/DebianEvr.cs | 0
.../Comparers/Nevra.cs | 0
.../Comparers/SemanticVersionRangeResolver.cs | 0
.../Identity/AdvisoryIdentityCluster.cs | 0
.../Identity/AdvisoryIdentityResolver.cs | 0
.../Identity/AliasIdentity.cs | 0
.../Jobs/MergeJobKinds.cs | 0
.../Jobs/MergeReconcileJob.cs | 0
.../MergeServiceCollectionExtensions.cs | 0
.../Options/AdvisoryPrecedenceDefaults.cs | 0
.../Options/AdvisoryPrecedenceOptions.cs | 0
.../Options/AdvisoryPrecedenceTable.cs | 0
.../RANGE_PRIMITIVES_COORDINATION.md | 194 +-
.../Services/AdvisoryMergeService.cs | 878 +-
.../Services/AdvisoryPrecedenceMerger.cs | 0
.../AffectedPackagePrecedenceResolver.cs | 0
.../Services/AliasGraphResolver.cs | 0
.../Services/CanonicalHashCalculator.cs | 0
.../Services/ConflictDetailPayload.cs | 88 +-
.../Services/MergeConflictDetail.cs | 0
.../Services/MergeConflictExplainerPayload.cs | 0
.../Services/MergeConflictSummary.cs | 0
.../Services/MergeEventWriter.cs | 0
.../Services/PrecedenceMergeResult.cs | 0
.../StellaOps.Concelier.Merge.csproj | 36 +-
.../StellaOps.Concelier.Merge/TASKS.md | 66 +-
.../StellaOps.Concelier.Models/AGENTS.md | 0
.../StellaOps.Concelier.Models/Advisory.cs | 0
.../AdvisoryCredit.cs | 0
.../AdvisoryProvenance.cs | 0
.../AdvisoryReference.cs | 0
.../AdvisoryWeakness.cs | 0
.../AffectedPackage.cs | 0
.../AffectedPackageStatus.cs | 0
.../AffectedPackageStatusCatalog.cs | 0
.../AffectedVersionRange.cs | 0
.../AffectedVersionRangeExtensions.cs | 0
.../AliasSchemeRegistry.cs | 0
.../AliasSchemes.cs | 0
.../BACKWARD_COMPATIBILITY.md | 0
.../CANONICAL_RECORDS.md | 0
.../CanonicalJsonSerializer.cs | 0
.../StellaOps.Concelier.Models/CvssMetric.cs | 0
.../EvrPrimitiveExtensions.cs | 0
.../NevraPrimitiveExtensions.cs | 0
.../NormalizedVersionRule.cs | 0
.../Observations/AdvisoryObservation.cs | 566 +-
.../OsvGhsaParityDiagnostics.cs | 0
.../OsvGhsaParityInspector.cs | 0
.../PROVENANCE_GUIDELINES.md | 0
.../ProvenanceFieldMasks.cs | 0
.../ProvenanceInspector.cs | 0
.../RangePrimitives.cs | 0
.../SemVerPrimitiveExtensions.cs | 0
.../SeverityNormalization.cs | 0
.../SnapshotSerializer.cs | 0
.../StellaOps.Concelier.Models.csproj | 24 +-
.../StellaOps.Concelier.Models/TASKS.md | 0
.../StellaOps.Concelier.Models/Validation.cs | 0
.../AssemblyInfo.cs | 0
.../Cvss/CvssMetricNormalizer.cs | 0
.../Distro/DebianEvr.cs | 0
.../Distro/Nevra.cs | 0
.../Identifiers/Cpe23.cs | 0
.../Identifiers/IdentifierNormalizer.cs | 0
.../Identifiers/PackageUrl.cs | 0
.../SemVer/SemVerRangeRuleBuilder.cs | 0
.../StellaOps.Concelier.Normalization.csproj | 0
.../TASKS.md | 0
.../Text/DescriptionNormalizer.cs | 0
.../AdvisoryRawDocument.cs | 152 +-
.../StellaOps.Concelier.RawModels/Class1.cs | 12 +-
.../JsonElementExtensions.cs | 24 +-
.../RawDocumentFactory.cs | 78 +-
.../StellaOps.Concelier.RawModels.csproj | 24 +-
.../VexRawDocument.cs | 48 +-
.../AGENTS.md | 0
.../Advisories/AdvisoryDocument.cs | 0
.../Advisories/AdvisoryStore.cs | 0
.../Advisories/IAdvisoryStore.cs | 0
.../Advisories/NormalizedVersionDocument.cs | 0
.../NormalizedVersionDocumentFactory.cs | 0
.../Aliases/AliasDocument.cs | 0
.../Aliases/AliasStore.cs | 0
.../Aliases/AliasStoreConstants.cs | 0
.../Aliases/AliasStoreMetrics.cs | 0
.../Aliases/IAliasStore.cs | 0
.../ChangeHistory/ChangeHistoryDocument.cs | 0
.../ChangeHistoryDocumentExtensions.cs | 0
.../ChangeHistory/ChangeHistoryFieldChange.cs | 0
.../ChangeHistory/ChangeHistoryRecord.cs | 0
.../ChangeHistory/IChangeHistoryStore.cs | 0
.../ChangeHistory/MongoChangeHistoryStore.cs | 0
.../Conflicts/AdvisoryConflictDocument.cs | 0
.../Conflicts/AdvisoryConflictRecord.cs | 0
.../Conflicts/AdvisoryConflictStore.cs | 0
.../Documents/DocumentDocument.cs | 0
.../Documents/DocumentRecord.cs | 0
.../Documents/DocumentStore.cs | 0
.../Documents/IDocumentStore.cs | 0
.../Dtos/DtoDocument.cs | 0
.../Dtos/DtoRecord.cs | 0
.../Dtos/DtoStore.cs | 0
.../Dtos/IDtoStore.cs | 0
.../Events/MongoAdvisoryEventRepository.cs | 0
.../Exporting/ExportStateDocument.cs | 0
.../Exporting/ExportStateManager.cs | 0
.../Exporting/ExportStateRecord.cs | 0
.../Exporting/ExportStateStore.cs | 0
.../Exporting/IExportStateStore.cs | 0
.../ISourceStateRepository.cs | 0
.../JobLeaseDocument.cs | 0
.../JobRunDocument.cs | 0
.../JpFlags/IJpFlagStore.cs | 0
.../JpFlags/JpFlagDocument.cs | 0
.../JpFlags/JpFlagRecord.cs | 0
.../JpFlags/JpFlagStore.cs | 0
.../MIGRATIONS.md | 0
.../MergeEvents/IMergeEventStore.cs | 0
.../MergeEvents/MergeEventDocument.cs | 0
.../MergeEvents/MergeEventRecord.cs | 0
.../MergeEvents/MergeEventStore.cs | 0
.../MergeEvents/MergeFieldDecision.cs | 0
...EnsureAdvisoryEventCollectionsMigration.cs | 0
...ureAdvisoryRawIdempotencyIndexMigration.cs | 312 +-
.../EnsureAdvisoryRawValidatorMigration.cs | 744 +-
...sureAdvisorySupersedesBackfillMigration.cs | 484 +-
.../EnsureDocumentExpiryIndexesMigration.cs | 0
.../EnsureGridFsExpiryIndexesMigration.cs | 0
.../Migrations/IMongoMigration.cs | 0
.../Migrations/MongoMigrationDocument.cs | 0
.../Migrations/MongoMigrationRunner.cs | 0
.../SemVerStyleBackfillMigration.cs | 0
.../MongoBootstrapper.cs | 0
.../MongoCollectionValidatorOptions.cs | 42 +-
.../MongoJobStore.cs | 0
.../MongoLeaseStore.cs | 0
.../MongoSessionProvider.cs | 0
.../MongoSourceStateRepository.cs | 0
.../MongoStorageDefaults.cs | 0
.../MongoStorageOptions.cs | 0
.../AdvisoryObservationDocument.cs | 326 +-
.../AdvisoryObservationDocumentFactory.cs | 184 +-
.../Observations/AdvisoryObservationLookup.cs | 120 +-
.../Observations/AdvisoryObservationStore.cs | 274 +-
.../Observations/IAdvisoryObservationStore.cs | 40 +-
.../Properties/AssemblyInfo.cs | 0
.../PsirtFlags/IPsirtFlagStore.cs | 0
.../PsirtFlags/PsirtFlagDocument.cs | 0
.../PsirtFlags/PsirtFlagRecord.cs | 0
.../PsirtFlags/PsirtFlagStore.cs | 0
.../Raw/MongoAdvisoryRawRepository.cs | 1440 +-
.../RawDocumentRetentionService.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../SourceStateDocument.cs | 0
.../SourceStateRecord.cs | 0
.../SourceStateRepositoryExtensions.cs | 0
.../Statements/AdvisoryStatementDocument.cs | 0
.../Statements/AdvisoryStatementRecord.cs | 0
.../Statements/AdvisoryStatementStore.cs | 0
.../StellaOps.Concelier.Storage.Mongo.csproj | 36 +-
.../TASKS.md | 60 +-
.../ConnectorTestHarness.cs | 0
.../MongoIntegrationFixture.cs | 0
.../StellaOps.Concelier.Testing.csproj | 40 +-
.../Acsc/AcscConnectorFetchTests.cs | 0
.../Acsc/AcscConnectorParseTests.cs | 0
.../Acsc/AcscHttpClientConfigurationTests.cs | 0
.../acsc-advisories-multi.snapshot.json | 0
.../Fixtures/acsc-advisories.snapshot.json | 0
...aOps.Concelier.Connector.Acsc.Tests.csproj | 20 +
.../CccsConnectorTests.cs | 0
.../Fixtures/cccs-feed-en.json | 0
.../Fixtures/cccs-raw-advisory-fr.json | 0
.../Fixtures/cccs-raw-advisory.json | 0
.../Fixtures/cccs-taxonomy-en.json | 0
.../Internal/CccsHtmlParserTests.cs | 0
.../Internal/CccsMapperTests.cs | 0
...aOps.Concelier.Connector.Cccs.Tests.csproj | 39 +-
.../CertBundConnectorTests.cs | 0
.../Fixtures/certbund-detail.json | 0
.../Fixtures/certbund-feed.xml | 0
....Concelier.Connector.CertBund.Tests.csproj | 45 +-
.../CertCc/CertCcConnectorFetchTests.cs | 0
.../CertCc/CertCcConnectorSnapshotTests.cs | 0
.../CertCc/CertCcConnectorTests.cs | 0
.../Fixtures/certcc-advisories.snapshot.json | 0
.../Fixtures/certcc-documents.snapshot.json | 0
.../Fixtures/certcc-requests.snapshot.json | 0
.../Fixtures/certcc-state.snapshot.json | 0
.../Fixtures/summary-2025-09.json | 0
.../Fixtures/summary-2025-10.json | 0
.../Fixtures/summary-2025-11.json | 0
.../Fixtures/summary-2025.json | 0
.../Fixtures/vendor-statuses-294418.json | 0
.../Fixtures/vendors-294418.json | 0
.../Fixtures/vu-257161.json | 0
.../Fixtures/vu-294418-vendors.json | 0
.../Fixtures/vu-294418-vuls.json | 0
.../Fixtures/vu-294418.json | 0
.../Fixtures/vulnerabilities-294418.json | 0
.../Internal/CertCcMapperTests.cs | 0
.../Internal/CertCcSummaryParserTests.cs | 0
.../Internal/CertCcSummaryPlannerTests.cs | 0
.../CertCcVendorStatementParserTests.cs | 0
...ps.Concelier.Connector.CertCc.Tests.csproj | 39 +-
.../CertFr/CertFrConnectorTests.cs | 0
.../Fixtures/certfr-advisories.snapshot.json | 0
.../Fixtures/certfr-detail-AV-2024-001.html | 0
.../Fixtures/certfr-detail-AV-2024-002.html | 0
.../CertFr/Fixtures/certfr-feed.xml | 0
...ps.Concelier.Connector.CertFr.Tests.csproj | 17 +
.../CertIn/CertInConnectorTests.cs | 0
.../CertIn/Fixtures/alerts-page1.json | 0
.../Fixtures/detail-CIAD-2024-0005.html | 0
.../CertIn/Fixtures/expected-advisory.json | 0
...ps.Concelier.Connector.CertIn.Tests.csproj | 17 +
.../Common/CannedHttpMessageHandlerTests.cs | 0
.../Common/HtmlContentSanitizerTests.cs | 0
.../Common/PackageCoordinateHelperTests.cs | 0
.../Common/PdfTextExtractorTests.cs | 0
.../Common/SourceFetchServiceGuardTests.cs | 508 +-
.../Common/SourceFetchServiceTests.cs | 0
.../Common/SourceHttpClientBuilderTests.cs | 654 +-
.../Common/TimeWindowCursorPlannerTests.cs | 0
.../Common/UrlNormalizerTests.cs | 0
.../Json/JsonSchemaValidatorTests.cs | 0
...ps.Concelier.Connector.Common.Tests.csproj | 21 +-
.../Xml/XmlSchemaValidatorTests.cs | 0
.../Cve/CveConnectorTests.cs | 0
.../Fixtures/cve-CVE-2024-0001.json | 0
.../Fixtures/cve-list.json | 0
.../Fixtures/expected-CVE-2024-0001.json | 0
...laOps.Concelier.Connector.Cve.Tests.csproj | 18 +
.../DebianConnectorTests.cs | 0
.../DebianMapperTests.cs | 0
.../Fixtures/debian-detail-dsa-2024-123.html | 0
.../Fixtures/debian-detail-dsa-2024-124.html | 0
.../Distro/Debian/Fixtures/debian-list.txt | 0
...elier.Connector.Distro.Debian.Tests.csproj | 14 +
.../RedHat/Fixtures/csaf-rhsa-2025-0001.json | 0
.../RedHat/Fixtures/csaf-rhsa-2025-0002.json | 0
.../RedHat/Fixtures/csaf-rhsa-2025-0003.json | 0
.../Fixtures/rhsa-2025-0001.snapshot.json | 0
.../Fixtures/rhsa-2025-0002.snapshot.json | 0
.../Fixtures/rhsa-2025-0003.snapshot.json | 0
.../RedHat/Fixtures/summary-page1-repeat.json | 0
.../RedHat/Fixtures/summary-page1.json | 0
.../RedHat/Fixtures/summary-page2.json | 0
.../RedHat/Fixtures/summary-page3.json | 0
.../RedHat/RedHatConnectorHarnessTests.cs | 0
.../RedHat/RedHatConnectorTests.cs | 0
...elier.Connector.Distro.RedHat.Tests.csproj | 17 +
.../Distro/Suse/Fixtures/suse-changes.csv | 0
.../Suse/Fixtures/suse-su-2025_0001-1.json | 0
.../Suse/Fixtures/suse-su-2025_0002-1.json | 0
...ncelier.Connector.Distro.Suse.Tests.csproj | 19 +
.../SuseConnectorTests.cs | 0
.../SuseCsafParserTests.cs | 0
.../SuseMapperTests.cs | 0
.../Fixtures/ubuntu-notices-page0.json | 0
.../Fixtures/ubuntu-notices-page1.json | 0
...elier.Connector.Distro.Ubuntu.Tests.csproj | 19 +
.../UbuntuConnectorTests.cs | 0
.../Fixtures/conflict-ghsa.canonical.json | 0
.../Fixtures/credit-parity.ghsa.json | 0
.../Fixtures/credit-parity.nvd.json | 0
.../Fixtures/credit-parity.osv.json | 0
.../expected-GHSA-xxxx-yyyy-zzzz.json | 0
.../Fixtures/ghsa-GHSA-xxxx-yyyy-zzzz.json | 0
.../Fixtures/ghsa-list.json | 0
.../Ghsa/GhsaConflictFixtureTests.cs | 0
.../Ghsa/GhsaConnectorTests.cs | 0
.../Ghsa/GhsaCreditParityRegressionTests.cs | 0
.../GhsaDependencyInjectionRoutineTests.cs | 0
.../Ghsa/GhsaDiagnosticsTests.cs | 0
.../Ghsa/GhsaMapperTests.cs | 0
.../Ghsa/GhsaRateLimitParserTests.cs | 0
...aOps.Concelier.Connector.Ghsa.Tests.csproj | 18 +
.../IcsCisa/Fixtures/icsa-25-123-01.html | 0
.../IcsCisa/Fixtures/icsma-25-045-01.html | 0
.../IcsCisa/Fixtures/sample-feed.xml | 0
.../IcsCisa/IcsCisaConnectorMappingTests.cs | 0
.../IcsCisa/IcsCisaFeedParserTests.cs | 0
.../IcsCisaConnectorTests.cs | 0
....Concelier.Connector.Ics.Cisa.Tests.csproj | 17 +
.../Fixtures/detail-acme-controller-2024.html | 0
.../Kaspersky/Fixtures/expected-advisory.json | 0
.../Kaspersky/Fixtures/feed-page1.xml | 0
.../Kaspersky/KasperskyConnectorTests.cs | 0
...elier.Connector.Ics.Kaspersky.Tests.csproj | 17 +
.../Jvn/Fixtures/expected-advisory.json | 0
.../Jvn/Fixtures/jvnrss-window1.xml | 0
.../Jvn/Fixtures/vuldef-JVNDB-2024-123456.xml | 0
.../Jvn/JvnConnectorTests.cs | 0
...laOps.Concelier.Connector.Jvn.Tests.csproj | 17 +
.../Kev/Fixtures/kev-advisories.snapshot.json | 0
.../Kev/Fixtures/kev-catalog.json | 0
.../Kev/KevConnectorTests.cs | 0
.../Kev/KevMapperTests.cs | 0
...laOps.Concelier.Connector.Kev.Tests.csproj | 20 +
.../Fixtures/kisa-detail.json | 0
.../Fixtures/kisa-feed.xml | 0
.../KisaConnectorTests.cs | 0
...aOps.Concelier.Connector.Kisa.Tests.csproj | 49 +-
.../Nvd/Fixtures/conflict-nvd.canonical.json | 0
.../Nvd/Fixtures/credit-parity.ghsa.json | 0
.../Nvd/Fixtures/credit-parity.nvd.json | 0
.../Nvd/Fixtures/credit-parity.osv.json | 0
.../Nvd/Fixtures/nvd-invalid-schema.json | 0
.../Nvd/Fixtures/nvd-multipage-1.json | 0
.../Nvd/Fixtures/nvd-multipage-2.json | 0
.../Nvd/Fixtures/nvd-multipage-3.json | 0
.../Nvd/Fixtures/nvd-window-1.json | 0
.../Nvd/Fixtures/nvd-window-2.json | 0
.../Nvd/Fixtures/nvd-window-update.json | 0
.../Nvd/NvdConflictFixtureTests.cs | 0
.../Nvd/NvdConnectorHarnessTests.cs | 0
.../Nvd/NvdConnectorTests.cs | 0
.../Nvd/NvdMergeExportParityTests.cs | 0
...laOps.Concelier.Connector.Nvd.Tests.csproj | 19 +
.../Fixtures/conflict-osv.canonical.json | 0
.../Fixtures/osv-ghsa.ghsa.json | 0
.../Fixtures/osv-ghsa.osv.json | 0
.../Fixtures/osv-ghsa.raw-ghsa.json | 0
.../Fixtures/osv-ghsa.raw-osv.json | 0
.../Fixtures/osv-npm.snapshot.json | 0
.../Fixtures/osv-pypi.snapshot.json | 0
.../Osv/OsvConflictFixtureTests.cs | 0
.../Osv/OsvGhsaParityRegressionTests.cs | 0
.../Osv/OsvMapperTests.cs | 0
.../Osv/OsvSnapshotTests.cs | 0
...laOps.Concelier.Connector.Osv.Tests.csproj | 19 +
.../Fixtures/export-sample.xml | 0
.../Fixtures/ru-bdu-advisories.snapshot.json | 0
.../Fixtures/ru-bdu-documents.snapshot.json | 0
.../Fixtures/ru-bdu-dtos.snapshot.json | 0
.../Fixtures/ru-bdu-requests.snapshot.json | 0
.../Fixtures/ru-bdu-state.snapshot.json | 0
.../RuBduConnectorSnapshotTests.cs | 0
.../RuBduMapperTests.cs | 0
.../RuBduXmlParserTests.cs | 0
...ps.Concelier.Connector.Ru.Bdu.Tests.csproj | 14 +
.../Fixtures/bulletin-legacy.json.zip | Bin
.../Fixtures/bulletin-sample.json.zip | Bin
.../Fixtures/listing-page2.html | 0
.../Fixtures/listing.html | 0
.../Fixtures/nkcki-advisories.snapshot.json | 0
.../RuNkckiConnectorTests.cs | 0
.../RuNkckiJsonParserTests.cs | 0
.../RuNkckiMapperTests.cs | 0
....Concelier.Connector.Ru.Nkcki.Tests.csproj | 14 +
.../FixtureLoader.cs | 66 +-
.../Fixtures/mirror-advisory.expected.json | 424 +-
.../Fixtures/mirror-bundle.sample.json | 404 +-
.../MirrorAdvisoryMapperTests.cs | 94 +-
.../MirrorSignatureVerifierTests.cs | 378 +-
.../SampleData.cs | 530 +-
...ier.Connector.StellaOpsMirror.Tests.csproj | 19 +-
.../StellaOpsMirrorConnectorTests.cs | 928 +-
.../Adobe/AdobeConnectorFetchTests.cs | 0
.../Fixtures/adobe-advisories.snapshot.json | 0
.../Fixtures/adobe-detail-apsb25-85.html | 0
.../Fixtures/adobe-detail-apsb25-87.html | 0
.../Adobe/Fixtures/adobe-index.html | 0
...oncelier.Connector.Vndr.Adobe.Tests.csproj | 18 +
.../Apple/AppleConnectorTests.cs | 0
.../Apple/AppleFixtureManager.cs | 0
.../Apple/AppleLiveRegressionTests.cs | 0
.../Apple/Fixtures/106355.expected.json | 0
.../Apple/Fixtures/106355.html | 0
.../Apple/Fixtures/125326.expected.json | 0
.../Apple/Fixtures/125326.html | 0
.../Apple/Fixtures/125328.expected.json | 0
.../Apple/Fixtures/125328.html | 0
.../Apple/Fixtures/HT214108.expected.json | 0
.../Apple/Fixtures/HT215500.expected.json | 0
.../Apple/Fixtures/ht214108.html | 0
.../Apple/Fixtures/ht215500.html | 0
.../Apple/Fixtures/index.json | 0
...oncelier.Connector.Vndr.Apple.Tests.csproj | 19 +
.../Chromium/ChromiumConnectorTests.cs | 0
.../Chromium/ChromiumMapperTests.cs | 0
.../Fixtures/chromium-advisory.snapshot.json | 0
.../Chromium/Fixtures/chromium-detail.html | 0
.../Chromium/Fixtures/chromium-feed.xml | 0
...elier.Connector.Vndr.Chromium.Tests.csproj | 19 +
.../CiscoDtoFactoryTests.cs | 0
.../CiscoMapperTests.cs | 0
...oncelier.Connector.Vndr.Cisco.Tests.csproj | 18 +
.../Fixtures/msrc-detail.json | 0
.../Fixtures/msrc-summary.json | 0
.../MsrcConnectorTests.cs | 0
...Concelier.Connector.Vndr.Msrc.Tests.csproj | 25 +
.../Fixtures/oracle-advisories.snapshot.json | 0
.../oracle-calendar-cpuapr2024-single.html | 0
.../Fixtures/oracle-calendar-cpuapr2024.html | 0
.../Fixtures/oracle-detail-cpuapr2024-01.html | 0
.../Fixtures/oracle-detail-cpuapr2024-02.html | 0
.../Fixtures/oracle-detail-invalid.html | 0
.../Oracle/OracleConnectorTests.cs | 0
...ncelier.Connector.Vndr.Oracle.Tests.csproj | 18 +
...ncelier.Connector.Vndr.Vmware.Tests.csproj | 19 +
.../Fixtures/vmware-advisories.snapshot.json | 0
.../vmware-detail-vmsa-2024-0001.json | 0
.../vmware-detail-vmsa-2024-0002.json | 0
.../vmware-detail-vmsa-2024-0003.json | 0
.../Vmware/Fixtures/vmware-index-initial.json | 0
.../Vmware/Fixtures/vmware-index-second.json | 0
.../Vmware/VmwareConnectorTests.cs | 0
.../Vmware/VmwareMapperTests.cs | 0
.../Aoc/AdvisoryRawWriteGuardTests.cs | 166 +-
.../CanonicalMergerTests.cs | 0
.../Events/AdvisoryEventLogTests.cs | 0
.../JobCoordinatorTests.cs | 0
.../JobPluginRegistrationExtensionsTests.cs | 0
.../JobSchedulerBuilderTests.cs | 0
.../Linksets/AdvisoryLinksetMapperTests.cs | 250 +-
.../AdvisoryObservationFactoryTests.cs | 302 +-
.../Noise/NoisePriorServiceTests.cs | 640 +-
.../AdvisoryObservationQueryServiceTests.cs | 652 +-
.../PluginRoutineFixtures.cs | 0
.../Raw/AdvisoryRawServiceTests.cs | 286 +-
.../StellaOps.Concelier.Core.Tests.csproj | 13 +
.../Unknown/UnknownStateLedgerTests.cs | 0
.../JsonExportSnapshotBuilderTests.cs | 0
...ExporterDependencyInjectionRoutineTests.cs | 0
.../JsonExporterParitySmokeTests.cs | 0
.../JsonFeedExporterTests.cs | 0
...laOps.Concelier.Exporter.Json.Tests.csproj | 14 +
.../VulnListJsonExportPathResolverTests.cs | 0
...ps.Concelier.Exporter.TrivyDb.Tests.csproj | 14 +
.../TrivyDbExportPlannerTests.cs | 0
.../TrivyDbFeedExporterTests.cs | 0
.../TrivyDbOciWriterTests.cs | 0
.../TrivyDbPackageBuilderTests.cs | 0
.../AdvisoryIdentityResolverTests.cs | 0
.../AdvisoryMergeServiceTests.cs | 0
.../AdvisoryPrecedenceMergerTests.cs | 0
.../AffectedPackagePrecedenceResolverTests.cs | 0
.../AliasGraphResolverTests.cs | 0
.../CanonicalHashCalculatorTests.cs | 0
.../DebianEvrComparerTests.cs | 0
.../MergeEventWriterTests.cs | 0
.../MergePrecedenceIntegrationTests.cs | 0
.../MetricCollector.cs | 0
.../NevraComparerTests.cs | 0
.../SemanticVersionRangeResolverTests.cs | 0
.../StellaOps.Concelier.Merge.Tests.csproj | 14 +
.../TestLogger.cs | 0
.../AdvisoryProvenanceTests.cs | 0
.../AdvisoryTests.cs | 0
.../AffectedPackageStatusTests.cs | 0
.../AffectedVersionRangeExtensionsTests.cs | 0
.../AliasSchemeRegistryTests.cs | 0
.../CanonicalExampleFactory.cs | 0
.../CanonicalExamplesTests.cs | 0
.../CanonicalJsonSerializerTests.cs | 0
.../EvrPrimitiveExtensionsTests.cs | 0
.../Fixtures/ghsa-semver.actual.json | 252 +-
.../Fixtures/ghsa-semver.json | 0
.../Fixtures/kev-flag.actual.json | 88 +-
.../Fixtures/kev-flag.json | 0
.../Fixtures/nvd-basic.actual.json | 242 +-
.../Fixtures/nvd-basic.json | 0
.../Fixtures/psirt-overlay.actual.json | 248 +-
.../Fixtures/psirt-overlay.json | 0
.../NevraPrimitiveExtensionsTests.cs | 0
.../NormalizedVersionRuleTests.cs | 0
.../Observations/AdvisoryObservationTests.cs | 122 +-
.../OsvGhsaParityDiagnosticsTests.cs | 0
.../OsvGhsaParityInspectorTests.cs | 0
.../ProvenanceDiagnosticsTests.cs | 0
.../RangePrimitivesTests.cs | 0
.../SemVerPrimitiveTests.cs | 0
.../SerializationDeterminismTests.cs | 0
.../SeverityNormalizationTests.cs | 0
.../StellaOps.Concelier.Models.Tests.csproj | 17 +-
.../CpeNormalizerTests.cs | 0
.../CvssMetricNormalizerTests.cs | 0
.../DebianEvrParserTests.cs | 0
.../DescriptionNormalizerTests.cs | 0
.../NevraParserTests.cs | 0
.../PackageUrlNormalizerTests.cs | 0
.../SemVerRangeRuleBuilderTests.cs | 0
...laOps.Concelier.Normalization.Tests.csproj | 12 +
...StellaOps.Concelier.RawModels.Tests.csproj | 7 +-
.../UnitTest1.cs | 20 +-
.../xunit.runner.json | 6 +-
.../AdvisoryConflictStoreTests.cs | 0
.../AdvisoryStatementStoreTests.cs | 0
.../AdvisoryStorePerformanceTests.cs | 0
.../AdvisoryStoreTests.cs | 0
.../AliasStoreTests.cs | 0
.../DocumentStoreTests.cs | 0
.../DtoStoreTests.cs | 0
.../ExportStateManagerTests.cs | 0
.../ExportStateStoreTests.cs | 0
.../MergeEventStoreTests.cs | 0
.../Migrations/MongoMigrationRunnerTests.cs | 0
.../MongoAdvisoryEventRepositoryTests.cs | 0
.../MongoBootstrapperTests.cs | 0
.../MongoJobStoreTests.cs | 0
.../MongoSourceStateRepositoryTests.cs | 0
...AdvisoryObservationDocumentFactoryTests.cs | 136 +-
.../AdvisoryObservationStoreTests.cs | 444 +-
.../RawDocumentRetentionServiceTests.cs | 0
...laOps.Concelier.Storage.Mongo.Tests.csproj | 16 +
.../ConcelierOptionsPostConfigureTests.cs | 0
.../PluginLoaderTests.cs | 0
...tellaOps.Concelier.WebService.Tests.csproj | 14 +
.../WebServiceEndpointsTests.cs | 3580 +-
.../StellaOps.DevPortal.Site/AGENTS.md | 30 +-
.../StellaOps.DevPortal.Site/TASKS.md | 38 +-
src/Directory.Build.props | 98 +-
.../StellaOps.EvidenceLocker.sln | 99 +
.../StellaOps.EvidenceLocker/AGENTS.md | 56 +-
.../StellaOps.EvidenceLocker.Core/Class1.cs | 12 +-
.../StellaOps.EvidenceLocker.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...laOps.EvidenceLocker.Infrastructure.csproj | 56 +-
.../StellaOps.EvidenceLocker.Tests.csproj | 270 +-
.../UnitTest1.cs | 20 +-
.../xunit.runner.json | 6 +-
.../Program.cs | 82 +-
.../Properties/launchSettings.json | 46 +-
...StellaOps.EvidenceLocker.WebService.csproj | 82 +-
.../StellaOps.EvidenceLocker.WebService.http | 12 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 18 +-
.../Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.EvidenceLocker.Worker.csproj | 86 +-
.../StellaOps.EvidenceLocker.Worker/Worker.cs | 32 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 16 +-
.../StellaOps.EvidenceLocker.sln | 180 +-
.../StellaOps.EvidenceLocker/TASKS.md | 48 +-
.../TASKS.md | 0
.../StellaOps.Excititor.WebService/AGENTS.md | 0
.../Endpoints/IngestEndpoints.cs | 0
.../Endpoints/MirrorEndpoints.cs | 0
.../Endpoints/ResolveEndpoint.cs | 0
.../StellaOps.Excititor.WebService/Program.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
.../Services/MirrorRateLimiter.cs | 0
.../Services/ScopeAuthorization.cs | 0
.../Services/VexIngestOrchestrator.cs | 0
.../StellaOps.Excititor.WebService.csproj | 23 +
.../StellaOps.Excititor.WebService/TASKS.md | 188 +-
.../StellaOps.Excititor.Worker/AGENTS.md | 0
.../Options/VexWorkerOptions.cs | 0
.../Options/VexWorkerOptionsValidator.cs | 0
.../Options/VexWorkerPluginOptions.cs | 0
.../Options/VexWorkerRefreshOptions.cs | 180 +-
.../Options/VexWorkerRetryOptions.cs | 0
.../StellaOps.Excititor.Worker/Program.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../Scheduling/DefaultVexProviderRunner.cs | 542 +-
.../IVexConsensusRefreshScheduler.cs | 12 +-
.../Scheduling/IVexProviderRunner.cs | 0
.../Scheduling/VexConsensusRefreshService.cs | 1244 +-
.../Scheduling/VexWorkerHostedService.cs | 0
.../Scheduling/VexWorkerSchedule.cs | 0
.../Signature/VerifyingVexRawDocumentSink.cs | 138 +-
.../Signature/WorkerSignatureVerifier.cs | 728 +-
.../StellaOps.Excititor.Worker.csproj | 25 +
.../StellaOps.Excititor.Worker/TASKS.md | 38 +-
src/Excititor/StellaOps.Excititor.sln | 705 +
.../Extensions/ServiceCollectionExtensions.cs | 0
.../S3ArtifactClient.cs | 0
...ellaOps.Excititor.ArtifactStores.S3.csproj | 34 +-
.../StellaOps.Excititor.Attestation/AGENTS.md | 0
.../Dsse/DsseEnvelope.cs | 0
.../Dsse/VexDsseBuilder.cs | 0
.../EXCITITOR-ATTEST-01-003-plan.md | 0
.../Extensions/ServiceCollectionExtensions.cs | 0
.../Models/VexAttestationPredicate.cs | 0
.../Signing/IVexSigner.cs | 0
.../StellaOps.Excititor.Attestation.csproj | 34 +-
.../StellaOps.Excititor.Attestation/TASKS.md | 0
.../Transparency/ITransparencyLogClient.cs | 0
.../Transparency/RekorHttpClient.cs | 0
.../Transparency/RekorHttpClientOptions.cs | 0
.../Verification/IVexAttestationVerifier.cs | 0
.../Verification/VexAttestationMetrics.cs | 0
.../VexAttestationVerificationOptions.cs | 0
.../Verification/VexAttestationVerifier.cs | 942 +-
.../VexAttestationClient.cs | 0
.../AGENTS.md | 0
.../IVexConnectorOptionsValidator.cs | 0
...s.Excititor.Connectors.Abstractions.csproj | 34 +-
.../TASKS.md | 0
.../VexConnectorBase.cs | 0
.../VexConnectorDescriptor.cs | 0
.../VexConnectorLogScope.cs | 0
.../VexConnectorMetadataBuilder.cs | 0
.../VexConnectorOptionsBinder.cs | 0
.../VexConnectorOptionsBinderOptions.cs | 0
.../VexConnectorOptionsValidationException.cs | 0
.../AGENTS.md | 0
.../CiscoCsafConnector.cs | 0
.../Configuration/CiscoConnectorOptions.cs | 0
.../CiscoConnectorOptionsValidator.cs | 0
...scoConnectorServiceCollectionExtensions.cs | 0
.../Metadata/CiscoProviderMetadataLoader.cs | 0
...Ops.Excititor.Connectors.Cisco.CSAF.csproj | 40 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Authentication/MsrcTokenProvider.cs | 0
.../Configuration/MsrcConnectorOptions.cs | 0
...srcConnectorServiceCollectionExtensions.cs | 0
.../MsrcCsafConnector.cs | 0
...aOps.Excititor.Connectors.MSRC.CSAF.csproj | 38 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Authentication/OciCosignAuthority.cs | 0
.../OciRegistryAuthorization.cs | 0
.../OciOpenVexAttestationConnectorOptions.cs | 0
...VexAttestationConnectorOptionsValidator.cs | 0
...ionConnectorServiceCollectionExtensions.cs | 0
.../OciAttestationDiscoveryResult.cs | 0
.../OciAttestationDiscoveryService.cs | 0
.../Discovery/OciAttestationTarget.cs | 0
.../Discovery/OciImageReference.cs | 0
.../Discovery/OciImageReferenceParser.cs | 0
.../Discovery/OciOfflineBundleReference.cs | 0
.../Fetch/OciArtifactDescriptor.cs | 0
.../Fetch/OciAttestationDocument.cs | 0
.../Fetch/OciAttestationFetcher.cs | 0
.../Fetch/OciRegistryClient.cs | 0
.../OciOpenVexAttestationConnector.cs | 0
...titor.Connectors.OCI.OpenVEX.Attest.csproj | 38 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/OracleConnectorOptions.cs | 0
.../OracleConnectorOptionsValidator.cs | 0
...cleConnectorServiceCollectionExtensions.cs | 0
.../Metadata/OracleCatalogLoader.cs | 0
.../OracleCsafConnector.cs | 0
...ps.Excititor.Connectors.Oracle.CSAF.csproj | 40 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/RedHatConnectorOptions.cs | 0
...HatConnectorServiceCollectionExtensions.cs | 0
.../Metadata/RedHatProviderMetadataLoader.cs | 0
.../RedHatCsafConnector.cs | 0
...ps.Excititor.Connectors.RedHat.CSAF.csproj | 38 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Authentication/RancherHubTokenProvider.cs | 0
.../RancherHubConnectorOptions.cs | 0
.../RancherHubConnectorOptionsValidator.cs | 0
...HubConnectorServiceCollectionExtensions.cs | 0
.../Design/EXCITITOR-CONN-SUSE-01-002.md | 0
.../Events/RancherHubEventClient.cs | 0
.../Events/RancherHubEventModels.cs | 0
.../Metadata/RancherHubMetadataLoader.cs | 0
.../RancherHubConnector.cs | 0
.../State/RancherHubCheckpointManager.cs | 0
...titor.Connectors.SUSE.RancherVEXHub.csproj | 38 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../Configuration/UbuntuConnectorOptions.cs | 0
.../UbuntuConnectorOptionsValidator.cs | 0
...ntuConnectorServiceCollectionExtensions.cs | 0
.../Metadata/UbuntuCatalogLoader.cs | 0
...ps.Excititor.Connectors.Ubuntu.CSAF.csproj | 40 +-
.../TASKS.md | 0
.../UbuntuCsafConnector.cs | 0
.../StellaOps.Excititor.Core/AGENTS.md | 0
.../Aoc/AocServiceCollectionExtensions.cs | 76 +-
.../Aoc/ExcititorAocGuardException.cs | 44 +-
.../Aoc/IVexRawWriteGuard.cs | 32 +-
.../Aoc/VexRawWriteGuard.cs | 70 +-
.../BaselineVexConsensusPolicy.cs | 0
.../IVexConsensusPolicy.cs | 0
.../MirrorDistributionOptions.cs | 0
.../MirrorExportPlanner.cs | 0
.../Observations/IVexObservationLookup.cs | 64 +-
.../IVexObservationQueryService.cs | 22 +-
.../Observations/VexObservation.cs | 874 +-
.../Observations/VexObservationQueryModels.cs | 158 +-
.../VexObservationQueryService.cs | 622 +-
.../StellaOps.Excititor.Core.csproj | 7 +-
.../StellaOps.Excititor.Core/TASKS.md | 202 +-
.../VexAttestationAbstractions.cs | 0
.../StellaOps.Excititor.Core/VexCacheEntry.cs | 0
.../VexCanonicalJsonSerializer.cs | 0
.../StellaOps.Excititor.Core/VexClaim.cs | 0
.../VexConnectorAbstractions.cs | 0
.../StellaOps.Excititor.Core/VexConsensus.cs | 0
.../VexConsensusHold.cs | 94 +-
.../VexConsensusPolicyOptions.cs | 0
.../VexConsensusResolver.cs | 0
.../VexExportManifest.cs | 0
.../VexExporterAbstractions.cs | 0
.../VexNormalizerAbstractions.cs | 0
.../StellaOps.Excititor.Core/VexProvider.cs | 0
.../StellaOps.Excititor.Core/VexQuery.cs | 0
.../VexQuietProvenance.cs | 0
.../VexScoreEnvelope.cs | 0
.../StellaOps.Excititor.Core/VexSignals.cs | 0
.../VexSignatureVerifiers.cs | 0
.../StellaOps.Excititor.Export/AGENTS.md | 0
.../ExportEngine.cs | 0
.../FileSystemArtifactStore.cs | 0
.../IVexArtifactStore.cs | 0
.../OfflineBundleArtifactStore.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../S3ArtifactStore.cs | 0
.../StellaOps.Excititor.Export.csproj | 5 +-
.../StellaOps.Excititor.Export/TASKS.md | 0
.../VexExportCacheService.cs | 0
.../VexExportEnvelopeBuilder.cs | 0
.../VexMirrorBundlePublisher.cs | 0
.../AGENTS.md | 0
.../CsafNormalizer.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Excititor.Formats.CSAF.csproj | 32 +-
.../StellaOps.Excititor.Formats.CSAF/TASKS.md | 0
.../AGENTS.md | 0
.../CycloneDxNormalizer.cs | 0
.../ServiceCollectionExtensions.cs | 0
...ellaOps.Excititor.Formats.CycloneDX.csproj | 32 +-
.../TASKS.md | 0
.../AGENTS.md | 0
.../OpenVexNormalizer.cs | 0
.../ServiceCollectionExtensions.cs | 0
...StellaOps.Excititor.Formats.OpenVEX.csproj | 32 +-
.../TASKS.md | 0
.../StellaOps.Excititor.Policy/AGENTS.md | 0
.../IVexPolicyProvider.cs | 0
.../StellaOps.Excititor.Policy.csproj | 34 +-
.../StellaOps.Excititor.Policy/TASKS.md | 22 +-
.../VexPolicyBinder.cs | 0
.../VexPolicyDiagnostics.cs | 0
.../VexPolicyDigest.cs | 0
.../VexPolicyOptions.cs | 0
.../VexPolicyProcessing.cs | 0
.../VexPolicyTelemetry.cs | 0
.../AGENTS.md | 0
.../IVexExportStore.cs | 0
.../IVexRawStore.cs | 0
.../IVexStorageContracts.cs | 0
.../Migrations/IVexMongoMigration.cs | 0
.../Migrations/VexConsensusHoldMigration.cs | 58 +-
.../VexConsensusSignalsMigration.cs | 0
.../Migrations/VexInitialIndexMigration.cs | 0
.../Migrations/VexMigrationRecord.cs | 0
.../VexMongoMigrationHostedService.cs | 0
.../Migrations/VexMongoMigrationRunner.cs | 0
.../MongoVexCacheIndex.cs | 0
.../MongoVexCacheMaintenance.cs | 0
.../MongoVexClaimStore.cs | 0
.../MongoVexConnectorStateRepository.cs | 0
.../MongoVexConsensusHoldStore.cs | 176 +-
.../MongoVexConsensusStore.cs | 0
.../MongoVexExportStore.cs | 0
.../MongoVexProviderStore.cs | 0
.../MongoVexRawStore.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Excititor.Storage.Mongo.csproj | 36 +-
.../StorageBackedVexNormalizerRouter.cs | 0
.../TASKS.md | 56 +-
.../VexMongoMappingRegistry.cs | 0
.../VexMongoModels.cs | 0
.../VexMongoSessionProvider.cs | 0
.../VexMongoStorageOptions.cs | 0
.../VexStatementBackfillService.cs | 0
.../S3ArtifactClientTests.cs | 0
...s.Excititor.ArtifactStores.S3.Tests.csproj | 31 +-
...ellaOps.Excititor.Attestation.Tests.csproj | 27 +-
.../VexAttestationClientTests.cs | 0
.../VexAttestationVerifierTests.cs | 0
.../VexDsseBuilderTests.cs | 0
.../Connectors/CiscoCsafConnectorTests.cs | 430 +-
.../CiscoProviderMetadataLoaderTests.cs | 0
...cititor.Connectors.Cisco.CSAF.Tests.csproj | 33 +-
.../Authentication/MsrcTokenProviderTests.cs | 0
.../Connectors/MsrcCsafConnectorTests.cs | 734 +-
...xcititor.Connectors.MSRC.CSAF.Tests.csproj | 5 +-
...testationConnectorOptionsValidatorTests.cs | 0
.../OciOpenVexAttestationConnectorTests.cs | 430 +-
.../OciAttestationDiscoveryServiceTests.cs | 0
...Connectors.OCI.OpenVEX.Attest.Tests.csproj | 5 +-
.../Connectors/OracleCsafConnectorTests.cs | 628 +-
.../Metadata/OracleCatalogLoaderTests.cs | 0
...ititor.Connectors.Oracle.CSAF.Tests.csproj | 5 +-
.../Connectors/RedHatCsafConnectorTests.cs | 0
.../RedHatProviderMetadataLoaderTests.cs | 0
...ititor.Connectors.RedHat.CSAF.Tests.csproj | 35 +-
.../RancherHubTokenProviderTests.cs | 0
.../Metadata/RancherHubMetadataLoaderTests.cs | 0
...Connectors.SUSE.RancherVEXHub.Tests.csproj | 35 +-
.../Connectors/UbuntuCsafConnectorTests.cs | 620 +-
.../Metadata/UbuntuCatalogLoaderTests.cs | 0
...ititor.Connectors.Ubuntu.CSAF.Tests.csproj | 5 +-
.../Aoc/VexRawWriteGuardTests.cs | 136 +-
.../VexObservationQueryServiceTests.cs | 614 +-
.../StellaOps.Excititor.Core.Tests.csproj | 16 +
.../VexCanonicalJsonSerializerTests.cs | 0
.../VexConsensusResolverTests.cs | 0
.../VexPolicyBinderTests.cs | 0
.../VexPolicyDiagnosticsTests.cs | 0
.../VexQuerySignatureTests.cs | 0
.../VexSignalSnapshotTests.cs | 0
.../ExportEngineTests.cs | 0
.../FileSystemArtifactStoreTests.cs | 0
.../MirrorBundlePublisherTests.cs | 0
.../OfflineBundleArtifactStoreTests.cs | 0
.../S3ArtifactStoreTests.cs | 0
.../StellaOps.Excititor.Export.Tests.csproj | 31 +-
.../VexExportCacheServiceTests.cs | 0
.../CsafNormalizerTests.cs | 0
.../Fixtures/rhsa-sample.json | 0
...llaOps.Excititor.Formats.CSAF.Tests.csproj | 41 +-
.../CycloneDxNormalizerTests.cs | 0
...s.Excititor.Formats.CycloneDX.Tests.csproj | 35 +-
.../OpenVexNormalizerTests.cs | 0
...Ops.Excititor.Formats.OpenVEX.Tests.csproj | 35 +-
.../StellaOps.Excititor.Policy.Tests.csproj | 25 +-
.../VexPolicyProviderTests.cs | 0
.../MongoVexCacheMaintenanceTests.cs | 0
.../MongoVexRepositoryTests.cs | 0
.../MongoVexSessionConsistencyTests.cs | 0
.../MongoVexStatementBackfillServiceTests.cs | 0
.../MongoVexStoreMappingTests.cs | 0
...laOps.Excititor.Storage.Mongo.Tests.csproj | 16 +
.../VexMongoMigrationRunnerTests.cs | 0
.../IngestEndpointsTests.cs | 548 +-
.../MirrorEndpointsTests.cs | 422 +-
.../ResolveEndpointTests.cs | 750 +-
.../StatusEndpointTests.cs | 194 +-
...tellaOps.Excititor.WebService.Tests.csproj | 5 +-
.../TestAuthentication.cs | 122 +-
.../TestServiceOverrides.cs | 360 +-
.../TestWebApplicationFactory.cs | 84 +-
...efaultVexProviderRunnerIntegrationTests.cs | 726 +-
.../DefaultVexProviderRunnerTests.cs | 1434 +-
.../Signature/WorkerSignatureVerifierTests.cs | 458 +-
.../StellaOps.Excititor.Worker.Tests.csproj | 9 +-
.../VexWorkerOptionsTests.cs | 0
.../AGENTS.md | 28 +-
.../TASKS.md | 26 +-
.../AGENTS.md | 28 +-
.../TASKS.md | 14 +-
.../AGENTS.md | 28 +-
.../TASKS.md | 26 +-
src/ExportCenter/StellaOps.ExportCenter.sln | 99 +
.../StellaOps.ExportCenter/AGENTS.md | 36 +-
.../StellaOps.ExportCenter.Core/Class1.cs | 12 +-
.../StellaOps.ExportCenter.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...ellaOps.ExportCenter.Infrastructure.csproj | 56 +-
.../StellaOps.ExportCenter.Tests.csproj | 270 +-
.../StellaOps.ExportCenter.Tests/UnitTest1.cs | 20 +-
.../xunit.runner.json | 6 +-
.../Program.cs | 82 +-
.../Properties/launchSettings.json | 46 +-
.../StellaOps.ExportCenter.WebService.csproj | 82 +-
.../StellaOps.ExportCenter.WebService.http | 12 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 18 +-
.../StellaOps.ExportCenter.Worker/Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.ExportCenter.Worker.csproj | 86 +-
.../StellaOps.ExportCenter.Worker/Worker.cs | 32 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 16 +-
.../StellaOps.ExportCenter.sln | 180 +-
.../StellaOps.ExportCenter/TASKS.md | 154 +-
.../StellaOps.Findings.Ledger/AGENTS.md | 4 +-
.../StellaOps.Findings.Ledger/TASKS.md | 146 +-
src/{ => Graph}/StellaOps.Graph.Api/AGENTS.md | 4 +-
src/{ => Graph}/StellaOps.Graph.Api/TASKS.md | 32 +-
.../StellaOps.Graph.Indexer/AGENTS.md | 4 +-
.../StellaOps.Graph.Indexer/TASKS.md | 26 +-
.../StellaOps.IssuerDirectory/AGENTS.md | 2 +-
.../StellaOps.IssuerDirectory/TASKS.md | 18 +-
.../StellaOps.Mirror.Creator/AGENTS.md | 30 +-
.../StellaOps.Mirror.Creator/TASKS.md | 38 +-
src/Notifier/StellaOps.Notifier.sln | 125 +
.../StellaOps.Notifier/AGENTS.md | 34 +-
.../EventProcessorTests.cs | 166 +-
.../RuleEvaluatorTests.cs | 120 +-
.../StellaOps.Notifier.Tests.csproj | 66 +-
.../Support/InMemoryStores.cs | 346 +-
.../xunit.runner.json | 6 +-
.../StellaOps.Notifier.WebService/Program.cs | 48 +-
.../Properties/launchSettings.json | 46 +-
.../Setup/MongoInitializationHostedService.cs | 120 +-
.../StellaOps.Notifier.WebService.csproj | 6 +-
.../StellaOps.Notifier.WebService.http | 12 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 18 +-
.../Options/NotifierWorkerOptions.cs | 38 +-
.../Processing/DefaultNotifyRuleEvaluator.cs | 600 +-
.../Processing/IdempotencyKeyBuilder.cs | 60 +-
.../MongoInitializationHostedService.cs | 120 +-
.../Processing/NotifierEventProcessor.cs | 388 +-
.../Processing/NotifierEventWorker.cs | 240 +-
.../StellaOps.Notifier.Worker/Program.cs | 76 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.Notifier.Worker.csproj | 12 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 16 +-
.../StellaOps.Notifier/StellaOps.Notifier.sln | 124 +-
.../StellaOps.Notifier/TASKS.md | 148 +-
.../docs/NOTIFY-SVC-38-001-FOUNDATIONS.md | 46 +-
.../StellaOps.Notify.WebService/AGENTS.md | 0
.../Contracts/ChannelHealthResponse.cs | 34 +-
.../Contracts/ChannelTestSendRequest.cs | 0
.../Contracts/ChannelTestSendResponse.cs | 0
.../Contracts/LockRequests.cs | 0
.../Diagnostics/ServiceStatus.cs | 0
.../Extensions/ConfigurationExtensions.cs | 0
.../Hosting/NotifyPluginHostFactory.cs | 0
.../Internal/JsonHttpResult.cs | 0
.../Options/NotifyWebServiceOptions.cs | 0
.../NotifyWebServiceOptionsPostConfigure.cs | 0
.../NotifyWebServiceOptionsValidator.cs | 0
.../Plugins/NotifyPluginRegistry.cs | 0
.../Program.Partial.cs | 0
.../StellaOps.Notify.WebService/Program.cs | 0
.../Security/NotifyPolicies.cs | 0
.../Security/NotifyRateLimitPolicies.cs | 0
.../Services/NotifyChannelHealthService.cs | 364 +-
.../Services/NotifyChannelTestService.cs | 0
.../Services/NotifySchemaMigrationService.cs | 0
.../StellaOps.Notify.WebService.csproj | 28 +
.../Storage/InMemory/InMemoryStorageModule.cs | 0
.../StellaOps.Notify.WebService/TASKS.md | 2 +
.../StellaOps.Notify.Worker/AGENTS.md | 0
.../Handlers/INotifyEventHandler.cs | 20 +-
.../Handlers/NoOpNotifyEventHandler.cs | 50 +-
.../NotifyWorkerOptions.cs | 104 +-
.../Processing/NotifyEventLeaseProcessor.cs | 292 +-
.../Processing/NotifyEventLeaseWorker.cs | 126 +-
.../StellaOps.Notify.Worker/Program.cs | 66 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../StellaOps.Notify.Worker.csproj | 48 +-
.../StellaOps.Notify.Worker/TASKS.md | 2 +-
.../StellaOps.Notify.Worker/appsettings.json | 86 +-
src/Notify/StellaOps.Notify.sln | 422 +
.../AGENTS.md | 0
.../EmailChannelHealthProvider.cs | 118 +-
.../EmailChannelTestProvider.cs | 0
.../EmailMetadataBuilder.cs | 108 +-
.../StellaOps.Notify.Connectors.Email.csproj | 19 +-
.../TASKS.md | 2 +
.../notify-plugin.json | 36 +-
.../ConnectorHashing.cs | 62 +-
.../ConnectorMetadataBuilder.cs | 294 +-
.../ConnectorValueRedactor.cs | 150 +-
.../StellaOps.Notify.Connectors.Shared.csproj | 24 +-
.../AGENTS.md | 0
.../SlackChannelHealthProvider.cs | 112 +-
.../SlackChannelTestProvider.cs | 0
.../SlackMetadataBuilder.cs | 154 +-
.../StellaOps.Notify.Connectors.Slack.csproj | 19 +-
.../TASKS.md | 2 +
.../notify-plugin.json | 38 +-
.../AGENTS.md | 0
.../StellaOps.Notify.Connectors.Teams.csproj | 19 +-
.../TASKS.md | 2 +-
.../TeamsChannelHealthProvider.cs | 114 +-
.../TeamsChannelTestProvider.cs | 0
.../TeamsMetadataBuilder.cs | 178 +-
.../notify-plugin.json | 38 +-
.../AGENTS.md | 0
...StellaOps.Notify.Connectors.Webhook.csproj | 19 +-
.../TASKS.md | 2 +
.../WebhookChannelTestProvider.cs | 0
.../WebhookMetadataBuilder.cs | 106 +-
.../notify-plugin.json | 36 +-
.../StellaOps.Notify.Engine/AGENTS.md | 0
.../ChannelHealthContracts.cs | 102 +-
.../ChannelTestPreviewContracts.cs | 0
.../INotifyRuleEvaluator.cs | 56 +-
.../NotifyRuleEvaluationOutcome.cs | 88 +-
.../StellaOps.Notify.Engine.csproj | 0
.../StellaOps.Notify.Engine/TASKS.md | 2 +-
.../StellaOps.Notify.Models/AGENTS.md | 0
.../Iso8601DurationConverter.cs | 0
.../NotifyCanonicalJsonSerializer.cs | 0
.../StellaOps.Notify.Models/NotifyChannel.cs | 0
.../StellaOps.Notify.Models/NotifyDelivery.cs | 0
.../StellaOps.Notify.Models/NotifyEnums.cs | 0
.../StellaOps.Notify.Models/NotifyEvent.cs | 0
.../NotifyEventKinds.cs | 0
.../StellaOps.Notify.Models/NotifyRule.cs | 0
.../NotifySchemaMigration.cs | 0
.../NotifySchemaVersions.cs | 0
.../StellaOps.Notify.Models/NotifyTemplate.cs | 0
.../NotifyValidation.cs | 0
.../StellaOps.Notify.Models.csproj | 0
.../StellaOps.Notify.Models/TASKS.md | 2 +
.../StellaOps.Notify.Queue/AGENTS.md | 0
.../Nats/NatsNotifyDeliveryLease.cs | 160 +-
.../Nats/NatsNotifyDeliveryQueue.cs | 1394 +-
.../Nats/NatsNotifyEventLease.cs | 166 +-
.../Nats/NatsNotifyEventQueue.cs | 1396 +-
.../NotifyDeliveryQueueHealthCheck.cs | 110 +-
.../NotifyDeliveryQueueOptions.cs | 138 +-
.../NotifyEventQueueOptions.cs | 354 +-
.../NotifyQueueContracts.cs | 462 +-
.../NotifyQueueFields.cs | 36 +-
.../NotifyQueueHealthCheck.cs | 110 +-
.../NotifyQueueMetrics.cs | 78 +-
.../NotifyQueueServiceCollectionExtensions.cs | 292 +-
.../NotifyQueueTransportKind.cs | 20 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Redis/RedisNotifyDeliveryLease.cs | 152 +-
.../Redis/RedisNotifyDeliveryQueue.cs | 1576 +-
.../Redis/RedisNotifyEventLease.cs | 152 +-
.../Redis/RedisNotifyEventQueue.cs | 1310 +-
.../StellaOps.Notify.Queue.csproj | 46 +-
.../StellaOps.Notify.Queue/TASKS.md | 2 +-
.../StellaOps.Notify.Storage.Mongo/AGENTS.md | 0
.../Documents/NotifyAuditEntryDocument.cs | 0
.../Documents/NotifyDigestDocument.cs | 0
.../Documents/NotifyLockDocument.cs | 0
.../Internal/NotifyMongoContext.cs | 0
.../Internal/NotifyMongoInitializer.cs | 0
.../EnsureNotifyCollectionsMigration.cs | 0
.../EnsureNotifyIndexesMigration.cs | 0
.../Migrations/INotifyMongoMigration.cs | 0
.../Migrations/NotifyMongoMigrationRecord.cs | 0
.../Migrations/NotifyMongoMigrationRunner.cs | 0
.../Options/NotifyMongoOptions.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../Repositories/INotifyAuditRepository.cs | 0
.../Repositories/INotifyChannelRepository.cs | 0
.../Repositories/INotifyDeliveryRepository.cs | 0
.../Repositories/INotifyDigestRepository.cs | 0
.../Repositories/INotifyLockRepository.cs | 0
.../Repositories/INotifyRuleRepository.cs | 0
.../Repositories/INotifyTemplateRepository.cs | 0
.../Repositories/NotifyAuditRepository.cs | 0
.../Repositories/NotifyChannelRepository.cs | 0
.../Repositories/NotifyDeliveryQueryResult.cs | 0
.../Repositories/NotifyDeliveryRepository.cs | 0
.../Repositories/NotifyDigestRepository.cs | 0
.../Repositories/NotifyLockRepository.cs | 0
.../Repositories/NotifyRuleRepository.cs | 0
.../Repositories/NotifyTemplateRepository.cs | 0
.../BsonDocumentJsonExtensions.cs | 0
.../NotifyChannelDocumentMapper.cs | 0
.../NotifyDeliveryDocumentMapper.cs | 0
.../Serialization/NotifyRuleDocumentMapper.cs | 0
.../NotifyTemplateDocumentMapper.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Notify.Storage.Mongo.csproj | 36 +-
.../StellaOps.Notify.Storage.Mongo/TASKS.md | 2 +-
.../EmailChannelHealthProviderTests.cs | 200 +-
...laOps.Notify.Connectors.Email.Tests.csproj | 9 +-
.../SlackChannelHealthProviderTests.cs | 192 +-
.../SlackChannelTestProviderTests.cs | 226 +-
...laOps.Notify.Connectors.Slack.Tests.csproj | 9 +-
...laOps.Notify.Connectors.Teams.Tests.csproj | 9 +-
.../TeamsChannelHealthProviderTests.cs | 196 +-
.../TeamsChannelTestProviderTests.cs | 270 +-
.../DocSampleTests.cs | 0
.../NotifyCanonicalJsonSerializerTests.cs | 0
.../NotifyDeliveryTests.cs | 0
.../NotifyRuleTests.cs | 0
.../NotifySchemaMigrationTests.cs | 0
.../PlatformEventSamplesTests.cs | 0
.../PlatformEventSchemaValidationTests.cs | 0
.../StellaOps.Notify.Models.Tests.csproj | 19 +-
.../NatsNotifyDeliveryQueueTests.cs | 446 +-
.../NatsNotifyEventQueueTests.cs | 450 +-
.../RedisNotifyDeliveryQueueTests.cs | 394 +-
.../RedisNotifyEventQueueTests.cs | 440 +-
.../StellaOps.Notify.Queue.Tests.csproj | 7 +-
.../AssemblyInfo.cs | 0
.../GlobalUsings.cs | 0
.../Internal/NotifyMongoMigrationTests.cs | 0
.../NotifyAuditRepositoryTests.cs | 0
.../NotifyChannelRepositoryTests.cs | 0
.../NotifyDeliveryRepositoryTests.cs | 0
.../NotifyDigestRepositoryTests.cs | 0
.../Repositories/NotifyLockRepositoryTests.cs | 0
.../Repositories/NotifyRuleRepositoryTests.cs | 0
.../NotifyTemplateRepositoryTests.cs | 0
.../NotifyChannelDocumentMapperTests.cs | 0
.../NotifyRuleDocumentMapperTests.cs | 0
.../NotifyTemplateDocumentMapperTests.cs | 0
...tellaOps.Notify.Storage.Mongo.Tests.csproj | 7 +-
.../CrudEndpointsTests.cs | 0
.../NormalizeEndpointsTests.cs | 0
.../StellaOps.Notify.WebService.Tests.csproj | 37 +-
.../NotifyEventLeaseProcessorTests.cs | 334 +-
.../StellaOps.Notify.Worker.Tests.csproj | 9 +-
.../AGENTS.md | 20 +-
.../TASKS.md | 18 +-
.../AGENTS.md | 20 +-
.../TASKS.md | 18 +-
src/Orchestrator/StellaOps.Orchestrator.sln | 99 +
.../StellaOps.Orchestrator/AGENTS.md | 36 +-
.../StellaOps.Orchestrator.Core/Class1.cs | 12 +-
.../StellaOps.Orchestrator.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...ellaOps.Orchestrator.Infrastructure.csproj | 56 +-
.../StellaOps.Orchestrator.Tests.csproj | 270 +-
.../StellaOps.Orchestrator.Tests/UnitTest1.cs | 20 +-
.../xunit.runner.json | 3 +
.../Program.cs | 82 +-
.../Properties/launchSettings.json | 46 +-
.../StellaOps.Orchestrator.WebService.csproj | 82 +-
.../StellaOps.Orchestrator.WebService.http | 12 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 18 +-
.../StellaOps.Orchestrator.Worker/Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.Orchestrator.Worker.csproj | 86 +-
.../StellaOps.Orchestrator.Worker/Worker.cs | 32 +-
.../appsettings.Development.json | 16 +-
.../appsettings.json | 16 +-
.../StellaOps.Orchestrator.sln | 180 +-
.../StellaOps.Orchestrator/TASKS.md | 152 +-
src/PacksRegistry/StellaOps.PacksRegistry.sln | 99 +
.../StellaOps.PacksRegistry/AGENTS.md | 34 +-
.../StellaOps.PacksRegistry.Core/Class1.cs | 12 +-
.../StellaOps.PacksRegistry.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...llaOps.PacksRegistry.Infrastructure.csproj | 56 +-
.../StellaOps.PacksRegistry.Tests.csproj | 270 +-
.../UnitTest1.cs | 20 +-
.../xunit.runner.json | 3 +
.../Program.cs | 82 +-
.../Properties/launchSettings.json | 46 +-
.../StellaOps.PacksRegistry.WebService.csproj | 82 +-
.../StellaOps.PacksRegistry.WebService.http | 12 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 9 +
.../StellaOps.PacksRegistry.Worker/Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.PacksRegistry.Worker.csproj | 86 +-
.../StellaOps.PacksRegistry.Worker/Worker.cs | 32 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 8 +
.../StellaOps.PacksRegistry.sln | 180 +-
.../StellaOps.PacksRegistry/TASKS.md | 32 +-
.../StellaOps.Policy.Engine/AGENTS.md | 36 +-
.../Compilation/DslToken.cs | 320 +-
.../Compilation/DslTokenizer.cs | 1152 +-
.../Compilation/PolicyCompiler.cs | 338 +-
.../Compilation/PolicyDslDiagnosticCodes.cs | 38 +-
.../Compilation/PolicyIr.cs | 122 +-
.../Compilation/PolicyIrSerializer.cs | 830 +-
.../Compilation/PolicyParser.cs | 1356 +-
.../Compilation/PolicySyntaxNodes.cs | 282 +-
.../Domain/PolicyPackRecord.cs | 202 +-
.../Endpoints/PolicyCompilationEndpoints.cs | 214 +-
.../Endpoints/PolicyPackEndpoints.cs | 534 +-
.../Evaluation/PolicyEvaluationContext.cs | 284 +-
.../Evaluation/PolicyEvaluator.cs | 840 +-
.../Evaluation/PolicyExpressionEvaluator.cs | 1018 +-
.../Hosting/PolicyEngineStartupDiagnostics.cs | 24 +-
.../Options/PolicyEngineOptions.cs | 336 +-
.../StellaOps.Policy.Engine/Program.cs | 278 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../StellaOps.Policy.Engine/README.md | 28 +-
.../Services/IPolicyPackRepository.cs | 58 +-
.../Services/InMemoryPolicyPackRepository.cs | 186 +-
.../Services/PolicyCompilationService.cs | 240 +-
.../Services/PolicyEvaluationService.cs | 52 +-
.../Services/ScopeAuthorization.cs | 106 +-
.../StellaOps.Policy.Engine.csproj | 20 +
.../StellaOps.Policy.Engine/TASKS.md | 2 +-
.../Workers/PolicyEngineBootstrapWorker.cs | 70 +-
.../Clients/IPolicyEngineClient.cs | 30 +-
.../Clients/PolicyEngineClient.cs | 398 +-
.../Clients/PolicyEngineResponse.cs | 62 +-
.../Clients/PolicyEngineResponseExtensions.cs | 142 +-
.../Contracts/PolicyPackContracts.cs | 90 +-
.../GatewayForwardingContext.cs | 118 +-
.../Options/PolicyGatewayOptions.cs | 646 +-
.../StellaOps.Policy.Gateway/Program.cs | 812 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Services/PolicyEngineTokenProvider.cs | 246 +-
.../Services/PolicyGatewayAuthorization.cs | 48 +-
.../Services/PolicyGatewayDpopHandler.cs | 84 +-
.../PolicyGatewayDpopProofGenerator.cs | 470 +-
.../Services/PolicyGatewayMetrics.cs | 102 +-
.../StellaOps.Policy.Gateway.csproj | 23 +
.../StellaOps.Policy.Registry/AGENTS.md | 8 +-
.../StellaOps.Policy.Registry/TASKS.md | 34 +-
.../StellaOps.Policy.RiskProfile/AGENTS.md | 30 +-
.../StellaOps.Policy.RiskProfile/TASKS.md | 40 +-
src/Policy/StellaOps.Policy.sln | 212 +
.../__Libraries}/StellaOps.Policy/AGENTS.md | 0
.../Audit/IPolicyAuditRepository.cs | 0
.../Audit/InMemoryPolicyAuditRepository.cs | 0
.../StellaOps.Policy/PolicyAuditEntry.cs | 0
.../StellaOps.Policy/PolicyBinder.cs | 0
.../StellaOps.Policy/PolicyDiagnostics.cs | 0
.../StellaOps.Policy/PolicyDigest.cs | 0
.../StellaOps.Policy/PolicyDocument.cs | 0
.../StellaOps.Policy/PolicyEvaluation.cs | 0
.../StellaOps.Policy/PolicyFinding.cs | 0
.../StellaOps.Policy/PolicyIssue.cs | 0
.../StellaOps.Policy/PolicyPreviewModels.cs | 0
.../StellaOps.Policy/PolicyPreviewService.cs | 0
.../StellaOps.Policy/PolicySchemaResource.cs | 0
.../StellaOps.Policy/PolicyScoringConfig.cs | 0
.../PolicyScoringConfigBinder.cs | 0
.../PolicyScoringConfigDigest.cs | 0
.../StellaOps.Policy/PolicyScoringSchema.cs | 0
.../StellaOps.Policy/PolicySnapshot.cs | 0
.../StellaOps.Policy/PolicySnapshotStore.cs | 0
.../PolicyUnknownConfidenceConfig.cs | 0
.../StellaOps.Policy/PolicyValidationCli.cs | 0
.../StellaOps.Policy/PolicyVerdict.cs | 0
.../Schemas/policy-schema@1.json | 0
.../Schemas/policy-scoring-default.json | 0
.../Schemas/policy-scoring-schema@1.json | 0
.../StellaOps.Policy/StellaOps.Policy.csproj | 44 +-
.../Storage/IPolicySnapshotRepository.cs | 0
.../InMemoryPolicySnapshotRepository.cs | 0
.../__Libraries}/StellaOps.Policy/TASKS.md | 2 +-
.../PolicyCompilerTests.cs | 208 +-
.../PolicyEvaluatorTests.cs | 582 +-
.../PolicyPackRepositoryTests.cs | 88 +-
.../StellaOps.Policy.Engine.Tests.csproj | 5 +-
.../GatewayActivationTests.cs | 1096 +-
.../PolicyEngineClientTests.cs | 424 +-
.../PolicyGatewayDpopProofGeneratorTests.cs | 334 +-
.../StellaOps.Policy.Gateway.Tests.csproj | 5 +-
.../PolicyBinderTests.cs | 0
.../PolicyEvaluationTests.cs | 0
.../PolicyPreviewServiceTests.cs | 0
.../PolicyScoringConfigTests.cs | 0
.../PolicySnapshotStoreTests.cs | 0
.../StellaOps.Policy.Tests.csproj | 27 +-
.../AGENTS.md | 40 +-
.../StellaOps.Provenance.Attestation/TASKS.md | 26 +-
.../Observability/RegistryTokenMetrics.cs | 68 +-
.../PlanRegistry.cs | 300 +-
.../Program.cs | 342 +-
.../Properties/launchSettings.json | 28 +-
.../RegistryAccessModels.cs | 26 +-
.../RegistryScopeParser.cs | 186 +-
.../RegistryTokenIssuer.cs | 258 +-
.../RegistryTokenServiceOptions.cs | 642 +-
.../Security/SigningKeyLoader.cs | 132 +-
.../StellaOps.Registry.TokenService.csproj | 11 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 9 +
src/Registry/StellaOps.Registry.sln | 137 +
.../PlanRegistryTests.cs | 218 +-
.../RegistryScopeParserTests.cs | 76 +-
.../RegistryTokenIssuerTests.cs | 220 +-
...ellaOps.Registry.TokenService.Tests.csproj | 29 +
.../UnitTest1.cs | 20 +-
.../xunit.runner.json | 3 +
src/RiskEngine/StellaOps.RiskEngine.sln | 99 +
.../StellaOps.RiskEngine/AGENTS.md | 46 +-
.../StellaOps.RiskEngine.Core/Class1.cs | 12 +-
.../StellaOps.RiskEngine.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...StellaOps.RiskEngine.Infrastructure.csproj | 56 +-
.../StellaOps.RiskEngine.Tests.csproj | 270 +-
.../StellaOps.RiskEngine.Tests/UnitTest1.cs | 20 +-
.../xunit.runner.json | 3 +
.../Program.cs | 41 +
.../Properties/launchSettings.json | 46 +-
.../StellaOps.RiskEngine.WebService.csproj | 82 +-
.../StellaOps.RiskEngine.WebService.http | 12 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 9 +
.../StellaOps.RiskEngine.Worker/Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.RiskEngine.Worker.csproj | 86 +-
.../StellaOps.RiskEngine.Worker/Worker.cs | 32 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 8 +
.../StellaOps.RiskEngine.sln | 180 +-
.../StellaOps.RiskEngine/TASKS.md | 64 +-
src/SbomService/StellaOps.SbomService.sln | 104 +
.../StellaOps.SbomService/AGENTS.md | 30 +-
.../StellaOps.SbomService/Program.cs | 34 +-
.../StellaOps.SbomService.csproj | 7 +-
.../StellaOps.SbomService/TASKS.md | 94 +-
.../TASKS.md | 42 +-
.../TASKS.md | 44 +-
.../TASKS.md | 44 +-
.../TASKS.md | 40 +-
.../AGENTS.md | 0
.../Attestation/AttestorClient.cs | 0
.../Attestation/AttestorProvenanceRequest.cs | 0
.../BuildxPluginException.cs | 0
.../Cas/CasWriteResult.cs | 0
.../Cas/LocalCasClient.cs | 0
.../Cas/LocalCasOptions.cs | 0
.../Descriptor/DescriptorArtifact.cs | 0
.../Descriptor/DescriptorDocument.cs | 0
.../Descriptor/DescriptorGenerator.cs | 0
.../Descriptor/DescriptorGeneratorMetadata.cs | 0
.../Descriptor/DescriptorProvenance.cs | 0
.../Descriptor/DescriptorRequest.cs | 0
.../Descriptor/DescriptorSubject.cs | 0
.../Manifest/BuildxPluginCas.cs | 0
.../Manifest/BuildxPluginEntryPoint.cs | 0
.../Manifest/BuildxPluginImage.cs | 0
.../Manifest/BuildxPluginManifest.cs | 0
.../Manifest/BuildxPluginManifestLoader.cs | 0
.../Program.cs | 0
...ellaOps.Scanner.Sbomer.BuildXPlugin.csproj | 0
.../TASKS.md | 0
.../stellaops.sbom-indexer.manifest.json | 0
.../AssemblyInfo.cs | 0
.../Constants/ProblemTypes.cs | 0
.../Contracts/OrchestratorEventContracts.cs | 554 +-
.../Contracts/PolicyDiagnosticsContracts.cs | 0
.../Contracts/PolicyPreviewContracts.cs | 0
.../Contracts/ReportContracts.cs | 0
.../Contracts/RuntimeEventsContracts.cs | 44 +-
.../Contracts/RuntimePolicyContracts.cs | 182 +-
.../Contracts/ScanStatusResponse.cs | 0
.../Contracts/ScanSubmitRequest.cs | 0
.../Contracts/ScanSubmitResponse.cs | 0
.../Diagnostics/ServiceStatus.cs | 0
.../Domain/ScanId.cs | 0
.../Domain/ScanProgressEvent.cs | 0
.../Domain/ScanSnapshot.cs | 0
.../Domain/ScanStatus.cs | 0
.../Domain/ScanSubmission.cs | 0
.../Domain/ScanTarget.cs | 0
.../Endpoints/HealthEndpoints.cs | 0
.../Endpoints/PolicyEndpoints.cs | 0
.../Endpoints/ReportEndpoints.cs | 0
.../Endpoints/RuntimeEndpoints.cs | 506 +-
.../Endpoints/ScanEndpoints.cs | 0
.../Extensions/ConfigurationExtensions.cs | 0
.../OpenApiRegistrationExtensions.cs | 0
.../Hosting/ScannerPluginHostFactory.cs | 0
.../Infrastructure/ProblemResultFactory.cs | 0
.../Options/ScannerWebServiceOptions.cs | 0
.../ScannerWebServiceOptionsPostConfigure.cs | 0
.../ScannerWebServiceOptionsValidator.cs | 0
.../StellaOps.Scanner.WebService/Program.cs | 0
.../AnonymousAuthenticationHandler.cs | 0
.../Security/ScannerAuthorityScopes.cs | 0
.../Security/ScannerPolicies.cs | 0
.../OrchestratorEventSerializer.cs | 396 +-
.../Services/IPlatformEventPublisher.cs | 0
.../Services/IRedisConnectionFactory.cs | 26 +-
.../Services/IReportEventDispatcher.cs | 0
.../Services/IScanCoordinator.cs | 0
.../Services/InMemoryScanCoordinator.cs | 0
.../Services/NullPlatformEventPublisher.cs | 0
.../Services/PolicyDtoMapper.cs | 0
.../Services/RedisConnectionFactory.cs | 38 +-
.../Services/RedisPlatformEventPublisher.cs | 0
.../Services/ReportEventDispatcher.cs | 1166 +-
.../Services/ReportSigner.cs | 0
.../Services/RuntimeEventIngestionService.cs | 430 +-
.../Services/RuntimeEventRateLimiter.cs | 346 +-
.../Services/RuntimePolicyService.cs | 1026 +-
.../Services/ScanProgressStream.cs | 0
.../StellaOps.Scanner.WebService.csproj | 34 +
.../StellaOps.Scanner.WebService/TASKS.md | 26 +-
.../Utilities/ScanIdGenerator.cs | 0
.../StellaOps.Scanner.Worker/AGENTS.md | 0
.../ScannerWorkerInstrumentation.cs | 0
.../Diagnostics/ScannerWorkerMetrics.cs | 0
.../Diagnostics/TelemetryExtensions.cs | 0
.../Hosting/ScannerWorkerHostedService.cs | 0
.../Options/ScannerWorkerOptions.cs | 0
.../Options/ScannerWorkerOptionsValidator.cs | 0
.../Processing/AnalyzerStageExecutor.cs | 0
.../CompositeScanAnalyzerDispatcher.cs | 562 +-
.../Processing/EntryTraceExecutionService.cs | 604 +-
.../Processing/IDelayScheduler.cs | 0
.../Processing/IEntryTraceExecutionService.cs | 18 +-
.../Processing/IScanAnalyzerDispatcher.cs | 0
.../Processing/IScanJobLease.cs | 0
.../Processing/IScanJobSource.cs | 0
.../Processing/IScanStageExecutor.cs | 0
.../Processing/LeaseHeartbeatService.cs | 0
.../Processing/NoOpStageExecutor.cs | 0
.../Processing/NullScanJobSource.cs | 0
.../Processing/PollDelayStrategy.cs | 0
.../Processing/ScanJobContext.cs | 0
.../Processing/ScanJobProcessor.cs | 0
.../Processing/ScanProgressReporter.cs | 0
.../Processing/ScanStageNames.cs | 0
.../Processing/SystemDelayScheduler.cs | 0
.../StellaOps.Scanner.Worker/Program.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
.../StellaOps.Scanner.Worker.csproj | 45 +-
.../StellaOps.Scanner.Worker/TASKS.md | 0
src/Scanner/StellaOps.Scanner.sln | 775 +
.../AGENTS.md | 0
.../DotNetAnalyzerPlugin.cs | 34 +-
.../DotNetLanguageAnalyzer.cs | 74 +-
.../GlobalUsings.cs | 0
.../IDotNetAuthenticodeInspector.cs | 0
.../Internal/DotNetDependencyCollector.cs | 0
.../Internal/DotNetDepsFile.cs | 572 +-
.../Internal/DotNetFileCaches.cs | 664 +-
.../Internal/DotNetRuntimeConfig.cs | 316 +-
...laOps.Scanner.Analyzers.Lang.DotNet.csproj | 0
.../TASKS.md | 38 +-
.../manifest.json | 46 +-
.../AGENTS.md | 2 +-
.../GlobalUsings.cs | 0
.../GoAnalyzerPlugin.cs | 34 +-
.../GoLanguageAnalyzer.cs | 770 +-
.../Internal/GoAnalyzerMetrics.cs | 60 +-
.../Internal/GoBinaryScanner.cs | 528 +-
.../Internal/GoBuildInfo.cs | 160 +-
.../Internal/GoBuildInfoDecoder.cs | 318 +-
.../Internal/GoBuildInfoParser.cs | 468 +-
.../Internal/GoBuildInfoProvider.cs | 164 +-
.../Internal/GoDwarfMetadata.cs | 66 +-
.../Internal/GoDwarfReader.cs | 240 +-
.../Internal/GoModule.cs | 134 +-
.../GoStrippedBinaryClassification.cs | 0
...StellaOps.Scanner.Analyzers.Lang.Go.csproj | 0
.../TASKS.md | 0
.../manifest.json | 46 +-
.../GlobalUsings.cs | 0
.../Internal/ClassPath/JavaClassLocation.cs | 124 +-
.../ClassPath/JavaClassPathAnalysis.cs | 204 +-
.../ClassPath/JavaClassPathBuilder.cs | 1320 +-
.../ClassPath/JavaModuleDescriptor.cs | 44 +-
.../ClassPath/JavaModuleInfoParser.cs | 734 +-
.../Internal/JavaArchive.cs | 528 +-
.../Internal/JavaArchiveEntry.cs | 16 +-
.../Internal/JavaPackagingKind.cs | 24 +-
.../Internal/JavaReleaseFileParser.cs | 136 +-
.../Internal/JavaRuntimeImage.cs | 14 +-
.../Internal/JavaWorkspace.cs | 56 +-
.../Internal/JavaWorkspaceNormalizer.cs | 202 +-
.../Internal/JavaZipEntryUtilities.cs | 104 +-
.../Reflection/JavaReflectionAnalysis.cs | 88 +-
.../Reflection/JavaReflectionAnalyzer.cs | 1432 +-
.../JavaServiceProviderScanner.cs | 320 +-
.../ServiceProviders/JavaSpiCatalog.cs | 206 +-
.../ServiceProviders/java-spi-catalog.json | 104 +-
.../JavaLanguageAnalyzer.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
...ellaOps.Scanner.Analyzers.Lang.Java.csproj | 0
.../TASKS.md | 62 +-
.../manifest.json | 0
.../AGENTS.md | 2 +-
.../GlobalUsings.cs | 0
.../Internal/NodeAnalyzerMetrics.cs | 0
.../Internal/NodeLifecycleScript.cs | 0
.../Internal/NodeLockData.cs | 0
.../Internal/NodeLockEntry.cs | 0
.../Internal/NodePackage.cs | 0
.../Internal/NodePackageCollector.cs | 0
.../Internal/NodeWorkspaceIndex.cs | 0
.../NodeAnalyzerPlugin.cs | 36 +-
.../NodeLanguageAnalyzer.cs | 0
...ellaOps.Scanner.Analyzers.Lang.Node.csproj | 0
.../TASKS.md | 62 +-
.../manifest.json | 44 +-
.../AGENTS.md | 0
.../GlobalUsings.cs | 0
.../Internal/PythonDistributionLoader.cs | 1856 +-
.../PythonAnalyzerPlugin.cs | 34 +-
.../PythonLanguageAnalyzer.cs | 144 +-
...laOps.Scanner.Analyzers.Lang.Python.csproj | 0
.../TASKS.md | 62 +-
.../manifest.json | 46 +-
.../AGENTS.md | 0
.../GlobalUsings.cs | 0
.../Internal/RustAnalyzerCollector.cs | 0
.../Internal/RustBinaryClassifier.cs | 0
.../Internal/RustCargoLockParser.cs | 0
.../Internal/RustFingerprintScanner.cs | 0
.../RustAnalyzerPlugin.cs | 28 +-
.../RustLanguageAnalyzer.cs | 6 +-
...ellaOps.Scanner.Analyzers.Lang.Rust.csproj | 0
.../TASKS.md | 0
.../manifest.json | 46 +-
.../AGENTS.md | 0
.../Core/ILanguageAnalyzer.cs | 0
.../Core/Internal/LanguageAnalyzerJson.cs | 0
.../Core/LanguageAnalyzerContext.cs | 0
.../Core/LanguageAnalyzerEngine.cs | 0
.../Core/LanguageAnalyzerResult.cs | 0
.../Core/LanguageComponentEvidence.cs | 0
.../Core/LanguageComponentMapper.cs | 0
.../Core/LanguageComponentRecord.cs | 0
.../Core/LanguageUsageHints.cs | 0
.../GlobalUsings.cs | 0
.../Plugin/ILanguageAnalyzerPlugin.cs | 30 +-
.../Plugin/LanguageAnalyzerPluginCatalog.cs | 294 +-
.../SPRINTS_LANG_IMPLEMENTATION_PLAN.md | 8 +-
.../StellaOps.Scanner.Analyzers.Lang.csproj | 35 +-
.../StellaOps.Scanner.Analyzers.Lang/TASKS.md | 0
.../ApkAnalyzerPlugin.cs | 0
.../ApkDatabaseParser.cs | 0
.../ApkPackageAnalyzer.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Scanner.Analyzers.OS.Apk.csproj | 30 +-
.../manifest.json | 0
.../DpkgAnalyzerPlugin.cs | 0
.../DpkgPackageAnalyzer.cs | 0
.../DpkgStatusParser.cs | 0
.../Properties/AssemblyInfo.cs | 0
...StellaOps.Scanner.Analyzers.OS.Dpkg.csproj | 30 +-
.../manifest.json | 0
.../IRpmDatabaseReader.cs | 0
.../Internal/RpmHeader.cs | 0
.../Internal/RpmHeaderParser.cs | 0
.../Internal/RpmTags.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../RpmAnalyzerPlugin.cs | 0
.../RpmDatabaseReader.cs | 0
.../RpmPackageAnalyzer.cs | 0
.../StellaOps.Scanner.Analyzers.OS.Rpm.csproj | 32 +-
.../manifest.json | 0
.../StellaOps.Scanner.Analyzers.OS/AGENTS.md | 0
.../Abstractions/IOSPackageAnalyzer.cs | 0
.../Analyzers/OsPackageAnalyzerBase.cs | 0
.../Helpers/CveHintExtractor.cs | 0
.../Helpers/PackageUrlBuilder.cs | 0
.../Helpers/PackageVersionParser.cs | 0
.../Mapping/OsComponentMapper.cs | 0
.../Model/AnalyzerWarning.cs | 0
.../Model/OSAnalyzerTelemetry.cs | 0
.../Model/OSPackageAnalyzerContext.cs | 0
.../Model/OSPackageAnalyzerResult.cs | 0
.../Model/OSPackageFileEvidence.cs | 0
.../Model/OSPackageRecord.cs | 0
.../Model/PackageEvidenceSource.cs | 0
.../Plugin/IOSAnalyzerPlugin.cs | 0
.../Plugin/OsAnalyzerPluginCatalog.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Scanner.Analyzers.OS.csproj | 5 +-
.../StellaOps.Scanner.Analyzers.OS/TASKS.md | 0
.../StellaOps.Scanner.Cache/AGENTS.md | 0
.../IFileContentAddressableStore.cs | 0
.../Abstractions/ILayerCacheStore.cs | 0
.../Abstractions/LayerCacheEntry.cs | 0
.../Abstractions/LayerCachePutRequest.cs | 0
.../FileCas/FileContentAddressableStore.cs | 0
.../NullFileContentAddressableStore.cs | 0
.../LayerCache/LayerCacheStore.cs | 0
.../ScannerCacheMaintenanceService.cs | 0
.../ScannerCacheMetrics.cs | 0
.../ScannerCacheOptions.cs | 0
...ScannerCacheServiceCollectionExtensions.cs | 0
.../StellaOps.Scanner.Cache.csproj | 38 +-
.../StellaOps.Scanner.Cache/TASKS.md | 0
.../StellaOps.Scanner.Core/AGENTS.md | 0
.../Contracts/ComponentGraph.cs | 0
.../Contracts/ComponentModels.cs | 0
.../Contracts/SbomView.cs | 0
.../Contracts/ScanAnalysisKeys.cs | 0
.../Contracts/ScanAnalysisStore.cs | 0
.../Contracts/ScanAnalysisStoreExtensions.cs | 0
.../Contracts/ScanJob.cs | 0
.../Contracts/ScanJobIdJsonConverter.cs | 0
.../Contracts/ScanMetadataKeys.cs | 0
.../Contracts/ScanProgressEvent.cs | 0
.../Contracts/ScannerError.cs | 0
.../ScannerCorrelationContext.cs | 0
.../Observability/ScannerDiagnostics.cs | 0
.../Observability/ScannerLogExtensions.cs | 0
.../Observability/ScannerMetricNames.cs | 0
.../Security/AuthorityTokenSource.cs | 0
.../Security/IAuthorityTokenSource.cs | 0
.../Security/IPluginCatalogGuard.cs | 0
.../Security/RestartOnlyPluginGuard.cs | 0
.../Security/ScannerOperationalToken.cs | 0
.../Security/ServiceCollectionExtensions.cs | 0
.../Serialization/ScannerJsonOptions.cs | 0
.../StellaOps.Scanner.Core.csproj | 7 +-
.../StellaOps.Scanner.Core/TASKS.md | 0
.../Utility/ScannerIdentifiers.cs | 0
.../Utility/ScannerTimestamps.cs | 0
.../StellaOps.Scanner.Diff/AGENTS.md | 0
.../ComponentDiffModels.cs | 0
.../StellaOps.Scanner.Diff/ComponentDiffer.cs | 0
.../DiffJsonSerializer.cs | 0
.../StellaOps.Scanner.Diff.csproj | 0
.../StellaOps.Scanner.Diff/TASKS.md | 0
.../StellaOps.Scanner.Emit/AGENTS.md | 0
.../Composition/CycloneDxComposer.cs | 0
.../Composition/SbomCompositionRequest.cs | 0
.../Composition/SbomCompositionResult.cs | 0
.../Composition/SbomPolicyFinding.cs | 130 +-
.../ScanAnalysisCompositionBuilder.cs | 0
.../Index/BomIndexBuilder.cs | 0
.../ScannerArtifactPackageBuilder.cs | 0
.../StellaOps.Scanner.Emit.csproj | 0
.../StellaOps.Scanner.Emit/TASKS.md | 0
.../StellaOps.Scanner.EntryTrace/AGENTS.md | 0
.../Diagnostics/EntryTraceMetrics.cs | 0
.../EntryTraceAnalyzer.cs | 0
.../EntryTraceAnalyzerOptions.cs | 0
.../EntryTraceContext.cs | 0
.../EntryTraceImageContextFactory.cs | 356 +-
.../EntryTraceTypes.cs | 0
.../EntrypointSpecification.cs | 0
.../FileSystem/IRootFileSystem.cs | 0
.../FileSystem/LayeredRootFileSystem.cs | 1542 +-
.../IEntryTraceAnalyzer.cs | 0
.../Oci/OciImageConfig.cs | 258 +-
.../Parsing/ShellNodes.cs | 0
.../Parsing/ShellParser.cs | 0
.../Parsing/ShellToken.cs | 0
.../Parsing/ShellTokenizer.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../StellaOps.Scanner.EntryTrace.csproj | 5 +-
.../StellaOps.Scanner.EntryTrace/TASKS.md | 0
.../StellaOps.Scanner.Queue/AGENTS.md | 0
.../StellaOps.Scanner.Queue/IScanQueue.cs | 0
.../IScanQueueLease.cs | 0
.../Nats/NatsScanQueue.cs | 0
.../Nats/NatsScanQueueLease.cs | 0
.../QueueEnvelopeFields.cs | 0
.../StellaOps.Scanner.Queue/QueueMetrics.cs | 0
.../QueueTransportKind.cs | 0
.../Redis/RedisScanQueue.cs | 0
.../Redis/RedisScanQueueLease.cs | 0
.../ScanQueueContracts.cs | 0
.../ScannerQueueHealthCheck.cs | 0
.../ScannerQueueOptions.cs | 0
...ScannerQueueServiceCollectionExtensions.cs | 0
.../StellaOps.Scanner.Queue.csproj | 42 +-
.../StellaOps.Scanner.Queue/TASKS.md | 0
.../StellaOps.Scanner.Storage/AGENTS.md | 0
.../Catalog/ArtifactDocument.cs | 0
.../Catalog/CatalogIdFactory.cs | 0
.../Catalog/ImageDocument.cs | 0
.../Catalog/JobDocument.cs | 0
.../Catalog/LayerDocument.cs | 0
.../Catalog/LifecycleRuleDocument.cs | 0
.../Catalog/LinkDocument.cs | 0
.../Catalog/RuntimeEventDocument.cs | 178 +-
.../Extensions/ServiceCollectionExtensions.cs | 0
.../EnsureLifecycleRuleTtlMigration.cs | 0
.../Migrations/IMongoMigration.cs | 0
.../Migrations/MongoMigrationDocument.cs | 0
.../Migrations/MongoMigrationRunner.cs | 0
.../Mongo/MongoBootstrapper.cs | 0
.../Mongo/MongoCollectionProvider.cs | 0
.../ObjectStore/IArtifactObjectStore.cs | 0
.../ObjectStore/RustFsArtifactObjectStore.cs | 0
.../ObjectStore/S3ArtifactObjectStore.cs | 0
.../Repositories/ArtifactRepository.cs | 0
.../Repositories/ImageRepository.cs | 0
.../Repositories/JobRepository.cs | 0
.../Repositories/LayerRepository.cs | 0
.../Repositories/LifecycleRuleRepository.cs | 0
.../Repositories/LinkRepository.cs | 0
.../Repositories/RuntimeEventRepository.cs | 264 +-
.../ScannerStorageDefaults.cs | 0
.../ScannerStorageOptions.cs | 0
.../Services/ArtifactStorageService.cs | 0
.../StellaOps.Scanner.Storage.csproj | 36 +-
.../StellaOps.Scanner.Storage/TASKS.md | 0
.../Fixtures/lang/go/basic/app | Bin
.../Fixtures/lang/go/basic/expected.json | 234 +-
.../Fixtures/lang/go/dwarf-only/app | Bin
.../Fixtures/lang/go/dwarf-only/expected.json | 158 +-
.../Fixtures/lang/go/stripped/app | 0
.../Fixtures/lang/go/stripped/expected.json | 60 +-
.../Go/GoLanguageAnalyzerTests.cs | 268 +-
...Ops.Scanner.Analyzers.Lang.Go.Tests.csproj | 9 +-
.../Fixtures/java/basic/expected.json | 70 +-
.../Java/JavaClassPathBuilderTests.cs | 344 +-
.../Java/JavaLanguageAnalyzerTests.cs | 66 +-
.../Java/JavaReflectionAnalyzerTests.cs | 204 +-
.../Java/JavaServiceProviderScannerTests.cs | 294 +-
.../Java/JavaWorkspaceNormalizerTests.cs | 186 +-
...s.Scanner.Analyzers.Lang.Java.Tests.csproj | 9 +-
.../lang/node/workspaces/expected.json | 268 +-
.../lang/node/workspaces/package-lock.json | 98 +-
.../lang/node/workspaces/package.json | 20 +-
.../node/workspaces/packages/app/package.json | 22 +-
.../workspaces/packages/app/scripts/setup.js | 2 +-
.../node/workspaces/packages/lib/package.json | 14 +-
.../workspaces/packages/shared/package.json | 14 +-
.../Node/NodeLanguageAnalyzerTests.cs | 54 +-
...s.Scanner.Analyzers.Lang.Node.Tests.csproj | 9 +-
.../python/layered-editable/expected.json | 0
.../layered-2.0.dist-info/INSTALLER | 0
.../layered-2.0.dist-info/METADATA | 0
.../layered-2.0.dist-info/RECORD | 0
.../site-packages/layered-2.0.dist-info/WHEEL | 0
.../layered-2.0.dist-info/entry_points.txt | 0
.../site-packages/layered/__init__.py | 0
.../python3.11/site-packages/layered/cli.py | 0
.../python3.11/site-packages/layered/core.py | 0
.../usr/lib/python3.11/site-packages/LICENSE | 0
.../layered-2.0.dist-info/INSTALLER | 0
.../layered-2.0.dist-info/METADATA | 0
.../layered-2.0.dist-info/RECORD | 0
.../site-packages/layered-2.0.dist-info/WHEEL | 0
.../layered-2.0.dist-info/direct_url.json | 0
.../layered-2.0.dist-info/entry_points.txt | 0
.../site-packages/layered/plugins/__init__.py | 0
.../site-packages/layered/plugins/plugin.py | 0
.../lang/python/pip-cache/expected.json | 0
.../cache_pkg-1.2.3.data/scripts/cache-tool | 0
.../cache_pkg-1.2.3.dist-info/INSTALLER | 0
.../cache_pkg-1.2.3.dist-info/METADATA | 0
.../cache_pkg-1.2.3.dist-info/RECORD | 0
.../cache_pkg-1.2.3.dist-info/WHEEL | 0
.../entry_points.txt | 0
.../site-packages/cache_pkg/LICENSE | 0
.../site-packages/cache_pkg/__init__.py | 0
.../site-packages/cache_pkg/data/config.json | 0
.../site-packages/cache_pkg/md5only.txt | 0
.../lang/python/simple-venv/expected.json | 0
.../simple-1.0.0.dist-info/INSTALLER | 0
.../simple-1.0.0.dist-info/METADATA | 0
.../simple-1.0.0.dist-info/RECORD | 0
.../simple-1.0.0.dist-info/WHEEL | 0
.../simple-1.0.0.dist-info/direct_url.json | 0
.../simple-1.0.0.dist-info/entry_points.txt | 0
.../site-packages/simple/__init__.py | 0
.../site-packages/simple/__main__.py | 0
.../python3.11/site-packages/simple/core.py | 0
.../Python/PythonLanguageAnalyzerTests.cs | 48 +-
...Scanner.Analyzers.Lang.Python.Tests.csproj | 9 +-
.../Core/LanguageAnalyzerResultTests.cs | 0
.../Core/LanguageComponentMapperTests.cs | 0
.../LanguageAnalyzerHarnessTests.cs | 0
.../DotNet/DotNetLanguageAnalyzerTests.cs | 0
.../Fixtures/determinism/basic/expected.json | 0
.../determinism/basic/input/placeholder.txt | 0
.../Fixtures/lang/dotnet/multi/AppA.deps.json | 168 +-
.../lang/dotnet/multi/AppA.runtimeconfig.json | 78 +-
.../Fixtures/lang/dotnet/multi/AppB.deps.json | 152 +-
.../lang/dotnet/multi/AppB.runtimeconfig.json | 76 +-
.../Fixtures/lang/dotnet/multi/expected.json | 238 +-
.../stellaops.logging/2.5.1/LICENSE.txt | 30 +-
.../2.5.1/stellaops.logging.nuspec | 24 +-
.../stellaops.toolkit/1.2.3/LICENSE.txt | 14 +-
.../1.2.3/stellaops.toolkit.nuspec | 22 +-
.../lang/dotnet/selfcontained/MyApp.deps.json | 0
.../selfcontained/MyApp.runtimeconfig.json | 0
.../lang/dotnet/selfcontained/expected.json | 186 +-
.../stellaops.runtime.selfcontained.nuspec | 22 +-
.../stellaops.toolkit/1.2.3/LICENSE.txt | 12 +-
.../1.2.3/stellaops.toolkit.nuspec | 22 +-
.../linux-x64/native/libstellaopsnative.so | 0
.../lang/dotnet/signed/Signed.App.deps.json | 0
.../signed/Signed.App.runtimeconfig.json | 0
.../Fixtures/lang/dotnet/signed/expected.json | 78 +-
.../9.0.0/microsoft.extensions.logging.nuspec | 22 +-
.../lang/dotnet/simple/Sample.App.deps.json | 146 +-
.../simple/Sample.App.runtimeconfig.json | 70 +-
.../Fixtures/lang/dotnet/simple/expected.json | 172 +-
.../9.0.0/microsoft.extensions.logging.nuspec | 22 +-
.../stellaops.toolkit/1.2.3/LICENSE.txt | 14 +-
.../1.2.3/stellaops.toolkit.nuspec | 22 +-
.../Fixtures/lang/rust/simple/Cargo.lock | 0
.../Fixtures/lang/rust/simple/expected.json | 122 +-
.../bin-my_app-1234567890abcdef.json | 0
.../libserde-abcdef1234567890.json | 0
.../Harness/LanguageAnalyzerTestHarness.cs | 0
.../Rust/RustLanguageAnalyzerTests.cs | 0
...llaOps.Scanner.Analyzers.Lang.Tests.csproj | 13 +-
.../TestUtilities/JavaClassFileFactory.cs | 404 +-
.../TestUtilities/JavaFixtureBuilder.cs | 0
.../TestUtilities/TestPaths.cs | 0
.../xunit.runner.json | 3 +
.../Fixtures/apk/lib/apk/db/installed | 0
.../dpkg/var/lib/dpkg/info/bash.conffiles | 0
.../Fixtures/dpkg/var/lib/dpkg/info/bash.list | 0
.../dpkg/var/lib/dpkg/info/bash.md5sums | 0
.../Fixtures/dpkg/var/lib/dpkg/status | 0
.../Fixtures/goldens/apk.json | 0
.../Fixtures/goldens/dpkg.json | 0
.../Fixtures/goldens/rpm.json | 0
.../Mapping/OsComponentMapperTests.cs | 0
.../OsAnalyzerDeterminismTests.cs | 0
...tellaOps.Scanner.Analyzers.OS.Tests.csproj | 11 +-
.../TestUtilities/FixtureManager.cs | 0
.../TestUtilities/GoldenAssert.cs | 0
.../TestUtilities/SnapshotSerializer.cs | 0
.../LayerCacheRoundTripTests.cs | 0
.../StellaOps.Scanner.Cache.Tests.csproj | 5 +-
.../Contracts/ComponentGraphBuilderTests.cs | 0
.../Contracts/ComponentModelsTests.cs | 0
.../Contracts/ScanJobTests.cs | 0
.../Contracts/ScannerCoreContractsTests.cs | 0
.../Fixtures/scan-job.json | 0
.../Fixtures/scan-progress-event.json | 0
.../Fixtures/scanner-error.json | 0
.../ScannerLogExtensionsPerformanceTests.cs | 0
.../ScannerLogExtensionsTests.cs | 0
.../Security/AuthorityTokenSourceTests.cs | 190 +-
.../Security/DpopProofValidatorTests.cs | 0
.../Security/RestartOnlyPluginGuardTests.cs | 0
.../StellaOps.Scanner.Core.Tests.csproj | 16 +
.../Utility/ScannerIdentifiersTests.cs | 0
.../Utility/ScannerTimestampsTests.cs | 0
.../ComponentDifferTests.cs | 0
.../StellaOps.Scanner.Diff.Tests.csproj | 23 +-
.../Composition/CycloneDxComposerTests.cs | 0
.../ScanAnalysisCompositionBuilderTests.cs | 0
.../Index/BomIndexBuilderTests.cs | 0
.../ScannerArtifactPackageBuilderTests.cs | 0
.../StellaOps.Scanner.Emit.Tests.csproj | 23 +-
.../EntryTraceAnalyzerTests.cs | 0
.../EntryTraceImageContextFactoryTests.cs | 172 +-
.../LayeredRootFileSystemTests.cs | 352 +-
.../ShellParserTests.cs | 0
.../StellaOps.Scanner.EntryTrace.Tests.csproj | 27 +-
.../TestRootFileSystem.cs | 0
.../QueueLeaseIntegrationTests.cs | 0
.../StellaOps.Scanner.Queue.Tests.csproj | 29 +-
.../Attestation/AttestorClientTests.cs | 0
.../Cas/LocalCasClientTests.cs | 0
.../Descriptor/DescriptorGeneratorTests.cs | 0
.../Descriptor/DescriptorGoldenTests.cs | 0
.../Fixtures/descriptor.baseline.json | 0
.../BuildxPluginManifestLoaderTests.cs | 0
...s.Scanner.Sbomer.BuildXPlugin.Tests.csproj | 19 +-
.../TestUtilities/TempDirectory.cs | 0
.../InMemoryArtifactObjectStore.cs | 0
.../RustFsArtifactObjectStoreTests.cs | 0
.../ScannerMongoFixture.cs | 0
.../StellaOps.Scanner.Storage.Tests.csproj | 21 +-
.../StorageDualWriteFixture.cs | 0
.../AuthorizationTests.cs | 0
.../HealthEndpointsTests.cs | 0
...PlatformEventPublisherRegistrationTests.cs | 0
.../PlatformEventSamplesTests.cs | 0
.../PolicyEndpointsTests.cs | 0
.../ReportEventDispatcherTests.cs | 0
.../ReportSamplesTests.cs | 0
.../ReportsEndpointsTests.cs | 0
.../RuntimeEndpointsTests.cs | 726 +-
.../ScannerApplicationFactory.cs | 0
.../ScansEndpointsTests.cs | 0
.../StellaOps.Scanner.WebService.Tests.csproj | 21 +-
.../CompositeScanAnalyzerDispatcherTests.cs | 346 +-
.../EntryTraceExecutionServiceTests.cs | 358 +-
.../LeaseHeartbeatServiceTests.cs | 0
.../RedisWorkerSmokeTests.cs | 0
.../ScannerWorkerOptionsValidatorTests.cs | 0
.../StellaOps.Scanner.Worker.Tests.csproj | 27 +-
.../StaticOptionsMonitor.cs | 0
.../WorkerBasicScanScenarioTests.cs | 0
.../StellaOps.Scheduler.WebService/AGENTS.md | 0
.../Auth/AnonymousAuthenticationHandler.cs | 52 +-
.../Auth/ClaimsTenantContextAccessor.cs | 54 +-
.../Auth/HeaderScopeAuthorizer.cs | 62 +-
.../Auth/HeaderTenantContextAccessor.cs | 48 +-
.../Auth/IScopeAuthorizer.cs | 16 +-
.../Auth/ITenantContextAccessor.cs | 20 +-
.../Auth/TokenScopeAuthorizer.cs | 122 +-
.../EventWebhookEndpointExtensions.cs | 346 +-
.../EventWebhooks/IInboundExportEventSink.cs | 22 +-
.../EventWebhooks/IWebhookRateLimiter.cs | 16 +-
.../IWebhookRequestAuthenticator.cs | 214 +-
.../InMemoryWebhookRateLimiter.cs | 126 +-
.../EventWebhooks/LoggingExportEventSink.cs | 66 +-
.../EventWebhooks/WebhookPayloads.cs | 212 +-
.../GraphJobs/CartographerWebhookClient.cs | 204 +-
.../Events/GraphJobCompletedEvent.cs | 92 +-
.../GraphJobs/Events/GraphJobEventFactory.cs | 86 +-
.../GraphJobs/Events/GraphJobEventKinds.cs | 12 +-
.../Events/GraphJobEventPublisher.cs | 82 +-
.../GraphJobs/GraphBuildJobRequest.cs | 52 +-
.../GraphJobCompletionNotification.cs | 26 +-
.../GraphJobs/GraphJobCompletionRequest.cs | 60 +-
.../GraphJobs/GraphJobEndpointExtensions.cs | 322 +-
.../GraphJobs/GraphJobQuery.cs | 54 +-
.../GraphJobs/GraphJobResponse.cs | 90 +-
.../GraphJobs/GraphJobService.cs | 676 +-
.../GraphJobs/GraphOverlayJobRequest.cs | 58 +-
.../GraphJobs/ICartographerWebhookClient.cs | 12 +-
.../GraphJobs/IGraphJobCompletionPublisher.cs | 12 +-
.../GraphJobs/IGraphJobService.cs | 32 +-
.../GraphJobs/IGraphJobStore.cs | 44 +-
.../GraphJobs/InMemoryGraphJobStore.cs | 166 +-
.../GraphJobs/MongoGraphJobStore.cs | 110 +-
.../NullCartographerWebhookClient.cs | 34 +-
.../NullGraphJobCompletionPublisher.cs | 34 +-
.../GraphJobs/OverlayLagMetricsResponse.cs | 40 +-
.../Hosting/SchedulerPluginHostFactory.cs | 152 +-
.../ISystemClock.cs | 22 +-
.../Options/SchedulerAuthorityOptions.cs | 142 +-
.../Options/SchedulerCartographerOptions.cs | 38 +-
.../Options/SchedulerEventsOptions.cs | 218 +-
.../Options/SchedulerOptions.cs | 140 +-
.../PolicyRuns/IPolicyRunService.cs | 24 +-
.../PolicyRuns/InMemoryPolicyRunService.cs | 276 +-
.../PolicyRuns/PolicyRunEndpointExtensions.cs | 394 +-
.../PolicyRuns/PolicyRunQueryOptions.cs | 240 +-
.../PolicyRuns/PolicyRunService.cs | 426 +-
.../StellaOps.Scheduler.WebService/Program.cs | 404 +-
.../Properties/AssemblyInfo.cs | 6 +-
.../Runs/InMemoryRunRepository.cs | 260 +-
.../Runs/RunContracts.cs | 80 +-
.../Runs/RunEndpoints.cs | 838 +-
.../SchedulerEndpointHelpers.cs | 254 +-
.../Schedules/InMemorySchedulerServices.cs | 306 +-
.../Schedules/ScheduleContracts.cs | 68 +-
.../Schedules/ScheduleEndpoints.cs | 794 +-
.../StellaOps.Scheduler.WebService.csproj | 16 +
.../StellaOps.Scheduler.WebService/TASKS.md | 2 +-
.../docs/SCHED-WEB-16-103-RUN-APIS.md | 366 +-
.../docs/SCHED-WEB-16-104-WEBHOOKS.md | 116 +-
.../docs/SCHED-WEB-20-001-POLICY-RUNS.md | 2 +-
.../docs/SCHED-WEB-21-001-GRAPH-APIS.md | 274 +-
.../Program.cs | 0
.../StellaOps.Scheduler.Worker.Host.csproj | 0
src/Scheduler/StellaOps.Scheduler.sln | 416 +
.../StellaOps.Scheduler.ImpactIndex/AGENTS.md | 0
.../FixtureImpactIndex.cs | 1230 +-
.../IImpactIndex.cs | 92 +-
.../ImpactImageRecord.cs | 34 +-
.../ImpactIndexServiceCollectionExtensions.cs | 52 +-
.../ImpactIndexStubOptions.cs | 38 +-
.../Ingestion/BomIndexReader.cs | 238 +-
.../Ingestion/ImpactIndexIngestionRequest.cs | 56 +-
.../REMOVAL_NOTE.md | 30 +-
.../RoaringImpactIndex.cs | 962 +-
.../StellaOps.Scheduler.ImpactIndex.csproj | 0
.../StellaOps.Scheduler.ImpactIndex/TASKS.md | 10 +-
.../StellaOps.Scheduler.Models/AGENTS.md | 0
.../AssemblyInfo.cs | 6 +-
.../StellaOps.Scheduler.Models/AuditRecord.cs | 0
.../CanonicalJsonSerializer.cs | 0
.../EnumConverters.cs | 0
.../StellaOps.Scheduler.Models/Enums.cs | 0
.../GraphBuildJob.cs | 264 +-
.../GraphJobStateMachine.cs | 482 +-
.../GraphOverlayJob.cs | 264 +-
.../StellaOps.Scheduler.Models/ImpactSet.cs | 0
.../PolicyRunJob.cs | 370 +-
.../PolicyRunModels.cs | 1860 +-
.../StellaOps.Scheduler.Models/Run.cs | 0
.../RunReasonExtensions.cs | 0
.../RunStateMachine.cs | 0
.../RunStatsBuilder.cs | 0
.../StellaOps.Scheduler.Models/Schedule.cs | 0
.../SchedulerSchemaMigration.cs | 0
.../SchedulerSchemaMigrationResult.cs | 0
.../SchedulerSchemaVersions.cs | 0
.../StellaOps.Scheduler.Models/Selector.cs | 0
.../StellaOps.Scheduler.Models.csproj | 0
.../StellaOps.Scheduler.Models/TASKS.md | 14 +-
.../StellaOps.Scheduler.Models/Validation.cs | 0
.../docs/SCHED-MODELS-16-103-DESIGN.md | 0
.../docs/SCHED-MODELS-20-001-POLICY-RUNS.md | 296 +-
.../docs/SCHED-MODELS-21-001-GRAPH-JOBS.md | 214 +-
.../StellaOps.Scheduler.Queue/AGENTS.md | 0
.../StellaOps.Scheduler.Queue/AssemblyInfo.cs | 0
.../ISchedulerQueueTransportDiagnostics.cs | 18 +-
.../Nats/INatsSchedulerQueuePayload.cs | 52 +-
.../Nats/NatsSchedulerPlannerQueue.cs | 132 +-
.../Nats/NatsSchedulerQueueBase.cs | 1384 +-
.../Nats/NatsSchedulerQueueLease.cs | 202 +-
.../Nats/NatsSchedulerRunnerQueue.cs | 148 +-
.../StellaOps.Scheduler.Queue/README.md | 0
.../Redis/IRedisSchedulerQueuePayload.cs | 0
.../Redis/RedisSchedulerPlannerQueue.cs | 0
.../Redis/RedisSchedulerQueueBase.cs | 0
.../Redis/RedisSchedulerQueueLease.cs | 0
.../Redis/RedisSchedulerRunnerQueue.cs | 0
.../SchedulerQueueContracts.cs | 0
.../SchedulerQueueFields.cs | 0
.../SchedulerQueueHealthCheck.cs | 144 +-
.../SchedulerQueueMetrics.cs | 0
.../SchedulerQueueOptions.cs | 0
...hedulerQueueServiceCollectionExtensions.cs | 0
.../SchedulerQueueTransportKind.cs | 0
.../StellaOps.Scheduler.Queue.csproj | 42 +-
.../StellaOps.Scheduler.Queue/TASKS.md | 0
.../AGENTS.md | 0
.../Documents/RunSummaryDocument.cs | 176 +-
.../Internal/SchedulerMongoContext.cs | 0
.../Internal/SchedulerMongoInitializer.cs | 0
.../SchedulerMongoInitializerHostedService.cs | 0
.../EnsureSchedulerCollectionsMigration.cs | 0
.../EnsureSchedulerIndexesMigration.cs | 0
.../Migrations/ISchedulerMongoMigration.cs | 0
.../SchedulerMongoMigrationRecord.cs | 0
.../SchedulerMongoMigrationRunner.cs | 0
.../Options/SchedulerMongoOptions.cs | 0
.../Projections/RunSummaryProjection.cs | 72 +-
.../Properties/AssemblyInfo.cs | 0
.../README.md | 0
.../Repositories/AuditQueryOptions.cs | 64 +-
.../Repositories/AuditRepository.cs | 198 +-
.../Repositories/GraphJobRepository.cs | 400 +-
.../Repositories/IAuditRepository.cs | 36 +-
.../Repositories/IGraphJobRepository.cs | 64 +-
.../Repositories/IImpactSnapshotRepository.cs | 44 +-
.../Repositories/IPolicyRunJobRepository.cs | 96 +-
.../Repositories/IRunRepository.cs | 70 +-
.../Repositories/IRunSummaryRepository.cs | 38 +-
.../Repositories/IScheduleRepository.cs | 64 +-
.../Repositories/ImpactSnapshotRepository.cs | 188 +-
.../Repositories/PolicyRunJobRepository.cs | 498 +-
.../Repositories/RunQueryOptions.cs | 70 +-
.../Repositories/RunRepository.cs | 352 +-
.../Repositories/RunSummaryRepository.cs | 158 +-
.../Repositories/ScheduleQueryOptions.cs | 44 +-
.../Repositories/ScheduleRepository.cs | 360 +-
.../AuditRecordDocumentMapper.cs | 46 +-
.../BsonDocumentJsonExtensions.cs | 288 +-
.../Serialization/GraphJobDocumentMapper.cs | 250 +-
.../Serialization/ImpactSetDocumentMapper.cs | 114 +-
.../PolicyRunJobDocumentMapper.cs | 46 +-
.../Serialization/RunDocumentMapper.cs | 46 +-
.../Serialization/ScheduleDocumentMapper.cs | 50 +-
.../ServiceCollectionExtensions.cs | 0
.../Services/IRunSummaryService.cs | 40 +-
.../Services/ISchedulerAuditService.cs | 20 +-
.../Services/RunSummaryService.cs | 408 +-
.../Services/SchedulerAuditEvent.cs | 36 +-
.../Services/SchedulerAuditService.cs | 124 +-
.../Sessions/ISchedulerMongoSessionFactory.cs | 36 +-
.../Sessions/SchedulerMongoSessionFactory.cs | 64 +-
.../Sessions/SchedulerMongoSessionOptions.cs | 38 +-
.../StellaOps.Scheduler.Storage.Mongo.csproj | 38 +-
.../TASKS.md | 0
.../StellaOps.Scheduler.Worker/AGENTS.md | 0
...edulerWorkerServiceCollectionExtensions.cs | 204 +-
.../Events/SchedulerEventPublisher.cs | 0
.../Execution/HttpScannerReportClient.cs | 0
.../Execution/RunnerBackgroundService.cs | 0
.../Execution/RunnerExecutionService.cs | 0
.../Execution/ScannerReportClient.cs | 0
.../HttpCartographerBuildClient.cs | 468 +-
.../HttpCartographerOverlayClient.cs | 454 +-
.../Cartographer/ICartographerBuildClient.cs | 34 +-
.../ICartographerOverlayClient.cs | 32 +-
.../Graph/GraphBuildBackgroundService.cs | 258 +-
.../Graph/GraphBuildExecutionService.cs | 454 +-
.../Graph/GraphOverlayBackgroundService.cs | 256 +-
.../Graph/GraphOverlayExecutionService.cs | 416 +-
.../Scheduler/HttpGraphJobCompletionClient.cs | 198 +-
.../Scheduler/IGraphJobCompletionClient.cs | 42 +-
.../StellaOps.Scheduler.Worker/ImpactShard.cs | 0
.../ImpactShardPlanner.cs | 0
.../ImpactTargetingService.cs | 0
.../Observability/SchedulerWorkerMetrics.cs | 472 +-
.../Options/SchedulerWorkerOptions.cs | 1298 +-
.../Planning/PlannerBackgroundService.cs | 0
.../Planning/PlannerExecutionResult.cs | 0
.../Planning/PlannerExecutionService.cs | 0
.../Planning/PlannerQueueDispatchService.cs | 0
...PlannerQueueDispatcherBackgroundService.cs | 0
.../Policy/HttpPolicyRunClient.cs | 308 +-
.../Policy/IPolicyRunClient.cs | 20 +-
.../Policy/IPolicyRunTargetingService.cs | 20 +-
.../PolicyRunDispatchBackgroundService.cs | 376 +-
.../Policy/PolicyRunExecutionResult.cs | 66 +-
.../Policy/PolicyRunExecutionService.cs | 496 +-
.../Policy/PolicyRunSubmissionResult.cs | 56 +-
.../Policy/PolicyRunTargetingResult.cs | 50 +-
.../Policy/PolicyRunTargetingService.cs | 910 +-
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Scheduler.Worker.csproj | 7 +-
.../StellaOps.Scheduler.Worker/TASKS.md | 2 +-
.../docs/SCHED-WORKER-16-201-PLANNER.md | 0
.../SCHED-WORKER-16-202-IMPACT-TARGETING.md | 0
.../docs/SCHED-WORKER-16-203-RUNNER.md | 0
.../docs/SCHED-WORKER-16-204-EVENTS.md | 0
.../docs/SCHED-WORKER-16-205-OBSERVABILITY.md | 0
.../docs/SCHED-WORKER-20-301-POLICY-RUNS.md | 78 +-
...ED-WORKER-20-302-POLICY-DELTA-TARGETING.md | 154 +-
.../docs/SCHED-WORKER-21-201-GRAPH-BUILD.md | 2 +-
.../docs/SCHED-WORKER-21-202-GRAPH-OVERLAY.md | 2 +-
.../FixtureImpactIndexTests.cs | 284 +-
.../RoaringImpactIndexTests.cs | 390 +-
...ellaOps.Scheduler.ImpactIndex.Tests.csproj | 9 +-
.../AuditRecordTests.cs | 0
.../GraphJobStateMachineTests.cs | 342 +-
.../ImpactSetTests.cs | 0
.../PolicyRunModelsTests.cs | 166 +-
.../RescanDeltaEventSampleTests.cs | 0
.../RunStateMachineTests.cs | 0
.../RunValidationTests.cs | 0
.../SamplePayloadTests.cs | 0
.../ScheduleSerializationTests.cs | 0
.../SchedulerSchemaMigrationTests.cs | 0
.../StellaOps.Scheduler.Models.Tests.csproj | 37 +-
.../PlannerAndRunnerMessageTests.cs | 0
.../RedisSchedulerQueueTests.cs | 0
...erQueueServiceCollectionExtensionsTests.cs | 230 +-
.../StellaOps.Scheduler.Queue.Tests.csproj | 7 +-
.../GlobalUsings.cs | 0
.../SchedulerMongoRoundTripTests.cs | 0
.../SchedulerMongoMigrationTests.cs | 0
.../Repositories/AuditRepositoryTests.cs | 120 +-
.../ImpactSnapshotRepositoryTests.cs | 82 +-
.../Repositories/RunRepositoryTests.cs | 152 +-
.../Repositories/ScheduleRepositoryTests.cs | 148 +-
.../SchedulerMongoTestHarness.cs | 72 +-
.../Services/RunSummaryServiceTests.cs | 232 +-
.../Services/SchedulerAuditServiceTests.cs | 164 +-
.../SchedulerMongoSessionFactoryTests.cs | 70 +-
...laOps.Scheduler.Storage.Mongo.Tests.csproj | 7 +-
.../TestDataFactory.cs | 196 +-
.../CartographerWebhookClientTests.cs | 280 +-
.../EventWebhookEndpointTests.cs | 256 +-
.../GlobalUsings.cs | 12 +-
.../GraphJobEndpointTests.cs | 220 +-
.../GraphJobEventPublisherTests.cs | 302 +-
.../PolicyRunEndpointTests.cs | 142 +-
.../RunEndpointTests.cs | 208 +-
.../ScheduleEndpointTests.cs | 176 +-
.../SchedulerPluginHostFactoryTests.cs | 146 +-
.../SchedulerWebApplicationFactory.cs | 92 +-
...tellaOps.Scheduler.WebService.Tests.csproj | 5 +-
.../GlobalUsings.cs | 10 +-
.../GraphBuildExecutionServiceTests.cs | 486 +-
.../GraphOverlayExecutionServiceTests.cs | 474 +-
.../HttpScannerReportClientTests.cs | 0
.../ImpactShardPlannerTests.cs | 0
.../ImpactTargetingServiceTests.cs | 0
.../PlannerBackgroundServiceTests.cs | 822 +-
.../PlannerExecutionServiceTests.cs | 0
.../PlannerQueueDispatchServiceTests.cs | 0
.../PolicyRunExecutionServiceTests.cs | 656 +-
.../PolicyRunTargetingServiceTests.cs | 510 +-
.../RunnerExecutionServiceTests.cs | 0
.../SchedulerEventPublisherTests.cs | 0
.../StellaOps.Scheduler.Worker.Tests.csproj | 11 +-
.../StellaOps.Sdk.Generator/AGENTS.md | 30 +-
.../StellaOps.Sdk.Generator/TASKS.md | 42 +-
src/{ => Sdk}/StellaOps.Sdk.Release/AGENTS.md | 30 +-
src/{ => Sdk}/StellaOps.Sdk.Release/TASKS.md | 26 +-
src/Signals/StellaOps.Signals.sln | 118 +
src/{ => Signals}/StellaOps.Signals/AGENTS.md | 22 +-
.../AnonymousAuthenticationHandler.cs | 58 +-
.../Authentication/HeaderScopeAuthorizer.cs | 122 +-
.../Authentication/TokenScopeAuthorizer.cs | 82 +-
.../Hosting/SignalsStartupState.cs | 24 +-
.../Models/CallgraphArtifactMetadata.cs | 42 +-
.../Models/CallgraphDocument.cs | 82 +-
.../StellaOps.Signals/Models/CallgraphEdge.cs | 18 +-
.../Models/CallgraphIngestRequest.cs | 32 +-
.../Models/CallgraphIngestResponse.cs | 18 +-
.../StellaOps.Signals/Models/CallgraphNode.cs | 24 +-
.../Options/SignalsArtifactStorageOptions.cs | 52 +-
.../Options/SignalsAuthorityOptions.cs | 202 +-
.../SignalsAuthorityOptionsConfigurator.cs | 76 +-
.../Options/SignalsMongoOptions.cs | 90 +-
.../Options/SignalsOptions.cs | 74 +-
.../Parsing/CallgraphParseResult.cs | 24 +-
.../CallgraphParserNotFoundException.cs | 34 +-
.../CallgraphParserValidationException.cs | 28 +-
.../Parsing/ICallgraphParser.cs | 42 +-
.../Parsing/ICallgraphParserResolver.cs | 90 +-
.../Parsing/SimpleJsonCallgraphParser.cs | 238 +-
.../Persistence/ICallgraphRepository.cs | 26 +-
.../Persistence/MongoCallgraphRepository.cs | 96 +-
.../StellaOps.Signals/Program.cs | 626 +-
.../Routing/SignalsPolicies.cs | 44 +-
.../Services/CallgraphIngestionService.cs | 324 +-
.../Services/ICallgraphIngestionService.cs | 32 +-
.../StellaOps.Signals.csproj | 9 +-
.../FileSystemCallgraphArtifactStore.cs | 120 +-
.../Storage/ICallgraphArtifactStore.cs | 28 +-
.../Models/CallgraphArtifactSaveRequest.cs | 24 +-
.../Storage/Models/StoredCallgraphArtifact.cs | 20 +-
src/{ => Signals}/StellaOps.Signals/TASKS.md | 26 +-
src/Signer/StellaOps.Signer.sln | 182 +
src/{ => Signer}/StellaOps.Signer/AGENTS.md | 42 +-
.../SignerAbstractions.cs | 0
.../StellaOps.Signer.Core/SignerContracts.cs | 0
.../StellaOps.Signer.Core/SignerExceptions.cs | 0
.../StellaOps.Signer.Core/SignerPipeline.cs | 0
.../SignerStatementBuilder.cs | 0
.../StellaOps.Signer.Core.csproj | 0
.../Auditing/InMemorySignerAuditSink.cs | 0
.../Options/SignerCryptoOptions.cs | 0
.../Options/SignerEntitlementOptions.cs | 0
.../SignerReleaseVerificationOptions.cs | 0
.../InMemoryProofOfEntitlementIntrospector.cs | 0
.../Quotas/InMemoryQuotaService.cs | 0
.../DefaultReleaseIntegrityVerifier.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../Signing/HmacDsseSigner.cs | 0
.../StellaOps.Signer.Infrastructure.csproj | 40 +-
.../SignerEndpointsTests.cs | 254 +-
.../StellaOps.Signer.Tests.csproj | 9 +-
.../Contracts/SignDsseContracts.cs | 0
.../Endpoints/SignerEndpoints.cs | 0
.../StellaOps.Signer.WebService/Program.cs | 0
.../StubBearerAuthenticationDefaults.cs | 12 +-
.../StubBearerAuthenticationHandler.cs | 110 +-
.../StellaOps.Signer.WebService.csproj | 15 +-
.../StellaOps.Signer/StellaOps.Signer.sln | 0
src/{ => Signer}/StellaOps.Signer/TASKS.md | 20 +-
.../StellaOps.Aoc.Tests.csproj | 41 -
.../StellaOps.Bench.ScannerAnalyzers.csproj | 23 -
.../StellaOps.Cartographer.csproj | 17 -
.../StellaOps.Cli.Tests.csproj | 29 -
...aOps.Concelier.Connector.Acsc.Tests.csproj | 19 -
...ps.Concelier.Connector.CertFr.Tests.csproj | 16 -
...ps.Concelier.Connector.CertIn.Tests.csproj | 16 -
...laOps.Concelier.Connector.Cve.Tests.csproj | 17 -
...elier.Connector.Distro.Debian.Tests.csproj | 13 -
...elier.Connector.Distro.RedHat.Tests.csproj | 18 -
...ncelier.Connector.Distro.Suse.Tests.csproj | 18 -
...elier.Connector.Distro.Ubuntu.Tests.csproj | 18 -
...aOps.Concelier.Connector.Ghsa.Tests.csproj | 17 -
....Concelier.Connector.Ics.Cisa.Tests.csproj | 16 -
...elier.Connector.Ics.Kaspersky.Tests.csproj | 16 -
...laOps.Concelier.Connector.Jvn.Tests.csproj | 16 -
...laOps.Concelier.Connector.Kev.Tests.csproj | 19 -
...laOps.Concelier.Connector.Nvd.Tests.csproj | 18 -
...laOps.Concelier.Connector.Osv.Tests.csproj | 18 -
...ps.Concelier.Connector.Ru.Bdu.Tests.csproj | 13 -
....Concelier.Connector.Ru.Nkcki.Tests.csproj | 13 -
...oncelier.Connector.Vndr.Adobe.Tests.csproj | 17 -
...oncelier.Connector.Vndr.Apple.Tests.csproj | 18 -
...elier.Connector.Vndr.Chromium.Tests.csproj | 18 -
...oncelier.Connector.Vndr.Cisco.Tests.csproj | 17 -
...Concelier.Connector.Vndr.Msrc.Tests.csproj | 24 -
...ncelier.Connector.Vndr.Oracle.Tests.csproj | 17 -
...ncelier.Connector.Vndr.Vmware.Tests.csproj | 18 -
.../StellaOps.Concelier.Core.Tests.csproj | 12 -
...laOps.Concelier.Exporter.Json.Tests.csproj | 13 -
...ps.Concelier.Exporter.TrivyDb.Tests.csproj | 13 -
.../StellaOps.Concelier.Merge.Tests.csproj | 13 -
...laOps.Concelier.Normalization.Tests.csproj | 11 -
...laOps.Concelier.Storage.Mongo.Tests.csproj | 15 -
...tellaOps.Concelier.WebService.Tests.csproj | 13 -
.../StellaOps.Concelier.WebService.csproj | 37 -
src/StellaOps.Concelier.sln | 1000 -
.../StellaOps.Configuration.Tests.csproj | 11 -
.../StellaOps.Excititor.Core.Tests.csproj | 15 -
...laOps.Excititor.Storage.Mongo.Tests.csproj | 15 -
.../StellaOps.Excititor.WebService.csproj | 22 -
.../StellaOps.Excititor.Worker.csproj | 24 -
.../xunit.runner.json | 3 -
.../TASKS.md | 2 -
.../TASKS.md | 2 -
.../TASKS.md | 2 -
src/StellaOps.Notify.Models/TASKS.md | 2 -
.../StellaOps.Notify.WebService.csproj | 27 -
src/StellaOps.Notify.WebService/TASKS.md | 2 -
.../xunit.runner.json | 3 -
.../xunit.runner.json | 3 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 9 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 8 -
.../StellaOps.Policy.Engine.csproj | 19 -
.../StellaOps.Policy.Gateway.csproj | 22 -
...ellaOps.Registry.TokenService.Tests.csproj | 28 -
.../xunit.runner.json | 3 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 9 -
.../xunit.runner.json | 3 -
.../Program.cs | 41 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 9 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 8 -
.../app/node_modules/left-pad/package.json | 5 -
.../app/node_modules/lib/package.json | 5 -
.../app/node_modules/shared/package.json | 5 -
.../StellaOps.Scanner.Core.Tests.csproj | 15 -
.../StellaOps.Scanner.WebService.csproj | 33 -
.../StellaOps.Scheduler.WebService.csproj | 15 -
.../xunit.runner.json | 3 -
.../Program.cs | 41 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 9 -
.../appsettings.Development.json | 8 -
.../xunit.runner.json | 3 -
.../Program.cs | 41 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 9 -
.../appsettings.Development.json | 8 -
.../appsettings.json | 8 -
.../StellaOps.Zastava.Core.Tests.csproj | 14 -
src/StellaOps.sln | 5292 +--
src/TaskRunner/StellaOps.TaskRunner.sln | 99 +
.../StellaOps.TaskRunner/AGENTS.md | 34 +-
.../Execution/IPackRunApprovalStore.cs | 20 +-
.../Execution/IPackRunJobDispatcher.cs | 12 +-
.../IPackRunNotificationPublisher.cs | 16 +-
.../Execution/PackRunApprovalCoordinator.cs | 354 +-
.../Execution/PackRunApprovalState.cs | 168 +-
.../Execution/PackRunApprovalStatus.cs | 18 +-
.../Execution/PackRunExecutionContext.cs | 44 +-
.../Execution/PackRunProcessor.cs | 168 +-
.../Execution/PackRunProcessorResult.cs | 10 +-
.../Expressions/TaskPackExpressions.cs | 1192 +-
.../Planning/TaskPackPlan.cs | 190 +-
.../Planning/TaskPackPlanHasher.cs | 224 +-
.../Planning/TaskPackPlanInsights.cs | 370 +-
.../Planning/TaskPackPlanner.cs | 862 +-
.../Serialization/CanonicalJson.cs | 136 +-
.../StellaOps.TaskRunner.Core.csproj | 44 +-
.../TaskPacks/TaskPackManifest.cs | 500 +-
.../TaskPacks/TaskPackManifestLoader.cs | 336 +-
.../TaskPacks/TaskPackManifestValidator.cs | 470 +-
.../Execution/FilePackRunApprovalStore.cs | 236 +-
.../Execution/FilesystemPackRunDispatcher.cs | 184 +-
.../HttpPackRunNotificationPublisher.cs | 146 +-
.../LoggingPackRunNotificationPublisher.cs | 68 +-
.../Execution/NoopPackRunJobDispatcher.cs | 18 +-
.../Execution/NotificationOptions.cs | 16 +-
...StellaOps.TaskRunner.Infrastructure.csproj | 50 +-
.../PackRunApprovalCoordinatorTests.cs | 190 +-
.../PackRunProcessorTests.cs | 170 +-
.../StellaOps.TaskRunner.Tests.csproj | 270 +-
.../TaskPackPlannerTests.cs | 354 +-
.../TestManifests.cs | 330 +-
.../xunit.runner.json | 3 +
.../Program.cs | 41 +
.../Properties/launchSettings.json | 46 +-
.../StellaOps.TaskRunner.WebService.csproj | 82 +-
.../StellaOps.TaskRunner.WebService.http | 12 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 9 +
.../StellaOps.TaskRunner.Worker/Program.cs | 84 +-
.../Properties/launchSettings.json | 24 +-
.../Services/PackRunWorkerOptions.cs | 24 +-
.../Services/PackRunWorkerService.cs | 98 +-
.../StellaOps.TaskRunner.Worker.csproj | 86 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 36 +-
.../StellaOps.TaskRunner.sln | 180 +-
.../StellaOps.TaskRunner/TASKS.md | 102 +-
.../StellaOps.Telemetry.Core/AGENTS.md | 42 +-
.../StellaOps.Telemetry.Core/TASKS.md | 46 +-
.../StellaOps.TimelineIndexer.sln | 99 +
.../StellaOps.TimelineIndexer/AGENTS.md | 56 +-
.../StellaOps.TimelineIndexer.Core/Class1.cs | 12 +-
.../StellaOps.TimelineIndexer.Core.csproj | 36 +-
.../Class1.cs | 12 +-
...aOps.TimelineIndexer.Infrastructure.csproj | 56 +-
.../StellaOps.TimelineIndexer.Tests.csproj | 270 +-
.../UnitTest1.cs | 20 +-
.../xunit.runner.json | 3 +
.../Program.cs | 41 +
.../Properties/launchSettings.json | 46 +-
...tellaOps.TimelineIndexer.WebService.csproj | 82 +-
.../StellaOps.TimelineIndexer.WebService.http | 12 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 9 +
.../Program.cs | 14 +-
.../Properties/launchSettings.json | 24 +-
.../StellaOps.TimelineIndexer.Worker.csproj | 86 +-
.../Worker.cs | 32 +-
.../appsettings.Development.json | 8 +
.../appsettings.json | 8 +
.../StellaOps.TimelineIndexer.sln | 180 +-
.../StellaOps.TimelineIndexer/TASKS.md | 28 +-
src/{ => UI}/StellaOps.UI/TASKS.md | 190 +-
src/{ => VexLens}/StellaOps.VexLens/AGENTS.md | 4 +-
src/{ => VexLens}/StellaOps.VexLens/TASKS.md | 68 +-
.../StellaOps.VulnExplorer.Api/AGENTS.md | 4 +-
.../StellaOps.VulnExplorer.Api/TASKS.md | 28 +-
src/{ => Web}/StellaOps.Web/.editorconfig | 0
src/{ => Web}/StellaOps.Web/.gitignore | 6 +-
src/{ => Web}/StellaOps.Web/AGENTS.md | 48 +-
src/{ => Web}/StellaOps.Web/README.md | 0
src/{ => Web}/StellaOps.Web/TASKS.md | 358 +-
src/{ => Web}/StellaOps.Web/angular.json | 0
.../docs/DeterministicInstall.md | 2 +-
.../StellaOps.Web/docs/TrivyDbSettings.md | 74 +-
src/{ => Web}/StellaOps.Web/karma.conf.cjs | 126 +-
src/{ => Web}/StellaOps.Web/package-lock.json | 27392 ++++++++--------
src/{ => Web}/StellaOps.Web/package.json | 0
.../StellaOps.Web/playwright.config.ts | 44 +-
.../StellaOps.Web/scripts/chrome-path.js | 266 +-
.../StellaOps.Web/scripts/verify-chromium.js | 48 +-
.../StellaOps.Web/src/app/app.component.html | 92 +-
.../StellaOps.Web/src/app/app.component.scss | 224 +-
.../src/app/app.component.spec.ts | 70 +-
.../StellaOps.Web/src/app/app.component.ts | 128 +-
.../StellaOps.Web/src/app/app.config.ts | 162 +-
.../StellaOps.Web/src/app/app.routes.ts | 96 +-
.../app/core/api/authority-console.client.ts | 226 +-
.../app/core/api/concelier-exporter.client.ts | 102 +-
.../src/app/core/api/notify.client.ts | 284 +-
.../src/app/core/api/notify.models.ts | 388 +-
.../src/app/core/api/policy-preview.models.ts | 0
.../src/app/core/api/scanner.models.ts | 34 +-
.../app/core/auth/auth-http.interceptor.ts | 342 +-
.../src/app/core/auth/auth-session.model.ts | 112 +-
.../app/core/auth/auth-session.store.spec.ts | 110 +-
.../src/app/core/auth/auth-session.store.ts | 258 +-
.../src/app/core/auth/auth-storage.service.ts | 90 +-
.../app/core/auth/authority-auth.service.ts | 1244 +-
.../src/app/core/auth/dpop/dpop-key-store.ts | 362 +-
.../app/core/auth/dpop/dpop.service.spec.ts | 206 +-
.../src/app/core/auth/dpop/dpop.service.ts | 296 +-
.../src/app/core/auth/dpop/jose-utilities.ts | 246 +-
.../src/app/core/auth/pkce.util.ts | 48 +-
.../src/app/core/config/app-config.model.ts | 98 +-
.../src/app/core/config/app-config.service.ts | 198 +-
.../console/console-session.service.spec.ts | 278 +-
.../core/console/console-session.service.ts | 322 +-
.../console/console-session.store.spec.ts | 246 +-
.../app/core/console/console-session.store.ts | 256 +-
.../orchestrator/operator-context.service.ts | 70 +-
.../operator-metadata.interceptor.ts | 82 +-
.../features/auth/auth-callback.component.ts | 122 +-
.../console/console-profile.component.html | 416 +-
.../console/console-profile.component.scss | 440 +-
.../console/console-profile.component.spec.ts | 220 +-
.../console/console-profile.component.ts | 140 +-
.../notify/notify-panel.component.html | 688 +-
.../notify/notify-panel.component.scss | 772 +-
.../notify/notify-panel.component.spec.ts | 132 +-
.../features/notify/notify-panel.component.ts | 1284 +-
.../scan-attestation-panel.component.html | 78 +-
.../scan-attestation-panel.component.scss | 150 +-
.../scan-attestation-panel.component.spec.ts | 110 +-
.../scans/scan-attestation-panel.component.ts | 84 +-
.../scans/scan-detail-page.component.html | 104 +-
.../scans/scan-detail-page.component.scss | 158 +-
.../scans/scan-detail-page.component.spec.ts | 100 +-
.../scans/scan-detail-page.component.ts | 124 +-
.../trivy-db-settings-page.component.html | 216 +-
.../trivy-db-settings-page.component.scss | 460 +-
.../trivy-db-settings-page.component.spec.ts | 188 +-
.../trivy-db-settings-page.component.ts | 270 +-
.../app/testing/mock-notify-api.service.ts | 580 +-
.../src/app/testing/notify-fixtures.ts | 514 +-
.../src/app/testing/policy-fixtures.spec.ts | 108 +-
.../src/app/testing/policy-fixtures.ts | 46 +-
.../src/app/testing/scan-fixtures.ts | 60 +-
.../StellaOps.Web/src/assets/.gitkeep | 0
.../StellaOps.Web/src/config/config.json | 52 +-
.../src/config/config.sample.json | 52 +-
src/{ => Web}/StellaOps.Web/src/favicon.ico | Bin
src/{ => Web}/StellaOps.Web/src/index.html | 0
src/{ => Web}/StellaOps.Web/src/main.ts | 0
src/{ => Web}/StellaOps.Web/src/styles.scss | 0
.../StellaOps.Web/test-results/.last-run.json | 6 +-
.../StellaOps.Web/tests/e2e/auth.spec.ts | 158 +-
src/{ => Web}/StellaOps.Web/tsconfig.app.json | 0
src/{ => Web}/StellaOps.Web/tsconfig.json | 0
.../StellaOps.Web/tsconfig.spec.json | 0
.../Backend/IRuntimePolicyClient.cs | 0
.../Backend/RuntimeEventsClient.cs | 0
.../Backend/RuntimePolicyClient.cs | 0
.../Backend/RuntimePolicyContracts.cs | 0
.../Backend/RuntimePolicyException.cs | 0
.../Configuration/ZastavaObserverOptions.cs | 190 +-
.../ContainerRuntime/ContainerStateTracker.cs | 268 +-
.../ContainerStateTrackerFactory.cs | 0
.../ContainerRuntime/Cri/CriConversions.cs | 134 +-
.../ContainerRuntime/Cri/CriModels.cs | 58 +-
.../ContainerRuntime/Cri/CriRuntimeClient.cs | 356 +-
.../Cri/CriRuntimeClientFactory.cs | 52 +-
.../ObserverServiceCollectionExtensions.cs | 0
.../Posture/IRuntimePostureCache.cs | 0
.../Posture/IRuntimePostureEvaluator.cs | 0
.../Posture/RuntimePostureCache.cs | 0
.../Posture/RuntimePostureCacheEntry.cs | 0
.../Posture/RuntimePostureEvaluationResult.cs | 0
.../Posture/RuntimePostureEvaluator.cs | 0
.../StellaOps.Zastava.Observer/Program.cs | 8 +-
.../Properties/AssemblyInfo.cs | 0
.../Protos/runtime/v1/runtime.proto | 3710 +--
.../Runtime/ElfBuildIdReader.cs | 0
.../Runtime/RuntimeEventBuffer.cs | 0
.../Runtime/RuntimeProcessCollector.cs | 0
.../StellaOps.Zastava.Observer.csproj | 48 +-
.../StellaOps.Zastava.Observer/TASKS.md | 0
.../Worker/BackoffCalculator.cs | 0
.../Worker/ContainerLifecycleHostedService.cs | 0
.../Worker/ContainerRuntimePoller.cs | 0
.../Worker/ObserverBootstrapService.cs | 102 +-
.../Worker/RuntimeEventDispatchService.cs | 0
.../Worker/RuntimeEventFactory.cs | 0
.../Admission/AdmissionEndpoint.cs | 0
.../Admission/AdmissionRequestContext.cs | 0
.../Admission/AdmissionResponseBuilder.cs | 0
.../Admission/AdmissionReviewModels.cs | 0
.../Admission/AdmissionReviewParser.cs | 0
.../Admission/ImageDigestResolver.cs | 0
.../RuntimeAdmissionPolicyService.cs | 0
.../Admission/RuntimePolicyCache.cs | 0
.../Authority/AuthorityTokenProvider.cs | 102 +-
.../Backend/IRuntimePolicyClient.cs | 18 +-
.../Backend/RuntimePolicyClient.cs | 230 +-
.../Backend/RuntimePolicyException.cs | 42 +-
.../Backend/RuntimePolicyRequest.cs | 32 +-
.../Backend/RuntimePolicyResponse.cs | 62 +-
.../Certificates/CsrCertificateSource.cs | 0
.../IWebhookCertificateProvider.cs | 0
.../SecretFileCertificateSource.cs | 0
.../WebhookCertificateHealthCheck.cs | 0
.../Configuration/ZastavaWebhookOptions.cs | 0
.../ServiceCollectionExtensions.cs | 0
.../WebhookRuntimeOptionsPostConfigure.cs | 104 +-
.../Hosting/StartupValidationHostedService.cs | 0
.../IMPLEMENTATION_PLAN.md | 0
.../StellaOps.Zastava.Webhook/Program.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
.../StellaOps.Zastava.Webhook.csproj | 5 +-
.../StellaOps.Zastava.Webhook/TASKS.md | 0
src/Zastava/StellaOps.Zastava.sln | 199 +
.../Configuration/ZastavaAuthorityOptions.cs | 136 +-
.../Configuration/ZastavaRuntimeOptions.cs | 168 +-
.../Contracts/AdmissionDecision.cs | 0
.../Contracts/RuntimeEvent.cs | 0
.../Contracts/ZastavaContractVersions.cs | 0
.../ZastavaServiceCollectionExtensions.cs | 196 +-
.../Diagnostics/ZastavaLogScopeBuilder.cs | 180 +-
...ZastavaLoggerFactoryOptionsConfigurator.cs | 60 +-
.../Diagnostics/ZastavaRuntimeMetrics.cs | 156 +-
.../StellaOps.Zastava.Core/GlobalUsings.cs | 0
.../Hashing/ZastavaHashing.cs | 0
.../Properties/AssemblyInfo.cs | 6 +-
.../IZastavaAuthorityTokenProvider.cs | 28 +-
.../Security/ZastavaAuthorityTokenProvider.cs | 628 +-
.../Security/ZastavaOperationalToken.cs | 140 +-
.../ZastavaCanonicalJsonSerializer.cs | 0
.../StellaOps.Zastava.Core.csproj | 7 +-
.../StellaOps.Zastava.Core/TASKS.md | 0
.../Contracts/ZastavaContractVersionsTests.cs | 0
...ZastavaServiceCollectionExtensionsTests.cs | 244 +-
.../ZastavaAuthorityTokenProviderTests.cs | 456 +-
.../ZastavaCanonicalJsonSerializerTests.cs | 390 +-
.../StellaOps.Zastava.Core.Tests.csproj | 15 +
.../ContainerRuntimePollerTests.cs | 0
.../Posture/RuntimePostureEvaluatorTests.cs | 0
.../Runtime/ElfBuildIdReaderTests.cs | 0
.../Runtime/RuntimeEventBufferTests.cs | 0
.../Runtime/RuntimeProcessCollectorTests.cs | 0
.../StellaOps.Zastava.Observer.Tests.csproj | 5 +-
.../TestSupport/ElfTestFileBuilder.cs | 0
.../Worker/RuntimeEventFactoryTests.cs | 148 +-
.../AdmissionResponseBuilderTests.cs | 0
.../Admission/AdmissionReviewParserTests.cs | 0
.../RuntimeAdmissionPolicyServiceTests.cs | 0
.../Backend/RuntimePolicyClientTests.cs | 396 +-
.../SecretFileCertificateSourceTests.cs | 0
.../WebhookCertificateProviderTests.cs | 0
.../StellaOps.Zastava.Webhook.Tests.csproj | 5 +-
.../Dpop/DpopNonceConsumeResult.cs | 0
.../Dpop/DpopNonceIssueResult.cs | 0
.../Dpop/DpopNonceUtilities.cs | 0
.../Dpop/DpopProofValidator.cs | 0
.../Dpop/DpopValidationOptions.cs | 0
.../Dpop/DpopValidationResult.cs | 0
.../Dpop/IDpopNonceStore.cs | 0
.../Dpop/IDpopProofValidator.cs | 0
.../Dpop/IDpopReplayCache.cs | 0
.../Dpop/InMemoryDpopNonceStore.cs | 0
.../Dpop/InMemoryDpopReplayCache.cs | 0
.../Dpop/RedisDpopNonceStore.cs | 0
.../StellaOps.Auth.Security/README.md | 0
.../StellaOps.Auth.Security.csproj | 76 +-
.../AuthorityConfigurationDiagnostic.cs | 0
.../AuthorityPluginConfigurationAnalyzer.cs | 0
.../AuthorityPluginConfigurationLoader.cs | 0
.../AuthoritySigningAdditionalKeyOptions.cs | 0
.../AuthoritySigningOptions.cs | 0
.../StellaOps.Configuration.csproj | 7 +-
.../StellaOpsAuthorityConfiguration.cs | 0
.../StellaOpsAuthorityOptions.cs | 0
.../StellaOpsBootstrapOptions.cs | 0
.../StellaOpsConfigurationBootstrapper.cs | 0
.../StellaOpsConfigurationContext.cs | 0
.../StellaOpsConfigurationOptions.cs | 0
.../StellaOpsOptionsBinder.cs | 0
.../CryptoProviderRegistryOptions.cs | 0
.../CryptoServiceCollectionExtensions.cs | 0
...ps.Cryptography.DependencyInjection.csproj | 28 +-
.../StellaOps.Cryptography.Kms/AGENTS.md | 28 +-
.../StellaOps.Cryptography.Kms/TASKS.md | 26 +-
...CastleCryptoServiceCollectionExtensions.cs | 0
.../BouncyCastleEd25519CryptoProvider.cs | 0
...ps.Cryptography.Plugin.BouncyCastle.csproj | 32 +-
.../StellaOps.Cryptography/AGENTS.md | 44 +-
.../Argon2idPasswordHasher.Konscious.cs | 0
.../Argon2idPasswordHasher.Sodium.cs | 0
.../Argon2idPasswordHasher.cs | 0
.../Audit/AuthEventRecord.cs | 536 +-
.../StellaOps.Cryptography/CryptoProvider.cs | 0
.../CryptoProviderRegistry.cs | 0
.../CryptoSigningKey.cs | 0
.../DefaultCryptoProvider.cs | 0
.../StellaOps.Cryptography/EcdsaSigner.cs | 0
.../StellaOps.Cryptography/ICryptoSigner.cs | 0
.../LibsodiumCryptoProvider.cs | 0
.../PasswordHashAlgorithms.cs | 0
.../StellaOps.Cryptography/PasswordHashing.cs | 0
.../Pbkdf2PasswordHasher.cs | 0
.../SignatureAlgorithms.cs | 0
.../StellaOps.Cryptography.csproj | 32 +-
.../StellaOps.Cryptography/TASKS.md | 0
.../IDependencyInjectionRoutine.cs | 0
.../ServiceBindingAttribute.cs | 0
.../StellaOps.DependencyInjection.csproj | 26 +-
.../PluginDependencyInjectionExtensions.cs | 0
.../PluginServiceRegistration.cs | 0
.../StellaOpsPluginRegistration.cs | 0
.../Hosting/PluginAssembly.cs | 0
.../StellaOps.Plugin/Hosting/PluginHost.cs | 0
.../Hosting/PluginHostOptions.cs | 0
.../Hosting/PluginHostResult.cs | 0
.../Hosting/PluginLoadContext.cs | 0
.../Internal/ReflectionExtensions.cs | 0
.../StellaOps.Plugin/PluginContracts.cs | 0
.../Properties/AssemblyInfo.cs | 0
.../StellaOps.Plugin/StellaOps.Plugin.csproj | 3 +-
.../StellaOps.Plugin/TASKS.md | 8 +-
...AuthorityPluginConfigurationLoaderTests.cs | 0
.../AuthorityTelemetryTests.cs | 0
.../StellaOps.Configuration.Tests.csproj | 12 +
.../StellaOpsAuthorityOptionsTests.cs | 444 +-
.../Argon2idPasswordHasherTests.cs | 0
.../Audit/AuthEventRecordTests.cs | 114 +-
.../BouncyCastleEd25519CryptoProviderTests.cs | 0
.../CryptoProviderRegistryTests.cs | 0
.../DefaultCryptoProviderSigningTests.cs | 0
.../LibsodiumCryptoProviderTests.cs | 0
.../PasswordHashOptionsTests.cs | 0
.../Pbkdf2PasswordHasherTests.cs | 0
.../StellaOps.Cryptography.Tests.csproj | 33 +-
...luginDependencyInjectionExtensionsTests.cs | 0
.../PluginServiceRegistrationTests.cs | 0
.../StellaOps.Plugin.Tests.csproj | 7 +-
.../CallgraphIngestionTests.cs | 276 +-
.../SignalsApiTests.cs | 224 +-
.../StellaOps.Signals.Tests.csproj | 5 +-
.../TestInfrastructure/SignalsTestFactory.cs | 128 +-
tmp/docenv/pyvenv.cfg | 10 +-
tmp/reflect/Program.cs | 26 +-
tmp/reflect/reflect.csproj | 28 +-
tools/FixtureUpdater/FixtureUpdater.csproj | 40 +-
.../LanguageAnalyzerSmoke.csproj | 36 +-
tools/LanguageAnalyzerSmoke/Program.cs | 2 +-
.../NotifySmokeCheck/NotifySmokeCheck.csproj | 24 +-
tools/NotifySmokeCheck/Program.cs | 396 +-
.../PolicyDslValidator.csproj | 28 +-
tools/PolicyDslValidator/Program.cs | 112 +-
.../PolicySchemaExporter.csproj | 42 +-
tools/PolicySchemaExporter/Program.cs | 96 +-
.../PolicySimulationSmoke.csproj | 28 +-
tools/PolicySimulationSmoke/Program.cs | 582 +-
4103 files changed, 192899 insertions(+), 187024 deletions(-)
delete mode 100644 SPRINTS.md
delete mode 100644 SPRINTS_PRIOR_20251019.md
delete mode 100644 SPRINTS_PRIOR_20251021.md
delete mode 100644 SPRINTS_PRIOR_20251025.md
rename AGENTS.md => docs/implplan/AGENTS.md (100%)
rename EPIC_1.md => docs/implplan/EPIC_1.md (97%)
rename EPIC_10.md => docs/implplan/EPIC_10.md (99%)
rename EPIC_11.md => docs/implplan/EPIC_11.md (99%)
rename EPIC_12.md => docs/implplan/EPIC_12.md (69%)
rename EPIC_13.md => docs/implplan/EPIC_13.md (100%)
rename EPIC_14.md => docs/implplan/EPIC_14.md (100%)
rename EPIC_15.md => docs/implplan/EPIC_15.md (100%)
rename EPIC_16.md => docs/implplan/EPIC_16.md (98%)
rename EPIC_17.md => docs/implplan/EPIC_17.md (98%)
rename EPIC_18.md => docs/implplan/EPIC_18.md (98%)
rename EPIC_19.md => docs/implplan/EPIC_19.md (98%)
rename EPIC_2.md => docs/implplan/EPIC_2.md (97%)
rename EPIC_4.md => docs/implplan/EPIC_4.md (97%)
rename EPIC_5.md => docs/implplan/EPIC_5.md (97%)
rename EPIC_6.md => docs/implplan/EPIC_6.md (99%)
rename EPIC_7.md => docs/implplan/EPIC_7.md (99%)
rename EPIC_8.md => docs/implplan/EPIC_8.md (99%)
rename EPIC_9.md => docs/implplan/EPIC_9.md (98%)
rename EXECPLAN.md => docs/implplan/EXECPLAN.md (68%)
create mode 100644 docs/implplan/SPRINTS.md
create mode 100644 docs/implplan/SPRINTS_PRIOR_20251019.md
create mode 100644 docs/implplan/SPRINTS_PRIOR_20251021.md
create mode 100644 docs/implplan/SPRINTS_PRIOR_20251025.md
rename SPRINTS_PRIOR_20251027.md => docs/implplan/SPRINTS_PRIOR_20251027.md (57%)
create mode 100644 docs/implplan/SPRINTS_PRIOR_20251028.md
rename src/{ => AdvisoryAI}/StellaOps.AdvisoryAI/AGENTS.md (90%)
rename src/{ => AdvisoryAI}/StellaOps.AdvisoryAI/TASKS.md (99%)
rename src/{ => AirGap}/StellaOps.AirGap.Controller/AGENTS.md (98%)
rename src/{ => AirGap}/StellaOps.AirGap.Controller/TASKS.md (99%)
rename src/{ => AirGap}/StellaOps.AirGap.Importer/AGENTS.md (98%)
rename src/{ => AirGap}/StellaOps.AirGap.Importer/TASKS.md (99%)
rename src/{ => AirGap}/StellaOps.AirGap.Policy/AGENTS.md (98%)
rename src/{ => AirGap}/StellaOps.AirGap.Policy/TASKS.md (99%)
rename src/{ => AirGap}/StellaOps.AirGap.Time/AGENTS.md (97%)
rename src/{ => AirGap}/StellaOps.AirGap.Time/TASKS.md (99%)
create mode 100644 src/Aoc/StellaOps.Aoc.sln
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocForbiddenKeys.cs (96%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocGuardException.cs (96%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocGuardExtensions.cs (95%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocGuardOptions.cs (96%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocGuardResult.cs (97%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocViolation.cs (97%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocViolationCode.cs (96%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/AocWriteGuard.cs (97%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/ServiceCollectionExtensions.cs (96%)
rename src/{ => Aoc/__Libraries}/StellaOps.Aoc/StellaOps.Aoc.csproj (97%)
rename src/{ => Aoc/__Tests}/StellaOps.Aoc.Tests/AocWriteGuardTests.cs (96%)
create mode 100644 src/Aoc/__Tests/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj
rename src/{ => Aoc/__Tests}/StellaOps.Aoc.Tests/UnitTest1.cs (91%)
rename src/{StellaOps.Cli.Tests => Aoc/__Tests/StellaOps.Aoc.Tests}/xunit.runner.json (100%)
rename src/{ => Api}/StellaOps.Api.Governance/AGENTS.md (97%)
rename src/{ => Api}/StellaOps.Api.Governance/TASKS.md (92%)
rename src/{ => Api}/StellaOps.Api.OpenApi/AGENTS.md (78%)
rename src/{ => Api}/StellaOps.Api.OpenApi/TASKS.md (99%)
rename src/{ => Api}/StellaOps.Api.OpenApi/authority/openapi.yaml (97%)
rename src/{ => Attestor}/StellaOps.Attestor.Envelope/AGENTS.md (98%)
rename src/{ => Attestor}/StellaOps.Attestor.Envelope/TASKS.md (99%)
rename src/{ => Attestor}/StellaOps.Attestor.Types/AGENTS.md (97%)
rename src/{ => Attestor}/StellaOps.Attestor.Types/TASKS.md (99%)
rename src/{ => Attestor}/StellaOps.Attestor.Verify/AGENTS.md (98%)
rename src/{ => Attestor}/StellaOps.Attestor.Verify/TASKS.md (99%)
create mode 100644 src/Attestor/StellaOps.Attestor.sln
rename src/{ => Attestor}/StellaOps.Attestor/AGENTS.md (78%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Audit/AttestorAuditRecord.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Observability/AttestorMetrics.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Options/AttestorOptions.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/IRekorClient.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorBackend.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorProofResponse.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorSubmissionResponse.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/StellaOps.Attestor.Core.csproj (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/AttestorArchiveBundle.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/AttestorEntry.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorAuditSink.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorDedupeStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorEntryRepository.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionRequest.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionResult.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionValidationResult.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionValidator.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorValidationException.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/IAttestorSubmissionService.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/IDsseCanonicalizer.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/SubmissionContext.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/AttestorVerificationException.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/AttestorVerificationRequest.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/AttestorVerificationResult.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/IAttestorVerificationService.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Properties/AssemblyInfo.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/StubRekorClient.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/ServiceCollectionExtensions.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/StellaOps.Attestor.Infrastructure.csproj (98%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/InMemoryAttestorDedupeStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/MongoAttestorAuditSink.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/MongoAttestorEntryRepository.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/NullAttestorArchiveStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/RedisAttestorDedupeStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/S3AttestorArchiveStore.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Submission/AttestorSubmissionService.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Submission/DefaultDsseCanonicalizer.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Verification/AttestorVerificationService.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Tests/AttestorSubmissionServiceTests.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Tests/AttestorVerificationServiceTests.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Tests/HttpRekorClientTests.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Tests/StellaOps.Attestor.Tests.csproj (80%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.Tests/TestDoubles.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.WebService/Program.cs (100%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj (61%)
rename src/{ => Attestor}/StellaOps.Attestor/StellaOps.Attestor.sln (100%)
rename src/{ => Attestor}/StellaOps.Attestor/TASKS.md (100%)
create mode 100644 src/Authority/StellaOps.Authority.sln
rename src/{ => Authority}/StellaOps.Authority/AGENTS.md (65%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/NetworkMaskMatcherTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOps.Auth.Abstractions.Tests.csproj (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOpsPrincipalBuilderTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOpsProblemResultFactoryTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOpsScopesTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/AuthorityTelemetry.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/NetworkMask.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/NetworkMaskMatcher.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/README.NuGet.md (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsAuthenticationDefaults.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsClaimTypes.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsPrincipalBuilder.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsProblemResultFactory.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsServiceIdentities.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsTenancyDefaults.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/ServiceCollectionExtensionsTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOps.Auth.Client.Tests.csproj (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOpsAuthClientOptionsTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOpsDiscoveryCacheTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOpsTokenClientTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client.Tests/TokenCacheTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenCache.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenClient.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/InMemoryTokenCache.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/README.NuGet.md (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/ServiceCollectionExtensions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj (91%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsDiscoveryCache.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsJwksCache.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenCacheEntry.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenResult.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/ServiceCollectionExtensionsTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOps.Auth.ServerIntegration.Tests.csproj (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsResourceServerOptionsTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsScopeAuthorizationHandlerTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/README.NuGet.md (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/ServiceCollectionExtensions.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj (86%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorityConfigurationManager.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorizationPolicyBuilderExtensions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsBypassEvaluator.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerOptions.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsScopeAuthorizationHandler.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsScopeRequirement.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/Security/CryptoPasswordHasherTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardClientProvisioningStoreTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardPluginOptionsTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardPluginRegistrarTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardUserCredentialStoreTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StellaOps.Authority.Plugin.Standard.Tests.csproj (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Bootstrap/StandardPluginBootstrapper.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Properties/AssemblyInfo.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Security/IPasswordHasher.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardClaimsEnricher.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardIdentityProviderPlugin.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginOptions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StellaOps.Authority.Plugin.Standard.csproj (71%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Storage/StandardClientProvisioningStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Storage/StandardUserCredentialStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Storage/StandardUserDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md (99%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityClientRegistrationTests.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityCredentialVerificationResultTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityIdentityProviderCapabilitiesTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityPluginHealthResultTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityPluginOperationResultTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityUserDescriptorTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/AuthorityUserRegistrationTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/StellaOps.Authority.Plugins.Abstractions.Tests.csproj (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityClientMetadataKeys.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginContracts.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginRegistrationContext.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthoritySecretHasher.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/StellaOps.Authority.Plugins.Abstractions.csproj (86%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/AuthorityMongoDefaults.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Class1.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityBootstrapInviteDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityClientCertificateBinding.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityClientDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityLoginAttemptDocument.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityRevocationDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityRevocationExportStateDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityScopeDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityTokenDocument.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityUserDocument.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Extensions/ServiceCollectionExtensions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityBootstrapInviteCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityClientCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityLoginAttemptCollectionInitializer.cs (98%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityMongoInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityRevocationCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityScopeCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityTokenCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityUserCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/IAuthorityCollectionInitializer.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Migrations/AuthorityMongoMigrationRunner.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Migrations/EnsureAuthorityCollectionsMigration.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Migrations/IAuthorityMongoMigration.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Options/AuthorityMongoOptions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Sessions/AuthorityMongoSessionAccessor.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/StellaOps.Authority.Storage.Mongo.csproj (78%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityBootstrapInviteStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityClientStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityLoginAttemptStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityRevocationExportStateStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityRevocationStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityScopeStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityTokenStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/AuthorityUserStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityBootstrapInviteStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityClientStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityLoginAttemptStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityRevocationExportStateStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityRevocationStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityScopeStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityTokenStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Stores/IAuthorityUserStore.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Bootstrap/BootstrapInviteCleanupServiceTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Console/ConsoleEndpointsTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Identity/AuthorityIdentityProviderRegistryTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Identity/AuthorityIdentityProviderSelectorTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Infrastructure/AuthorityWebApplicationFactory.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/OpenApi/OpenApiDiscoveryEndpointTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/ClientCredentialsAndTokenHandlersTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/PasswordGrantHandlersTests.cs (98%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/TokenPersistenceIntegrationTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Permalinks/VulnPermalinkServiceTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Plugins/AuthorityPluginLoaderTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/RateLimiting/AuthorityRateLimiterIntegrationTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/RateLimiting/AuthorityRateLimiterMetadataAccessorTests.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/RateLimiting/AuthorityRateLimiterMetadataMiddlewareTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/RateLimiting/AuthorityRateLimiterTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthoritySigningKeyManagerTests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/StellaOps.Authority.Tests.csproj (73%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.Tests/TestEnvironment.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority.sln (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Audit/AuthorityAuditSink.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/AuthorityHttpHeaders.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/AuthorityIdentityProviderRegistry.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/AuthorityPluginRegistry.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/AuthorityRateLimiter.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/AuthorityTelemetryConfiguration.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Bootstrap/BootstrapApiKeyFilter.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Bootstrap/BootstrapInviteCleanupService.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Bootstrap/BootstrapRequests.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Console/ConsoleEndpointExtensions.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Console/TenantHeaderFilter.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenApi/AuthorityOpenApiDocumentProvider.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenApi/OpenApiDiscoveryEndpointExtensions.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityIdentityProviderSelector.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityOpenIddictConstants.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsAuditHelper.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Permalinks/VulnPermalinkRequest.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Permalinks/VulnPermalinkResponse.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Permalinks/VulnPermalinkService.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Program.Partial.cs (91%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Program.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Properties/AssemblyInfo.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Properties/launchSettings.json (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimiterFeature.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimiterMetadata.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimiterMetadataAccessor.cs (96%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimiterMetadataMiddleware.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimiterPartitionKeyResolver.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/RateLimiting/AuthorityRateLimitingApplicationBuilderExtensions.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/AuthorityRevocationExportService.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationBundleBuildResult.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationBundleBuilder.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationBundleModel.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationBundleSignature.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationBundleSigner.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationEntryModel.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationExportPackage.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Revocation/RevocationExportResponse.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidationResult.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/AuthorityJwksService.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/AuthoritySigningKeyManager.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/AuthoritySigningKeyRequest.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/AuthoritySigningKeyStatus.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/FileAuthoritySigningKeySource.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/IAuthoritySigningKeySource.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Signing/SigningRotationRequest.cs (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj (80%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/Tenants/AuthorityTenantCatalog.cs (97%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/appsettings.Development.json (100%)
rename src/{ => Authority}/StellaOps.Authority/StellaOps.Authority/appsettings.json (100%)
rename src/{ => Authority}/StellaOps.Authority/TASKS.md (98%)
create mode 100644 src/Bench/StellaOps.Bench.sln
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/README.md (87%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex.Tests/BaselineLoaderTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex.Tests/BenchmarkScenarioReportTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex.Tests/StellaOps.Bench.LinkNotMerge.Vex.Tests.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex.Tests/VexScenarioRunnerTests.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Baseline/BaselineEntry.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Baseline/BaselineLoader.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Program.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Properties/AssemblyInfo.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Reporting/BenchmarkJsonWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Reporting/BenchmarkScenarioReport.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Reporting/PrometheusWriter.cs (98%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/Statistics.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexLinksetAggregator.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexObservationGenerator.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexScenarioConfig.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexScenarioExecutionResult.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexScenarioResult.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/VexScenarioRunner.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/baseline.csv (99%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge.Vex/config.json (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/README.md (88%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge.Tests/BaselineLoaderTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge.Tests/BenchmarkScenarioReportTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge.Tests/LinkNotMergeScenarioRunnerTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge.Tests/StellaOps.Bench.LinkNotMerge.Tests.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Baseline/BaselineEntry.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Baseline/BaselineLoader.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/BenchmarkConfig.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/LinkNotMergeScenarioRunner.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/LinksetAggregator.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/ObservationData.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Program.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Properties/AssemblyInfo.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Reporting/BenchmarkJsonWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Reporting/BenchmarkScenarioReport.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/Reporting/PrometheusWriter.cs (98%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/ScenarioExecutionResult.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/ScenarioResult.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/ScenarioStatistics.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/StellaOps.Bench.LinkNotMerge.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/baseline.csv (99%)
rename src/{ => Bench}/StellaOps.Bench/LinkNotMerge/config.json (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/README.md (89%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify.Tests/BaselineLoaderTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify.Tests/BenchmarkScenarioReportTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify.Tests/NotifyScenarioRunnerTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify.Tests/PrometheusWriterTests.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify.Tests/StellaOps.Bench.Notify.Tests.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Baseline/BaselineEntry.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Baseline/BaselineLoader.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/BenchmarkConfig.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/DispatchAccumulator.cs (95%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/NotifyScenarioRunner.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Program.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Properties/AssemblyInfo.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Reporting/BenchmarkJsonWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Reporting/BenchmarkScenarioReport.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/Reporting/PrometheusWriter.cs (98%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/ScenarioExecutionResult.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/ScenarioResult.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/ScenarioStatistics.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Notify/StellaOps.Bench.Notify/StellaOps.Bench.Notify.csproj (67%)
rename src/{ => Bench}/StellaOps.Bench/Notify/baseline.csv (99%)
rename src/{ => Bench}/StellaOps.Bench/Notify/config.json (96%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/README.md (87%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Baseline/BaselineEntry.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Baseline/BaselineLoader.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/BenchmarkConfig.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/PathUtilities.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/PolicyScenarioRunner.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Program.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Reporting/BenchmarkJsonWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Reporting/BenchmarkScenarioReport.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/Reporting/PrometheusWriter.cs (98%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/ScenarioResult.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/StellaOps.Bench.PolicyEngine.csproj (69%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/baseline.csv (99%)
rename src/{ => Bench}/StellaOps.Bench/PolicyEngine/config.json (96%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/README.md (94%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs (95%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs (97%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs (96%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs (97%)
create mode 100644 src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/baseline.csv (98%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/config.json (77%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/lang/README.md (84%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv (98%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv (98%)
rename src/{ => Bench}/StellaOps.Bench/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv (98%)
rename src/{ => Bench}/StellaOps.Bench/TASKS.md (98%)
create mode 100644 src/Cartographer/StellaOps.Cartographer.sln
rename src/{ => Cartographer}/StellaOps.Cartographer/AGENTS.md (93%)
rename src/{ => Cartographer}/StellaOps.Cartographer/Options/CartographerAuthorityOptions.cs (97%)
rename src/{ => Cartographer}/StellaOps.Cartographer/Options/CartographerAuthorityOptionsConfigurator.cs (96%)
rename src/{ => Cartographer}/StellaOps.Cartographer/Program.cs (97%)
rename src/{ => Cartographer}/StellaOps.Cartographer/Properties/AssemblyInfo.cs (97%)
create mode 100644 src/Cartographer/StellaOps.Cartographer/StellaOps.Cartographer.csproj
rename src/{ => Cartographer}/StellaOps.Cartographer/TASKS.md (99%)
rename src/{ => Cartographer/__Tests}/StellaOps.Cartographer.Tests/Options/CartographerAuthorityOptionsConfiguratorTests.cs (96%)
rename src/{ => Cartographer/__Tests}/StellaOps.Cartographer.Tests/StellaOps.Cartographer.Tests.csproj (79%)
create mode 100644 src/Cli/StellaOps.Cli.sln
rename src/{ => Cli}/StellaOps.Cli/AGENTS.md (95%)
rename src/{ => Cli}/StellaOps.Cli/Commands/CommandFactory.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Commands/CommandHandlers.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Configuration/AuthorityTokenUtilities.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Configuration/CliBootstrapper.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Configuration/StellaOpsCliOptions.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Plugins/CliCommandModuleLoader.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Plugins/CliPluginManifest.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Plugins/CliPluginManifestLoader.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Plugins/ICliCommandModule.cs (95%)
rename src/{ => Cli}/StellaOps.Cli/Plugins/RestartOnlyCliPluginGuard.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Program.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Prompts/TrivyDbExportPrompt.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Properties/AssemblyInfo.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/AuthorityDiagnosticsReporter.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/AuthorityRevocationClient.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Services/BackendOperationsClient.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Services/ConcelierObservationsClient.cs (97%)
rename src/{ => Cli}/StellaOps.Cli/Services/IAuthorityRevocationClient.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/IBackendOperationsClient.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/IConcelierObservationsClient.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/IScannerExecutor.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/IScannerInstaller.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/AdvisoryObservationsModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/AocIngestDryRunModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/AocVerifyModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/AuthorityRevocationExportResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/ExcititorExportDownloadResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/ExcititorOperationResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/ExcititorProviderSummary.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/JobTriggerResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/OfflineKitModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/PolicyActivationModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/PolicyFindingsModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/PolicySimulationModels.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/RuntimePolicyEvaluationModels.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/ScannerArtifactResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/JobRunResponse.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/JobTriggerRequest.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/OfflineKitTransport.cs (95%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/PolicyActivationTransport.cs (95%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/PolicyFindingsTransport.cs (95%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/PolicySimulationTransport.cs (95%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/ProblemDocument.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/Models/Transport/RuntimePolicyEvaluationTransport.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/PolicyApiException.cs (96%)
rename src/{ => Cli}/StellaOps.Cli/Services/ScannerExecutionResult.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/ScannerExecutor.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Services/ScannerInstaller.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/StellaOps.Cli.csproj (78%)
rename src/{ => Cli}/StellaOps.Cli/TASKS.md (99%)
rename src/{ => Cli}/StellaOps.Cli/Telemetry/CliActivitySource.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Telemetry/CliMetrics.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/Telemetry/VerbosityState.cs (100%)
rename src/{ => Cli}/StellaOps.Cli/appsettings.json (100%)
rename src/{ => Cli/__Libraries}/StellaOps.Cli.Plugins.NonCore/NonCoreCliCommandModule.cs (97%)
rename src/{ => Cli/__Libraries}/StellaOps.Cli.Plugins.NonCore/StellaOps.Cli.Plugins.NonCore.csproj (97%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs (97%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Configuration/CliBootstrapperTests.cs (100%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Plugins/CliCommandModuleLoaderTests.cs (97%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Plugins/RestartOnlyCliPluginGuardTests.cs (96%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests.cs (100%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Services/BackendOperationsClientTests.cs (97%)
create mode 100644 src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/Testing/TestHelpers.cs (100%)
rename src/{ => Cli/__Tests}/StellaOps.Cli.Tests/UnitTest1.cs (100%)
rename src/{StellaOps.Scanner.Analyzers.Lang.Tests => Cli/__Tests/StellaOps.Cli.Tests}/xunit.runner.json (100%)
rename src/{ => Concelier}/StellaOps.Concelier.Tests.Shared/AssemblyInfo.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.Tests.Shared/MongoFixtureCollection.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/AGENTS.md (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Contracts/AdvisoryObservationContracts.cs (97%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Contracts/AdvisoryRawContracts.cs (98%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Diagnostics/HealthContracts.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Diagnostics/IngestionMetrics.cs (97%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Diagnostics/JobMetrics.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Diagnostics/ProblemTypes.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Diagnostics/ServiceStatus.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Extensions/AdvisoryRawRequestMapper.cs (97%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Extensions/ConfigurationExtensions.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Extensions/JobRegistrationExtensions.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Extensions/MirrorEndpointExtensions.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Extensions/TelemetryExtensions.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Filters/JobAuthorizationAuditFilter.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Jobs/JobDefinitionResponse.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Jobs/JobRunResponse.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Jobs/JobTriggerRequest.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Options/ConcelierOptions.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Options/ConcelierOptionsPostConfigure.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Options/ConcelierOptionsValidator.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Program.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Properties/launchSettings.json (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Services/MirrorFileLocator.cs (100%)
rename src/{ => Concelier}/StellaOps.Concelier.WebService/Services/MirrorRateLimiter.cs (100%)
create mode 100644 src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj
rename src/{ => Concelier}/StellaOps.Concelier.WebService/TASKS.md (99%)
create mode 100644 src/Concelier/StellaOps.Concelier.sln
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/AcscConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/AcscConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/AcscDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/AcscServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Configuration/AcscFeedOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Configuration/AcscOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscFeedParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Internal/AcscMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/README.md (95%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/StellaOps.Concelier.Connector.Acsc.csproj (81%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Acsc/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/CccsConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/CccsConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/CccsDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/CccsServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Configuration/CccsOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsFeedClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsFeedModels.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsHtmlParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Internal/CccsRawAdvisoryDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/StellaOps.Concelier.Connector.Cccs.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cccs/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/CertBundConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/CertBundConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/CertBundDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/CertBundServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Configuration/CertBundOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundDetailResponse.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundFeedClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundFeedItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Internal/CertBundMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/README.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/StellaOps.Concelier.Connector.CertBund.csproj (75%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertBund/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/CertCcConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/CertCcConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/CertCcDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/CertCcServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Configuration/CertCcOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md (88%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-012_HANDOFF.md (58%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcNoteDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcNoteParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcSummaryParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcSummaryPlan.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcSummaryPlanner.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Internal/CertCcVendorStatementParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/README.md (91%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/StellaOps.Concelier.Connector.CertCc.csproj (80%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertCc/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/CertFrConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/CertFrConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/CertFrDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/CertFrServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Configuration/CertFrOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrFeedClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrFeedItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Internal/CertFrParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/StellaOps.Concelier.Connector.CertFr.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertFr/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/CertInConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/CertInConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/CertInDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/CertInServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Configuration/CertInOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Internal/CertInAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Internal/CertInClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Internal/CertInCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Internal/CertInDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Internal/CertInListingItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/StellaOps.Concelier.Connector.CertIn.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.CertIn/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Cursors/PaginationPlanner.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Cursors/TimeWindowCursorOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Cursors/TimeWindowCursorPlanner.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Cursors/TimeWindowCursorState.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/DocumentStatuses.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/CryptoJitterSource.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/IJitterSource.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/RawDocumentStorage.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/SourceFetchContentResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/SourceFetchRequest.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/SourceFetchResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/SourceFetchService.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Fetch/SourceRetryPolicy.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Html/HtmlContentSanitizer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Http/AllowlistedHttpMessageHandler.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Http/ServiceCollectionExtensions.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Http/SourceHttpClientConfigurationBinder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Http/SourceHttpClientOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Json/IJsonSchemaValidator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Json/JsonSchemaValidationError.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Json/JsonSchemaValidationException.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Json/JsonSchemaValidator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Packages/PackageCoordinateHelper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Pdf/PdfTextExtractor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/State/SourceStateSeedModels.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/State/SourceStateSeedProcessor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/StellaOps.Concelier.Connector.Common.csproj (87%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Telemetry/SourceDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Testing/CannedHttpMessageHandler.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Url/UrlNormalizer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Xml/IXmlSchemaValidator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Xml/XmlSchemaValidationError.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Xml/XmlSchemaValidationException.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Common/Xml/XmlSchemaValidator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Configuration/CveOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/CveConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/CveConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/CveDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/CveServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveListParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveRecordDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Internal/CveRecordParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/StellaOps.Concelier.Connector.Cve.csproj (75%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Cve/TASKS.md (94%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Configuration/DebianOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/DebianConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/DebianConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/DebianDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/DebianServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianDetailMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianFetchCacheEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianHtmlParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianListEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianListParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Internal/DebianMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Debian/StellaOps.Concelier.Connector.Distro.Debian.csproj (82%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md (78%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Configuration/RedHatOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Internal/Models/RedHatCsafModels.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Internal/RedHatCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Internal/RedHatMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Internal/RedHatSummaryItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/RedHatConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/RedHatConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/RedHatDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/RedHatServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/StellaOps.Concelier.Connector.Distro.RedHat.csproj (71%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Configuration/SuseOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseChangeRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseChangesParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseCsafParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseFetchCacheEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Internal/SuseMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/StellaOps.Concelier.Connector.Distro.Suse.csproj (82%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/SuseConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/SuseConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/SuseDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Suse/SuseServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Configuration/UbuntuOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Internal/UbuntuCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Internal/UbuntuFetchCacheEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Internal/UbuntuMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Internal/UbuntuNoticeDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Internal/UbuntuNoticeParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/StellaOps.Concelier.Connector.Distro.Ubuntu.csproj (82%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/UbuntuConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/UbuntuConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/UbuntuDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Distro.Ubuntu/UbuntuServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Configuration/GhsaOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/GhsaConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/GhsaConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/GhsaDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/GhsaServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaListParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaRateLimitParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaRateLimitSnapshot.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaRecordDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Internal/GhsaRecordParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/StellaOps.Concelier.Connector.Ghsa.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ghsa/TASKS.md (91%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Configuration/IcsCisaOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/HANDOVER.md (69%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/IcsCisaConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/IcsCisaConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/IcsCisaDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/IcsCisaServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaAttachmentDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaFeedDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Internal/IcsCisaFeedParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/StellaOps.Concelier.Connector.Ics.Cisa.csproj (87%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md (94%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Configuration/KasperskyOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Internal/KasperskyAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Internal/KasperskyAdvisoryParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Internal/KasperskyCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Internal/KasperskyFeedClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Internal/KasperskyFeedItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/KasperskyConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/KasperskyConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/KasperskyDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/KasperskyServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/StellaOps.Concelier.Connector.Ics.Kaspersky.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ics.Kaspersky/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Configuration/JvnOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnAdvisoryMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnConstants.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnDetailDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnOverviewItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnOverviewPage.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnSchemaProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/JvnSchemaValidationException.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Internal/MyJvnClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/JvnConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/JvnConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/JvnDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/JvnServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/data_marking.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/jvnrss_3.2.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/mod_sec_3.0.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/status_3.3.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/tlp_marking.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/vuldef_3.2.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/Schemas/xml.xsd (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/StellaOps.Concelier.Connector.Jvn.csproj (83%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Jvn/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Configuration/KevOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Internal/KevCatalogDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Internal/KevCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Internal/KevDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Internal/KevMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Internal/KevSchemaProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/KevConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/KevConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/KevDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/KevServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/Schemas/kev-catalog.schema.json (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/StellaOps.Concelier.Connector.Kev.csproj (85%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kev/TASKS.md (88%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Configuration/KisaOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaDetailResponse.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaFeedClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaFeedItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Internal/KisaMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/KisaConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/KisaConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/KisaDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/KisaServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/StellaOps.Concelier.Connector.Kisa.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Kisa/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Configuration/NvdOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Internal/NvdCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Internal/NvdDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Internal/NvdMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Internal/NvdSchemaProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/NvdConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/NvdConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/NvdServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/Schemas/nvd-vulnerability.schema.json (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/StellaOps.Concelier.Connector.Nvd.csproj (84%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Nvd/TASKS.md (93%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Configuration/OsvOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Internal/OsvCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Internal/OsvDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Internal/OsvMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Internal/OsvVulnerabilityDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/OsvConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/OsvConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/OsvDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/OsvServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/StellaOps.Concelier.Connector.Osv.csproj (88%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Osv/TASKS.md (88%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Configuration/RuBduOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Internal/RuBduCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Internal/RuBduDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Internal/RuBduMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Internal/RuBduVulnerabilityDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Internal/RuBduXmlParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/README.md (92%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/RuBduConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/RuBduConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/RuBduDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/RuBduServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/StellaOps.Concelier.Connector.Ru.Bdu.csproj (83%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md (94%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Configuration/RuNkckiOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Internal/RuNkckiCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Internal/RuNkckiDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Internal/RuNkckiJsonParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Internal/RuNkckiMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Internal/RuNkckiVulnerabilityDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/StellaOps.Concelier.Connector.Ru.Nkcki.csproj (85%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Client/MirrorManifestClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Internal/MirrorAdvisoryMapper.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Internal/MirrorBundleDocument.cs (98%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Internal/MirrorIndexDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Internal/StellaOpsMirrorCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Properties/AssemblyInfo.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Security/MirrorSignatureVerifier.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/Settings/StellaOpsMirrorConnectorOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/StellaOps.Concelier.Connector.StellaOpsMirror.csproj (68%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/StellaOpsMirrorConnector.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/StellaOpsMirrorConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/StellaOpsMirrorDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md (90%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/AdobeConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/AdobeConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/AdobeDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/AdobeServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Configuration/AdobeOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeBulletinDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeIndexEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeIndexParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Internal/AdobeSchemaProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/Schemas/adobe-bulletin.schema.json (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/StellaOps.Concelier.Connector.Vndr.Adobe.csproj (83%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Adobe/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/AppleConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/AppleDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/AppleOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/AppleServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleDetailDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleIndexEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Internal/AppleMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/README.md (89%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/StellaOps.Concelier.Connector.Vndr.Apple.csproj (81%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Apple/VndrAppleConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/ChromiumConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/ChromiumConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/ChromiumDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/ChromiumServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Configuration/ChromiumOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumFeedEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumFeedLoader.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Internal/ChromiumSchemaProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/Schemas/chromium-post.schema.json (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/StellaOps.Concelier.Connector.Vndr.Chromium.csproj (87%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Chromium/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/CiscoConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/CiscoDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/CiscoServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Configuration/CiscoOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoAccessTokenProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoCsafClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoCsafData.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoCsafParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoDtoFactory.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoOAuthMessageHandler.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoOpenVulnClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoRawAdvisory.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/StellaOps.Concelier.Connector.Vndr.Cisco.csproj (81%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Cisco/VndrCiscoConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Configuration/MsrcOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcAdvisoryDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcApiClient.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcDetailDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcDetailParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcSummaryResponse.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Internal/MsrcTokenProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/MsrcConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/MsrcConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/MsrcDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/MsrcServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/README.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/StellaOps.Concelier.Connector.Vndr.Msrc.csproj (75%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Configuration/OracleOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleAffectedEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleCalendarFetcher.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleDocumentMetadata.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleDtoValidator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleParser.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OraclePatchDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/OracleConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/OracleDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/OracleServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/StellaOps.Concelier.Connector.Vndr.Oracle.csproj (79%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Oracle/VndrOracleConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Configuration/VmwareOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Internal/VmwareCursor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Internal/VmwareDetailDto.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Internal/VmwareFetchCacheEntry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Internal/VmwareIndexItem.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Internal/VmwareMapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Jobs.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/StellaOps.Concelier.Connector.Vndr.Vmware.csproj (86%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/VmwareConnector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/VmwareConnectorPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/VmwareDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/VmwareDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Connector.Vndr.Vmware/VmwareServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Aoc/AdvisoryRawWriteGuard.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Aoc/AocServiceCollectionExtensions.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Aoc/ConcelierAocGuardException.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Aoc/IAdvisoryRawWriteGuard.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/CanonicalMergeResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/CanonicalMerger.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Events/AdvisoryEventContracts.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Events/AdvisoryEventLog.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Events/IAdvisoryEventLog.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Events/IAdvisoryEventRepository.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/IJob.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/IJobCoordinator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/IJobStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/ILeaseStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobCoordinator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobDefinition.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobExecutionContext.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobLease.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobPluginRegistrationExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobRunCompletion.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobRunCreateRequest.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobRunSnapshot.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobRunStatus.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobSchedulerBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobSchedulerHostedService.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobSchedulerOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/JobTriggerResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Jobs/ServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/AdvisoryLinksetMapper.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/AdvisoryObservationFactory.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/IAdvisoryLinksetMapper.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/IAdvisoryObservationFactory.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/LinksetNormalization.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Linksets/LinksetServiceCollectionExtensions.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/INoisePriorRepository.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/INoisePriorService.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/NoisePriorComputationRequest.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/NoisePriorComputationResult.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/NoisePriorService.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/NoisePriorServiceCollectionExtensions.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Noise/NoisePriorSummary.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Observations/AdvisoryObservationCursor.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Observations/AdvisoryObservationQueryModels.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Observations/AdvisoryObservationQueryService.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Observations/IAdvisoryObservationLookup.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Observations/IAdvisoryObservationQueryService.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Properties/AssemblyInfo.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/AdvisoryRawQueryOptions.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/AdvisoryRawRecord.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/AdvisoryRawService.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/IAdvisoryRawRepository.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/IAdvisoryRawService.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Raw/RawServiceCollectionExtensions.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/StellaOps.Concelier.Core.csproj (82%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/TASKS.md (99%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/IUnknownStateLedger.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/IUnknownStateRepository.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/UnknownStateLedger.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/UnknownStateLedgerRequest.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/UnknownStateLedgerResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/UnknownStateMarkerKinds.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Core/Unknown/UnknownStateSnapshot.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/ExportDigestCalculator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/ExporterVersion.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/IJsonExportPathResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportFile.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportJob.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportManifestWriter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExportSnapshotBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExporterDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonExporterPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonFeedExporter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/JsonMirrorBundleWriter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/StellaOps.Concelier.Exporter.Json.csproj (77%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/TASKS.md (83%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.Json/VulnListJsonExportPathResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/ITrivyDbBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/ITrivyDbOrasPusher.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/OciDescriptor.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/OciIndex.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/OciManifest.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/StellaOps.Concelier.Exporter.TrivyDb.csproj (81%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md (87%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyConfigDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbBlob.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbBoltBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbBuilderResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportJob.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportMode.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportOverrides.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportPlan.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExportPlanner.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExporterDependencyInjectionRoutine.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbExporterPlugin.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbFeedExporter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbMediaTypes.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbMirrorBundleWriter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbOciWriteResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbOciWriter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbOrasPusher.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbPackage.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbPackageBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Exporter.TrivyDb/TrivyDbPackageRequest.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Class1.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Comparers/DebianEvr.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Comparers/Nevra.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Comparers/SemanticVersionRangeResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Identity/AdvisoryIdentityCluster.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Identity/AdvisoryIdentityResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Identity/AliasIdentity.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Jobs/MergeJobKinds.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Jobs/MergeReconcileJob.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/MergeServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Options/AdvisoryPrecedenceDefaults.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Options/AdvisoryPrecedenceOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Options/AdvisoryPrecedenceTable.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/RANGE_PRIMITIVES_COORDINATION.md (98%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/AdvisoryMergeService.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/AdvisoryPrecedenceMerger.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/AffectedPackagePrecedenceResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/AliasGraphResolver.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/CanonicalHashCalculator.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/ConflictDetailPayload.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/MergeConflictDetail.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/MergeConflictExplainerPayload.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/MergeConflictSummary.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/MergeEventWriter.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/Services/PrecedenceMergeResult.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/StellaOps.Concelier.Merge.csproj (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Merge/TASKS.md (99%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/Advisory.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AdvisoryCredit.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AdvisoryProvenance.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AdvisoryReference.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AdvisoryWeakness.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AffectedPackage.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AffectedPackageStatus.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AffectedPackageStatusCatalog.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AffectedVersionRange.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AffectedVersionRangeExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AliasSchemeRegistry.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/AliasSchemes.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/BACKWARD_COMPATIBILITY.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/CANONICAL_RECORDS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/CanonicalJsonSerializer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/CvssMetric.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/EvrPrimitiveExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/NevraPrimitiveExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/NormalizedVersionRule.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/Observations/AdvisoryObservation.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/OsvGhsaParityDiagnostics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/OsvGhsaParityInspector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/ProvenanceFieldMasks.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/ProvenanceInspector.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/RangePrimitives.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/SemVerPrimitiveExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/SeverityNormalization.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/SnapshotSerializer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/StellaOps.Concelier.Models.csproj (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Models/Validation.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Cvss/CvssMetricNormalizer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Distro/DebianEvr.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Distro/Nevra.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Identifiers/Cpe23.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Identifiers/IdentifierNormalizer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Identifiers/PackageUrl.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/SemVer/SemVerRangeRuleBuilder.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/StellaOps.Concelier.Normalization.csproj (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/TASKS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Normalization/Text/DescriptionNormalizer.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/AdvisoryRawDocument.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/Class1.cs (92%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/JsonElementExtensions.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/RawDocumentFactory.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/StellaOps.Concelier.RawModels.csproj (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.RawModels/VexRawDocument.cs (98%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/AGENTS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Advisories/AdvisoryDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Advisories/AdvisoryStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Advisories/IAdvisoryStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Advisories/NormalizedVersionDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Advisories/NormalizedVersionDocumentFactory.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Aliases/AliasDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Aliases/AliasStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Aliases/AliasStoreConstants.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Aliases/AliasStoreMetrics.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Aliases/IAliasStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/ChangeHistoryDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/ChangeHistoryDocumentExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/ChangeHistoryFieldChange.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/ChangeHistoryRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/IChangeHistoryStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ChangeHistory/MongoChangeHistoryStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Conflicts/AdvisoryConflictDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Conflicts/AdvisoryConflictRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Conflicts/AdvisoryConflictStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Documents/DocumentDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Documents/DocumentRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Documents/DocumentStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Documents/IDocumentStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Dtos/DtoDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Dtos/DtoRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Dtos/DtoStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Dtos/IDtoStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Events/MongoAdvisoryEventRepository.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Exporting/ExportStateDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Exporting/ExportStateManager.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Exporting/ExportStateRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Exporting/ExportStateStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Exporting/IExportStateStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ISourceStateRepository.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JobLeaseDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JobRunDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JpFlags/IJpFlagStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JpFlags/JpFlagDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JpFlags/JpFlagRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/JpFlags/JpFlagStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MIGRATIONS.md (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MergeEvents/IMergeEventStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MergeEvents/MergeEventDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MergeEvents/MergeEventRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MergeEvents/MergeEventStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MergeEvents/MergeFieldDecision.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureAdvisoryEventCollectionsMigration.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureAdvisoryRawIdempotencyIndexMigration.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureAdvisoryRawValidatorMigration.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureAdvisorySupersedesBackfillMigration.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureDocumentExpiryIndexesMigration.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/EnsureGridFsExpiryIndexesMigration.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/IMongoMigration.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/MongoMigrationDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/MongoMigrationRunner.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Migrations/SemVerStyleBackfillMigration.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoBootstrapper.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoCollectionValidatorOptions.cs (95%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoJobStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoLeaseStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoSessionProvider.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoSourceStateRepository.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoStorageDefaults.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/MongoStorageOptions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Observations/AdvisoryObservationDocument.cs (96%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Observations/AdvisoryObservationDocumentFactory.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Observations/AdvisoryObservationLookup.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Observations/AdvisoryObservationStore.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Observations/IAdvisoryObservationStore.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Properties/AssemblyInfo.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/PsirtFlags/IPsirtFlagStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/PsirtFlags/PsirtFlagDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/PsirtFlags/PsirtFlagRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/PsirtFlags/PsirtFlagStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Raw/MongoAdvisoryRawRepository.cs (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/RawDocumentRetentionService.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/ServiceCollectionExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/SourceStateDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/SourceStateRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/SourceStateRepositoryExtensions.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Statements/AdvisoryStatementDocument.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Statements/AdvisoryStatementRecord.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/Statements/AdvisoryStatementStore.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/StellaOps.Concelier.Storage.Mongo.csproj (97%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Storage.Mongo/TASKS.md (99%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Testing/ConnectorTestHarness.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Testing/MongoIntegrationFixture.cs (100%)
rename src/{ => Concelier/__Libraries}/StellaOps.Concelier.Testing/StellaOps.Concelier.Testing.csproj (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Acsc.Tests/Acsc/AcscConnectorFetchTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Acsc.Tests/Acsc/AcscConnectorParseTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Acsc.Tests/Acsc/AcscHttpClientConfigurationTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Acsc.Tests/Acsc/Fixtures/acsc-advisories-multi.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Acsc.Tests/Acsc/Fixtures/acsc-advisories.snapshot.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Acsc.Tests/StellaOps.Concelier.Connector.Acsc.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/CccsConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Fixtures/cccs-feed-en.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Fixtures/cccs-raw-advisory-fr.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Fixtures/cccs-raw-advisory.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Fixtures/cccs-taxonomy-en.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Internal/CccsHtmlParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/Internal/CccsMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cccs.Tests/StellaOps.Concelier.Connector.Cccs.Tests.csproj (59%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertBund.Tests/CertBundConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertBund.Tests/Fixtures/certbund-detail.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertBund.Tests/Fixtures/certbund-feed.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertBund.Tests/StellaOps.Concelier.Connector.CertBund.Tests.csproj (64%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/CertCc/CertCcConnectorFetchTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/CertCc/CertCcConnectorSnapshotTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/CertCc/CertCcConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-documents.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-requests.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-state.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-09.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-10.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-11.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vendor-statuses-294418.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vendors-294418.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-257161.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418-vendors.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418-vuls.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vulnerabilities-294418.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Internal/CertCcMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Internal/CertCcSummaryParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Internal/CertCcSummaryPlannerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/Internal/CertCcVendorStatementParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertCc.Tests/StellaOps.Concelier.Connector.CertCc.Tests.csproj (59%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertFr.Tests/CertFr/CertFrConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertFr.Tests/CertFr/Fixtures/certfr-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertFr.Tests/CertFr/Fixtures/certfr-detail-AV-2024-001.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertFr.Tests/CertFr/Fixtures/certfr-detail-AV-2024-002.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertFr.Tests/CertFr/Fixtures/certfr-feed.xml (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.CertFr.Tests/StellaOps.Concelier.Connector.CertFr.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertIn.Tests/CertIn/CertInConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertIn.Tests/CertIn/Fixtures/alerts-page1.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertIn.Tests/CertIn/Fixtures/detail-CIAD-2024-0005.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.CertIn.Tests/CertIn/Fixtures/expected-advisory.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.CertIn.Tests/StellaOps.Concelier.Connector.CertIn.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/CannedHttpMessageHandlerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/HtmlContentSanitizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/PackageCoordinateHelperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/PdfTextExtractorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/SourceFetchServiceGuardTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/SourceFetchServiceTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/SourceHttpClientBuilderTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/TimeWindowCursorPlannerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Common/UrlNormalizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Json/JsonSchemaValidatorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/StellaOps.Concelier.Connector.Common.Tests.csproj (54%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Common.Tests/Xml/XmlSchemaValidatorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cve.Tests/Cve/CveConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cve.Tests/Fixtures/cve-CVE-2024-0001.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cve.Tests/Fixtures/cve-list.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Cve.Tests/Fixtures/expected-CVE-2024-0001.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Cve.Tests/StellaOps.Concelier.Connector.Cve.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Debian.Tests/DebianConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Debian.Tests/DebianMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Debian.Tests/Source/Distro/Debian/Fixtures/debian-detail-dsa-2024-123.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Debian.Tests/Source/Distro/Debian/Fixtures/debian-detail-dsa-2024-124.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Debian.Tests/Source/Distro/Debian/Fixtures/debian-list.txt (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.Debian.Tests/StellaOps.Concelier.Connector.Distro.Debian.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/csaf-rhsa-2025-0001.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/csaf-rhsa-2025-0002.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/csaf-rhsa-2025-0003.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/rhsa-2025-0001.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/rhsa-2025-0002.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/rhsa-2025-0003.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/summary-page1-repeat.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/summary-page1.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/summary-page2.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/Fixtures/summary-page3.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/RedHatConnectorHarnessTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.RedHat.Tests/RedHat/RedHatConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/Source/Distro/Suse/Fixtures/suse-changes.csv (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/Source/Distro/Suse/Fixtures/suse-su-2025_0001-1.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/Source/Distro/Suse/Fixtures/suse-su-2025_0002-1.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.Suse.Tests/StellaOps.Concelier.Connector.Distro.Suse.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/SuseConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/SuseCsafParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Suse.Tests/SuseMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests/Fixtures/ubuntu-notices-page0.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests/Fixtures/ubuntu-notices-page1.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests/UbuntuConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/conflict-ghsa.canonical.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.ghsa.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.nvd.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.osv.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/expected-GHSA-xxxx-yyyy-zzzz.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/ghsa-GHSA-xxxx-yyyy-zzzz.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/ghsa-list.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaConflictFixtureTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaCreditParityRegressionTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaDependencyInjectionRoutineTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaDiagnosticsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ghsa.Tests/Ghsa/GhsaRateLimitParserTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisa/Fixtures/icsa-25-123-01.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisa/Fixtures/icsma-25-045-01.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisa/Fixtures/sample-feed.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisa/IcsCisaConnectorMappingTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisa/IcsCisaFeedParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Cisa.Tests/IcsCisaConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Ics.Cisa.Tests/StellaOps.Concelier.Connector.Ics.Cisa.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/Kaspersky/Fixtures/detail-acme-controller-2024.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/Kaspersky/Fixtures/expected-advisory.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/Kaspersky/Fixtures/feed-page1.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/Kaspersky/KasperskyConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Jvn.Tests/Jvn/Fixtures/expected-advisory.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Jvn.Tests/Jvn/Fixtures/jvnrss-window1.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Jvn.Tests/Jvn/Fixtures/vuldef-JVNDB-2024-123456.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Jvn.Tests/Jvn/JvnConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Jvn.Tests/StellaOps.Concelier.Connector.Jvn.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kev.Tests/Kev/Fixtures/kev-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kev.Tests/Kev/Fixtures/kev-catalog.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kev.Tests/Kev/KevConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kev.Tests/Kev/KevMapperTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Kev.Tests/StellaOps.Concelier.Connector.Kev.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kisa.Tests/Fixtures/kisa-detail.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kisa.Tests/Fixtures/kisa-feed.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kisa.Tests/KisaConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Kisa.Tests/StellaOps.Concelier.Connector.Kisa.Tests.csproj (62%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/conflict-nvd.canonical.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/credit-parity.ghsa.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/credit-parity.nvd.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/credit-parity.osv.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-invalid-schema.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-multipage-1.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-multipage-2.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-multipage-3.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-window-1.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-window-2.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/Fixtures/nvd-window-update.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/NvdConflictFixtureTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/NvdConnectorHarnessTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/NvdConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Nvd.Tests/Nvd/NvdMergeExportParityTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Nvd.Tests/StellaOps.Concelier.Connector.Nvd.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/conflict-osv.canonical.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.ghsa.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.osv.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.raw-ghsa.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-ghsa.raw-osv.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-npm.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/osv-pypi.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Osv/OsvConflictFixtureTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Osv/OsvGhsaParityRegressionTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Osv/OsvMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Osv.Tests/Osv/OsvSnapshotTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/export-sample.xml (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/ru-bdu-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/ru-bdu-documents.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/ru-bdu-dtos.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/ru-bdu-requests.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures/ru-bdu-state.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/RuBduConnectorSnapshotTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/RuBduMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Bdu.Tests/RuBduXmlParserTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Ru.Bdu.Tests/StellaOps.Concelier.Connector.Ru.Bdu.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/Fixtures/bulletin-legacy.json.zip (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/Fixtures/bulletin-sample.json.zip (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/Fixtures/listing-page2.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/Fixtures/listing.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/Fixtures/nkcki-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/RuNkckiConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/RuNkckiJsonParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/RuNkckiMapperTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/StellaOps.Concelier.Connector.Ru.Nkcki.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/FixtureLoader.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/Fixtures/mirror-advisory.expected.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/Fixtures/mirror-bundle.sample.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/MirrorAdvisoryMapperTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/MirrorSignatureVerifierTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/SampleData.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/StellaOps.Concelier.Connector.StellaOpsMirror.Tests.csproj (51%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.StellaOpsMirror.Tests/StellaOpsMirrorConnectorTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/Adobe/AdobeConnectorFetchTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/Adobe/Fixtures/adobe-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/Adobe/Fixtures/adobe-detail-apsb25-85.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/Adobe/Fixtures/adobe-detail-apsb25-87.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/Adobe/Fixtures/adobe-index.html (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/StellaOps.Concelier.Connector.Vndr.Adobe.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/AppleConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/AppleFixtureManager.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/AppleLiveRegressionTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/106355.expected.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/106355.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/125326.expected.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/125326.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/125328.expected.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/125328.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/HT214108.expected.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/HT215500.expected.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/ht214108.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/ht215500.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Apple.Tests/Apple/Fixtures/index.json (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/Chromium/ChromiumConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/Chromium/ChromiumMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/Chromium/Fixtures/chromium-advisory.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/Chromium/Fixtures/chromium-detail.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/Chromium/Fixtures/chromium-feed.xml (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/StellaOps.Concelier.Connector.Vndr.Chromium.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Cisco.Tests/CiscoDtoFactoryTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Cisco.Tests/CiscoMapperTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Cisco.Tests/StellaOps.Concelier.Connector.Vndr.Cisco.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Msrc.Tests/Fixtures/msrc-detail.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Msrc.Tests/Fixtures/msrc-summary.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Msrc.Tests/MsrcConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Msrc.Tests/StellaOps.Concelier.Connector.Vndr.Msrc.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-calendar-cpuapr2024-single.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-calendar-cpuapr2024.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-cpuapr2024-01.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-cpuapr2024-02.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/Fixtures/oracle-detail-invalid.html (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/Oracle/OracleConnectorTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/StellaOps.Concelier.Connector.Vndr.Oracle.Tests.csproj
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/StellaOps.Concelier.Connector.Vndr.Vmware.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-advisories.snapshot.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-detail-vmsa-2024-0001.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-detail-vmsa-2024-0002.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-detail-vmsa-2024-0003.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-index-initial.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/Fixtures/vmware-index-second.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/VmwareConnectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/Vmware/VmwareMapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Aoc/AdvisoryRawWriteGuardTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/CanonicalMergerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Events/AdvisoryEventLogTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/JobCoordinatorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/JobPluginRegistrationExtensionsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/JobSchedulerBuilderTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryLinksetMapperTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryObservationFactoryTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Noise/NoisePriorServiceTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationQueryServiceTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/PluginRoutineFixtures.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Raw/AdvisoryRawServiceTests.cs (97%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/StellaOps.Concelier.Core.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Core.Tests/Unknown/UnknownStateLedgerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.Json.Tests/JsonExportSnapshotBuilderTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.Json.Tests/JsonExporterDependencyInjectionRoutineTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.Json.Tests/JsonExporterParitySmokeTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.Json.Tests/JsonFeedExporterTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Exporter.Json.Tests/StellaOps.Concelier.Exporter.Json.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.Json.Tests/VulnListJsonExportPathResolverTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Exporter.TrivyDb.Tests/StellaOps.Concelier.Exporter.TrivyDb.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.TrivyDb.Tests/TrivyDbExportPlannerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.TrivyDb.Tests/TrivyDbFeedExporterTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.TrivyDb.Tests/TrivyDbOciWriterTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Exporter.TrivyDb.Tests/TrivyDbPackageBuilderTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/AdvisoryIdentityResolverTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/AdvisoryMergeServiceTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/AdvisoryPrecedenceMergerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/AffectedPackagePrecedenceResolverTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/AliasGraphResolverTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/CanonicalHashCalculatorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/DebianEvrComparerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/MergeEventWriterTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/MergePrecedenceIntegrationTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/MetricCollector.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/NevraComparerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/SemanticVersionRangeResolverTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/StellaOps.Concelier.Merge.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Merge.Tests/TestLogger.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/AdvisoryProvenanceTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/AdvisoryTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/AffectedPackageStatusTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/AffectedVersionRangeExtensionsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/AliasSchemeRegistryTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/CanonicalExampleFactory.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/CanonicalExamplesTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/CanonicalJsonSerializerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/EvrPrimitiveExtensionsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.actual.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/ghsa-semver.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.actual.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/kev-flag.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.actual.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/nvd-basic.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.actual.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Fixtures/psirt-overlay.json (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/NevraPrimitiveExtensionsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/NormalizedVersionRuleTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/Observations/AdvisoryObservationTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/OsvGhsaParityDiagnosticsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/OsvGhsaParityInspectorTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/ProvenanceDiagnosticsTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/RangePrimitivesTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/SemVerPrimitiveTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/SerializationDeterminismTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/SeverityNormalizationTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Models.Tests/StellaOps.Concelier.Models.Tests.csproj (70%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/CpeNormalizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/CvssMetricNormalizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/DebianEvrParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/DescriptionNormalizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/NevraParserTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/PackageUrlNormalizerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Normalization.Tests/SemVerRangeRuleBuilderTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Normalization.Tests/StellaOps.Concelier.Normalization.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.RawModels.Tests/StellaOps.Concelier.RawModels.Tests.csproj (80%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.RawModels.Tests/UnitTest1.cs (92%)
rename src/{StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests => Concelier/__Tests/StellaOps.Concelier.RawModels.Tests}/xunit.runner.json (96%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryConflictStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStatementStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStorePerformanceTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/AliasStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/DocumentStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/DtoStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/ExportStateManagerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/ExportStateStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/MergeEventStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/MongoMigrationRunnerTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/MongoAdvisoryEventRepositoryTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/MongoBootstrapperTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/MongoJobStoreTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/MongoSourceStateRepositoryTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationDocumentFactoryTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationStoreTests.cs (97%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.Storage.Mongo.Tests/RawDocumentRetentionServiceTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/StellaOps.Concelier.Storage.Mongo.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.WebService.Tests/ConcelierOptionsPostConfigureTests.cs (100%)
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.WebService.Tests/PluginLoaderTests.cs (100%)
create mode 100644 src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj
rename src/{ => Concelier/__Tests}/StellaOps.Concelier.WebService.Tests/WebServiceEndpointsTests.cs (97%)
rename src/{ => DevPortal}/StellaOps.DevPortal.Site/AGENTS.md (97%)
rename src/{ => DevPortal}/StellaOps.DevPortal.Site/TASKS.md (99%)
create mode 100644 src/EvidenceLocker/StellaOps.EvidenceLocker.sln
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/AGENTS.md (98%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Class1.cs (92%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj (95%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Class1.cs (93%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj (94%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj (91%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/UnitTest1.cs (92%)
rename src/{StellaOps.Aoc.Tests => EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests}/xunit.runner.json (96%)
rename src/{StellaOps.Orchestrator/StellaOps.Orchestrator.WebService => EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService}/Program.cs (96%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Properties/launchSettings.json (96%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj (95%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.http (96%)
rename src/{StellaOps.Notifier/StellaOps.Notifier.WebService => EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService}/appsettings.Development.json (93%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.json (94%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Program.cs (96%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Properties/launchSettings.json (96%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj (95%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Worker.cs (96%)
rename src/{StellaOps.ExportCenter/StellaOps.ExportCenter.Worker => EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker}/appsettings.Development.json (94%)
rename src/{StellaOps.Notifier/StellaOps.Notifier.Worker => EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker}/appsettings.json (94%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.sln (98%)
rename src/{ => EvidenceLocker}/StellaOps.EvidenceLocker/TASKS.md (99%)
rename src/{ => Excititor}/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/AGENTS.md (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Endpoints/IngestEndpoints.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Endpoints/MirrorEndpoints.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Endpoints/ResolveEndpoint.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Program.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Properties/AssemblyInfo.cs (97%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Services/MirrorRateLimiter.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Services/ScopeAuthorization.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs (100%)
create mode 100644 src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj
rename src/{ => Excititor}/StellaOps.Excititor.WebService/TASKS.md (99%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/AGENTS.md (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Options/VexWorkerOptions.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Options/VexWorkerOptionsValidator.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Options/VexWorkerPluginOptions.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Options/VexWorkerRefreshOptions.cs (96%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Options/VexWorkerRetryOptions.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Program.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Properties/AssemblyInfo.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs (97%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/IVexConsensusRefreshScheduler.cs (96%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/IVexProviderRunner.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/VexConsensusRefreshService.cs (97%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs (100%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Signature/VerifyingVexRawDocumentSink.cs (97%)
rename src/{ => Excititor}/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs (97%)
create mode 100644 src/Excititor/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj
rename src/{ => Excititor}/StellaOps.Excititor.Worker/TASKS.md (99%)
create mode 100644 src/Excititor/StellaOps.Excititor.sln
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.ArtifactStores.S3/Extensions/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.ArtifactStores.S3/S3ArtifactClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Dsse/DsseEnvelope.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/EXCITITOR-ATTEST-01-003-plan.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Extensions/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Signing/IVexSigner.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Transparency/ITransparencyLogClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Transparency/RekorHttpClientOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Verification/IVexAttestationVerifier.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Verification/VexAttestationMetrics.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Verification/VexAttestationVerificationOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Attestation/VexAttestationClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/IVexConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorLogScope.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorMetadataBuilder.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorOptionsBinder.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorOptionsBinderOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Abstractions/VexConnectorOptionsValidationException.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/Configuration/CiscoConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/Configuration/CiscoConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/DependencyInjection/CiscoConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/Metadata/CiscoProviderMetadataLoader.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/Authentication/MsrcTokenProvider.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/Configuration/MsrcConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/DependencyInjection/MsrcConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/MsrcCsafConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Authentication/OciCosignAuthority.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Authentication/OciRegistryAuthorization.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Configuration/OciOpenVexAttestationConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Configuration/OciOpenVexAttestationConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/DependencyInjection/OciOpenVexAttestationConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciAttestationDiscoveryResult.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciAttestationDiscoveryService.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciAttestationTarget.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciImageReference.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciImageReferenceParser.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Discovery/OciOfflineBundleReference.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Fetch/OciArtifactDescriptor.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Fetch/OciAttestationDocument.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Fetch/OciAttestationFetcher.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/Fetch/OciRegistryClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/OciOpenVexAttestationConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/Configuration/OracleConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/Configuration/OracleConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/DependencyInjection/OracleConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/Metadata/OracleCatalogLoader.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/OracleCsafConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/Configuration/RedHatConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/DependencyInjection/RedHatConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/Metadata/RedHatProviderMetadataLoader.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/RedHatCsafConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Authentication/RancherHubTokenProvider.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Configuration/RancherHubConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Configuration/RancherHubConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/DependencyInjection/RancherHubConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Design/EXCITITOR-CONN-SUSE-01-002.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Events/RancherHubEventClient.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Events/RancherHubEventModels.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/Metadata/RancherHubMetadataLoader.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/RancherHubConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/State/RancherHubCheckpointManager.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/Configuration/UbuntuConnectorOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/Configuration/UbuntuConnectorOptionsValidator.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/DependencyInjection/UbuntuConnectorServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/Metadata/UbuntuCatalogLoader.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj (98%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Connectors.Ubuntu.CSAF/UbuntuCsafConnector.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Aoc/AocServiceCollectionExtensions.cs (96%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Aoc/ExcititorAocGuardException.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Aoc/IVexRawWriteGuard.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Aoc/VexRawWriteGuard.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/IVexConsensusPolicy.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/MirrorDistributionOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/MirrorExportPlanner.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Observations/IVexObservationLookup.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Observations/IVexObservationQueryService.cs (96%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Observations/VexObservation.cs (96%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Observations/VexObservationQueryModels.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/Observations/VexObservationQueryService.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj (61%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/TASKS.md (99%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexAttestationAbstractions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexCacheEntry.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexCanonicalJsonSerializer.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexClaim.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexConnectorAbstractions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexConsensus.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexConsensusHold.cs (96%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexConsensusResolver.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexExportManifest.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexExporterAbstractions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexNormalizerAbstractions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexProvider.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexQuery.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexQuietProvenance.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexScoreEnvelope.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexSignals.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Core/VexSignatureVerifiers.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/ExportEngine.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/FileSystemArtifactStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/IVexArtifactStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/OfflineBundleArtifactStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/Properties/AssemblyInfo.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/S3ArtifactStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj (85%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/VexExportCacheService.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/VexExportEnvelopeBuilder.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Export/VexMirrorBundlePublisher.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CSAF/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CSAF/CsafNormalizer.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CSAF/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CSAF/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CycloneDX/CycloneDxNormalizer.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CycloneDX/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.CycloneDX/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.OpenVEX/OpenVexNormalizer.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.OpenVEX/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Formats.OpenVEX/TASKS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/IVexPolicyProvider.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/StellaOps.Excititor.Policy.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/TASKS.md (91%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyBinder.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyDiagnostics.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyDigest.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyProcessing.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Policy/VexPolicyTelemetry.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/AGENTS.md (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/IVexExportStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/IVexRawStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/IVexStorageContracts.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/IVexMongoMigration.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexConsensusHoldMigration.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexConsensusSignalsMigration.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexInitialIndexMigration.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexMigrationRecord.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexMongoMigrationHostedService.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Migrations/VexMongoMigrationRunner.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexCacheIndex.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexCacheMaintenance.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexClaimStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexConnectorStateRepository.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexConsensusHoldStore.cs (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexConsensusStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexExportStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexProviderStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/MongoVexRawStore.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/Properties/AssemblyInfo.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/ServiceCollectionExtensions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/StellaOps.Excititor.Storage.Mongo.csproj (97%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/StorageBackedVexNormalizerRouter.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/TASKS.md (99%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/VexMongoMappingRegistry.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/VexMongoModels.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/VexMongoSessionProvider.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/VexMongoStorageOptions.cs (100%)
rename src/{ => Excititor/__Libraries}/StellaOps.Excititor.Storage.Mongo/VexStatementBackfillService.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.ArtifactStores.S3.Tests/S3ArtifactClientTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj (68%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj (52%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Attestation.Tests/VexAttestationClientTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Attestation.Tests/VexAttestationVerifierTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Attestation.Tests/VexDsseBuilderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/Connectors/CiscoCsafConnectorTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/Metadata/CiscoProviderMetadataLoaderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj (72%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/Authentication/MsrcTokenProviderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/Connectors/MsrcCsafConnectorTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj (78%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/Configuration/OciOpenVexAttestationConnectorOptionsValidatorTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/Connector/OciOpenVexAttestationConnectorTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/Discovery/OciAttestationDiscoveryServiceTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj (74%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/Connectors/OracleCsafConnectorTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/Metadata/OracleCatalogLoaderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj (75%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/Connectors/RedHatCsafConnectorTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/Metadata/RedHatProviderMetadataLoaderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj (61%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/Authentication/RancherHubTokenProviderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/Metadata/RancherHubMetadataLoaderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj (60%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/Connectors/UbuntuCsafConnectorTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/Metadata/UbuntuCatalogLoaderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj (75%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/Aoc/VexRawWriteGuardTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/Observations/VexObservationQueryServiceTests.cs (97%)
create mode 100644 src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexCanonicalJsonSerializerTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexConsensusResolverTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexPolicyBinderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexPolicyDiagnosticsTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexQuerySignatureTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Core.Tests/VexSignalSnapshotTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/ExportEngineTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/FileSystemArtifactStoreTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/MirrorBundlePublisherTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/OfflineBundleArtifactStoreTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/S3ArtifactStoreTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj (72%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Export.Tests/VexExportCacheServiceTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.CSAF.Tests/CsafNormalizerTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.CSAF.Tests/Fixtures/rhsa-sample.json (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj (62%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.CycloneDX.Tests/CycloneDxNormalizerTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj (56%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.OpenVEX.Tests/OpenVexNormalizerTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj (56%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Policy.Tests/StellaOps.Excititor.Policy.Tests.csproj (66%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Policy.Tests/VexPolicyProviderTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/MongoVexCacheMaintenanceTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/MongoVexRepositoryTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/MongoVexSessionConsistencyTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/MongoVexStatementBackfillServiceTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/MongoVexStoreMappingTests.cs (100%)
create mode 100644 src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Storage.Mongo.Tests/VexMongoMigrationRunnerTests.cs (100%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/IngestEndpointsTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/MirrorEndpointsTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/ResolveEndpointTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/StatusEndpointTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj (86%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/TestAuthentication.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/TestServiceOverrides.cs (98%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.WebService.Tests/TestWebApplicationFactory.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Worker.Tests/DefaultVexProviderRunnerIntegrationTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Worker.Tests/DefaultVexProviderRunnerTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Worker.Tests/Signature/WorkerSignatureVerifierTests.cs (97%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Worker.Tests/StellaOps.Excititor.Worker.Tests.csproj (79%)
rename src/{ => Excititor/__Tests}/StellaOps.Excititor.Worker.Tests/VexWorkerOptionsTests.cs (100%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.AttestationBundles/AGENTS.md (97%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.AttestationBundles/TASKS.md (99%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md (97%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.DevPortalOffline/TASKS.md (99%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.RiskBundles/AGENTS.md (98%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter.RiskBundles/TASKS.md (99%)
create mode 100644 src/ExportCenter/StellaOps.ExportCenter.sln
rename src/{ => ExportCenter}/StellaOps.ExportCenter/AGENTS.md (98%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Class1.cs (91%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj (95%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Class1.cs (92%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj (94%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj (91%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/UnitTest1.cs (92%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/xunit.runner.json (96%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs (96%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Properties/launchSettings.json (96%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj (95%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.http (96%)
rename src/{StellaOps.Orchestrator/StellaOps.Orchestrator.WebService => ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService}/appsettings.Development.json (93%)
rename src/{StellaOps.Notifier/StellaOps.Notifier.WebService => ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService}/appsettings.json (94%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Program.cs (96%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Properties/launchSettings.json (95%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj (95%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Worker.cs (96%)
rename src/{StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker => ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker}/appsettings.Development.json (94%)
rename src/{StellaOps.Orchestrator/StellaOps.Orchestrator.Worker => ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker}/appsettings.json (94%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/StellaOps.ExportCenter.sln (98%)
rename src/{ => ExportCenter}/StellaOps.ExportCenter/TASKS.md (99%)
rename src/{ => Findings}/StellaOps.Findings.Ledger/AGENTS.md (90%)
rename src/{ => Findings}/StellaOps.Findings.Ledger/TASKS.md (99%)
rename src/{ => Graph}/StellaOps.Graph.Api/AGENTS.md (90%)
rename src/{ => Graph}/StellaOps.Graph.Api/TASKS.md (99%)
rename src/{ => Graph}/StellaOps.Graph.Indexer/AGENTS.md (90%)
rename src/{ => Graph}/StellaOps.Graph.Indexer/TASKS.md (99%)
rename src/{ => IssuerDirectory}/StellaOps.IssuerDirectory/AGENTS.md (87%)
rename src/{ => IssuerDirectory}/StellaOps.IssuerDirectory/TASKS.md (99%)
rename src/{ => Mirror}/StellaOps.Mirror.Creator/AGENTS.md (98%)
rename src/{ => Mirror}/StellaOps.Mirror.Creator/TASKS.md (99%)
create mode 100644 src/Notifier/StellaOps.Notifier.sln
rename src/{ => Notifier}/StellaOps.Notifier/AGENTS.md (98%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Tests/EventProcessorTests.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Tests/RuleEvaluatorTests.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Tests/Support/InMemoryStores.cs (97%)
rename src/{StellaOps.Concelier.RawModels.Tests => Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests}/xunit.runner.json (96%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs (96%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.WebService/Properties/launchSettings.json (96%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.WebService/Setup/MongoInitializationHostedService.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj (64%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.http (96%)
rename src/{StellaOps.ExportCenter/StellaOps.ExportCenter.WebService => Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService}/appsettings.Development.json (93%)
rename src/{StellaOps.ExportCenter/StellaOps.ExportCenter.WebService => Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService}/appsettings.json (94%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Options/NotifierWorkerOptions.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/DefaultNotifyRuleEvaluator.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/IdempotencyKeyBuilder.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/MongoInitializationHostedService.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/NotifierEventProcessor.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/NotifierEventWorker.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Program.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/AssemblyInfo.cs (97%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/launchSettings.json (95%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj (59%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.Development.json (94%)
rename src/{StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker => Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker}/appsettings.json (94%)
rename src/{ => Notifier}/StellaOps.Notifier/StellaOps.Notifier.sln (98%)
rename src/{ => Notifier}/StellaOps.Notifier/TASKS.md (99%)
rename src/{ => Notifier}/StellaOps.Notifier/docs/NOTIFY-SVC-38-001-FOUNDATIONS.md (99%)
rename src/{ => Notify}/StellaOps.Notify.WebService/AGENTS.md (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Contracts/ChannelHealthResponse.cs (96%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Contracts/ChannelTestSendRequest.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Contracts/ChannelTestSendResponse.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Contracts/LockRequests.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Diagnostics/ServiceStatus.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Extensions/ConfigurationExtensions.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Hosting/NotifyPluginHostFactory.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Internal/JsonHttpResult.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Options/NotifyWebServiceOptions.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Options/NotifyWebServiceOptionsPostConfigure.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Options/NotifyWebServiceOptionsValidator.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Plugins/NotifyPluginRegistry.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Program.Partial.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Program.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Security/NotifyPolicies.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Security/NotifyRateLimitPolicies.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Services/NotifyChannelHealthService.cs (97%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Services/NotifyChannelTestService.cs (100%)
rename src/{ => Notify}/StellaOps.Notify.WebService/Services/NotifySchemaMigrationService.cs (100%)
create mode 100644 src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj
rename src/{ => Notify}/StellaOps.Notify.WebService/Storage/InMemory/InMemoryStorageModule.cs (100%)
create mode 100644 src/Notify/StellaOps.Notify.WebService/TASKS.md
rename src/{ => Notify}/StellaOps.Notify.Worker/AGENTS.md (100%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Handlers/INotifyEventHandler.cs (96%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Handlers/NoOpNotifyEventHandler.cs (96%)
rename src/{ => Notify}/StellaOps.Notify.Worker/NotifyWorkerOptions.cs (96%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Processing/NotifyEventLeaseProcessor.cs (97%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Processing/NotifyEventLeaseWorker.cs (97%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Program.cs (97%)
rename src/{ => Notify}/StellaOps.Notify.Worker/Properties/AssemblyInfo.cs (97%)
rename src/{ => Notify}/StellaOps.Notify.Worker/StellaOps.Notify.Worker.csproj (98%)
rename src/{ => Notify}/StellaOps.Notify.Worker/TASKS.md (67%)
rename src/{ => Notify}/StellaOps.Notify.Worker/appsettings.json (96%)
create mode 100644 src/Notify/StellaOps.Notify.sln
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/EmailChannelHealthProvider.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/EmailChannelTestProvider.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/EmailMetadataBuilder.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/StellaOps.Notify.Connectors.Email.csproj (79%)
create mode 100644 src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Email/notify-plugin.json (95%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Shared/ConnectorHashing.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Shared/ConnectorMetadataBuilder.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Shared/ConnectorValueRedactor.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Shared/StellaOps.Notify.Connectors.Shared.csproj (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/SlackChannelHealthProvider.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/SlackChannelTestProvider.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/SlackMetadataBuilder.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/StellaOps.Notify.Connectors.Slack.csproj (79%)
create mode 100644 src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Slack/notify-plugin.json (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/StellaOps.Notify.Connectors.Teams.csproj (79%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/TASKS.md (79%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/TeamsChannelHealthProvider.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/TeamsChannelTestProvider.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/TeamsMetadataBuilder.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Teams/notify-plugin.json (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Webhook/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Webhook/StellaOps.Notify.Connectors.Webhook.csproj (79%)
create mode 100644 src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Webhook/WebhookChannelTestProvider.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Webhook/WebhookMetadataBuilder.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Connectors.Webhook/notify-plugin.json (95%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/ChannelHealthContracts.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/ChannelTestPreviewContracts.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/INotifyRuleEvaluator.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/NotifyRuleEvaluationOutcome.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/StellaOps.Notify.Engine.csproj (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Engine/TASKS.md (67%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/Iso8601DurationConverter.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyCanonicalJsonSerializer.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyChannel.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyDelivery.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyEnums.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyEvent.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyEventKinds.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyRule.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifySchemaMigration.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifySchemaVersions.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyTemplate.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/NotifyValidation.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Models/StellaOps.Notify.Models.csproj (100%)
create mode 100644 src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Nats/NatsNotifyDeliveryLease.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Nats/NatsNotifyDeliveryQueue.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Nats/NatsNotifyEventLease.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Nats/NatsNotifyEventQueue.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyDeliveryQueueHealthCheck.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyDeliveryQueueOptions.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyEventQueueOptions.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueContracts.cs (96%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueFields.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueHealthCheck.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueMetrics.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueServiceCollectionExtensions.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/NotifyQueueTransportKind.cs (94%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Properties/AssemblyInfo.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Redis/RedisNotifyDeliveryLease.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Redis/RedisNotifyDeliveryQueue.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Redis/RedisNotifyEventLease.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/Redis/RedisNotifyEventQueue.cs (97%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/StellaOps.Notify.Queue.csproj (98%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Queue/TASKS.md (67%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/AGENTS.md (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Documents/NotifyAuditEntryDocument.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Documents/NotifyDigestDocument.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Documents/NotifyLockDocument.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Internal/NotifyMongoContext.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Internal/NotifyMongoInitializer.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Migrations/EnsureNotifyCollectionsMigration.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Migrations/EnsureNotifyIndexesMigration.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Migrations/INotifyMongoMigration.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Migrations/NotifyMongoMigrationRecord.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Migrations/NotifyMongoMigrationRunner.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Options/NotifyMongoOptions.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Properties/AssemblyInfo.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyAuditRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyChannelRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyDeliveryRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyDigestRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyLockRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyRuleRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/INotifyTemplateRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyAuditRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyChannelRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyDeliveryQueryResult.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyDeliveryRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyDigestRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyLockRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyRuleRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Repositories/NotifyTemplateRepository.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Serialization/BsonDocumentJsonExtensions.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Serialization/NotifyChannelDocumentMapper.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Serialization/NotifyDeliveryDocumentMapper.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Serialization/NotifyRuleDocumentMapper.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/Serialization/NotifyTemplateDocumentMapper.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/ServiceCollectionExtensions.cs (100%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/StellaOps.Notify.Storage.Mongo.csproj (98%)
rename src/{ => Notify/__Libraries}/StellaOps.Notify.Storage.Mongo/TASKS.md (65%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Email.Tests/EmailChannelHealthProviderTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Email.Tests/StellaOps.Notify.Connectors.Email.Tests.csproj (60%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Slack.Tests/SlackChannelHealthProviderTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Slack.Tests/SlackChannelTestProviderTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Slack.Tests/StellaOps.Notify.Connectors.Slack.Tests.csproj (60%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Teams.Tests/StellaOps.Notify.Connectors.Teams.Tests.csproj (60%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Teams.Tests/TeamsChannelHealthProviderTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Connectors.Teams.Tests/TeamsChannelTestProviderTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/DocSampleTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/NotifyCanonicalJsonSerializerTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/NotifyDeliveryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/NotifyRuleTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/NotifySchemaMigrationTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/PlatformEventSamplesTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/PlatformEventSchemaValidationTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Models.Tests/StellaOps.Notify.Models.Tests.csproj (81%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Queue.Tests/NatsNotifyDeliveryQueueTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Queue.Tests/NatsNotifyEventQueueTests.cs (96%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Queue.Tests/RedisNotifyDeliveryQueueTests.cs (96%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Queue.Tests/RedisNotifyEventQueueTests.cs (96%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Queue.Tests/StellaOps.Notify.Queue.Tests.csproj (79%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/AssemblyInfo.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/GlobalUsings.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Internal/NotifyMongoMigrationTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyAuditRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyChannelRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyDeliveryRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyDigestRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyLockRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyRuleRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Repositories/NotifyTemplateRepositoryTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Serialization/NotifyChannelDocumentMapperTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Serialization/NotifyRuleDocumentMapperTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/Serialization/NotifyTemplateDocumentMapperTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Storage.Mongo.Tests/StellaOps.Notify.Storage.Mongo.Tests.csproj (75%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.WebService.Tests/CrudEndpointsTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.WebService.Tests/NormalizeEndpointsTests.cs (100%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.WebService.Tests/StellaOps.Notify.WebService.Tests.csproj (59%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Worker.Tests/NotifyEventLeaseProcessorTests.cs (97%)
rename src/{ => Notify/__Tests}/StellaOps.Notify.Worker.Tests/StellaOps.Notify.Worker.Tests.csproj (72%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md (98%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md (99%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md (98%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md (99%)
create mode 100644 src/Orchestrator/StellaOps.Orchestrator.sln
rename src/{ => Orchestrator}/StellaOps.Orchestrator/AGENTS.md (98%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Class1.cs (91%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/StellaOps.Orchestrator.Core.csproj (95%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Class1.cs (92%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/StellaOps.Orchestrator.Infrastructure.csproj (94%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/StellaOps.Orchestrator.Tests.csproj (91%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/UnitTest1.cs (92%)
create mode 100644 src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json
rename src/{StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService => Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService}/Program.cs (96%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Properties/launchSettings.json (96%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj (95%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.http (96%)
rename src/{StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService => Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService}/appsettings.Development.json (93%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.json (94%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Program.cs (96%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Properties/launchSettings.json (95%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj (95%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs (96%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.Development.json (94%)
rename src/{StellaOps.ExportCenter/StellaOps.ExportCenter.Worker => Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker}/appsettings.json (94%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/StellaOps.Orchestrator.sln (98%)
rename src/{ => Orchestrator}/StellaOps.Orchestrator/TASKS.md (99%)
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry.sln
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/AGENTS.md (98%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Class1.cs (92%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/StellaOps.PacksRegistry.Core.csproj (95%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Class1.cs (92%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/StellaOps.PacksRegistry.Infrastructure.csproj (94%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/StellaOps.PacksRegistry.Tests.csproj (91%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/UnitTest1.cs (92%)
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json
rename src/{StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService => PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService}/Program.cs (96%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Properties/launchSettings.json (96%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj (95%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.http (96%)
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Program.cs (96%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Properties/launchSettings.json (95%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj (95%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs (96%)
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json
create mode 100644 src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/StellaOps.PacksRegistry.sln (98%)
rename src/{ => PacksRegistry}/StellaOps.PacksRegistry/TASKS.md (99%)
rename src/{ => Policy}/StellaOps.Policy.Engine/AGENTS.md (92%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/DslToken.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/DslTokenizer.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicyCompiler.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicyDslDiagnosticCodes.cs (98%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicyIr.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicyIrSerializer.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicyParser.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Compilation/PolicySyntaxNodes.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Domain/PolicyPackRecord.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Endpoints/PolicyCompilationEndpoints.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Endpoints/PolicyPackEndpoints.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Evaluation/PolicyEvaluationContext.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Evaluation/PolicyEvaluator.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Evaluation/PolicyExpressionEvaluator.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Hosting/PolicyEngineStartupDiagnostics.cs (95%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Options/PolicyEngineOptions.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Program.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Properties/AssemblyInfo.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/README.md (98%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Services/IPolicyPackRepository.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Services/InMemoryPolicyPackRepository.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Services/PolicyCompilationService.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Services/PolicyEvaluationService.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Services/ScopeAuthorization.cs (96%)
create mode 100644 src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj
rename src/{ => Policy}/StellaOps.Policy.Engine/TASKS.md (99%)
rename src/{ => Policy}/StellaOps.Policy.Engine/Workers/PolicyEngineBootstrapWorker.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Clients/IPolicyEngineClient.cs (98%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Clients/PolicyEngineClient.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Clients/PolicyEngineResponse.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Clients/PolicyEngineResponseExtensions.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Contracts/PolicyPackContracts.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Infrastructure/GatewayForwardingContext.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Options/PolicyGatewayOptions.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Program.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Properties/AssemblyInfo.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Services/PolicyEngineTokenProvider.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Services/PolicyGatewayAuthorization.cs (96%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopHandler.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopProofGenerator.cs (97%)
rename src/{ => Policy}/StellaOps.Policy.Gateway/Services/PolicyGatewayMetrics.cs (97%)
create mode 100644 src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj
rename src/{ => Policy}/StellaOps.Policy.Registry/AGENTS.md (76%)
rename src/{ => Policy}/StellaOps.Policy.Registry/TASKS.md (99%)
rename src/{ => Policy}/StellaOps.Policy.RiskProfile/AGENTS.md (97%)
rename src/{ => Policy}/StellaOps.Policy.RiskProfile/TASKS.md (99%)
create mode 100644 src/Policy/StellaOps.Policy.sln
rename src/{ => Policy/__Libraries}/StellaOps.Policy/AGENTS.md (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Audit/IPolicyAuditRepository.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Audit/InMemoryPolicyAuditRepository.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyAuditEntry.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyBinder.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyDiagnostics.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyDigest.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyDocument.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyEvaluation.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyFinding.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyIssue.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyPreviewModels.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyPreviewService.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicySchemaResource.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyScoringConfig.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyScoringConfigBinder.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyScoringConfigDigest.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyScoringSchema.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicySnapshot.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicySnapshotStore.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyUnknownConfidenceConfig.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyValidationCli.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/PolicyVerdict.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Schemas/policy-schema@1.json (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Schemas/policy-scoring-default.json (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Schemas/policy-scoring-schema@1.json (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/StellaOps.Policy.csproj (97%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Storage/IPolicySnapshotRepository.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/Storage/InMemoryPolicySnapshotRepository.cs (100%)
rename src/{ => Policy/__Libraries}/StellaOps.Policy/TASKS.md (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Engine.Tests/PolicyCompilerTests.cs (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Engine.Tests/PolicyEvaluatorTests.cs (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Engine.Tests/PolicyPackRepositoryTests.cs (98%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj (68%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Gateway.Tests/GatewayActivationTests.cs (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Gateway.Tests/PolicyEngineClientTests.cs (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Gateway.Tests/PolicyGatewayDpopProofGeneratorTests.cs (97%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj (60%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/PolicyBinderTests.cs (100%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/PolicyEvaluationTests.cs (100%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/PolicyPreviewServiceTests.cs (100%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/PolicyScoringConfigTests.cs (100%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/PolicySnapshotStoreTests.cs (100%)
rename src/{ => Policy/__Tests}/StellaOps.Policy.Tests/StellaOps.Policy.Tests.csproj (69%)
rename src/{ => Provenance}/StellaOps.Provenance.Attestation/AGENTS.md (98%)
rename src/{ => Provenance}/StellaOps.Provenance.Attestation/TASKS.md (99%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/Observability/RegistryTokenMetrics.cs (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/PlanRegistry.cs (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/Program.cs (97%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/Properties/launchSettings.json (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/RegistryAccessModels.cs (97%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/RegistryScopeParser.cs (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/RegistryTokenIssuer.cs (97%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/RegistryTokenServiceOptions.cs (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/Security/SigningKeyLoader.cs (96%)
rename src/{ => Registry}/StellaOps.Registry.TokenService/StellaOps.Registry.TokenService.csproj (62%)
create mode 100644 src/Registry/StellaOps.Registry.TokenService/appsettings.Development.json
create mode 100644 src/Registry/StellaOps.Registry.TokenService/appsettings.json
create mode 100644 src/Registry/StellaOps.Registry.sln
rename src/{ => Registry/__Tests}/StellaOps.Registry.TokenService.Tests/PlanRegistryTests.cs (96%)
rename src/{ => Registry/__Tests}/StellaOps.Registry.TokenService.Tests/RegistryScopeParserTests.cs (96%)
rename src/{ => Registry/__Tests}/StellaOps.Registry.TokenService.Tests/RegistryTokenIssuerTests.cs (96%)
create mode 100644 src/Registry/__Tests/StellaOps.Registry.TokenService.Tests/StellaOps.Registry.TokenService.Tests.csproj
rename src/{ => Registry/__Tests}/StellaOps.Registry.TokenService.Tests/UnitTest1.cs (92%)
create mode 100644 src/Registry/__Tests/StellaOps.Registry.TokenService.Tests/xunit.runner.json
create mode 100644 src/RiskEngine/StellaOps.RiskEngine.sln
rename src/{ => RiskEngine}/StellaOps.RiskEngine/AGENTS.md (98%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Class1.cs (91%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/StellaOps.RiskEngine.Core.csproj (95%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Class1.cs (92%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/StellaOps.RiskEngine.Infrastructure.csproj (94%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/StellaOps.RiskEngine.Tests.csproj (91%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/UnitTest1.cs (92%)
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Properties/launchSettings.json (96%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj (94%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.http (96%)
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Program.cs (96%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Properties/launchSettings.json (95%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj (95%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Worker.cs (96%)
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json
create mode 100644 src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json
rename src/{ => RiskEngine}/StellaOps.RiskEngine/StellaOps.RiskEngine.sln (98%)
rename src/{ => RiskEngine}/StellaOps.RiskEngine/TASKS.md (99%)
create mode 100644 src/SbomService/StellaOps.SbomService.sln
rename src/{ => SbomService}/StellaOps.SbomService/AGENTS.md (98%)
rename src/{ => SbomService}/StellaOps.SbomService/Program.cs (96%)
rename src/{ => SbomService}/StellaOps.SbomService/StellaOps.SbomService.csproj (58%)
rename src/{ => SbomService}/StellaOps.SbomService/TASKS.md (99%)
rename src/{ => Scanner}/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md (99%)
rename src/{ => Scanner}/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md (99%)
rename src/{ => Scanner}/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md (99%)
rename src/{ => Scanner}/StellaOps.Scanner.Analyzers.Native/TASKS.md (99%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Attestation/AttestorClient.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Attestation/AttestorProvenanceRequest.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/BuildxPluginException.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Cas/CasWriteResult.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Cas/LocalCasClient.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Cas/LocalCasOptions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorArtifact.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorDocument.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorGenerator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorGeneratorMetadata.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorProvenance.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorRequest.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Descriptor/DescriptorSubject.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginCas.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginEntryPoint.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginImage.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginManifest.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Manifest/BuildxPluginManifestLoader.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Sbomer.BuildXPlugin/stellaops.sbom-indexer.manifest.json (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/AssemblyInfo.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Constants/ProblemTypes.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/OrchestratorEventContracts.cs (96%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/PolicyDiagnosticsContracts.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/PolicyPreviewContracts.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/ReportContracts.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/RuntimeEventsContracts.cs (96%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/RuntimePolicyContracts.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/ScanStatusResponse.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/ScanSubmitRequest.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Contracts/ScanSubmitResponse.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Diagnostics/ServiceStatus.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanId.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanProgressEvent.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanSnapshot.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanStatus.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanSubmission.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Domain/ScanTarget.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Endpoints/HealthEndpoints.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Endpoints/PolicyEndpoints.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Endpoints/ReportEndpoints.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Endpoints/RuntimeEndpoints.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Extensions/ConfigurationExtensions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Extensions/OpenApiRegistrationExtensions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Hosting/ScannerPluginHostFactory.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Infrastructure/ProblemResultFactory.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptionsPostConfigure.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Options/ScannerWebServiceOptionsValidator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Program.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Security/AnonymousAuthenticationHandler.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Security/ScannerAuthorityScopes.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Security/ScannerPolicies.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Serialization/OrchestratorEventSerializer.cs (96%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/IPlatformEventPublisher.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/IRedisConnectionFactory.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/IReportEventDispatcher.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/IScanCoordinator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/InMemoryScanCoordinator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/NullPlatformEventPublisher.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/PolicyDtoMapper.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/RedisConnectionFactory.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/RedisPlatformEventPublisher.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/ReportEventDispatcher.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/ReportSigner.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/RuntimeEventIngestionService.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/RuntimeEventRateLimiter.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/RuntimePolicyService.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Services/ScanProgressStream.cs (100%)
create mode 100644 src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj
rename src/{ => Scanner}/StellaOps.Scanner.WebService/TASKS.md (97%)
rename src/{ => Scanner}/StellaOps.Scanner.WebService/Utilities/ScanIdGenerator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/AGENTS.md (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Diagnostics/ScannerWorkerInstrumentation.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Diagnostics/ScannerWorkerMetrics.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Diagnostics/TelemetryExtensions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Hosting/ScannerWorkerHostedService.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Options/ScannerWorkerOptions.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Options/ScannerWorkerOptionsValidator.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/AnalyzerStageExecutor.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/CompositeScanAnalyzerDispatcher.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/EntryTraceExecutionService.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IDelayScheduler.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IEntryTraceExecutionService.cs (96%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IScanAnalyzerDispatcher.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IScanJobLease.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IScanJobSource.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/IScanStageExecutor.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/LeaseHeartbeatService.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/NoOpStageExecutor.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/NullScanJobSource.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/PollDelayStrategy.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/ScanJobContext.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/ScanJobProcessor.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/ScanProgressReporter.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/ScanStageNames.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Processing/SystemDelayScheduler.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Program.cs (100%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/Properties/AssemblyInfo.cs (97%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj (52%)
rename src/{ => Scanner}/StellaOps.Scanner.Worker/TASKS.md (100%)
create mode 100644 src/Scanner/StellaOps.Scanner.sln
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/DotNetAnalyzerPlugin.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/DotNetLanguageAnalyzer.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/IDotNetAuthenticodeInspector.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDependencyCollector.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDepsFile.cs (98%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetFileCaches.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetRuntimeConfig.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md (99%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.DotNet/manifest.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md (94%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/GoAnalyzerPlugin.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/GoLanguageAnalyzer.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoAnalyzerMetrics.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBinaryScanner.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfo.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoDecoder.cs (95%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoParser.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoProvider.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoDwarfMetadata.cs (95%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoDwarfReader.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoModule.cs (95%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoStrippedBinaryClassification.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Go/manifest.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaClassLocation.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaClassPathAnalysis.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaClassPathBuilder.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaModuleDescriptor.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaModuleInfoParser.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaArchive.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaArchiveEntry.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaPackagingKind.cs (93%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaReleaseFileParser.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaRuntimeImage.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaWorkspace.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaWorkspaceNormalizer.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaZipEntryUtilities.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Reflection/JavaReflectionAnalysis.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Reflection/JavaReflectionAnalyzer.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ServiceProviders/JavaServiceProviderScanner.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ServiceProviders/JavaSpiCatalog.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ServiceProviders/java-spi-catalog.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/Properties/AssemblyInfo.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md (99%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Java/manifest.json (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeAnalyzerMetrics.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLifecycleScript.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLockData.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLockEntry.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodePackage.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodePackageCollector.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeWorkspaceIndex.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/NodeAnalyzerPlugin.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/NodeLanguageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md (99%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Node/manifest.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonDistributionLoader.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/PythonAnalyzerPlugin.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/PythonLanguageAnalyzer.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md (99%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Python/manifest.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustAnalyzerCollector.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustBinaryClassifier.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustCargoLockParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustFingerprintScanner.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/RustAnalyzerPlugin.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/RustLanguageAnalyzer.cs (99%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/StellaOps.Scanner.Analyzers.Lang.Rust.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang.Rust/manifest.json (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/ILanguageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/Internal/LanguageAnalyzerJson.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerEngine.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentEvidence.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentMapper.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentRecord.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Core/LanguageUsageHints.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/GlobalUsings.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Plugin/ILanguageAnalyzerPlugin.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/Plugin/LanguageAnalyzerPluginCatalog.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md (93%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.csproj (67%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.Lang/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/ApkAnalyzerPlugin.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/ApkDatabaseParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/ApkPackageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.csproj (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Apk/manifest.json (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgAnalyzerPlugin.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgStatusParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/StellaOps.Scanner.Analyzers.OS.Dpkg.csproj (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Dpkg/manifest.json (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/IRpmDatabaseReader.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/RpmAnalyzerPlugin.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/RpmDatabaseReader.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/StellaOps.Scanner.Analyzers.OS.Rpm.csproj (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS.Rpm/manifest.json (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Abstractions/IOSPackageAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Analyzers/OsPackageAnalyzerBase.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Helpers/CveHintExtractor.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Helpers/PackageUrlBuilder.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Helpers/PackageVersionParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Mapping/OsComponentMapper.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/AnalyzerWarning.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/OSAnalyzerTelemetry.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/OSPackageAnalyzerContext.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/OSPackageAnalyzerResult.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/OSPackageFileEvidence.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/OSPackageRecord.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Model/PackageEvidenceSource.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Plugin/IOSAnalyzerPlugin.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Plugin/OsAnalyzerPluginCatalog.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/StellaOps.Scanner.Analyzers.OS.csproj (78%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Analyzers.OS/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/Abstractions/IFileContentAddressableStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/Abstractions/ILayerCacheStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/Abstractions/LayerCacheEntry.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/Abstractions/LayerCachePutRequest.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/FileCas/FileContentAddressableStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/FileCas/NullFileContentAddressableStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/LayerCache/LayerCacheStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/Maintenance/ScannerCacheMaintenanceService.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/ScannerCacheMetrics.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/ScannerCacheOptions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/ScannerCacheServiceCollectionExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/StellaOps.Scanner.Cache.csproj (98%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Cache/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ComponentGraph.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ComponentModels.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/SbomView.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanAnalysisStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanAnalysisStoreExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanJob.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanJobIdJsonConverter.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanMetadataKeys.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScanProgressEvent.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Contracts/ScannerError.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Observability/ScannerCorrelationContext.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Observability/ScannerDiagnostics.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Observability/ScannerLogExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Observability/ScannerMetricNames.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/AuthorityTokenSource.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/IAuthorityTokenSource.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/IPluginCatalogGuard.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/RestartOnlyPluginGuard.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/ScannerOperationalToken.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Security/ServiceCollectionExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Serialization/ScannerJsonOptions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/StellaOps.Scanner.Core.csproj (65%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Utility/ScannerIdentifiers.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Core/Utility/ScannerTimestamps.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/ComponentDiffModels.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/ComponentDiffer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/DiffJsonSerializer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/StellaOps.Scanner.Diff.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Diff/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Composition/CycloneDxComposer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Composition/SbomCompositionRequest.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Composition/SbomCompositionResult.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Composition/SbomPolicyFinding.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Composition/ScanAnalysisCompositionBuilder.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Index/BomIndexBuilder.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/Packaging/ScannerArtifactPackageBuilder.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/StellaOps.Scanner.Emit.csproj (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Emit/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Diagnostics/EntryTraceMetrics.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntryTraceAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntryTraceAnalyzerOptions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntryTraceContext.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntryTraceImageContextFactory.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntryTraceTypes.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/EntrypointSpecification.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/FileSystem/IRootFileSystem.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/FileSystem/LayeredRootFileSystem.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/IEntryTraceAnalyzer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Oci/OciImageConfig.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Parsing/ShellNodes.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Parsing/ShellParser.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Parsing/ShellToken.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/Parsing/ShellTokenizer.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/ServiceCollectionExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/StellaOps.Scanner.EntryTrace.csproj (84%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.EntryTrace/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/IScanQueue.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/IScanQueueLease.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/Nats/NatsScanQueue.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/Nats/NatsScanQueueLease.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/QueueEnvelopeFields.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/QueueMetrics.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/QueueTransportKind.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/Redis/RedisScanQueue.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/Redis/RedisScanQueueLease.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/ScanQueueContracts.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/ScannerQueueHealthCheck.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/ScannerQueueOptions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/ScannerQueueServiceCollectionExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/StellaOps.Scanner.Queue.csproj (98%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Queue/TASKS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/AGENTS.md (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/ArtifactDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/CatalogIdFactory.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/ImageDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/JobDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/LayerDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/LifecycleRuleDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/LinkDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Catalog/RuntimeEventDocument.cs (96%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Extensions/ServiceCollectionExtensions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Migrations/EnsureLifecycleRuleTtlMigration.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Migrations/IMongoMigration.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Migrations/MongoMigrationDocument.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Migrations/MongoMigrationRunner.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Mongo/MongoBootstrapper.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Mongo/MongoCollectionProvider.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/ObjectStore/IArtifactObjectStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/ObjectStore/RustFsArtifactObjectStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/ObjectStore/S3ArtifactObjectStore.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/ArtifactRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/ImageRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/JobRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/LayerRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/LifecycleRuleRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/LinkRepository.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Repositories/RuntimeEventRepository.cs (97%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/ScannerStorageDefaults.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/ScannerStorageOptions.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/Services/ArtifactStorageService.cs (100%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/StellaOps.Scanner.Storage.csproj (98%)
rename src/{ => Scanner/__Libraries}/StellaOps.Scanner.Storage/TASKS.md (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/basic/app (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/basic/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/dwarf-only/app (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/dwarf-only/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/stripped/app (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Fixtures/lang/go/stripped/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Go/GoLanguageAnalyzerTests.cs (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj (80%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Fixtures/java/basic/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Java/JavaClassPathBuilderTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Java/JavaLanguageAnalyzerTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Java/JavaReflectionAnalyzerTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Java/JavaServiceProviderScannerTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Java/JavaWorkspaceNormalizerTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj (80%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/package-lock.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/package.json (94%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/app/package.json (94%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/app/scripts/setup.js (95%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/lib/package.json (92%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/shared/package.json (93%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Node/NodeLanguageAnalyzerTests.cs (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Node.Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests.csproj (80%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/expected.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered-2.0.dist-info/INSTALLER (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered-2.0.dist-info/METADATA (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered-2.0.dist-info/RECORD (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered-2.0.dist-info/WHEEL (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered-2.0.dist-info/entry_points.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered/__init__.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered/cli.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer1/usr/lib/python3.11/site-packages/layered/core.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/LICENSE (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/INSTALLER (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/METADATA (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/RECORD (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/WHEEL (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/direct_url.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered-2.0.dist-info/entry_points.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered/plugins/__init__.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/layered-editable/layer2/usr/lib/python3.11/site-packages/layered/plugins/plugin.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/expected.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.data/scripts/cache-tool (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.dist-info/INSTALLER (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.dist-info/METADATA (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.dist-info/RECORD (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.dist-info/WHEEL (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg-1.2.3.dist-info/entry_points.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg/LICENSE (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg/__init__.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg/data/config.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/pip-cache/lib/python3.11/site-packages/cache_pkg/md5only.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/expected.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/INSTALLER (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/METADATA (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/RECORD (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/WHEEL (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/direct_url.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple-1.0.0.dist-info/entry_points.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple/__init__.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple/__main__.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/lang/python/simple-venv/lib/python3.11/site-packages/simple/core.py (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Python/PythonLanguageAnalyzerTests.cs (99%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Python.Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests.csproj (79%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Core/LanguageAnalyzerResultTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Core/LanguageComponentMapperTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Determinism/LanguageAnalyzerHarnessTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/DotNet/DotNetLanguageAnalyzerTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/determinism/basic/expected.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/determinism/basic/input/placeholder.txt (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/AppA.deps.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/AppA.runtimeconfig.json (94%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/AppB.deps.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/AppB.runtimeconfig.json (94%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/expected.json (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/packages/stellaops.logging/2.5.1/LICENSE.txt (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/packages/stellaops.logging/2.5.1/stellaops.logging.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi/packages/stellaops.toolkit/1.2.3/LICENSE.txt (96%)
rename src/{StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple => Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi}/packages/stellaops.toolkit/1.2.3/stellaops.toolkit.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/MyApp.deps.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/MyApp.runtimeconfig.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/expected.json (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/packages/stellaops.runtime.selfcontained/2.1.0/stellaops.runtime.selfcontained.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/packages/stellaops.toolkit/1.2.3/LICENSE.txt (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/packages/stellaops.toolkit/1.2.3/stellaops.toolkit.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/selfcontained/runtimes/linux-x64/native/libstellaopsnative.so (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/signed/Signed.App.deps.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/signed/Signed.App.runtimeconfig.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/signed/expected.json (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/signed/packages/microsoft.extensions.logging/9.0.0/microsoft.extensions.logging.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple/Sample.App.deps.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple/Sample.App.runtimeconfig.json (94%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple/expected.json (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple/packages/microsoft.extensions.logging/9.0.0/microsoft.extensions.logging.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple/packages/stellaops.toolkit/1.2.3/LICENSE.txt (96%)
rename src/{StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/multi => Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet/simple}/packages/stellaops.toolkit/1.2.3/stellaops.toolkit.nuspec (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/rust/simple/Cargo.lock (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/rust/simple/expected.json (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/rust/simple/target/debug/.fingerprint/my_app-1234567890abcdef/bin-my_app-1234567890abcdef.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/rust/simple/target/debug/.fingerprint/serde-abcdef1234567890/libserde-abcdef1234567890.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Harness/LanguageAnalyzerTestHarness.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/Rust/RustLanguageAnalyzerTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/StellaOps.Scanner.Analyzers.Lang.Tests.csproj (72%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/TestUtilities/JavaClassFileFactory.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/TestUtilities/JavaFixtureBuilder.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.Lang.Tests/TestUtilities/TestPaths.cs (100%)
create mode 100644 src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/xunit.runner.json
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/apk/lib/apk/db/installed (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/dpkg/var/lib/dpkg/info/bash.conffiles (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/dpkg/var/lib/dpkg/info/bash.list (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/dpkg/var/lib/dpkg/info/bash.md5sums (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/dpkg/var/lib/dpkg/status (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/goldens/apk.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/goldens/dpkg.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Fixtures/goldens/rpm.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/Mapping/OsComponentMapperTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/StellaOps.Scanner.Analyzers.OS.Tests.csproj (62%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/TestUtilities/FixtureManager.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/TestUtilities/GoldenAssert.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Analyzers.OS.Tests/TestUtilities/SnapshotSerializer.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Cache.Tests/LayerCacheRoundTripTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Cache.Tests/StellaOps.Scanner.Cache.Tests.csproj (84%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Contracts/ComponentGraphBuilderTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Contracts/ComponentModelsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Contracts/ScanJobTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Contracts/ScannerCoreContractsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Fixtures/scan-job.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Fixtures/scan-progress-event.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Fixtures/scanner-error.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Observability/ScannerLogExtensionsPerformanceTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Observability/ScannerLogExtensionsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Security/AuthorityTokenSourceTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Security/DpopProofValidatorTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Security/RestartOnlyPluginGuardTests.cs (100%)
create mode 100644 src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/StellaOps.Scanner.Core.Tests.csproj
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Utility/ScannerIdentifiersTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Core.Tests/Utility/ScannerTimestampsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Diff.Tests/ComponentDifferTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Diff.Tests/StellaOps.Scanner.Diff.Tests.csproj (59%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Emit.Tests/Composition/CycloneDxComposerTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Emit.Tests/Composition/ScanAnalysisCompositionBuilderTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Emit.Tests/Index/BomIndexBuilderTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Emit.Tests/Packaging/ScannerArtifactPackageBuilderTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Emit.Tests/StellaOps.Scanner.Emit.Tests.csproj (59%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/EntryTraceAnalyzerTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/EntryTraceImageContextFactoryTests.cs (96%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/LayeredRootFileSystemTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/ShellParserTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/StellaOps.Scanner.EntryTrace.Tests.csproj (66%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.EntryTrace.Tests/TestRootFileSystem.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Queue.Tests/QueueLeaseIntegrationTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Queue.Tests/StellaOps.Scanner.Queue.Tests.csproj (69%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Attestation/AttestorClientTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Cas/LocalCasClientTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Descriptor/DescriptorGeneratorTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Descriptor/DescriptorGoldenTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Fixtures/descriptor.baseline.json (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Manifest/BuildxPluginManifestLoaderTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj (69%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/TestUtilities/TempDirectory.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Storage.Tests/InMemoryArtifactObjectStore.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Storage.Tests/RustFsArtifactObjectStoreTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Storage.Tests/ScannerMongoFixture.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Storage.Tests/StellaOps.Scanner.Storage.Tests.csproj (58%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Storage.Tests/StorageDualWriteFixture.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/AuthorizationTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/HealthEndpointsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/PlatformEventPublisherRegistrationTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/PlatformEventSamplesTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/PolicyEndpointsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/ReportEventDispatcherTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/ReportSamplesTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/ReportsEndpointsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/RuntimeEndpointsTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/ScannerApplicationFactory.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj (81%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/CompositeScanAnalyzerDispatcherTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/EntryTraceExecutionServiceTests.cs (97%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/LeaseHeartbeatServiceTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/RedisWorkerSmokeTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/ScannerWorkerOptionsValidatorTests.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj (53%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/TestInfrastructure/StaticOptionsMonitor.cs (100%)
rename src/{ => Scanner/__Tests}/StellaOps.Scanner.Worker.Tests/WorkerBasicScanScenarioTests.cs (100%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/AGENTS.md (100%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/AnonymousAuthenticationHandler.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/ClaimsTenantContextAccessor.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/HeaderScopeAuthorizer.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/HeaderTenantContextAccessor.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/IScopeAuthorizer.cs (95%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/ITenantContextAccessor.cs (95%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Auth/TokenScopeAuthorizer.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/EventWebhookEndpointExtensions.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/IInboundExportEventSink.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/IWebhookRateLimiter.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/IWebhookRequestAuthenticator.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/InMemoryWebhookRateLimiter.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/LoggingExportEventSink.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/EventWebhooks/WebhookPayloads.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/CartographerWebhookClient.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/Events/GraphJobCompletedEvent.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/Events/GraphJobEventFactory.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/Events/GraphJobEventKinds.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/Events/GraphJobEventPublisher.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphBuildJobRequest.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobCompletionNotification.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobCompletionRequest.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobEndpointExtensions.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobQuery.cs (95%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobResponse.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphJobService.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/GraphOverlayJobRequest.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/ICartographerWebhookClient.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/IGraphJobCompletionPublisher.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/IGraphJobService.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/IGraphJobStore.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/InMemoryGraphJobStore.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/MongoGraphJobStore.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/NullCartographerWebhookClient.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/NullGraphJobCompletionPublisher.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/GraphJobs/OverlayLagMetricsResponse.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Hosting/SchedulerPluginHostFactory.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/ISystemClock.cs (95%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Options/SchedulerAuthorityOptions.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Options/SchedulerCartographerOptions.cs (95%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Options/SchedulerEventsOptions.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Options/SchedulerOptions.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/PolicyRuns/IPolicyRunService.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/PolicyRuns/InMemoryPolicyRunService.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/PolicyRuns/PolicyRunEndpointExtensions.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/PolicyRuns/PolicyRunQueryOptions.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/PolicyRuns/PolicyRunService.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Program.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Properties/AssemblyInfo.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Runs/InMemoryRunRepository.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Runs/RunContracts.cs (98%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Runs/RunEndpoints.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/SchedulerEndpointHelpers.cs (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Schedules/InMemorySchedulerServices.cs (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Schedules/ScheduleContracts.cs (98%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/Schedules/ScheduleEndpoints.cs (97%)
create mode 100644 src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/TASKS.md (98%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/docs/SCHED-WEB-16-103-RUN-APIS.md (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/docs/SCHED-WEB-16-104-WEBHOOKS.md (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/docs/SCHED-WEB-20-001-POLICY-RUNS.md (97%)
rename src/{ => Scheduler}/StellaOps.Scheduler.WebService/docs/SCHED-WEB-21-001-GRAPH-APIS.md (96%)
rename src/{ => Scheduler}/StellaOps.Scheduler.Worker.Host/Program.cs (100%)
rename src/{ => Scheduler}/StellaOps.Scheduler.Worker.Host/StellaOps.Scheduler.Worker.Host.csproj (100%)
create mode 100644 src/Scheduler/StellaOps.Scheduler.sln
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/AGENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/FixtureImpactIndex.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/IImpactIndex.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/ImpactImageRecord.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/ImpactIndexServiceCollectionExtensions.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/ImpactIndexStubOptions.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/Ingestion/BomIndexReader.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/Ingestion/ImpactIndexIngestionRequest.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/REMOVAL_NOTE.md (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/RoaringImpactIndex.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/StellaOps.Scheduler.ImpactIndex.csproj (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.ImpactIndex/TASKS.md (88%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/AGENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/AssemblyInfo.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/AuditRecord.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/CanonicalJsonSerializer.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/EnumConverters.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/Enums.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/GraphBuildJob.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/GraphJobStateMachine.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/GraphOverlayJob.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/ImpactSet.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/PolicyRunJob.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/PolicyRunModels.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/Run.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/RunReasonExtensions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/RunStateMachine.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/RunStatsBuilder.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/Schedule.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/SchedulerSchemaMigration.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/SchedulerSchemaMigrationResult.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/SchedulerSchemaVersions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/Selector.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/StellaOps.Scheduler.Models.csproj (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/TASKS.md (95%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/Validation.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/docs/SCHED-MODELS-16-103-DESIGN.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/AGENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/AssemblyInfo.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/ISchedulerQueueTransportDiagnostics.cs (95%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Nats/INatsSchedulerQueuePayload.cs (95%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Nats/NatsSchedulerPlannerQueue.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Nats/NatsSchedulerQueueBase.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Nats/NatsSchedulerQueueLease.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Nats/NatsSchedulerRunnerQueue.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/README.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Redis/IRedisSchedulerQueuePayload.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Redis/RedisSchedulerPlannerQueue.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Redis/RedisSchedulerQueueBase.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Redis/RedisSchedulerQueueLease.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/Redis/RedisSchedulerRunnerQueue.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueContracts.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueFields.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueHealthCheck.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueMetrics.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueOptions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueServiceCollectionExtensions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/SchedulerQueueTransportKind.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/StellaOps.Scheduler.Queue.csproj (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Queue/TASKS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/AGENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Documents/RunSummaryDocument.cs (95%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Internal/SchedulerMongoContext.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Internal/SchedulerMongoInitializer.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Internal/SchedulerMongoInitializerHostedService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Migrations/EnsureSchedulerCollectionsMigration.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Migrations/EnsureSchedulerIndexesMigration.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Migrations/ISchedulerMongoMigration.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Migrations/SchedulerMongoMigrationRecord.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Migrations/SchedulerMongoMigrationRunner.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Options/SchedulerMongoOptions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Projections/RunSummaryProjection.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/README.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/AuditQueryOptions.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/AuditRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/GraphJobRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IAuditRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IGraphJobRepository.cs (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IImpactSnapshotRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IPolicyRunJobRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IRunRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IRunSummaryRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/IScheduleRepository.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/ImpactSnapshotRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/PolicyRunJobRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/RunQueryOptions.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/RunRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/RunSummaryRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/ScheduleQueryOptions.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Repositories/ScheduleRepository.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/AuditRecordDocumentMapper.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/BsonDocumentJsonExtensions.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/GraphJobDocumentMapper.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/ImpactSetDocumentMapper.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/PolicyRunJobDocumentMapper.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/RunDocumentMapper.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Serialization/ScheduleDocumentMapper.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/ServiceCollectionExtensions.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Services/IRunSummaryService.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Services/ISchedulerAuditService.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Services/RunSummaryService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Services/SchedulerAuditEvent.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Services/SchedulerAuditService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Sessions/ISchedulerMongoSessionFactory.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Sessions/SchedulerMongoSessionFactory.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/Sessions/SchedulerMongoSessionOptions.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/StellaOps.Scheduler.Storage.Mongo.csproj (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Storage.Mongo/TASKS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/AGENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/DependencyInjection/SchedulerWorkerServiceCollectionExtensions.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Events/SchedulerEventPublisher.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Execution/HttpScannerReportClient.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Execution/RunnerBackgroundService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Execution/RunnerExecutionService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Execution/ScannerReportClient.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Cartographer/HttpCartographerBuildClient.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Cartographer/HttpCartographerOverlayClient.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Cartographer/ICartographerBuildClient.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Cartographer/ICartographerOverlayClient.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/GraphBuildBackgroundService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/GraphBuildExecutionService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/GraphOverlayBackgroundService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/GraphOverlayExecutionService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Scheduler/HttpGraphJobCompletionClient.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Graph/Scheduler/IGraphJobCompletionClient.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/ImpactShard.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/ImpactShardPlanner.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/ImpactTargetingService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Observability/SchedulerWorkerMetrics.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Options/SchedulerWorkerOptions.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Planning/PlannerBackgroundService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Planning/PlannerExecutionResult.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Planning/PlannerExecutionService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Planning/PlannerQueueDispatchService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Planning/PlannerQueueDispatcherBackgroundService.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/HttpPolicyRunClient.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/IPolicyRunClient.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/IPolicyRunTargetingService.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunDispatchBackgroundService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunExecutionResult.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunExecutionService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunSubmissionResult.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunTargetingResult.cs (96%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Policy/PolicyRunTargetingService.cs (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/Properties/AssemblyInfo.cs (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/StellaOps.Scheduler.Worker.csproj (75%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/TASKS.md (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-16-201-PLANNER.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-16-202-IMPACT-TARGETING.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-16-203-RUNNER.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-16-204-EVENTS.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-16-205-OBSERVABILITY.md (100%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-20-301-POLICY-RUNS.md (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-20-302-POLICY-DELTA-TARGETING.md (98%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-21-201-GRAPH-BUILD.md (97%)
rename src/{ => Scheduler/__Libraries}/StellaOps.Scheduler.Worker/docs/SCHED-WORKER-21-202-GRAPH-OVERLAY.md (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.ImpactIndex.Tests/FixtureImpactIndexTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.ImpactIndex.Tests/RoaringImpactIndexTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.ImpactIndex.Tests/StellaOps.Scheduler.ImpactIndex.Tests.csproj (68%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/AuditRecordTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/GraphJobStateMachineTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/ImpactSetTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/PolicyRunModelsTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/RescanDeltaEventSampleTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/RunStateMachineTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/RunValidationTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/SamplePayloadTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/ScheduleSerializationTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/SchedulerSchemaMigrationTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Models.Tests/StellaOps.Scheduler.Models.Tests.csproj (64%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Queue.Tests/PlannerAndRunnerMessageTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Queue.Tests/RedisSchedulerQueueTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Queue.Tests/SchedulerQueueServiceCollectionExtensionsTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Queue.Tests/StellaOps.Scheduler.Queue.Tests.csproj (80%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/GlobalUsings.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Integration/SchedulerMongoRoundTripTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Migrations/SchedulerMongoMigrationTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Repositories/AuditRepositoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Repositories/ImpactSnapshotRepositoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Repositories/RunRepositoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Repositories/ScheduleRepositoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/SchedulerMongoTestHarness.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Services/RunSummaryServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Services/SchedulerAuditServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/Sessions/SchedulerMongoSessionFactoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/StellaOps.Scheduler.Storage.Mongo.Tests.csproj (71%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Storage.Mongo.Tests/TestDataFactory.cs (96%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/CartographerWebhookClientTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/EventWebhookEndpointTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/GlobalUsings.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/GraphJobEndpointTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/GraphJobEventPublisherTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/PolicyRunEndpointTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/RunEndpointTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/ScheduleEndpointTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/SchedulerPluginHostFactoryTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/SchedulerWebApplicationFactory.cs (98%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.WebService.Tests/StellaOps.Scheduler.WebService.Tests.csproj (81%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/GlobalUsings.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/GraphBuildExecutionServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/GraphOverlayExecutionServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/HttpScannerReportClientTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/ImpactShardPlannerTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/ImpactTargetingServiceTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/PlannerBackgroundServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/PlannerExecutionServiceTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/PlannerQueueDispatchServiceTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/PolicyRunExecutionServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/PolicyRunTargetingServiceTests.cs (97%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/RunnerExecutionServiceTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/SchedulerEventPublisherTests.cs (100%)
rename src/{ => Scheduler/__Tests}/StellaOps.Scheduler.Worker.Tests/StellaOps.Scheduler.Worker.Tests.csproj (57%)
rename src/{ => Sdk}/StellaOps.Sdk.Generator/AGENTS.md (98%)
rename src/{ => Sdk}/StellaOps.Sdk.Generator/TASKS.md (99%)
rename src/{ => Sdk}/StellaOps.Sdk.Release/AGENTS.md (98%)
rename src/{ => Sdk}/StellaOps.Sdk.Release/TASKS.md (99%)
create mode 100644 src/Signals/StellaOps.Signals.sln
rename src/{ => Signals}/StellaOps.Signals/AGENTS.md (89%)
rename src/{ => Signals}/StellaOps.Signals/Authentication/AnonymousAuthenticationHandler.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Authentication/HeaderScopeAuthorizer.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Authentication/TokenScopeAuthorizer.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Hosting/SignalsStartupState.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphArtifactMetadata.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphDocument.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphEdge.cs (95%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphIngestRequest.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphIngestResponse.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Models/CallgraphNode.cs (95%)
rename src/{ => Signals}/StellaOps.Signals/Options/SignalsArtifactStorageOptions.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Options/SignalsAuthorityOptions.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Options/SignalsAuthorityOptionsConfigurator.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Options/SignalsMongoOptions.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Options/SignalsOptions.cs (95%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/CallgraphParseResult.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/CallgraphParserNotFoundException.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/CallgraphParserValidationException.cs (95%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/ICallgraphParser.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/ICallgraphParserResolver.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Parsing/SimpleJsonCallgraphParser.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Persistence/ICallgraphRepository.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Persistence/MongoCallgraphRepository.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Program.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Routing/SignalsPolicies.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Services/CallgraphIngestionService.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Services/ICallgraphIngestionService.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/StellaOps.Signals.csproj (52%)
rename src/{ => Signals}/StellaOps.Signals/Storage/FileSystemCallgraphArtifactStore.cs (97%)
rename src/{ => Signals}/StellaOps.Signals/Storage/ICallgraphArtifactStore.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Storage/Models/CallgraphArtifactSaveRequest.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/Storage/Models/StoredCallgraphArtifact.cs (96%)
rename src/{ => Signals}/StellaOps.Signals/TASKS.md (99%)
create mode 100644 src/Signer/StellaOps.Signer.sln
rename src/{ => Signer}/StellaOps.Signer/AGENTS.md (64%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/SignerAbstractions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/SignerContracts.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/SignerExceptions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/SignerPipeline.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/SignerStatementBuilder.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Core/StellaOps.Signer.Core.csproj (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Auditing/InMemorySignerAuditSink.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerCryptoOptions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerEntitlementOptions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerReleaseVerificationOptions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/ProofOfEntitlement/InMemoryProofOfEntitlementIntrospector.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Quotas/InMemoryQuotaService.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/ReleaseVerification/DefaultReleaseIntegrityVerifier.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/ServiceCollectionExtensions.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/HmacDsseSigner.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Infrastructure/StellaOps.Signer.Infrastructure.csproj (98%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Tests/SignerEndpointsTests.cs (97%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj (74%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/Contracts/SignDsseContracts.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/Program.cs (100%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationDefaults.cs (96%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationHandler.cs (97%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj (60%)
rename src/{ => Signer}/StellaOps.Signer/StellaOps.Signer.sln (100%)
rename src/{ => Signer}/StellaOps.Signer/TASKS.md (94%)
delete mode 100644 src/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj
delete mode 100644 src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj
delete mode 100644 src/StellaOps.Cartographer/StellaOps.Cartographer.csproj
delete mode 100644 src/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Acsc.Tests/StellaOps.Concelier.Connector.Acsc.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.CertFr.Tests/StellaOps.Concelier.Connector.CertFr.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.CertIn.Tests/StellaOps.Concelier.Connector.CertIn.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Cve.Tests/StellaOps.Concelier.Connector.Cve.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Distro.Debian.Tests/StellaOps.Concelier.Connector.Distro.Debian.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Distro.RedHat.Tests/StellaOps.Concelier.Connector.Distro.RedHat.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Distro.Suse.Tests/StellaOps.Concelier.Connector.Distro.Suse.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests/StellaOps.Concelier.Connector.Distro.Ubuntu.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Ics.Cisa.Tests/StellaOps.Concelier.Connector.Ics.Cisa.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests/StellaOps.Concelier.Connector.Ics.Kaspersky.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Jvn.Tests/StellaOps.Concelier.Connector.Jvn.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Kev.Tests/StellaOps.Concelier.Connector.Kev.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Nvd.Tests/StellaOps.Concelier.Connector.Nvd.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Ru.Bdu.Tests/StellaOps.Concelier.Connector.Ru.Bdu.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Ru.Nkcki.Tests/StellaOps.Concelier.Connector.Ru.Nkcki.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Adobe.Tests/StellaOps.Concelier.Connector.Vndr.Adobe.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Apple.Tests/StellaOps.Concelier.Connector.Vndr.Apple.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Chromium.Tests/StellaOps.Concelier.Connector.Vndr.Chromium.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Cisco.Tests/StellaOps.Concelier.Connector.Vndr.Cisco.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Msrc.Tests/StellaOps.Concelier.Connector.Vndr.Msrc.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Oracle.Tests/StellaOps.Concelier.Connector.Vndr.Oracle.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Connector.Vndr.Vmware.Tests/StellaOps.Concelier.Connector.Vndr.Vmware.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Core.Tests/StellaOps.Concelier.Core.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Exporter.Json.Tests/StellaOps.Concelier.Exporter.Json.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Exporter.TrivyDb.Tests/StellaOps.Concelier.Exporter.TrivyDb.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Merge.Tests/StellaOps.Concelier.Merge.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Normalization.Tests/StellaOps.Concelier.Normalization.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.Storage.Mongo.Tests/StellaOps.Concelier.Storage.Mongo.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj
delete mode 100644 src/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj
delete mode 100644 src/StellaOps.Concelier.sln
delete mode 100644 src/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj
delete mode 100644 src/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj
delete mode 100644 src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj
delete mode 100644 src/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj
delete mode 100644 src/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj
delete mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.Notify.Connectors.Email/TASKS.md
delete mode 100644 src/StellaOps.Notify.Connectors.Slack/TASKS.md
delete mode 100644 src/StellaOps.Notify.Connectors.Webhook/TASKS.md
delete mode 100644 src/StellaOps.Notify.Models/TASKS.md
delete mode 100644 src/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj
delete mode 100644 src/StellaOps.Notify.WebService/TASKS.md
delete mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json
delete mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json
delete mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json
delete mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json
delete mode 100644 src/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj
delete mode 100644 src/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj
delete mode 100644 src/StellaOps.Registry.TokenService.Tests/StellaOps.Registry.TokenService.Tests.csproj
delete mode 100644 src/StellaOps.Registry.TokenService.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.Registry.TokenService/appsettings.Development.json
delete mode 100644 src/StellaOps.Registry.TokenService/appsettings.json
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json
delete mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json
delete mode 100644 src/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/app/node_modules/left-pad/package.json
delete mode 100644 src/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/app/node_modules/lib/package.json
delete mode 100644 src/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Fixtures/lang/node/workspaces/packages/app/node_modules/shared/package.json
delete mode 100644 src/StellaOps.Scanner.Core.Tests/StellaOps.Scanner.Core.Tests.csproj
delete mode 100644 src/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj
delete mode 100644 src/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj
delete mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs
delete mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json
delete mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json
delete mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json
delete mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json
delete mode 100644 src/StellaOps.Zastava.Core.Tests/StellaOps.Zastava.Core.Tests.csproj
create mode 100644 src/TaskRunner/StellaOps.TaskRunner.sln
rename src/{ => TaskRunner}/StellaOps.TaskRunner/AGENTS.md (98%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunApprovalStore.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunJobDispatcher.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunNotificationPublisher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalCoordinator.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalState.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalStatus.cs (94%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionContext.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunProcessor.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunProcessorResult.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Expressions/TaskPackExpressions.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlan.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanHasher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanInsights.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanner.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Serialization/CanonicalJson.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/StellaOps.TaskRunner.Core.csproj (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifest.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifestLoader.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifestValidator.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilePackRunApprovalStore.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilesystemPackRunDispatcher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/HttpPackRunNotificationPublisher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/LoggingPackRunNotificationPublisher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/NoopPackRunJobDispatcher.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/NotificationOptions.cs (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/StellaOps.TaskRunner.Infrastructure.csproj (95%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunApprovalCoordinatorTests.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunProcessorTests.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/StellaOps.TaskRunner.Tests.csproj (91%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/TaskPackPlannerTests.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/TestManifests.cs (95%)
create mode 100644 src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json
create mode 100644 src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Properties/launchSettings.json (96%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj (94%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.http (96%)
create mode 100644 src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json
create mode 100644 src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Program.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Properties/launchSettings.json (95%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Services/PackRunWorkerOptions.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Services/PackRunWorkerService.cs (97%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj (95%)
create mode 100644 src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.json (95%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/StellaOps.TaskRunner.sln (98%)
rename src/{ => TaskRunner}/StellaOps.TaskRunner/TASKS.md (99%)
rename src/{ => Telemetry}/StellaOps.Telemetry.Core/AGENTS.md (98%)
rename src/{ => Telemetry}/StellaOps.Telemetry.Core/TASKS.md (99%)
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer.sln
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/AGENTS.md (98%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/Class1.cs (92%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/StellaOps.TimelineIndexer.Core.csproj (95%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Class1.cs (93%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/StellaOps.TimelineIndexer.Infrastructure.csproj (94%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/StellaOps.TimelineIndexer.Tests.csproj (91%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/UnitTest1.cs (92%)
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Properties/launchSettings.json (96%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj (95%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.http (96%)
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Program.cs (96%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Properties/launchSettings.json (96%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj (95%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Worker.cs (96%)
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json
create mode 100644 src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln (98%)
rename src/{ => TimelineIndexer}/StellaOps.TimelineIndexer/TASKS.md (99%)
rename src/{ => UI}/StellaOps.UI/TASKS.md (99%)
rename src/{ => VexLens}/StellaOps.VexLens/AGENTS.md (88%)
rename src/{ => VexLens}/StellaOps.VexLens/TASKS.md (99%)
rename src/{ => VulnExplorer}/StellaOps.VulnExplorer.Api/AGENTS.md (87%)
rename src/{ => VulnExplorer}/StellaOps.VulnExplorer.Api/TASKS.md (99%)
rename src/{ => Web}/StellaOps.Web/.editorconfig (100%)
rename src/{ => Web}/StellaOps.Web/.gitignore (88%)
rename src/{ => Web}/StellaOps.Web/AGENTS.md (93%)
rename src/{ => Web}/StellaOps.Web/README.md (100%)
rename src/{ => Web}/StellaOps.Web/TASKS.md (99%)
rename src/{ => Web}/StellaOps.Web/angular.json (100%)
rename src/{ => Web}/StellaOps.Web/docs/DeterministicInstall.md (96%)
rename src/{ => Web}/StellaOps.Web/docs/TrivyDbSettings.md (87%)
rename src/{ => Web}/StellaOps.Web/karma.conf.cjs (96%)
rename src/{ => Web}/StellaOps.Web/package-lock.json (96%)
rename src/{ => Web}/StellaOps.Web/package.json (100%)
rename src/{ => Web}/StellaOps.Web/playwright.config.ts (96%)
rename src/{ => Web}/StellaOps.Web/scripts/chrome-path.js (95%)
rename src/{ => Web}/StellaOps.Web/scripts/verify-chromium.js (96%)
rename src/{ => Web}/StellaOps.Web/src/app/app.component.html (97%)
rename src/{ => Web}/StellaOps.Web/src/app/app.component.scss (95%)
rename src/{ => Web}/StellaOps.Web/src/app/app.component.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/app/app.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/app.config.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/app.routes.ts (95%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/authority-console.client.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/concelier-exporter.client.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/notify.client.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/notify.models.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/policy-preview.models.ts (100%)
rename src/{ => Web}/StellaOps.Web/src/app/core/api/scanner.models.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/auth-http.interceptor.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/auth-session.model.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/auth-session.store.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/auth-session.store.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/auth-storage.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/authority-auth.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/dpop/dpop-key-store.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/dpop/dpop.service.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/dpop/dpop.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/dpop/jose-utilities.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/auth/pkce.util.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/config/app-config.model.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/config/app-config.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/console/console-session.service.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/console/console-session.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/console/console-session.store.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/console/console-session.store.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/orchestrator/operator-context.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/core/orchestrator/operator-metadata.interceptor.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/auth/auth-callback.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/console/console-profile.component.html (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/console/console-profile.component.scss (94%)
rename src/{ => Web}/StellaOps.Web/src/app/features/console/console-profile.component.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/console/console-profile.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/notify/notify-panel.component.html (97%)
rename src/{ => Web}/StellaOps.Web/src/app/features/notify/notify-panel.component.scss (94%)
rename src/{ => Web}/StellaOps.Web/src/app/features/notify/notify-panel.component.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/notify/notify-panel.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-attestation-panel.component.html (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-attestation-panel.component.scss (94%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-attestation-panel.component.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-attestation-panel.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-detail-page.component.html (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-detail-page.component.scss (94%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-detail-page.component.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/app/features/scans/scan-detail-page.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/trivy-db-settings/trivy-db-settings-page.component.html (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/trivy-db-settings/trivy-db-settings-page.component.scss (94%)
rename src/{ => Web}/StellaOps.Web/src/app/features/trivy-db-settings/trivy-db-settings-page.component.spec.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/features/trivy-db-settings/trivy-db-settings-page.component.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/testing/mock-notify-api.service.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/testing/notify-fixtures.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/testing/policy-fixtures.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/app/testing/policy-fixtures.ts (96%)
rename src/{ => Web}/StellaOps.Web/src/app/testing/scan-fixtures.ts (97%)
rename src/{ => Web}/StellaOps.Web/src/assets/.gitkeep (100%)
rename src/{ => Web}/StellaOps.Web/src/config/config.json (97%)
rename src/{ => Web}/StellaOps.Web/src/config/config.sample.json (97%)
rename src/{ => Web}/StellaOps.Web/src/favicon.ico (100%)
rename src/{ => Web}/StellaOps.Web/src/index.html (100%)
rename src/{ => Web}/StellaOps.Web/src/main.ts (100%)
rename src/{ => Web}/StellaOps.Web/src/styles.scss (100%)
rename src/{ => Web}/StellaOps.Web/test-results/.last-run.json (93%)
rename src/{ => Web}/StellaOps.Web/tests/e2e/auth.spec.ts (97%)
rename src/{ => Web}/StellaOps.Web/tsconfig.app.json (100%)
rename src/{ => Web}/StellaOps.Web/tsconfig.json (100%)
rename src/{ => Web}/StellaOps.Web/tsconfig.spec.json (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Backend/IRuntimePolicyClient.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Backend/RuntimeEventsClient.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Backend/RuntimePolicyClient.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Backend/RuntimePolicyContracts.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Backend/RuntimePolicyException.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Configuration/ZastavaObserverOptions.cs (98%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTrackerFactory.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriConversions.cs (98%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriModels.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriRuntimeClient.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriRuntimeClientFactory.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/DependencyInjection/ObserverServiceCollectionExtensions.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/IRuntimePostureCache.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/IRuntimePostureEvaluator.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/RuntimePostureCache.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/RuntimePostureCacheEntry.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluationResult.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluator.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Program.cs (98%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Properties/AssemblyInfo.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Protos/runtime/v1/runtime.proto (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Runtime/ElfBuildIdReader.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Runtime/RuntimeEventBuffer.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Runtime/RuntimeProcessCollector.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/StellaOps.Zastava.Observer.csproj (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/TASKS.md (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/BackoffCalculator.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/ContainerLifecycleHostedService.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/ContainerRuntimePoller.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/ObserverBootstrapService.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/RuntimeEventDispatchService.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Observer/Worker/RuntimeEventFactory.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Backend/IRuntimePolicyClient.cs (96%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Backend/RuntimePolicyClient.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Backend/RuntimePolicyException.cs (96%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Backend/RuntimePolicyRequest.cs (96%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Backend/RuntimePolicyResponse.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Certificates/CsrCertificateSource.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Certificates/IWebhookCertificateProvider.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Certificates/SecretFileCertificateSource.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Certificates/WebhookCertificateHealthCheck.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Configuration/ZastavaWebhookOptions.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/DependencyInjection/ServiceCollectionExtensions.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/DependencyInjection/WebhookRuntimeOptionsPostConfigure.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/IMPLEMENTATION_PLAN.md (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Program.cs (100%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/Properties/AssemblyInfo.cs (97%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/StellaOps.Zastava.Webhook.csproj (81%)
rename src/{ => Zastava}/StellaOps.Zastava.Webhook/TASKS.md (100%)
create mode 100644 src/Zastava/StellaOps.Zastava.sln
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Configuration/ZastavaAuthorityOptions.cs (96%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Configuration/ZastavaRuntimeOptions.cs (96%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/DependencyInjection/ZastavaServiceCollectionExtensions.cs (97%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Diagnostics/ZastavaLogScopeBuilder.cs (96%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Diagnostics/ZastavaLoggerFactoryOptionsConfigurator.cs (97%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs (97%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/GlobalUsings.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Properties/AssemblyInfo.cs (97%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs (96%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs (97%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs (96%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs (100%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/StellaOps.Zastava.Core.csproj (75%)
rename src/{ => Zastava/__Libraries}/StellaOps.Zastava.Core/TASKS.md (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Core.Tests/DependencyInjection/ZastavaServiceCollectionExtensionsTests.cs (97%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs (97%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Core.Tests/Serialization/ZastavaCanonicalJsonSerializerTests.cs (97%)
create mode 100644 src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/StellaOps.Zastava.Core.Tests.csproj
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/ContainerRuntimePollerTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/Posture/RuntimePostureEvaluatorTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/Runtime/ElfBuildIdReaderTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/Runtime/RuntimeEventBufferTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/Runtime/RuntimeProcessCollectorTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj (66%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/TestSupport/ElfTestFileBuilder.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Observer.Tests/Worker/RuntimeEventFactoryTests.cs (97%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Admission/AdmissionResponseBuilderTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Admission/AdmissionReviewParserTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Admission/RuntimeAdmissionPolicyServiceTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Backend/RuntimePolicyClientTests.cs (97%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Certificates/SecretFileCertificateSourceTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/Certificates/WebhookCertificateProviderTests.cs (100%)
rename src/{ => Zastava/__Tests}/StellaOps.Zastava.Webhook.Tests/StellaOps.Zastava.Webhook.Tests.csproj (81%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopNonceConsumeResult.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopNonceIssueResult.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopNonceUtilities.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopProofValidator.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopValidationOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/DpopValidationResult.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/IDpopNonceStore.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/IDpopProofValidator.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/IDpopReplayCache.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/InMemoryDpopNonceStore.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/InMemoryDpopReplayCache.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/Dpop/RedisDpopNonceStore.cs (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/README.md (100%)
rename src/{ => __Libraries}/StellaOps.Auth.Security/StellaOps.Auth.Security.csproj (97%)
rename src/{ => __Libraries}/StellaOps.Configuration/AuthorityConfigurationDiagnostic.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/AuthorityPluginConfigurationAnalyzer.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/AuthorityPluginConfigurationLoader.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/AuthoritySigningAdditionalKeyOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/AuthoritySigningOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOps.Configuration.csproj (80%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsAuthorityConfiguration.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsAuthorityOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsBootstrapOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsConfigurationBootstrapper.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsConfigurationContext.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsConfigurationOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Configuration/StellaOpsOptionsBinder.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography.DependencyInjection/CryptoProviderRegistryOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography.DependencyInjection/CryptoServiceCollectionExtensions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography.DependencyInjection/StellaOps.Cryptography.DependencyInjection.csproj (97%)
rename src/{ => __Libraries}/StellaOps.Cryptography.Kms/AGENTS.md (97%)
rename src/{ => __Libraries}/StellaOps.Cryptography.Kms/TASKS.md (99%)
rename src/{ => __Libraries}/StellaOps.Cryptography.Plugin.BouncyCastle/BouncyCastleCryptoServiceCollectionExtensions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography.Plugin.BouncyCastle/BouncyCastleEd25519CryptoProvider.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography.Plugin.BouncyCastle/StellaOps.Cryptography.Plugin.BouncyCastle.csproj (97%)
rename src/{ => __Libraries}/StellaOps.Cryptography/AGENTS.md (83%)
rename src/{ => __Libraries}/StellaOps.Cryptography/Argon2idPasswordHasher.Konscious.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/Argon2idPasswordHasher.Sodium.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/Argon2idPasswordHasher.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/Audit/AuthEventRecord.cs (96%)
rename src/{ => __Libraries}/StellaOps.Cryptography/CryptoProvider.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/CryptoProviderRegistry.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/CryptoSigningKey.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/DefaultCryptoProvider.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/EcdsaSigner.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/ICryptoSigner.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/LibsodiumCryptoProvider.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/PasswordHashAlgorithms.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/PasswordHashing.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/Pbkdf2PasswordHasher.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/SignatureAlgorithms.cs (100%)
rename src/{ => __Libraries}/StellaOps.Cryptography/StellaOps.Cryptography.csproj (97%)
rename src/{ => __Libraries}/StellaOps.Cryptography/TASKS.md (100%)
rename src/{ => __Libraries}/StellaOps.DependencyInjection/IDependencyInjectionRoutine.cs (100%)
rename src/{ => __Libraries}/StellaOps.DependencyInjection/ServiceBindingAttribute.cs (100%)
rename src/{ => __Libraries}/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj (97%)
rename src/{ => __Libraries}/StellaOps.Plugin/DependencyInjection/PluginDependencyInjectionExtensions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/DependencyInjection/PluginServiceRegistration.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/DependencyInjection/StellaOpsPluginRegistration.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Hosting/PluginAssembly.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Hosting/PluginHost.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Hosting/PluginHostOptions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Hosting/PluginHostResult.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Hosting/PluginLoadContext.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Internal/ReflectionExtensions.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/PluginContracts.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/Properties/AssemblyInfo.cs (100%)
rename src/{ => __Libraries}/StellaOps.Plugin/StellaOps.Plugin.csproj (80%)
rename src/{ => __Libraries}/StellaOps.Plugin/TASKS.md (87%)
rename src/{ => __Libraries/__Tests}/StellaOps.Configuration.Tests/AuthorityPluginConfigurationLoaderTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Configuration.Tests/AuthorityTelemetryTests.cs (100%)
create mode 100644 src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj
rename src/{ => __Libraries/__Tests}/StellaOps.Configuration.Tests/StellaOpsAuthorityOptionsTests.cs (97%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/Argon2idPasswordHasherTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/Audit/AuthEventRecordTests.cs (96%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/BouncyCastleEd25519CryptoProviderTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/CryptoProviderRegistryTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/DefaultCryptoProviderSigningTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/LibsodiumCryptoProviderTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/PasswordHashOptionsTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/Pbkdf2PasswordHasherTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj (50%)
rename src/{ => __Libraries/__Tests}/StellaOps.Plugin.Tests/DependencyInjection/PluginDependencyInjectionExtensionsTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Plugin.Tests/DependencyInjection/PluginServiceRegistrationTests.cs (100%)
rename src/{ => __Libraries/__Tests}/StellaOps.Plugin.Tests/StellaOps.Plugin.Tests.csproj (78%)
rename src/{ => __Libraries/__Tests}/StellaOps.Signals.Tests/CallgraphIngestionTests.cs (97%)
rename src/{ => __Libraries/__Tests}/StellaOps.Signals.Tests/SignalsApiTests.cs (96%)
rename src/{ => __Libraries/__Tests}/StellaOps.Signals.Tests/StellaOps.Signals.Tests.csproj (83%)
rename src/{ => __Libraries/__Tests}/StellaOps.Signals.Tests/TestInfrastructure/SignalsTestFactory.cs (96%)
diff --git a/.gitattributes b/.gitattributes
index f7bffe5c..491baff4 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,2 @@
# Ensure analyzer fixture assets keep LF endings for deterministic hashes
-src/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/** text eol=lf
+src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/** text eol=lf
diff --git a/.gitea/workflows/_deprecated-concelier-ci.yml.disabled b/.gitea/workflows/_deprecated-concelier-ci.yml.disabled
index 781a3c85..faf0f864 100644
--- a/.gitea/workflows/_deprecated-concelier-ci.yml.disabled
+++ b/.gitea/workflows/_deprecated-concelier-ci.yml.disabled
@@ -19,11 +19,11 @@ jobs:
dotnet-version: 10.0.100-rc.1.25451.107
include-prerelease: true
- - name: Restore dependencies
- run: dotnet restore src/StellaOps.Feedser/StellaOps.Feedser.sln
-
- - name: Build
- run: dotnet build src/StellaOps.Feedser/StellaOps.Feedser.sln --configuration Release --no-restore -warnaserror
-
- - name: Test
- run: dotnet test src/StellaOps.Feedser/StellaOps.Feedser.Tests/StellaOps.Feedser.Tests.csproj --configuration Release --no-restore --logger "trx;LogFileName=feedser-tests.trx"
+ - name: Restore dependencies
+ run: dotnet restore src/Concelier/StellaOps.Concelier.sln
+
+ - name: Build
+ run: dotnet build src/Concelier/StellaOps.Concelier.sln --configuration Release --no-restore -warnaserror
+
+ - name: Test
+ run: dotnet test src/Concelier/StellaOps.Concelier.sln --configuration Release --no-restore --logger "trx;LogFileName=concelier-tests.trx"
diff --git a/.gitea/workflows/build-test-deploy.yml b/.gitea/workflows/build-test-deploy.yml
index 61825e84..790cd7bd 100644
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -77,15 +77,15 @@ jobs:
include-prerelease: true
- name: Restore Concelier solution
- run: dotnet restore src/StellaOps.Concelier.sln
+ run: dotnet restore src/Concelier/StellaOps.Concelier.sln
- name: Build Concelier solution (warnings as errors)
- run: dotnet build src/StellaOps.Concelier.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
+ run: dotnet build src/Concelier/StellaOps.Concelier.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
- name: Run Concelier unit and integration tests
run: |
mkdir -p "$TEST_RESULTS_DIR"
- dotnet test src/StellaOps.Concelier.sln \
+ dotnet test src/Concelier/StellaOps.Concelier.sln \
--configuration $BUILD_CONFIGURATION \
--no-build \
--logger "trx;LogFileName=stellaops-concelier-tests.trx" \
@@ -202,20 +202,20 @@ PY
run: |
dotnet restore src/StellaOps.sln
for project in \
- src/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj \
- src/StellaOps.Scanner.Analyzers.Lang.Rust/StellaOps.Scanner.Analyzers.Lang.Rust.csproj
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj \
+ src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/StellaOps.Scanner.Analyzers.Lang.Rust.csproj
do
dotnet build "$project" --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
done
- name: Run scanner language analyzer tests
run: |
- dotnet test src/StellaOps.Scanner.Analyzers.Lang.Tests/StellaOps.Scanner.Analyzers.Lang.Tests.csproj \
+ dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/StellaOps.Scanner.Analyzers.Lang.Tests.csproj \
--configuration $BUILD_CONFIGURATION \
--no-build \
--logger "trx;LogFileName=stellaops-scanner-lang-tests.trx" \
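Review bot: The analyzer loop builds every project with `--no-restore`, so it depends entirely on the unchanged `dotnet restore src/StellaOps.sln` line at the top of this step, and nothing in this hunk shows that the root solution now references the new `src/Scanner/__Libraries/...` paths. If it does not, the relocated projects would have no restored assets and the loop would be expected to fail at the first build. Either confirm that `src/StellaOps.sln` lists the moved projects, or restore inside the loop with `dotnet restore "$project"` ahead of the build line. The `dotnet test ... --no-build` command that follows continues past the end of the hunk, so its remaining arguments are not reviewed here.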
@@ -231,11 +231,11 @@ PY
CAPTURED_AT="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
dotnet run \
- --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \
+ --project src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \
--configuration $BUILD_CONFIGURATION \
-- \
--repo-root . \
- --baseline src/StellaOps.Bench/Scanner.Analyzers/baseline.csv \
+ --baseline src/Bench/StellaOps.Bench/Scanner.Analyzers/baseline.csv \
--out "$PERF_OUTPUT_DIR/latest.csv" \
--json "$PERF_OUTPUT_DIR/report.json" \
--prom "$PERF_OUTPUT_DIR/metrics.prom" \
@@ -253,7 +253,7 @@ PY
- name: Publish BuildX SBOM generator
run: |
- dotnet publish src/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \
+ dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj \
--configuration $BUILD_CONFIGURATION \
--output out/buildx
@@ -337,10 +337,10 @@ PY
if-no-files-found: error
retention-days: 7
- - name: Publish Feedser web service
+ - name: Publish Concelier web service
run: |
mkdir -p "$PUBLISH_DIR"
- dotnet publish src/StellaOps.Feedser.WebService/StellaOps.Feedser.WebService.csproj \
+ dotnet publish src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj \
--configuration $BUILD_CONFIGURATION \
--no-build \
--output "$PUBLISH_DIR"
@@ -348,20 +348,20 @@ PY
- name: Upload published artifacts
uses: actions/upload-artifact@v4
with:
- name: feedser-publish
+ name: concelier-publish
path: ${{ env.PUBLISH_DIR }}
if-no-files-found: error
retention-days: 7
- name: Restore Authority solution
- run: dotnet restore src/StellaOps.Authority/StellaOps.Authority.sln
+ run: dotnet restore src/Authority/StellaOps.Authority/StellaOps.Authority.sln
- name: Build Authority solution
- run: dotnet build src/StellaOps.Authority/StellaOps.Authority.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
+ run: dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
- name: Run Authority tests
run: |
- dotnet test src/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj \
+ dotnet test src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj \
--configuration $BUILD_CONFIGURATION \
--no-build \
--logger "trx;LogFileName=stellaops-authority-tests.trx" \
@@ -370,7 +370,7 @@ PY
- name: Publish Authority web service
run: |
mkdir -p "$AUTHORITY_PUBLISH_DIR"
- dotnet publish src/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj \
+ dotnet publish src/Authority/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj \
--configuration $BUILD_CONFIGURATION \
--no-build \
--output "$AUTHORITY_PUBLISH_DIR"
@@ -439,7 +439,7 @@ PY
runs-on: ubuntu-22.04
needs: build-test
env:
- BENCH_DIR: src/StellaOps.Bench/Scanner.Analyzers
+ BENCH_DIR: src/Bench/StellaOps.Bench/Scanner.Analyzers
steps:
- name: Checkout repository
uses: actions/checkout@v4
diff --git a/.gitea/workflows/docs.yml b/.gitea/workflows/docs.yml
index 612a0668..c21742b3 100755
--- a/.gitea/workflows/docs.yml
+++ b/.gitea/workflows/docs.yml
@@ -1,39 +1,39 @@
-# .gitea/workflows/docs.yml
-# Documentation quality checks and preview artefacts
-
-name: Docs CI
-
-on:
- push:
- paths:
- - 'docs/**'
- - 'scripts/render_docs.py'
- - '.gitea/workflows/docs.yml'
- pull_request:
- paths:
- - 'docs/**'
- - 'scripts/render_docs.py'
- - '.gitea/workflows/docs.yml'
- workflow_dispatch: {}
-
-env:
- NODE_VERSION: '20'
- PYTHON_VERSION: '3.11'
-
-jobs:
- lint-and-preview:
- runs-on: ubuntu-22.04
- env:
- DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-preview
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: ${{ env.NODE_VERSION }}
-
+# .gitea/workflows/docs.yml
+# Documentation quality checks and preview artefacts
+
+name: Docs CI
+
+on:
+ push:
+ paths:
+ - 'docs/**'
+ - 'scripts/render_docs.py'
+ - '.gitea/workflows/docs.yml'
+ pull_request:
+ paths:
+ - 'docs/**'
+ - 'scripts/render_docs.py'
+ - '.gitea/workflows/docs.yml'
+ workflow_dispatch: {}
+
+env:
+ NODE_VERSION: '20'
+ PYTHON_VERSION: '3.11'
+
+jobs:
+ lint-and-preview:
+ runs-on: ubuntu-22.04
+ env:
+ DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-preview
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+
- name: Install documentation toolchain
run: |
npm install --no-save markdown-link-check remark-cli remark-preset-lint-recommended ajv ajv-cli ajv-formats
@@ -43,11 +43,11 @@ jobs:
with:
dotnet-version: '10.0.100-rc.2.25502.107'
- - name: Link check
- run: |
- find docs -name '*.md' -print0 | \
- xargs -0 -n1 -I{} npx markdown-link-check --quiet '{}'
-
+ - name: Link check
+ run: |
+ find docs -name '*.md' -print0 | \
+ xargs -0 -n1 -I{} npx markdown-link-check --quiet '{}'
+
- name: Remark lint
run: |
npx remark docs -qf
@@ -70,26 +70,26 @@ jobs:
- name: Run Notify schema validation tests
run: |
- dotnet test src/StellaOps.Notify.Models.Tests/StellaOps.Notify.Models.Tests.csproj --configuration Release --nologo
+ dotnet test src/Notify/__Tests/StellaOps.Notify.Models.Tests/StellaOps.Notify.Models.Tests.csproj --configuration Release --nologo
- name: Setup Python
uses: actions/setup-python@v5
- with:
- python-version: ${{ env.PYTHON_VERSION }}
-
- - name: Install documentation dependencies
- run: |
- python -m pip install --upgrade pip
- python -m pip install markdown pygments
-
- - name: Render documentation preview bundle
- run: |
- python scripts/render_docs.py --source docs --output "$DOCS_OUTPUT_DIR" --clean
-
- - name: Upload documentation preview
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: feedser-docs-preview
- path: ${{ env.DOCS_OUTPUT_DIR }}
- retention-days: 7
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Install documentation dependencies
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install markdown pygments
+
+ - name: Render documentation preview bundle
+ run: |
+ python scripts/render_docs.py --source docs --output "$DOCS_OUTPUT_DIR" --clean
+
+ - name: Upload documentation preview
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: feedser-docs-preview
+ path: ${{ env.DOCS_OUTPUT_DIR }}
+ retention-days: 7
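Review bot: The upload step at the end of this hunk still publishes the preview under `name: feedser-docs-preview`, although an earlier workflow hunk in this patch renames `feedser-publish` to `concelier-publish`. Leaving one artifact on the retired module name makes it easy to fetch or audit the wrong bundle once both names exist in the run history. If nothing downstream downloads the artifact by its old name (not visible from this hunk), change the line to `name: concelier-docs-preview`. Otherwise add a comment above it, such as `# legacy artifact name kept for downstream consumers`.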
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 0ef66cf7..3b9c3ef3 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -69,7 +69,7 @@ jobs:
- name: Publish Python analyzer plug-in
run: |
set -euo pipefail
- dotnet publish src/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
+ dotnet publish src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
--configuration Release \
--output out/analyzers/python \
--no-self-contained
diff --git a/.gitignore b/.gitignore
index e4166469..1ee1dd1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,34 +1,34 @@
-# Build outputs
-bin/
-obj/
-*.pdb
-*.dll
-
-# IDE state
-.vs/
-*.user
-*.suo
-*.userprefs
-
-# Rider/VSCode
-.idea/
-.vscode/
-
-# Packages and logs
-*.log
-TestResults/
-
-.dotnet
-.DS_Store
-seed-data/ics-cisa/*.csv
-seed-data/ics-cisa/*.xlsx
-seed-data/ics-cisa/*.sha256
-seed-data/cert-bund/**/*.json
-seed-data/cert-bund/**/*.sha256
-
-out/offline-kit/web/**/*
-src/StellaOps.Web/node_modules/**/*
-src/StellaOps.Web/.angular/**/*
-**/node_modules/**/*
-node_modules
-tmp/**/*
+# Build outputs
+bin/
+obj/
+*.pdb
+*.dll
+
+# IDE state
+.vs/
+*.user
+*.suo
+*.userprefs
+
+# Rider/VSCode
+.idea/
+.vscode/
+
+# Packages and logs
+*.log
+TestResults/
+
+.dotnet
+.DS_Store
+seed-data/ics-cisa/*.csv
+seed-data/ics-cisa/*.xlsx
+seed-data/ics-cisa/*.sha256
+seed-data/cert-bund/**/*.json
+seed-data/cert-bund/**/*.sha256
+
+out/offline-kit/web/**/*
+src/Web/StellaOps.Web/node_modules/**/*
+src/Web/StellaOps.Web/.angular/**/*
+**/node_modules/**/*
+node_modules
+tmp/**/*
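Review bot: The rewritten ignore list has no `.venv/` entry, yet the same patch carries a tracked `.venv/pyvenv.cfg` whose `command` line records a developer's local path (`/mnt/e/dev/git.stella-ops.org/.venv`). A virtual environment is machine-specific, and keeping it under version control leaks workstation layout. Only `pyvenv.cfg` is visible here, but tracking the directory also risks interpreter shims or installed packages entering the repository without review. Add `.venv/` next to the `.dotnet` entry and remove the directory from the index with `git rm -r --cached .venv`.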
diff --git a/.venv/pyvenv.cfg b/.venv/pyvenv.cfg
index ecf82ea0..ef350ee6 100644
--- a/.venv/pyvenv.cfg
+++ b/.venv/pyvenv.cfg
@@ -1,5 +1,5 @@
-home = /usr/bin
-include-system-site-packages = false
-version = 3.12.3
-executable = /usr/bin/python3.12
-command = /usr/bin/python3 -m venv /mnt/e/dev/git.stella-ops.org/.venv
+home = /usr/bin
+include-system-site-packages = false
+version = 3.12.3
+executable = /usr/bin/python3.12
+command = /usr/bin/python3 -m venv /mnt/e/dev/git.stella-ops.org/.venv
diff --git a/Directory.Build.props b/Directory.Build.props
index c2475e91..07bb742d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,12 +1,12 @@
-
-
- $([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))
- $([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot)local-nuget/'))
- https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json
- https://api.nuget.org/v3/index.json
- <_StellaOpsDefaultRestoreSources>$(StellaOpsLocalNuGetSource);$(StellaOpsDotNetPublicSource);$(StellaOpsNuGetOrgSource)
- <_StellaOpsOriginalRestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(RestoreSources)
- $(_StellaOpsDefaultRestoreSources)
- $(_StellaOpsDefaultRestoreSources);$(_StellaOpsOriginalRestoreSources)
-
-
+
+
+ $([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))
+ $([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot)local-nuget/'))
+ https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json
+ https://api.nuget.org/v3/index.json
+ <_StellaOpsDefaultRestoreSources>$(StellaOpsLocalNuGetSource);$(StellaOpsDotNetPublicSource);$(StellaOpsNuGetOrgSource)
+ <_StellaOpsOriginalRestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(RestoreSources)
+ $(_StellaOpsDefaultRestoreSources)
+ $(_StellaOpsDefaultRestoreSources);$(_StellaOpsOriginalRestoreSources)
+
+
diff --git a/Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj b/Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj
index 029cfb83..4d2555eb 100644
--- a/Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj
+++ b/Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj
@@ -1,93 +1,93 @@
-
-
-
- net472;netstandard2.1
- Johannes Hoppe and many contributors
- Mongo2Go is a managed wrapper around MongoDB binaries. It targets .NET Framework 4.7.2 and .NET Standard 2.1.
-This Nuget package contains the executables of mongod, mongoimport and mongoexport v4.4.4 for Windows, Linux and macOS.
-
-
-Mongo2Go has two use cases:
-
-1. Providing multiple, temporary and isolated MongoDB databases for integration tests
-2. Providing a quick to set up MongoDB database for a local developer environment
- HAUS HOPPE - ITS
- Copyright © 2012-2025 Johannes Hoppe and many ❤️ contributors
- true
- icon.png
- MIT
- https://github.com/Mongo2Go/Mongo2Go
- https://github.com/Mongo2Go/Mongo2Go/releases
- MongoDB Mongo unit test integration runner
- https://github.com/Mongo2Go/Mongo2Go
- git
- Mongo2Go
- Mongo2Go is a managed wrapper around MongoDB binaries.
-
-
-
- 4
- 1701;1702;1591;1573
-
-
-
- 4
- 1701;1702;1591;1573
-
-
-
- 1701;1702;1591;1573
-
-
-
- 1701;1702;1591;1573
-
-
-
- true
- true
- true
-
-
-
- embedded
- true
- true
-
-
-
- v
-
-
-
-
-
- true
- icon.png
-
-
- true
- tools
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ net472;netstandard2.1
+ Johannes Hoppe and many contributors
+ Mongo2Go is a managed wrapper around MongoDB binaries. It targets .NET Framework 4.7.2 and .NET Standard 2.1.
+This Nuget package contains the executables of mongod, mongoimport and mongoexport v4.4.4 for Windows, Linux and macOS.
+
+
+Mongo2Go has two use cases:
+
+1. Providing multiple, temporary and isolated MongoDB databases for integration tests
+2. Providing a quick to set up MongoDB database for a local developer environment
+ HAUS HOPPE - ITS
+ Copyright © 2012-2025 Johannes Hoppe and many ❤️ contributors
+ true
+ icon.png
+ MIT
+ https://github.com/Mongo2Go/Mongo2Go
+ https://github.com/Mongo2Go/Mongo2Go/releases
+ MongoDB Mongo unit test integration runner
+ https://github.com/Mongo2Go/Mongo2Go
+ git
+ Mongo2Go
+ Mongo2Go is a managed wrapper around MongoDB binaries.
+
+
+
+ 4
+ 1701;1702;1591;1573
+
+
+
+ 4
+ 1701;1702;1591;1573
+
+
+
+ 1701;1702;1591;1573
+
+
+
+ 1701;1702;1591;1573
+
+
+
+ true
+ true
+ true
+
+
+
+ embedded
+ true
+ true
+
+
+
+ v
+
+
+
+
+
+ true
+ icon.png
+
+
+ true
+ tools
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Mongo2Go-4.1.0/src/Mongo2GoTests/Mongo2GoTests.csproj b/Mongo2Go-4.1.0/src/Mongo2GoTests/Mongo2GoTests.csproj
index 34f3034a..7c596c21 100644
--- a/Mongo2Go-4.1.0/src/Mongo2GoTests/Mongo2GoTests.csproj
+++ b/Mongo2Go-4.1.0/src/Mongo2GoTests/Mongo2GoTests.csproj
@@ -1,21 +1,21 @@
-
-
- net8.0
- false
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+ net8.0
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/NuGet.config b/NuGet.config
index 225ab2b3..359a8450 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -1,44 +1,44 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/README.md b/README.md
index 2a6184b8..02c13d74 100755
--- a/README.md
+++ b/README.md
@@ -14,9 +14,9 @@ control against the Concelier API.
3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token
lifetimes, and plug-in descriptors, then edit the companion manifests under
`etc/authority.plugins/*.yaml` to match your deployment.
-4. Start the web service with `dotnet run --project src/StellaOps.Concelier.WebService`.
+4. Start the web service with `dotnet run --project src/Concelier/StellaOps.Concelier.WebService`.
5. Configure the CLI via environment variables (e.g. `STELLAOPS_BACKEND_URL`) and trigger
- jobs with `dotnet run --project src/StellaOps.Cli -- db merge`.
+ jobs with `dotnet run --project src/Cli/StellaOps.Cli -- db merge`.
Detailed operator guidance is available in `docs/10_CONCELIER_CLI_QUICKSTART.md`. API and
command reference material lives in `docs/09_API_CLI_REFERENCE.md`.
@@ -31,4 +31,4 @@ for integration steps once available.
- `docs/README.md` now consolidates the platform index and points to the updated high-level architecture.
- Module architecture dossiers live under `docs/ARCHITECTURE_*.md`; the most relevant here are `docs/ARCHITECTURE_CONCELIER.md` (service layout, merge engine, exports) and `docs/ARCHITECTURE_CLI.md` (command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier.
- Offline operation guidance moved to `docs/24_OFFLINE_KIT.md`, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay in `docs/ops/concelier-certbund-operations.md` and companion runbooks under `docs/ops/`.
-
+
diff --git a/SPRINTS.md b/SPRINTS.md
deleted file mode 100644
index dd09a0db..00000000
--- a/SPRINTS.md
+++ /dev/null
@@ -1,1119 +0,0 @@
-This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not).
-
-| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description |
-| --- | --- | --- | --- | --- | --- | --- |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | DOING (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-201 | Planner loop (cron/event triggers, leases, fairness). |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-202 | ImpactIndex targeting and shard planning. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-203 | Runner execution invoking Scanner analysis/content refresh. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-204 | Emit rescan/report events for Notify/UI. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | DONE (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-205 | Metrics/telemetry for Scheduler planners/runners. |
-| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-004 | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. |
-| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-004 | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. |
-> DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance.
-> DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs.
-| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Authority/TASKS.md | DONE (2025-10-27) | Authority Core & Security Guild | AUTH-AOC-19-002 | Enforce tenant claim propagation and cross-tenant guardrails. |
-> AUTH-AOC-19-002: Tenant metadata now flows through rate limiter/audit/token persistence; password grant scope/tenant enforcement landed. Docs/stakeholder walkthrough pending.
-> 2025-10-27 Update: Ingestion scopes require tenant assignment; access tokens propagate tenant claims and reject cross-tenant mismatches with coverage.
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Authority/TASKS.md | DONE (2025-10-27) | Authority Core & Docs Guild | AUTH-AOC-19-003 | Update Authority docs/config samples for new scopes. |
-> AUTH-AOC-19-003: Scope catalogue, console/CLI docs, and sample config updated to require `aoc:verify` plus read scopes; verification clients now explicitly include tenant hints. Authority test run remains blocked on Concelier build failure (`ImmutableHashSet`), previously noted under AUTH-AOC-19-002.
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-28) | Concelier WebService Guild | CONCELIER-WEB-AOC-19-001 | Implement raw advisory ingestion endpoints with AOC guard and verifier. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-28) | QA Guild | EXCITITOR-WORKER-AOC-19-003 | Expand worker tests for deterministic batching and restart safety. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. |
-| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. |
-| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. |
-| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | DONE (2025-10-27) | DevOps Guild, Scheduler Guild, CLI Guild | DEVOPS-POLICY-20-004 | Automate policy schema exports and change notifications for CLI consumers. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Bench/TASKS.md | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Cli/TASKS.md | DONE (2025-10-27) | DevEx/CLI Guild | CLI-POLICY-20-002 | Implement `stella policy simulate` with diff outputs + exit codes. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. |
-> 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up.
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. |
-| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | DONE (2025-10-27) | Cartographer Guild | CARTO-GRAPH-21-010 | Replace hard-coded `graph:*` scope strings with shared constants once graph services integrate. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.WebService/TASKS.md | DONE (2025-10-26) | Scheduler WebService Guild | SCHED-WEB-21-002 | Expose overlay lag metrics and job completion hooks for Cartographer. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. |
-| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). |
-| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. |
-> Blocked by `CONCELIER-LNM-21-001..003`; draft doc exists but final alignment waits for schema/API delivery.
-| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. |
-> Blocked by `EXCITITOR-LNM-21-001..003`; draft doc staged pending observation/linkset implementation.
-| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. |
-> Blocked by `UI-LNM-22-001..003`; need shipping UI to capture screenshots and finalize guidance.
-| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. |
-| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. |
-| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. |
-| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. |
-| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-011 | Update `/docs/install/docker.md` to include console image, compose/Helm/offline examples. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-012 | Publish `/docs/security/console-security.md` covering OIDC, scopes, CSP, evidence handling. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-013 | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/dashboards/alerts. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-014 | Maintain `/docs/cli-vs-ui-parity.md` matrix with CI drift detection guidance. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | DONE (2025-10-28) | Docs Guild | DOCS-CONSOLE-23-016 | Refresh `/docs/accessibility.md` with console keyboard flows, tokens, testing tools.
2025-10-28: Published guide covering keyboard matrix, screen-reader behaviour, colour tokens, testing workflow, offline guidance, and compliance checklist. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. |
-| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. |
-| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. |
-| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). |
-| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. |
-| Sprint 23 | StellaOps Console | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. |
-| Sprint 23 | StellaOps Console | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. |
-| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. |
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (`vuln:read`) and signed permalinks. |
-> 2025-10-27: Scope enforcement spike paused; no production change landed.
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). |
-> 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO.
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). |
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. |
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. |
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. |
-| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | DONE (2025-10-27) | Docs Guild | DOCS-EXC-25-004 | Document policy exception effects + simulation. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. |
-| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | DONE (2025-10-27) | Policy Guild | POLICY-ENGINE-70-001 | Add exception evaluation layer with specificity + effects. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Policy/TASKS.md | DONE (2025-10-27) | Policy Guild | POLICY-EXC-25-001 | Extend SPL schema to reference exception effects and routing. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. |
-| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. |
-| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. |
-| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. |
-| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). |
-| Sprint 26 | Reachability v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. |
-| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. |
-| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. |
-| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. |
-| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. |
-| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. |
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. |
-> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; revisit once spec and compile enrichments land.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. |
-> Blocked by `CONSOLE-STUDIO-27-001` pending; waiting on Studio authoring UX.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. |
-> Blocked by `REGISTRY-API-27-007` pending publish/sign pipeline.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. |
-> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` pending batch simulation.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. |
-> Blocked by `REGISTRY-API-27-006` review workflow outstanding.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. |
-> Blocked by `REGISTRY-API-27-008` promotion APIs not ready.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. |
-> Blocked by `CLI-POLICY-27-001..004` CLI commands missing.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. |
-> Blocked by Registry OpenAPI (`REGISTRY-API-27-001..008`) incomplete.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. |
-> Blocked by `AUTH-POLICY-27-002` signing integration pending.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. |
-> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` not delivered.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. |
-> Blocked by `DEVOPS-POLICY-27-004` observability work outstanding.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. |
-> Blocked by `DEPLOY-POLICY-27-002` ops playbooks pending.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md`. |
-> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing.
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. |
-> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented.
-| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. |
-| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. |
-| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. |
-| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. |
-| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. |
-| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. |
-| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. |
-| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. |
-| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. |
-| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). |
-| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. |
-| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. |
-| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. |
-| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. |
-| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. |
-| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. |
-| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. |
-| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. |
-| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. |
-| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. |
-| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. |
-| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. |
-| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. |
-| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. |
-| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. |
-| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. |
-| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. |
-| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. |
-| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. |
-| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. |
-| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. |
-| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. |
-| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. |
-| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. |
-| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. |
-| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. |
-| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. |
-| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. |
-| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. |
-| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. |
-| Sprint 30 | VEX Lens | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. |
-| Sprint 30 | VEX Lens | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). |
-| Sprint 30 | VEX Lens | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. |
-| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. |
-| Sprint 30 | VEX Lens | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. |
-| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. |
-| Sprint 30 | VEX Lens | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). |
-| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. |
-| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. |
-| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. |
-| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. |
-| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. |
-| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. |
-| Sprint 31 | Advisory AI | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. |
-| Sprint 31 | Advisory AI | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. |
-| Sprint 31 | Advisory AI | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. |
-| Sprint 31 | Advisory AI | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. |
-| Sprint 31 | Advisory AI | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. |
-| Sprint 31 | Advisory AI | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. |
-| Sprint 31 | Advisory AI | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. |
-| Sprint 31 | Advisory AI | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. |
-| Sprint 31 | Advisory AI | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. |
-| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. |
-| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. |
-| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. |
-| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. |
-| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. |
-| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. |
-| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. |
-| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. |
-| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. |
-| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. |
-| Sprint 33 | Governance & Rules | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild, Platform Leads | DEVOPS-RULES-33-001 | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). |
-| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. |
-| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. |
-| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. |
-| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. |
-| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). |
-| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. |
-| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. |
-| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. |
-| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. |
-| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. |
-| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. |
-| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. |
-| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. |
-| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). |
-| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. |
-| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. |
-| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/export-center/profiles.md` covering schemas, examples, and compatibility. |
-| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. |
-| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. |
-| Sprint 35 | Export Center Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. |
-| Sprint 36 | EPDR Observations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). |
-| Sprint 36 | EPDR Observations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. |
-| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/export-center/api.md` with endpoint examples and imposed rule note. |
-| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. |
-| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. |
-| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. |
-| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. |
-| Sprint 36 | Export Center Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. |
-| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. |
-| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/export-center/provenance-and-signing.md` covering manifests, attestation, verification. |
-| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. |
-| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. |
-| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. |
-| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. |
-| Sprint 37 | Export Center Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. |
-| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. |
-| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). |
-| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. |
-| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. |
-| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. |
-| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. |
-| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. |
-| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. |
-| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. |
-| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). |
-| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. |
-| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. |
-| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. |
-| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. |
-| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. |
-| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. |
-| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. |
-| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. |
-| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. |
-| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. |
-| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. |
-| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/cli/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. |
-| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/cli/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. |
-| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. |
-| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. |
-| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. |
-| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. |
-| Sprint 44 | Containerized Distribution Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. |
-| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). |
-| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. |
-| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. |
-| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). |
-| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. |
-| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. |
-| Sprint 45 | Containerized Distribution Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. |
-| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). |
-| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. |
-| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. |
-| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. |
-| Sprint 46 | Containerized Distribution Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. |
-| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). |
-| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. |
-| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. |
-| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. |
-| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. |
-| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. |
-| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/cli/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). |
-| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. |
-| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. |
-| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. |
-| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. |
-> Staging rollout plan recorded in `docs/ops/telemetry-storage.md`; waiting on Authority-issued tokens and namespace bootstrap.
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. |
-| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. |
-| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. |
-| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. |
-| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. |
-| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. |
-| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. |
-| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. |
-| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. |
-| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. |
-| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. |
-| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. |
-| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. |
-| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. |
-| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. |
-| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. |
-| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. |
-| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. |
-| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. |
-| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. |
-| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. |
-| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. |
-| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. |
-| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. |
-| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. |
-| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. |
-| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Cryptography.Kms/TASKS.md | TODO | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
-| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
-| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Cryptography.Kms/TASKS.md | TODO | KMS Guild | KMS-72-002 | CLI support for key import/export. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. |
-| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. |
-| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. |
-| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. |
-| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. |
-| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. |
-| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. |
diff --git a/SPRINTS_PRIOR_20251019.md b/SPRINTS_PRIOR_20251019.md
deleted file mode 100644
index f7b3cd43..00000000
--- a/SPRINTS_PRIOR_20251019.md
+++ /dev/null
@@ -1,208 +0,0 @@
-Closed sprint tasks archived from SPRINTS.md on 2025-10-19.
-
-| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description |
-| --- | --- | --- | --- | --- | --- | --- |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-001 | SemVer primitive range-style metadata
Instructions to work:
DONE Read ./AGENTS.md and src/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-002 | Provenance decision rationale field
Instructions to work:
AdvisoryProvenance now carries `decisionReason` and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-003 | Normalized version rules collection
Instructions to work:
`AffectedPackage.NormalizedVersions` and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-02-900 | Range primitives for SemVer/EVR/NEVRA metadata
Instructions to work:
DONE Read ./AGENTS.md and src/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new `NormalizedVersions` representation so connectors finishing in Sprint 2 can emit consistent metadata. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
Shared `SemVerRangeRuleBuilder` now outputs primitives + normalized rules per `FASTER_MODELING_AND_NORMALIZATION.md`; CVE/GHSA connectors consuming the API have verified fixtures. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
AdvisoryStore dual-writes flattened `normalizedVersions` when `concelier.storage.enableSemVerStyle` is set; migration `20251011-semver-style-backfill` updates historical records and docs outline the rollout. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence
Storage now persists `provenance.decisionReason` for advisories and merge events; tests cover round-trips. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Bootstrapper seeds compound/sparse indexes for flattened normalized rules and `docs/dev/mongo_indices.md` documents query guidance. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Updated constructors/tests keep storage suites passing with the new feature flag defaults. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-ENGINE-01-002 | Plumb Authority client resilience options
WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Operator guides now call out `route/status/subject/clientId/scopes/bypass/remote` audit fields and SIEM triggers. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.HOST | Rate limiter policy binding
Authority host now applies configuration-driven fixed windows to `/token`, `/authorize`, and `/internal/*`; integration tests assert 429 + `Retry-After` headers; docs/config samples refreshed for Docs guild diagrams. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.BUILD | Authority rate-limiter follow-through
`Security.RateLimiting` now fronts token/authorize/internal limiters; Authority + Configuration matrices (`dotnet test src/StellaOps.Authority/StellaOps.Authority.sln`, `dotnet test src/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) passed on 2025-10-11; awaiting #authority-core broadcast. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES | Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so `dotnet build src/StellaOps.Authority.sln` returns success. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | PLG6.DOC | Plugin developer guide polish
Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-001 | Fetch pipeline & state tracking
Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.
Team instructions: Read ./AGENTS.md and src/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-002 | VINCE note detail fetcher
Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-003 | DTO & parser implementation
Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-004 | Canonical mapping & range primitives
VINCE DTO aggregate flows through `CertCcMapper`, emitting vendor range primitives + normalized version rules that persist via `_advisoryStore`. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-005 | Deterministic fixtures/tests
Snapshot harness refreshed 2025-10-12; `certcc-*.snapshot.json` regenerated and regression suite green without UPDATE flag drift. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-006 | Telemetry & documentation
`CertCcDiagnostics` publishes summary/detail/parse/map metrics (meter `StellaOps.Concelier.Connector.CertCc`), README documents instruments, and log guidance captured for Ops on 2025-10-12. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-007 | Connector test harness remediation
Harness now wires `AddSourceCommon`, resets `FakeTimeProvider`, and passes canned-response regression run dated 2025-10-12. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-008 | Snapshot coverage handoff
Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-012 | Schema sync & snapshot regen follow-up
Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-009 | Detail/map reintegration plan
Staged reintegration plan published in `src/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md`; coordinates enablement with FEEDCONN-CERTCC-02-004. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-010 | Partial-detail graceful degradation
Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-REDHAT-02-001 | Fixture validation sweep
Instructions to work:
Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-001 | Canonical mapping & range primitives
Mapper emits SemVer rules (`scheme=apple:*`); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-002 | Deterministic fixtures/tests
Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-003 | Telemetry & documentation
Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-004 | Live HTML regression sweep
Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-005 | Fixture regeneration tooling
`UPDATE_APPLE_FIXTURES=1` flow fetches & rewrites fixtures; README documents usage.
Instructions to work:
DONE Read ./AGENTS.md and src/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `tools/FixtureUpdater` updates across connectors. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-CVE-02-003 | CVE normalized versions uplift |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-KEV-02-003 | KEV normalized versions propagation |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-04-003 | OSV parity fixture refresh |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-10) | Team WebService & Authority | FEEDWEB-DOCS-01-001 | Document authority toggle & scope requirements
Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint). |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning
Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns
Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption
Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.
Instructions to work:
DONE Read ./AGENTS.md and src/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-13) | Team Authority Platform & Security Guild | AUTHSEC-DOCS-01-002 | SEC3.B — Published `docs/security/rate-limits.md` with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHSEC-CRYPTO-02-001 | SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements. |
-| Sprint 1 | Bootstrap & Replay Hardening | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Security Guild | AUTHSEC-CRYPTO-02-004 | SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration. |
-| Sprint 1 | Developer Tooling | src/StellaOps.Cli/TASKS.md | DONE (2025-10-15) | DevEx/CLI | AUTHCLI-DIAG-01-001 | Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.
CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in `StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests`. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHPLUG-DOCS-01-001 | PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-12) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter
`SemVerRangeRuleBuilder` shipped 2025-10-12 with comparator/`||` support and fixtures aligning to `FASTER_MODELING_AND_NORMALIZATION.md`. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing
Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDMERGE-ENGINE-02-002 | Normalized versions union & dedupe
Affected package resolver unions/dedupes normalized rules, stamps merge provenance with `decisionReason`, and tests cover the rollout. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-004 | GHSA credits & ecosystem severity mapping |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-005 | GitHub quota monitoring & retries |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-006 | Production credential & scheduler rollout |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-007 | Credit parity regression fixtures |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-004 | NVD CVSS & CWE precedence payloads |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-005 | NVD merge/export parity regression |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-004 | OSV references & credits alignment |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-005 | Fixture updater workflow
Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit `purl`; conflict fixtures unchanged for invalid npm names. Verified via `dotnet test src/StellaOps.Concelier.Connector.Osv.Tests`, `src/StellaOps.Concelier.Connector.Ghsa.Tests`, `src/StellaOps.Concelier.Connector.Nvd.Tests`, and backbone normalization/storage suites. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Acsc/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ACSC-02-001 … 02-008 | Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed). |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Cccs/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CCCS-02-001 … 02-008 | Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under `docs/ops/concelier-cccs-operations.md` with fixtures validating EN/FR list handling. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.CertBund/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CERTBUND-02-001 … 02-008 | Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook `docs/ops/concelier-certbund-operations.md` captures locale guidance and offline packaging. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Kisa/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-KISA-02-001 … 02-007 | Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in `docs/dev/kisa_connector_notes.md` complete rollout. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-RUBDU-02-001 … 02-008 | Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md | DONE (2025-10-13) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-NKCKI-02-001 … 02-008 | Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ICSCISA-02-001 … 02-011 | Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CISCO-02-001 … 02-007 | OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed). |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-MSRC-02-001 … 02-008 | Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in `docs/ops/concelier-msrc-operations.md`. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-15) | Team Connector Support & Monitoring | FEEDCONN-CVE-02-001 … 02-002 | CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from `seed-data/cve/` until live CVE Services credentials arrive. |
-| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Support & Monitoring | FEEDCONN-KEV-02-001 … 02-002 | KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published. |
-| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-01-001 | Canonical schema docs refresh
Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes. |
-| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-001 | Concelier-SemVer Playbook
Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist. |
-| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-002 | Normalized versions query guide
Delivered Mongo index/query addendum with `$unwind` recipes, dedupe checks, and operational checklist.
Instructions to work:
DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-001 | Canonical merger implementation
`CanonicalMerger` ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-002 | Field precedence and tie-breaker map
Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.
Instructions to work:
Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-03-001 | Merge event provenance audit prep
Merge events now persist `fieldDecisions` and analytics-ready provenance snapshots. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill
Dual-write/backfill flag delivered; migration + options validated in tests. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor
Storage tests adjusted for normalized versions/decision reasons.
Instructions to work:
Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for `NormalizedVersions` + `decisionReason` so connectors can roll out safely. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-001 | GHSA/NVD/OSV conflict rules
Merge pipeline consumes `CanonicalMerger` output prior to precedence merge. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-002 | Override metrics instrumentation
Merge events capture per-field decisions; counters/logs align with conflict rules. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-003 | Reference & credit union pipeline
Canonical merge preserves unions with updated tests. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-QA-04-001 | End-to-end conflict regression suite
Added regression tests (`AdvisoryMergeServiceTests`) covering canonical + precedence flow.
Instructions to work:
Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md. |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-002 | GHSA conflict regression fixtures |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-NVD-04-002 | NVD conflict regression fixtures |
-| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-OSV-04-002 | OSV conflict regression fixtures
Instructions to work:
Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA. |
-| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-11) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-001 | Concelier Conflict Rules
Runbook published at `docs/ops/concelier-conflict-resolution.md`; metrics/log guidance aligned with Sprint 3 merge counters. |
-| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-16) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-002 | Conflict runbook ops rollout
Ops review completed, alert thresholds applied, and change log appended in `docs/ops/concelier-conflict-resolution.md`; task closed after connector signals verified. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-15) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-04-001 | Advisory schema parity (description/CWE/canonical metric)
Extend `Advisory` and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-003 | Canonical merger parity for new fields
Teach `CanonicalMerger` to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-004 | Reference normalization & freshness instrumentation cleanup
Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-004 | Merge pipeline parity for new advisory fields
Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-005 | Connector coordination for new advisory fields
GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-15) | Team Exporters – JSON | FEEDEXPORT-JSON-04-001 | Surface new advisory fields in JSON exporter
Update schemas/offline bundle + fixtures once model/core parity lands.
2025-10-15: `dotnet test src/StellaOps.Concelier.Exporter.Json.Tests` validated canonical metric/CWE emission. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-15) | Team Exporters – Trivy DB | FEEDEXPORT-TRIVY-04-001 | Propagate new advisory fields into Trivy DB package
Extend Bolt builder, metadata, and regression tests for the expanded schema.
2025-10-15: `dotnet test src/StellaOps.Concelier.Exporter.TrivyDb.Tests` confirmed canonical metric/CWE propagation. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-16) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-004 | Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge. |
-| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-04-005 | Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-001 | Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-002 | Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-003 | Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-001 | Established policy options & snapshot provider covering baseline weights/overrides. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-002 | Policy evaluator now feeds consensus resolver with immutable snapshots. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-003 | Author policy diagnostics, CLI/WebService surfacing, and documentation updates. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-004 | Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-005 | Add policy change tracking, snapshot digests, and telemetry/logging hooks. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-15) | Team Excititor Storage | EXCITITOR-STORAGE-01-001 | Mongo mapping registry plus raw/export entities and DI extensions in place. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-16) | Team Excititor Storage | EXCITITOR-STORAGE-01-004 | Build provider/consensus/cache class maps and related collections. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-15) | Team Excititor Export | EXCITITOR-EXPORT-01-001 | Export engine delivers cache lookup, manifest creation, and policy integration. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-17) | Team Excititor Export | EXCITITOR-EXPORT-01-004 | Connect export engine to attestation client and persist Rekor metadata. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-001 | Implement in-toto predicate + DSSE builder providing envelopes for export attestation. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Connectors.Abstractions/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors | EXCITITOR-CONN-ABS-01-001 | Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker. |
-| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-17) | Team Excititor WebService | EXCITITOR-WEB-01-001 | Scaffold minimal API host, DI, and `/excititor/status` endpoint integrating policy, storage, export, and attestation services. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-17) | Team Excititor Worker | EXCITITOR-WORKER-01-001 | Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CSAF-01-001 | Implement CSAF normalizer foundation translating provider documents into `VexClaim` entries. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.CycloneDX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CYCLONE-01-001 | Implement CycloneDX VEX normalizer capturing `analysis` state and component references. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.OpenVEX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-OPENVEX-01-001 | Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-001 | Ship Red Hat CSAF provider metadata discovery enabling incremental pulls. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-002 | Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-003 | Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-004 | Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-005 | Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-006 | Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-001 | Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-002 | Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – SUSE | EXCITITOR-CONN-SUSE-01-001 | Build Rancher VEX Hub discovery/subscription path with offline snapshot support. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – MSRC | EXCITITOR-CONN-MS-01-001 | Deliver AAD onboarding/token cache for MSRC CSAF ingestion. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Oracle | EXCITITOR-CONN-ORACLE-01-001 | Implement Oracle CSAF catalogue discovery with CPU calendar awareness. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Ubuntu | EXCITITOR-CONN-UBUNTU-01-001 | Implement Ubuntu CSAF discovery and channel selection for USN ingestion. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-001 | Wire OCI discovery/auth to fetch OpenVEX attestations for configured images. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-002 | Attestation fetch & verify loop – download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-003 | Provenance metadata & policy hooks – emit image, subject digest, issuer, and trust metadata for policy weighting/logging. |
-| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Cli/TASKS.md | DONE (2025-10-18) | DevEx/CLI | EXCITITOR-CLI-01-001 | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-19) | Team Excititor Core & Policy | EXCITITOR-CORE-02-001 | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-19) | Team Excititor Policy | EXCITITOR-POLICY-02-001 | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-002 | Rekor v2 client integration – ship transparency log client with retries and offline queue. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-501 | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `ARCHITECTURE_SCANNER.md` §3–§4. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-502 | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-503 | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. |
-| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-001 | Buildx driver scaffold + handshake with Scanner.Emit (local CAS). |
-| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-002 | OCI annotations + provenance hand-off to Attestor. |
-| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-003 | CI demo: minimal SBOM push & backend report wiring. |
-| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-004 | Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders. |
-| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-005 | Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-101 | Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-102 | `/api/v1/scans` submission/status endpoints with deterministic IDs, validation, and cancellation support. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-WEB-09-104 | Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-201 | Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-202 | Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-203 | Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-204 | Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-205 | Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-001 | Policy schema + binder + diagnostics. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-002 | Policy snapshot store + revision digests. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-003 | `/policy/preview` API (image digest → projected verdict diff). |
-| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-HELM-09-001 | Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests. |
-| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, DevEx | DOCS-ADR-09-001 | Establish ADR process and template. |
-| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, Platform Events | DOCS-EVENTS-09-002 | Publish event schema catalog (`docs/events/`) for critical envelopes. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-301 | Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-302 | MinIO layout, immutability policies, client abstraction, and configuration binding. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-303 | Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-401 | Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-402 | Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-403 | Retry + dead-letter strategy with structured logs/metrics for offline deployments. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `tools/FixtureUpdater` updates across connectors.
Progress 2025-10-20: Coordination matrix + rollout dashboard refreshed; upcoming deadlines tracked (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) with escalation path documented in FEEDMERGE-COORD-02-900.|
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path
Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-02-001 | Statement events & scoring signals – immutable VEX statements store, consensus signal fields, and migration `20251019-consensus-signals-statements` with tests (`dotnet test src/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`, `dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-19) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Concelier WebService Guild | FEEDWEB-EVENTS-07-001 | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-20) | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions
Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Authority/TASKS.md | DONE (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage
Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories
Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via `dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`. |
-| Sprint 8 | Platform Maintenance | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-03-001 | Statement backfill tooling – shipped admin backfill endpoint, CLI hook (`stellaops excititor backfill-statements`), integration tests, and operator runbook (`docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`). |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-20) | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. |
-| Sprint 8 | Mirror Distribution | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-MIRROR-08-001 | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-003 | Refactor Authority identity-provider registry to resolve scoped plugin services on-demand.
Introduce factory pattern aligned with scoped lifetimes decided in coordination workshop. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-004 | Update Authority plugin loader to activate registrars with DI support and scoped service awareness.
Add two-phase initialization allowing scoped dependencies post-container build. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-005 | Provide scoped-safe bootstrap execution for Authority plugins.
Implement scope-per-run pattern for hosted bootstrap tasks and document migration guidance. |
-| Sprint 10 | DevOps Security | ops/devops/TASKS.md | DONE (2025-10-20) | DevOps Guild | DEVOPS-SEC-10-301 | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0; Wave 0A prerequisites confirmed complete before remediation work. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | DONE (2025-10-20) | Authority Core & Security Guild | AUTH-DPOP-11-001 | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-604 | Teams health endpoint metadata alignment. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-503 | Package Slack connector as restart-time plug-in (manifest + host registration). |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-603 | Package Teams connector as restart-time plug-in (manifest + host registration). |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-703 | Package Email connector as restart-time plug-in (manifest + host registration). |
-| Sprint 15 | Notify Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-20) | Scanner WebService Guild | SCANNER-EVENTS-15-201 | Emit `scanner.report.ready` + `scanner.scan.completed` events. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-803 | Package Webhook connector as restart-time plug-in (manifest + host registration). |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Models/TASKS.md | DONE (2025-10-20) | Scheduler Models Guild | SCHED-MODELS-16-103 | Versioning/migration helpers for schedules/runs. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-401 | Queue abstraction + Redis Streams adapter. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-402 | NATS JetStream adapter with health probes. |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.ImpactIndex/TASKS.md | DONE (2025-10-20) | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-300 | **STUB** ImpactIndex ingest/query using fixtures (to be removed by SP16 completion). |
diff --git a/SPRINTS_PRIOR_20251021.md b/SPRINTS_PRIOR_20251021.md
deleted file mode 100644
index f195a15c..00000000
--- a/SPRINTS_PRIOR_20251021.md
+++ /dev/null
@@ -1,88 +0,0 @@
-This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not).
-
-| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description |
-| --- | --- | --- | --- | --- | --- | --- |
-| Sprint 7 | Contextual Truth Foundations | docs/TASKS.md | DONE (2025-10-22) | Docs Guild, Concelier WebService | DOCS-CONCELIER-07-201 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-20) | Team Excititor WebService | EXCITITOR-WEB-01-002 | Ingest & reconcile endpoints – scope-enforced `/excititor/init`, `/excititor/ingest/run`, `/excititor/ingest/resume`, `/excititor/reconcile`; regression via `dotnet test … --filter FullyQualifiedName~IngestEndpointsTests`. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-20) | Team Excititor WebService | EXCITITOR-WEB-01-004 | Resolve API & signed responses – expose `/excititor/resolve`, return signed consensus/score envelopes, document auth. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-21) | Team Excititor Worker | EXCITITOR-WORKER-01-004 | TTL refresh & stability damper – schedule re-resolve loops and guard against status flapping. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-21) | Team Core Engine & Data Science | FEEDCORE-ENGINE-07-002 | Noise prior computation service – learn false-positive priors and expose deterministic summaries. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-21) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-003 | Unknown state ledger & confidence seeding – persist unknown flags, seed confidence bands, expose query surface. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-19) | Team Excititor WebService | EXCITITOR-WEB-01-005 | Mirror distribution endpoints – expose download APIs for downstream Excititor instances. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-21) | Team Excititor Export | EXCITITOR-EXPORT-01-005 | Score & resolve envelope surfaces – include signed consensus/score artifacts in exports. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-21) | Team Excititor Export | EXCITITOR-EXPORT-01-006 | Quiet provenance packaging – attach quieted-by statement IDs, signers, justification codes to exports and attestations. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-21) | Team Excititor Export | EXCITITOR-EXPORT-01-007 | Mirror bundle + domain manifest – publish signed consensus bundles for mirrors. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md | DONE (2025-10-21) | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-001 | Excititor mirror connector – ingest signed mirror bundles and map to VexClaims with resume handling. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-07-001 | Advisory statement & conflict collections – provision Mongo schema/indexes for event-sourced merge. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Web/TASKS.md | DONE (2025-10-21) | UX Specialist, Angular Eng | WEB1.TRIVY-SETTINGS-TESTS | Add headless UI test run (`ng test --watch=false`) and document prerequisites once Angular tooling is chained up. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | DONE (2025-10-20) | BE-Conn-Stella | FEEDCONN-STELLA-08-001 | Concelier mirror connector – fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | DONE (2025-10-20) | BE-Conn-Stella | FEEDCONN-STELLA-08-002 | Map mirror payloads into canonical advisory DTOs with provenance referencing mirror domain + original source metadata. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | DONE (2025-10-20) | BE-Conn-Stella | FEEDCONN-STELLA-08-003 | Add incremental cursor + resume support (per-export fingerprint) and document configuration for downstream Concelier instances. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-21) | Plugin Platform Guild | PLUGIN-DI-08-001 | Scoped service support in plugin bootstrap – added dynamic plugin tests ensuring `[ServiceBinding]` metadata flows through plugin hosts and remains idempotent. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-002.COORD | Authority scoped-service integration handshake
Workshop concluded 2025-10-20 15:00–16:05 UTC; decisions + follow-ups recorded in `docs/dev/authority-plugin-di-coordination.md`. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DONE (2025-10-20) | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-002 | Authority plugin integration updates – scoped identity-provider services with registry handles; regression coverage via scoped registrar/unit tests. |
-| Sprint 8 | Plugin Infrastructure | src/StellaOps.Authority/TASKS.md | DONE (2025-10-20) | Authority Core, Plugin Platform Guild | AUTH-PLUGIN-COORD-08-002 | Coordinate scoped-service adoption for Authority plug-in registrars
Workshop notes and follow-up backlog captured 2025-10-20 in `docs/dev/authority-plugin-di-coordination.md`. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-WEB-09-103 | Progress streaming (SSE/JSONL) with correlation IDs and ISO-8601 UTC timestamps, documented in API reference. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-POLICY-09-105 | Policy snapshot loader + schema + OpenAPI (YAML ignore rules, VEX include/exclude, vendor precedence). |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-POLICY-09-106 | `/reports` verdict assembly (Feedser+Vexer+Policy) + signed response envelope. |
-| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-POLICY-09-107 | Expose score inputs, config version, and quiet provenance in `/reports` JSON and signed payload. |
-| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-21) | DevOps Guild, Scanner WebService Guild | DEVOPS-SCANNER-09-204 | Surface `SCANNER__EVENTS__*` env config across Compose/Helm and document overrides. |
-| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-21) | DevOps Guild, Notify Guild | DEVOPS-SCANNER-09-205 | Notify smoke job validates Redis stream + Notify deliveries after staging deploys. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-004 | Versioned scoring config with schema validation, trust table, and golden fixtures. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-005 | Scoring/quiet engine – compute score, enforce VEX-only quiet rules, emit inputs and provenance. |
-| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-006 | Unknown state & confidence decay – deterministic bands surfaced in policy outputs. |
-| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-21) | Platform Events Guild | PLATFORM-EVENTS-09-401 | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. |
-| Sprint 10 | Benchmarks | src/StellaOps.Bench/TASKS.md | DONE (2025-10-21) | Bench Guild, Language Analyzer Guild | BENCH-SCANNER-10-002 | Wire real language analyzers into bench harness & refresh baselines post-implementation. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-21) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-302 | Node analyzer handling workspaces/symlinks emitting `pkg:npm`. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-21) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-303 | Python analyzer reading `*.dist-info`, RECORD hashes, entry points. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-22) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-304 | Go analyzer leveraging buildinfo for `pkg:golang` components. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md | DONE (2025-10-22) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-304E | Plumb Go heuristic counter into Scanner metrics pipeline and alerting. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-22) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-305 | .NET analyzer parsing `*.deps.json`, assembly metadata, RID variants. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-22) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-306 | Rust analyzer detecting crates or falling back to `bin:{sha256}`. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-19) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-307 | Shared language evidence helpers + usage flag propagation. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-19) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-308 | Determinism + fixture harness for language analyzers. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-21) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-309 | Package language analyzers as restart-time plug-ins (manifest + host registration). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-601 | Compose inventory SBOM (CycloneDX JSON/Protobuf) from layer fragments. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-602 | Compose usage SBOM leveraging EntryTrace to flag actual usage. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-603 | Generate BOM index sidecar (purl table + roaring bitmap + usage flag). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-604 | Package artifacts for export + attestation with deterministic manifests. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-605 | Emit BOM-Index sidecar schema/fixtures (CRITICAL PATH for SP16). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-606 | Usage view bit flags integrated with EntryTrace. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | DONE (2025-10-22) | Emit Guild | SCANNER-EMIT-10-607 | Embed scoring inputs, confidence band, and quiet provenance in CycloneDX/DSSE artifacts. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Cache/TASKS.md | DONE (2025-10-19) | Scanner Cache Guild | SCANNER-CACHE-10-101 | Implement layer cache store keyed by layer digest with metadata retention per architecture §3.3. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Cache/TASKS.md | DONE (2025-10-19) | Scanner Cache Guild | SCANNER-CACHE-10-102 | Build file CAS with dedupe, TTL enforcement, and offline import/export hooks. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Cache/TASKS.md | DONE (2025-10-19) | Scanner Cache Guild | SCANNER-CACHE-10-103 | Expose cache metrics/logging and configuration toggles for warm/cold thresholds. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Cache/TASKS.md | DONE (2025-10-19) | Scanner Cache Guild | SCANNER-CACHE-10-104 | Implement cache invalidation workflows (layer delete, TTL expiry, diff invalidation). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-201 | Alpine/apk analyzer emitting deterministic components with provenance. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-202 | Debian/dpkg analyzer mapping packages to purl identity with evidence. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-203 | RPM analyzer capturing EVR, file listings, provenance. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-204 | Shared OS evidence helpers for package identity + provenance. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-205 | Vendor metadata enrichment (source packages, license, CVE hints). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-206 | Determinism harness + fixtures for OS analyzers. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.OS/TASKS.md | DONE (2025-10-19) | OS Analyzer Guild | SCANNER-ANALYZERS-OS-10-207 | Package OS analyzers as restart-time plug-ins (manifest + host registration). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-19) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-301 | Java analyzer emitting `pkg:maven` with provenance. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-401 | POSIX shell AST parser with deterministic output. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-402 | Command resolution across layered rootfs with evidence attribution. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-403 | Interpreter tracing for shell wrappers to Python/Node/Java launchers. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-404 | Python entry analyzer (venv shebang, module invocation, usage flag). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-405 | Node/Java launcher analyzer capturing script/jar targets. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-406 | Explainability + diagnostics for unresolved constructs with metrics. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.EntryTrace/TASKS.md | DONE (2025-10-19) | EntryTrace Guild | SCANNER-ENTRYTRACE-10-407 | Package EntryTrace analyzers as restart-time plug-ins (manifest + host registration). |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Diff/TASKS.md | DONE (2025-10-19) | Diff Guild | SCANNER-DIFF-10-501 | Build component differ tracking add/remove/version changes with deterministic ordering. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Diff/TASKS.md | DONE (2025-10-19) | Diff Guild | SCANNER-DIFF-10-502 | Attribute diffs to introducing/removing layers including provenance evidence. |
-| Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Diff/TASKS.md | DONE (2025-10-19) | Diff Guild | SCANNER-DIFF-10-503 | Produce JSON diff output for inventory vs usage views aligned with API contract. |
-| Sprint 10 | Samples | samples/TASKS.md | DONE (2025-10-20) | Samples Guild, Scanner Team | SAMPLES-10-001 | Sample images with SBOM/BOM-Index sidecars. |
-| Sprint 10 | DevOps Perf | ops/devops/TASKS.md | DONE (2025-10-22) | DevOps Guild | DEVOPS-PERF-10-001 | Perf smoke job ensuring <5 s SBOM compose. |
-| Sprint 10 | DevOps Perf | ops/devops/TASKS.md | DONE (2025-10-23) | DevOps Guild | DEVOPS-PERF-10-002 | Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20 % regressions. |
-| Sprint 10 | Policy Samples | samples/TASKS.md | DONE (2025-10-23) | Samples Guild, Policy Guild | SAMPLES-13-004 | Add policy preview/report fixtures showing confidence bands and unknown-age tags. |
-| Sprint 10 | Policy Samples | src/StellaOps.Web/TASKS.md | DONE (2025-10-23) | UI Guild | WEB-POLICY-FIXTURES-10-001 | Wire policy preview/report doc fixtures into UI harness (test utility or Storybook substitute) with type bindings and validation guard so UI stays aligned with documented payloads. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | DONE (2025-10-21) | Signer Guild | SIGNER-API-11-101 | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | DONE (2025-10-21) | Signer Guild | SIGNER-REF-11-102 | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | DONE (2025-10-21) | Signer Guild | SIGNER-QUOTA-11-103 | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | DONE (2025-10-23) | Authority Core & Security Guild | AUTH-MTLS-11-002 | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-20) | Scanner WebService Guild | SCANNER-RUNTIME-12-301 | `/runtime/events` ingestion endpoint with validation, batching, storage hooks. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | DONE (2025-10-21) | DevEx/CLI | CLI-OFFLINE-13-006 | Implement offline kit pull/import/status commands with integrity checks. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | DONE (2025-10-22) | DevEx/CLI | CLI-PLUGIN-13-007 | Package non-core CLI verbs as restart-time plug-ins (manifest + loader tests). |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.Web/TASKS.md | DONE (2025-10-21) | UX Specialist, Angular Eng, DevEx | WEB1.DEPS-13-001 | Stabilise Angular workspace dependencies for headless CI installs (`npm install`, Chromium handling, docs). |
-| Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Queue/TASKS.md | DONE (2025-10-20) | Scheduler Queue Guild | SCHED-QUEUE-16-403 | Dead-letter handling + metrics. |
-| Sprint 18 | Launch Readiness | ops/offline-kit/TASKS.md | DONE (2025-10-22) | Offline Kit Guild, Scanner Guild | DEVOPS-OFFLINE-18-004 | Rebuild Offline Kit bundle with Go analyzer plug-in and refreshed manifest/signature set. |
diff --git a/SPRINTS_PRIOR_20251025.md b/SPRINTS_PRIOR_20251025.md
deleted file mode 100644
index 53b12e13..00000000
--- a/SPRINTS_PRIOR_20251025.md
+++ /dev/null
@@ -1,34 +0,0 @@
-This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not).
-
-| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description |
-| --- | --- | --- | --- | --- | --- | --- |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-API-11-201 | `/rekor/entries` submission pipeline with dedupe, proof acquisition, and persistence. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-VERIFY-11-202 | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-OBS-11-203 | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. |
-| Sprint 11 | Storage Platform Hardening | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-23) | Scanner Storage Guild | SCANNER-STORAGE-11-401 | Migrate scanner object storage integration from MinIO to RustFS with data migration plan. |
-| Sprint 11 | UI Integration | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-ATTEST-11-005 | Attestation visibility (Rekor id, status) on Scan Detail. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-201 | Define runtime event/admission DTOs, hashing helpers, and versioning strategy. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-202 | Provide configuration/logging/metrics utilities shared by Observer/Webhook. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-203 | Authority client helpers, OpTok caching, and security guardrails for runtime services. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-OPS-12-204 | Operational runbooks, alert rules, and dashboard exports for runtime plane. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-001 | Container lifecycle watcher emitting deterministic runtime events with buffering. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Capture entrypoint traces + loaded libraries, hashing binaries and linking to baseline SBOM. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-003 | Posture checks for signatures/SBOM/attestation with offline caching. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-004 | Batch `/runtime/events` submissions with disk-backed buffer and rate limits. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-101 | Admission controller host with TLS bootstrap and Authority auth. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-102 | Query Scanner `/policy/runtime`, resolve digests, enforce verdicts. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-103 | Caching, fail-open/closed toggles, metrics/logging for admission decisions. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-104 | Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-303 | Align `/policy/runtime` verdicts with canonical policy evaluation (Feedser/Vexer). |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-304 | Integrate attestation verification into runtime policy metadata. |
-| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-305 | Deliver shared fixtures + e2e validation with Zastava/CLI teams. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-AUTH-13-001 | Integrate Authority OIDC + DPoP flows with session management. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-25) | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. |
-| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-25) | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-001 | Wire up .NET 10 preview feeds/local mirrors so `dotnet restore` succeeds offline; document updated NuGet bootstrap. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-401 | Bus abstraction + Redis Streams adapter with ordering/idempotency. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-402 | NATS JetStream adapter with health probes and failover. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-403 | Delivery queue with retry/dead-letter + metrics. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | DONE (2025-10-23) | Notify Worker Guild | NOTIFY-WORKER-15-201 | Bus subscription + leasing loop with backoff. |
-| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-25) | Zastava Observer Guild | ZASTAVA-OBS-17-005 | Collect GNU build-id during runtime observation and attach it to emitted events. |
-| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-25) | Scanner WebService Guild | SCANNER-RUNTIME-17-401 | Persist runtime build-id observations and expose them for debug-symbol correlation. |
diff --git a/deploy/compose/docker-compose.prod.yaml b/deploy/compose/docker-compose.prod.yaml
index 1b22790e..d58df33e 100644
--- a/deploy/compose/docker-compose.prod.yaml
+++ b/deploy/compose/docker-compose.prod.yaml
@@ -1,180 +1,180 @@
-x-release-labels: &release-labels
- com.stellaops.release.version: "2025.09.2"
- com.stellaops.release.channel: "stable"
- com.stellaops.profile: "prod"
-
-networks:
- stellaops:
- driver: bridge
- frontdoor:
- external: true
- name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}
-
-volumes:
- mongo-data:
- minio-data:
- rustfs-data:
- concelier-jobs:
- nats-data:
-
-services:
- mongo:
- image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
- command: ["mongod", "--bind_ip_all"]
- restart: unless-stopped
- environment:
- MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
- MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
- volumes:
- - mongo-data:/data/db
- networks:
- - stellaops
- labels: *release-labels
-
- minio:
- image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
- command: ["server", "/data", "--console-address", ":9001"]
- restart: unless-stopped
- environment:
- MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
- MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
- volumes:
- - minio-data:/data
- ports:
- - "${MINIO_CONSOLE_PORT:-9001}:9001"
- networks:
- - stellaops
- labels: *release-labels
-
- rustfs:
- image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
- command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
- restart: unless-stopped
- environment:
- RUSTFS__LOG__LEVEL: info
- RUSTFS__STORAGE__PATH: /data
- volumes:
- - rustfs-data:/data
- ports:
- - "${RUSTFS_HTTP_PORT:-8080}:8080"
- networks:
- - stellaops
- labels: *release-labels
-
- nats:
- image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
- command:
- - "-js"
- - "-sd"
- - /data
- restart: unless-stopped
- ports:
- - "${NATS_CLIENT_PORT:-4222}:4222"
- volumes:
- - nats-data:/data
- networks:
- - stellaops
- labels: *release-labels
-
- authority:
- image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
- restart: unless-stopped
- depends_on:
- - mongo
- environment:
- STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
- STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
- STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
- volumes:
- - ../../etc/authority.yaml:/etc/authority.yaml:ro
- - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
- ports:
- - "${AUTHORITY_PORT:-8440}:8440"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
- signer:
- image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
- restart: unless-stopped
- depends_on:
- - authority
- environment:
- SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
- SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
- SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- ports:
- - "${SIGNER_PORT:-8441}:8441"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
- attestor:
- image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
- restart: unless-stopped
- depends_on:
- - signer
- environment:
- ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
- ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- ports:
- - "${ATTESTOR_PORT:-8442}:8442"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
- concelier:
- image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
- restart: unless-stopped
- depends_on:
- - mongo
- - minio
- environment:
- CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
- CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
- CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
- CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
- volumes:
- - concelier-jobs:/var/lib/concelier/jobs
- ports:
- - "${CONCELIER_PORT:-8445}:8445"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
- scanner-web:
- image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
- restart: unless-stopped
- depends_on:
- - concelier
- - rustfs
- - nats
- environment:
- SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
- SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
- SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
- SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
- SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
- SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-true}"
- SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
- SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
- SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
- SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
- SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
- ports:
- - "${SCANNER_WEB_PORT:-8444}:8444"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
+x-release-labels: &release-labels
+ com.stellaops.release.version: "2025.09.2"
+ com.stellaops.release.channel: "stable"
+ com.stellaops.profile: "prod"
+
+networks:
+ stellaops:
+ driver: bridge
+ frontdoor:
+ external: true
+ name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}
+
+volumes:
+ mongo-data:
+ minio-data:
+ rustfs-data:
+ concelier-jobs:
+ nats-data:
+
+services:
+ mongo:
+ image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+ command: ["mongod", "--bind_ip_all"]
+ restart: unless-stopped
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+ MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+ volumes:
+ - mongo-data:/data/db
+ networks:
+ - stellaops
+ labels: *release-labels
+
+ minio:
+ image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+ command: ["server", "/data", "--console-address", ":9001"]
+ restart: unless-stopped
+ environment:
+ MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+ MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+ volumes:
+ - minio-data:/data
+ ports:
+ - "${MINIO_CONSOLE_PORT:-9001}:9001"
+ networks:
+ - stellaops
+ labels: *release-labels
+
+ rustfs:
+ image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+ command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
+ restart: unless-stopped
+ environment:
+ RUSTFS__LOG__LEVEL: info
+ RUSTFS__STORAGE__PATH: /data
+ volumes:
+ - rustfs-data:/data
+ ports:
+ - "${RUSTFS_HTTP_PORT:-8080}:8080"
+ networks:
+ - stellaops
+ labels: *release-labels
+
+ nats:
+ image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+ command:
+ - "-js"
+ - "-sd"
+ - /data
+ restart: unless-stopped
+ ports:
+ - "${NATS_CLIENT_PORT:-4222}:4222"
+ volumes:
+ - nats-data:/data
+ networks:
+ - stellaops
+ labels: *release-labels
+
+ authority:
+ image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+ restart: unless-stopped
+ depends_on:
+ - mongo
+ environment:
+ STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+ STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+ STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+ volumes:
+ - ../../etc/authority.yaml:/etc/authority.yaml:ro
+ - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+ ports:
+ - "${AUTHORITY_PORT:-8440}:8440"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
+ signer:
+ image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+ restart: unless-stopped
+ depends_on:
+ - authority
+ environment:
+ SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+ SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+ SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ ports:
+ - "${SIGNER_PORT:-8441}:8441"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
+ attestor:
+ image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+ restart: unless-stopped
+ depends_on:
+ - signer
+ environment:
+ ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+ ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ ports:
+ - "${ATTESTOR_PORT:-8442}:8442"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
+ concelier:
+ image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+ restart: unless-stopped
+ depends_on:
+ - mongo
+ - minio
+ environment:
+ CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+ CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+ CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+ CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+ volumes:
+ - concelier-jobs:/var/lib/concelier/jobs
+ ports:
+ - "${CONCELIER_PORT:-8445}:8445"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
+ scanner-web:
+ image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+ restart: unless-stopped
+ depends_on:
+ - concelier
+ - rustfs
+ - nats
+ environment:
+ SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+ SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
+ SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+ SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+ SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+ SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-true}"
+ SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+ SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
+ SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
+ SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
+ SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
+ ports:
+ - "${SCANNER_WEB_PORT:-8444}:8444"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
scanner-worker:
image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
restart: unless-stopped
@@ -212,46 +212,46 @@ services:
networks:
- stellaops
labels: *release-labels
-
- notify-web:
- image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}
- restart: unless-stopped
- depends_on:
- - mongo
- - authority
- environment:
- DOTNET_ENVIRONMENT: Production
- volumes:
- - ../../etc/notify.prod.yaml:/app/etc/notify.yaml:ro
- ports:
- - "${NOTIFY_WEB_PORT:-8446}:8446"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
-
- excititor:
- image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
- restart: unless-stopped
- depends_on:
- - concelier
- environment:
- EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
- EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
- networks:
- - stellaops
- labels: *release-labels
-
- web-ui:
- image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
- restart: unless-stopped
- depends_on:
- - scanner-web
- environment:
- STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
- ports:
- - "${UI_PORT:-8443}:8443"
- networks:
- - stellaops
- - frontdoor
- labels: *release-labels
+
+ notify-web:
+ image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}
+ restart: unless-stopped
+ depends_on:
+ - mongo
+ - authority
+ environment:
+ DOTNET_ENVIRONMENT: Production
+ volumes:
+ - ../../etc/notify.prod.yaml:/app/etc/notify.yaml:ro
+ ports:
+ - "${NOTIFY_WEB_PORT:-8446}:8446"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
+
+ excititor:
+ image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+ restart: unless-stopped
+ depends_on:
+ - concelier
+ environment:
+ EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+ EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+ networks:
+ - stellaops
+ labels: *release-labels
+
+ web-ui:
+ image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+ restart: unless-stopped
+ depends_on:
+ - scanner-web
+ environment:
+ STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+ ports:
+ - "${UI_PORT:-8443}:8443"
+ networks:
+ - stellaops
+ - frontdoor
+ labels: *release-labels
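Review bot: `notify-web` is the only service in this hunk whose image is resolved by a mutable tag, `${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}`, while `excititor` and `web-ui` are pinned by `@sha256:` digest. A re-pushed tag or an overridden `NOTIFY_WEB_IMAGE` therefore changes what runs in the prod profile without any change to this file. The default should carry the release digest, e.g. `image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web@sha256:<DIGEST_OF_2025.09.2_PLACEHOLDER>}`. The same applies to `rustfs:2025.10.0-edge` in the preceding hunk of this file and to the tag-only images in `docker-compose.telemetry-storage.yaml` and `docker-compose.telemetry.yaml`. The `services:` mapping starts outside this hunk.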
diff --git a/deploy/compose/docker-compose.telemetry-storage.yaml b/deploy/compose/docker-compose.telemetry-storage.yaml
index cb9462f6..aa2ee148 100644
--- a/deploy/compose/docker-compose.telemetry-storage.yaml
+++ b/deploy/compose/docker-compose.telemetry-storage.yaml
@@ -1,57 +1,57 @@
-version: "3.9"
-
-services:
- prometheus:
- image: prom/prometheus:v2.53.0
- container_name: stellaops-prometheus
- command:
- - "--config.file=/etc/prometheus/prometheus.yaml"
- volumes:
- - ../telemetry/storage/prometheus.yaml:/etc/prometheus/prometheus.yaml:ro
- - prometheus-data:/prometheus
- - ../telemetry/certs:/etc/telemetry/tls:ro
- - ../telemetry/storage/auth:/etc/telemetry/auth:ro
- environment:
- PROMETHEUS_COLLECTOR_TARGET: stellaops-otel-collector:9464
- ports:
- - "9090:9090"
- depends_on:
- - tempo
- - loki
-
- tempo:
- image: grafana/tempo:2.5.0
- container_name: stellaops-tempo
- command:
- - "-config.file=/etc/tempo/tempo.yaml"
- volumes:
- - ../telemetry/storage/tempo.yaml:/etc/tempo/tempo.yaml:ro
- - ../telemetry/storage/tenants/tempo-overrides.yaml:/etc/telemetry/tenants/tempo-overrides.yaml:ro
- - ../telemetry/certs:/etc/telemetry/tls:ro
- - tempo-data:/var/tempo
- ports:
- - "3200:3200"
- environment:
- TEMPO_ZONE: docker
-
- loki:
- image: grafana/loki:3.1.0
- container_name: stellaops-loki
- command:
- - "-config.file=/etc/loki/loki.yaml"
- volumes:
- - ../telemetry/storage/loki.yaml:/etc/loki/loki.yaml:ro
- - ../telemetry/storage/tenants/loki-overrides.yaml:/etc/telemetry/tenants/loki-overrides.yaml:ro
- - ../telemetry/certs:/etc/telemetry/tls:ro
- - loki-data:/var/loki
- ports:
- - "3100:3100"
-
-volumes:
- prometheus-data:
- tempo-data:
- loki-data:
-
-networks:
- default:
- name: stellaops-telemetry
+version: "3.9"
+
+services:
+ prometheus:
+ image: prom/prometheus:v2.53.0
+ container_name: stellaops-prometheus
+ command:
+ - "--config.file=/etc/prometheus/prometheus.yaml"
+ volumes:
+ - ../telemetry/storage/prometheus.yaml:/etc/prometheus/prometheus.yaml:ro
+ - prometheus-data:/prometheus
+ - ../telemetry/certs:/etc/telemetry/tls:ro
+ - ../telemetry/storage/auth:/etc/telemetry/auth:ro
+ environment:
+ PROMETHEUS_COLLECTOR_TARGET: stellaops-otel-collector:9464
+ ports:
+ - "9090:9090"
+ depends_on:
+ - tempo
+ - loki
+
+ tempo:
+ image: grafana/tempo:2.5.0
+ container_name: stellaops-tempo
+ command:
+ - "-config.file=/etc/tempo/tempo.yaml"
+ volumes:
+ - ../telemetry/storage/tempo.yaml:/etc/tempo/tempo.yaml:ro
+ - ../telemetry/storage/tenants/tempo-overrides.yaml:/etc/telemetry/tenants/tempo-overrides.yaml:ro
+ - ../telemetry/certs:/etc/telemetry/tls:ro
+ - tempo-data:/var/tempo
+ ports:
+ - "3200:3200"
+ environment:
+ TEMPO_ZONE: docker
+
+ loki:
+ image: grafana/loki:3.1.0
+ container_name: stellaops-loki
+ command:
+ - "-config.file=/etc/loki/loki.yaml"
+ volumes:
+ - ../telemetry/storage/loki.yaml:/etc/loki/loki.yaml:ro
+ - ../telemetry/storage/tenants/loki-overrides.yaml:/etc/telemetry/tenants/loki-overrides.yaml:ro
+ - ../telemetry/certs:/etc/telemetry/tls:ro
+ - loki-data:/var/loki
+ ports:
+ - "3100:3100"
+
+volumes:
+ prometheus-data:
+ tempo-data:
+ loki-data:
+
+networks:
+ default:
+ name: stellaops-telemetry
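Review bot: The `ports` entries `"9090:9090"`, `"3200:3200"` and `"3100:3100"` publish Prometheus, Tempo and Loki on every host interface, and nothing in this hunk shows that those listeners require TLS or credentials. The mounted `../telemetry/certs` and `../telemetry/storage/auth` suggest that is intended, but it depends on `prometheus.yaml`, `tempo.yaml` and `loki.yaml`, which are not part of this hunk. Unless remote access is required, bind the published ports to loopback, e.g. `- "127.0.0.1:9090:9090"`, or drop `ports` and let consumers reach the services over the `stellaops-telemetry` network. A short comment on each mapping naming the expected client would make the intended exposure reviewable.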
diff --git a/deploy/compose/docker-compose.telemetry.yaml b/deploy/compose/docker-compose.telemetry.yaml
index c94b6ac4..1d6fd07b 100644
--- a/deploy/compose/docker-compose.telemetry.yaml
+++ b/deploy/compose/docker-compose.telemetry.yaml
@@ -1,34 +1,34 @@
-version: "3.9"
-
-services:
- otel-collector:
- image: otel/opentelemetry-collector:0.105.0
- container_name: stellaops-otel-collector
- command:
- - "--config=/etc/otel-collector/config.yaml"
- environment:
- STELLAOPS_OTEL_TLS_CERT: /etc/otel-collector/tls/collector.crt
- STELLAOPS_OTEL_TLS_KEY: /etc/otel-collector/tls/collector.key
- STELLAOPS_OTEL_TLS_CA: /etc/otel-collector/tls/ca.crt
- STELLAOPS_OTEL_PROMETHEUS_ENDPOINT: 0.0.0.0:9464
- STELLAOPS_OTEL_REQUIRE_CLIENT_CERT: "true"
- STELLAOPS_TENANT_ID: dev
- volumes:
- - ../telemetry/otel-collector-config.yaml:/etc/otel-collector/config.yaml:ro
- - ../telemetry/certs:/etc/otel-collector/tls:ro
- ports:
- - "4317:4317" # OTLP gRPC (mTLS)
- - "4318:4318" # OTLP HTTP (mTLS)
- - "9464:9464" # Prometheus exporter (mTLS)
- - "13133:13133" # Health check
- - "1777:1777" # pprof
- healthcheck:
- test: ["CMD", "curl", "-fsk", "--cert", "/etc/otel-collector/tls/client.crt", "--key", "/etc/otel-collector/tls/client.key", "--cacert", "/etc/otel-collector/tls/ca.crt", "https://localhost:13133/healthz"]
- interval: 30s
- start_period: 15s
- timeout: 5s
- retries: 3
-
-networks:
- default:
- name: stellaops-telemetry
+version: "3.9"
+
+services:
+ otel-collector:
+ image: otel/opentelemetry-collector:0.105.0
+ container_name: stellaops-otel-collector
+ command:
+ - "--config=/etc/otel-collector/config.yaml"
+ environment:
+ STELLAOPS_OTEL_TLS_CERT: /etc/otel-collector/tls/collector.crt
+ STELLAOPS_OTEL_TLS_KEY: /etc/otel-collector/tls/collector.key
+ STELLAOPS_OTEL_TLS_CA: /etc/otel-collector/tls/ca.crt
+ STELLAOPS_OTEL_PROMETHEUS_ENDPOINT: 0.0.0.0:9464
+ STELLAOPS_OTEL_REQUIRE_CLIENT_CERT: "true"
+ STELLAOPS_TENANT_ID: dev
+ volumes:
+ - ../telemetry/otel-collector-config.yaml:/etc/otel-collector/config.yaml:ro
+ - ../telemetry/certs:/etc/otel-collector/tls:ro
+ ports:
+ - "4317:4317" # OTLP gRPC (mTLS)
+ - "4318:4318" # OTLP HTTP (mTLS)
+ - "9464:9464" # Prometheus exporter (mTLS)
+ - "13133:13133" # Health check
+ - "1777:1777" # pprof
+ healthcheck:
+ test: ["CMD", "curl", "-fsk", "--cert", "/etc/otel-collector/tls/client.crt", "--key", "/etc/otel-collector/tls/client.key", "--cacert", "/etc/otel-collector/tls/ca.crt", "https://localhost:13133/healthz"]
+ interval: 30s
+ start_period: 15s
+ timeout: 5s
+ retries: 3
+
+networks:
+ default:
+ name: stellaops-telemetry
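Review bot: The mapping `- "1777:1777" # pprof` publishes the collector's profiling endpoint on all host interfaces, and unlike the three OTLP/Prometheus ports above it carries no `(mTLS)` note. Profiles expose runtime internals and cost CPU to produce, so the endpoint should not be reachable by default: remove the mapping or bind it to loopback, `- "127.0.0.1:1777:1777"`. The same default appears as `0.0.0.0:1777` in `deploy/helm/stellaops/files/otel-collector-config.yaml` and as `containerPort: 1777` in `templates/otel-collector.yaml`. Separately, the healthcheck passes `-k` (in `-fsk`) together with `--cacert`, which switches off the certificate verification the CA file is there for; use `-fs` and, if verification then fails, give the collector certificate a `localhost` SAN instead.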
diff --git a/deploy/compose/env/prod.env.example b/deploy/compose/env/prod.env.example
index 211ef8b5..79064dfd 100644
--- a/deploy/compose/env/prod.env.example
+++ b/deploy/compose/env/prod.env.example
@@ -1,33 +1,33 @@
-# Substitutions for docker-compose.prod.yaml
-# ⚠️ Replace all placeholder secrets with values sourced from your secret manager.
-MONGO_INITDB_ROOT_USERNAME=stellaops-prod
-MONGO_INITDB_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
-MINIO_ROOT_USER=stellaops-prod
-MINIO_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
-# Expose the MinIO console only to trusted operator networks.
-MINIO_CONSOLE_PORT=39001
-RUSTFS_HTTP_PORT=8080
-AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
-AUTHORITY_PORT=8440
-SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
-SIGNER_PORT=8441
-ATTESTOR_PORT=8442
-CONCELIER_PORT=8445
-SCANNER_WEB_PORT=8444
-UI_PORT=8443
-NATS_CLIENT_PORT=4222
-SCANNER_QUEUE_BROKER=nats://nats:4222
-# `true` enables signed scanner events for Notify ingestion.
-SCANNER_EVENTS_ENABLED=true
-SCANNER_EVENTS_DRIVER=redis
-# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
-SCANNER_EVENTS_DSN=
-SCANNER_EVENTS_STREAM=stella.events
-SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+# Substitutions for docker-compose.prod.yaml
+# ⚠️ Replace all placeholder secrets with values sourced from your secret manager.
+MONGO_INITDB_ROOT_USERNAME=stellaops-prod
+MONGO_INITDB_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+MINIO_ROOT_USER=stellaops-prod
+MINIO_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+# Expose the MinIO console only to trusted operator networks.
+MINIO_CONSOLE_PORT=39001
+RUSTFS_HTTP_PORT=8080
+AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+# `true` enables signed scanner events for Notify ingestion.
+SCANNER_EVENTS_ENABLED=true
+SCANNER_EVENTS_DRIVER=redis
+# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
SCHEDULER_QUEUE_KIND=Nats
SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
-# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
-FRONTDOOR_NETWORK=stellaops_frontdoor
+# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
+FRONTDOOR_NETWORK=stellaops_frontdoor
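Review bot: With the values shipped here, `SCANNER_EVENTS_DRIVER=redis` has no DSN to use: `SCANNER_EVENTS_DSN` is empty, and the comment above it says the empty value is inherited only when `SCANNER_QUEUE_BROKER` uses `redis://`, yet the example sets `SCANNER_QUEUE_BROKER=nats://nats:4222`. How the scanner behaves with an empty DSN is not visible here, so it is worth confirming that signed events are not silently dropped. Either give the example a placeholder DSN or add a comment such as `# Required when SCANNER_QUEUE_BROKER is not redis://`. Also, `SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444` uses plain HTTP while `docker-compose.prod.yaml` points the UI at `https://scanner-web:8444`; one of the two schemes is presumably wrong.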
diff --git a/deploy/helm/stellaops/files/otel-collector-config.yaml b/deploy/helm/stellaops/files/otel-collector-config.yaml
index d5d0167e..2a401a65 100644
--- a/deploy/helm/stellaops/files/otel-collector-config.yaml
+++ b/deploy/helm/stellaops/files/otel-collector-config.yaml
@@ -1,64 +1,64 @@
-receivers:
- otlp:
- protocols:
- grpc:
- endpoint: 0.0.0.0:4317
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
- require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
- http:
- endpoint: 0.0.0.0:4318
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
- require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
-
-processors:
- attributes/tenant-tag:
- actions:
- - key: tenant.id
- action: insert
- value: ${STELLAOPS_TENANT_ID:unknown}
- batch:
- send_batch_size: 1024
- timeout: 5s
-
-exporters:
- logging:
- verbosity: normal
- prometheus:
- endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
- enable_open_metrics: true
- metric_expiration: 5m
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
-
-extensions:
- health_check:
- endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
- pprof:
- endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:0.0.0.0:1777}
-
-service:
- telemetry:
- logs:
- level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
- extensions: [health_check, pprof]
- pipelines:
- traces:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging]
- metrics:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging, prometheus]
- logs:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging]
+receivers:
+ otlp:
+ protocols:
+ grpc:
+ endpoint: 0.0.0.0:4317
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+ require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+ http:
+ endpoint: 0.0.0.0:4318
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+ require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+
+processors:
+ attributes/tenant-tag:
+ actions:
+ - key: tenant.id
+ action: insert
+ value: ${STELLAOPS_TENANT_ID:unknown}
+ batch:
+ send_batch_size: 1024
+ timeout: 5s
+
+exporters:
+ logging:
+ verbosity: normal
+ prometheus:
+ endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
+ enable_open_metrics: true
+ metric_expiration: 5m
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+
+extensions:
+ health_check:
+ endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
+ pprof:
+ endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:0.0.0.0:1777}
+
+service:
+ telemetry:
+ logs:
+ level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
+ extensions: [health_check, pprof]
+ pipelines:
+ traces:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging]
+ metrics:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging, prometheus]
+ logs:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging]
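Review bot: The `health_check` extension is configured with an `endpoint` only and no `tls` block, while its consumers in this patch speak HTTPS to it: the Helm template's liveness and readiness probes set `scheme: HTTPS` on the `health` port, and the compose healthcheck requests `https://localhost:13133/healthz`. If this file is what `stellaops.telemetryCollector.config` renders (not visible from here), those probes would fail against a plaintext listener. Either add a `tls:` block with the same `cert_file` and `key_file` to `health_check`, or set the probes to `scheme: HTTP`. Kubelet probes present no client certificate, so the health listener cannot require one the way the OTLP receivers do.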
diff --git a/deploy/helm/stellaops/templates/otel-collector.yaml b/deploy/helm/stellaops/templates/otel-collector.yaml
index f4f10f34..9d52e949 100644
--- a/deploy/helm/stellaops/templates/otel-collector.yaml
+++ b/deploy/helm/stellaops/templates/otel-collector.yaml
@@ -1,121 +1,121 @@
-{{- if .Values.telemetry.collector.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "stellaops.telemetryCollector.fullname" . }}
- labels:
- {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
-data:
- config.yaml: |
-{{ include "stellaops.telemetryCollector.config" . | indent 4 }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "stellaops.telemetryCollector.fullname" . }}
- labels:
- {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
-spec:
- replicas: {{ .Values.telemetry.collector.replicas | default 1 }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
- app.kubernetes.io/component: "otel-collector"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
- app.kubernetes.io/component: "otel-collector"
- stellaops.profile: {{ .Values.global.profile | quote }}
- spec:
- containers:
- - name: otel-collector
- image: {{ .Values.telemetry.collector.image | default "otel/opentelemetry-collector:0.105.0" | quote }}
- args:
- - "--config=/etc/otel/config.yaml"
- ports:
- - name: otlp-grpc
- containerPort: 4317
- - name: otlp-http
- containerPort: 4318
- - name: metrics
- containerPort: 9464
- - name: health
- containerPort: 13133
- - name: pprof
- containerPort: 1777
- env:
- - name: STELLAOPS_OTEL_TLS_CERT
- value: {{ .Values.telemetry.collector.tls.certPath | default "/etc/otel/tls/tls.crt" | quote }}
- - name: STELLAOPS_OTEL_TLS_KEY
- value: {{ .Values.telemetry.collector.tls.keyPath | default "/etc/otel/tls/tls.key" | quote }}
- - name: STELLAOPS_OTEL_TLS_CA
- value: {{ .Values.telemetry.collector.tls.caPath | default "/etc/otel/tls/ca.crt" | quote }}
- - name: STELLAOPS_OTEL_PROMETHEUS_ENDPOINT
- value: {{ .Values.telemetry.collector.prometheusEndpoint | default "0.0.0.0:9464" | quote }}
- - name: STELLAOPS_OTEL_REQUIRE_CLIENT_CERT
- value: {{ .Values.telemetry.collector.requireClientCert | default true | quote }}
- - name: STELLAOPS_TENANT_ID
- value: {{ .Values.telemetry.collector.defaultTenant | default "unknown" | quote }}
- - name: STELLAOPS_OTEL_LOG_LEVEL
- value: {{ .Values.telemetry.collector.logLevel | default "info" | quote }}
- volumeMounts:
- - name: config
- mountPath: /etc/otel/config.yaml
- subPath: config.yaml
- readOnly: true
- - name: tls
- mountPath: /etc/otel/tls
- readOnly: true
- livenessProbe:
- httpGet:
- scheme: HTTPS
- port: health
- path: /healthz
- initialDelaySeconds: 10
- periodSeconds: 30
- readinessProbe:
- httpGet:
- scheme: HTTPS
- port: health
- path: /healthz
- initialDelaySeconds: 5
- periodSeconds: 15
-{{- with .Values.telemetry.collector.resources }}
- resources:
-{{ toYaml . | indent 12 }}
-{{- end }}
- volumes:
- - name: config
- configMap:
- name: {{ include "stellaops.telemetryCollector.fullname" . }}
- - name: tls
- secret:
- secretName: {{ .Values.telemetry.collector.tls.secretName | required "telemetry.collector.tls.secretName is required" }}
-{{- if .Values.telemetry.collector.tls.items }}
- items:
-{{ toYaml .Values.telemetry.collector.tls.items | indent 14 }}
-{{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "stellaops.telemetryCollector.fullname" . }}
- labels:
- {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
-spec:
- type: ClusterIP
- selector:
- app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
- app.kubernetes.io/component: "otel-collector"
- ports:
- - name: otlp-grpc
- port: {{ .Values.telemetry.collector.service.grpcPort | default 4317 }}
- targetPort: otlp-grpc
- - name: otlp-http
- port: {{ .Values.telemetry.collector.service.httpPort | default 4318 }}
- targetPort: otlp-http
- - name: metrics
- port: {{ .Values.telemetry.collector.service.metricsPort | default 9464 }}
- targetPort: metrics
-{{- end }}
+{{- if .Values.telemetry.collector.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "stellaops.telemetryCollector.fullname" . }}
+ labels:
+ {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+data:
+ config.yaml: |
+{{ include "stellaops.telemetryCollector.config" . | indent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "stellaops.telemetryCollector.fullname" . }}
+ labels:
+ {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+spec:
+ replicas: {{ .Values.telemetry.collector.replicas | default 1 }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+ app.kubernetes.io/component: "otel-collector"
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+ app.kubernetes.io/component: "otel-collector"
+ stellaops.profile: {{ .Values.global.profile | quote }}
+ spec:
+ containers:
+ - name: otel-collector
+ image: {{ .Values.telemetry.collector.image | default "otel/opentelemetry-collector:0.105.0" | quote }}
+ args:
+ - "--config=/etc/otel/config.yaml"
+ ports:
+ - name: otlp-grpc
+ containerPort: 4317
+ - name: otlp-http
+ containerPort: 4318
+ - name: metrics
+ containerPort: 9464
+ - name: health
+ containerPort: 13133
+ - name: pprof
+ containerPort: 1777
+ env:
+ - name: STELLAOPS_OTEL_TLS_CERT
+ value: {{ .Values.telemetry.collector.tls.certPath | default "/etc/otel/tls/tls.crt" | quote }}
+ - name: STELLAOPS_OTEL_TLS_KEY
+ value: {{ .Values.telemetry.collector.tls.keyPath | default "/etc/otel/tls/tls.key" | quote }}
+ - name: STELLAOPS_OTEL_TLS_CA
+ value: {{ .Values.telemetry.collector.tls.caPath | default "/etc/otel/tls/ca.crt" | quote }}
+ - name: STELLAOPS_OTEL_PROMETHEUS_ENDPOINT
+ value: {{ .Values.telemetry.collector.prometheusEndpoint | default "0.0.0.0:9464" | quote }}
+ - name: STELLAOPS_OTEL_REQUIRE_CLIENT_CERT
+ value: {{ .Values.telemetry.collector.requireClientCert | default true | quote }}
+ - name: STELLAOPS_TENANT_ID
+ value: {{ .Values.telemetry.collector.defaultTenant | default "unknown" | quote }}
+ - name: STELLAOPS_OTEL_LOG_LEVEL
+ value: {{ .Values.telemetry.collector.logLevel | default "info" | quote }}
+ volumeMounts:
+ - name: config
+ mountPath: /etc/otel/config.yaml
+ subPath: config.yaml
+ readOnly: true
+ - name: tls
+ mountPath: /etc/otel/tls
+ readOnly: true
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ port: health
+ path: /healthz
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ port: health
+ path: /healthz
+ initialDelaySeconds: 5
+ periodSeconds: 15
+{{- with .Values.telemetry.collector.resources }}
+ resources:
+{{ toYaml . | indent 12 }}
+{{- end }}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "stellaops.telemetryCollector.fullname" . }}
+ - name: tls
+ secret:
+ secretName: {{ .Values.telemetry.collector.tls.secretName | required "telemetry.collector.tls.secretName is required" }}
+{{- if .Values.telemetry.collector.tls.items }}
+ items:
+{{ toYaml .Values.telemetry.collector.tls.items | indent 14 }}
+{{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "stellaops.telemetryCollector.fullname" . }}
+ labels:
+ {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+ app.kubernetes.io/component: "otel-collector"
+ ports:
+ - name: otlp-grpc
+ port: {{ .Values.telemetry.collector.service.grpcPort | default 4317 }}
+ targetPort: otlp-grpc
+ - name: otlp-http
+ port: {{ .Values.telemetry.collector.service.httpPort | default 4318 }}
+ targetPort: otlp-http
+ - name: metrics
+ port: {{ .Values.telemetry.collector.service.metricsPort | default 9464 }}
+ targetPort: metrics
+{{- end }}
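Review bot: The `otel-collector` container sets no `securityContext`, so it runs with whatever the image and namespace defaults allow, even though it mounts the TLS secret and listens on five ports. Add a restrictive container-level context next to the probes, as sketched below. The pipelines visible in this patch export only to `logging` and `prometheus`, which suggests no writable path is needed, but confirm that before enabling the read-only root filesystem. The default image `otel/opentelemetry-collector:0.105.0` is also a mutable tag and would be better pinned by digest.

```yaml
        - name: otel-collector
          # … unchanged: image, args, ports, env, volumeMounts, probes, resources …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```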
diff --git a/deploy/helm/stellaops/values-prod.yaml b/deploy/helm/stellaops/values-prod.yaml
index 03efbad9..bb1f5768 100644
--- a/deploy/helm/stellaops/values-prod.yaml
+++ b/deploy/helm/stellaops/values-prod.yaml
@@ -1,221 +1,221 @@
-global:
- profile: prod
- release:
- version: "2025.09.2"
- channel: stable
- manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
- image:
- pullPolicy: IfNotPresent
- labels:
- stellaops.io/channel: stable
- stellaops.io/profile: prod
-
-configMaps:
- notify-config:
- data:
- notify.yaml: |
- storage:
- driver: mongo
- connectionString: "mongodb://stellaops-mongo:27017"
- database: "stellaops_notify_prod"
- commandTimeoutSeconds: 45
-
- authority:
- enabled: true
- issuer: "https://authority.prod.stella-ops.org"
- metadataAddress: "https://authority.prod.stella-ops.org/.well-known/openid-configuration"
- requireHttpsMetadata: true
- allowAnonymousFallback: false
- backchannelTimeoutSeconds: 30
- tokenClockSkewSeconds: 60
- audiences:
- - notify
- readScope: notify.read
- adminScope: notify.admin
-
- api:
- basePath: "/api/v1/notify"
- internalBasePath: "/internal/notify"
- tenantHeader: "X-StellaOps-Tenant"
-
- plugins:
- baseDirectory: "/opt/stellaops"
- directory: "plugins/notify"
- searchPatterns:
- - "StellaOps.Notify.Connectors.*.dll"
- orderedPlugins:
- - StellaOps.Notify.Connectors.Slack
- - StellaOps.Notify.Connectors.Teams
- - StellaOps.Notify.Connectors.Email
- - StellaOps.Notify.Connectors.Webhook
-
- telemetry:
- enableRequestLogging: true
- minimumLogLevel: Information
-services:
- authority:
- image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
- service:
- port: 8440
- env:
- STELLAOPS_AUTHORITY__ISSUER: "https://authority.prod.stella-ops.org"
- STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
- STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- signer:
- image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
- service:
- port: 8441
- env:
- SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
- SIGNER__POE__INTROSPECTURL: "https://licensing.prod.stella-ops.org/introspect"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- attestor:
- image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
- service:
- port: 8442
- env:
- ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- concelier:
- image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
- service:
- port: 8445
- env:
- CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
- CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- volumeMounts:
- - name: concelier-jobs
- mountPath: /var/lib/concelier/jobs
- volumeClaims:
- - name: concelier-jobs
- claimName: stellaops-concelier-jobs
- scanner-web:
- image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
- service:
- port: 8444
- env:
- SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
- SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
- SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
- SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
- SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
- SCANNER__EVENTS__ENABLED: "true"
- SCANNER__EVENTS__DRIVER: "redis"
- SCANNER__EVENTS__DSN: ""
- SCANNER__EVENTS__STREAM: "stella.events"
- SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
- SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- scanner-worker:
- image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
- replicas: 3
- env:
- SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
- SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
- SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
- SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
- SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
- SCANNER__EVENTS__ENABLED: "true"
- SCANNER__EVENTS__DRIVER: "redis"
- SCANNER__EVENTS__DSN: ""
- SCANNER__EVENTS__STREAM: "stella.events"
- SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
- SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- notify-web:
- image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
- service:
- port: 8446
- env:
- DOTNET_ENVIRONMENT: Production
- envFrom:
- - secretRef:
- name: stellaops-prod-notify
- configMounts:
- - name: notify-config
- mountPath: /app/etc/notify.yaml
- subPath: notify.yaml
- configMap: notify-config
- excititor:
- image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
- env:
- EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
- envFrom:
- - secretRef:
- name: stellaops-prod-core
- web-ui:
- image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
- service:
- port: 8443
- env:
- STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
- mongo:
- class: infrastructure
- image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
- service:
- port: 27017
- command:
- - mongod
- - --bind_ip_all
- envFrom:
- - secretRef:
- name: stellaops-prod-mongo
- volumeMounts:
- - name: mongo-data
- mountPath: /data/db
- volumeClaims:
- - name: mongo-data
- claimName: stellaops-mongo-data
- minio:
- class: infrastructure
- image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
- service:
- port: 9000
- command:
- - server
- - /data
- - --console-address
- - :9001
- envFrom:
- - secretRef:
- name: stellaops-prod-minio
- volumeMounts:
- - name: minio-data
- mountPath: /data
- volumeClaims:
- - name: minio-data
- claimName: stellaops-minio-data
- rustfs:
- class: infrastructure
- image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
- service:
- port: 8080
- command:
- - serve
- - --listen
- - 0.0.0.0:8080
- - --root
- - /data
- env:
- RUSTFS__LOG__LEVEL: info
- RUSTFS__STORAGE__PATH: /data
- volumeMounts:
- - name: rustfs-data
- mountPath: /data
- volumeClaims:
- - name: rustfs-data
- claimName: stellaops-rustfs-data
+global:
+ profile: prod
+ release:
+ version: "2025.09.2"
+ channel: stable
+ manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
+ image:
+ pullPolicy: IfNotPresent
+ labels:
+ stellaops.io/channel: stable
+ stellaops.io/profile: prod
+
+configMaps:
+ notify-config:
+ data:
+ notify.yaml: |
+ storage:
+ driver: mongo
+ connectionString: "mongodb://stellaops-mongo:27017"
+ database: "stellaops_notify_prod"
+ commandTimeoutSeconds: 45
+
+ authority:
+ enabled: true
+ issuer: "https://authority.prod.stella-ops.org"
+ metadataAddress: "https://authority.prod.stella-ops.org/.well-known/openid-configuration"
+ requireHttpsMetadata: true
+ allowAnonymousFallback: false
+ backchannelTimeoutSeconds: 30
+ tokenClockSkewSeconds: 60
+ audiences:
+ - notify
+ readScope: notify.read
+ adminScope: notify.admin
+
+ api:
+ basePath: "/api/v1/notify"
+ internalBasePath: "/internal/notify"
+ tenantHeader: "X-StellaOps-Tenant"
+
+ plugins:
+ baseDirectory: "/opt/stellaops"
+ directory: "plugins/notify"
+ searchPatterns:
+ - "StellaOps.Notify.Connectors.*.dll"
+ orderedPlugins:
+ - StellaOps.Notify.Connectors.Slack
+ - StellaOps.Notify.Connectors.Teams
+ - StellaOps.Notify.Connectors.Email
+ - StellaOps.Notify.Connectors.Webhook
+
+ telemetry:
+ enableRequestLogging: true
+ minimumLogLevel: Information
+services:
+ authority:
+ image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+ service:
+ port: 8440
+ env:
+ STELLAOPS_AUTHORITY__ISSUER: "https://authority.prod.stella-ops.org"
+ STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+ STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ signer:
+ image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+ service:
+ port: 8441
+ env:
+ SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+ SIGNER__POE__INTROSPECTURL: "https://licensing.prod.stella-ops.org/introspect"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ attestor:
+ image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+ service:
+ port: 8442
+ env:
+ ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ concelier:
+ image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+ service:
+ port: 8445
+ env:
+ CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+ CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ volumeMounts:
+ - name: concelier-jobs
+ mountPath: /var/lib/concelier/jobs
+ volumeClaims:
+ - name: concelier-jobs
+ claimName: stellaops-concelier-jobs
+ scanner-web:
+ image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+ service:
+ port: 8444
+ env:
+ SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+ SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+ SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+ SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+ SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+ SCANNER__EVENTS__ENABLED: "true"
+ SCANNER__EVENTS__DRIVER: "redis"
+ SCANNER__EVENTS__DSN: ""
+ SCANNER__EVENTS__STREAM: "stella.events"
+ SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+ SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ scanner-worker:
+ image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+ replicas: 3
+ env:
+ SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+ SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+ SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+ SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+ SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+ SCANNER__EVENTS__ENABLED: "true"
+ SCANNER__EVENTS__DRIVER: "redis"
+ SCANNER__EVENTS__DSN: ""
+ SCANNER__EVENTS__STREAM: "stella.events"
+ SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+ SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ notify-web:
+ image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
+ service:
+ port: 8446
+ env:
+ DOTNET_ENVIRONMENT: Production
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-notify
+ configMounts:
+ - name: notify-config
+ mountPath: /app/etc/notify.yaml
+ subPath: notify.yaml
+ configMap: notify-config
+ excititor:
+ image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+ env:
+ EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-core
+ web-ui:
+ image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+ service:
+ port: 8443
+ env:
+ STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+ mongo:
+ class: infrastructure
+ image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+ service:
+ port: 27017
+ command:
+ - mongod
+ - --bind_ip_all
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-mongo
+ volumeMounts:
+ - name: mongo-data
+ mountPath: /data/db
+ volumeClaims:
+ - name: mongo-data
+ claimName: stellaops-mongo-data
+ minio:
+ class: infrastructure
+ image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+ service:
+ port: 9000
+ command:
+ - server
+ - /data
+ - --console-address
+ - :9001
+ envFrom:
+ - secretRef:
+ name: stellaops-prod-minio
+ volumeMounts:
+ - name: minio-data
+ mountPath: /data
+ volumeClaims:
+ - name: minio-data
+ claimName: stellaops-minio-data
+ rustfs:
+ class: infrastructure
+ image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+ service:
+ port: 8080
+ command:
+ - serve
+ - --listen
+ - 0.0.0.0:8080
+ - --root
+ - /data
+ env:
+ RUSTFS__LOG__LEVEL: info
+ RUSTFS__STORAGE__PATH: /data
+ volumeMounts:
+ - name: rustfs-data
+ mountPath: /data
+ volumeClaims:
+ - name: rustfs-data
+ claimName: stellaops-rustfs-data
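Review bot: `notify-web` (`registry.stella-ops.org/stellaops/notify-web:2025.09.2`) and `rustfs` (`registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge`) are referenced by mutable tag, while every other image in this prod profile is pinned with `@sha256:`. With `pullPolicy: IfNotPresent`, a retagged image can end up on some nodes and not others, and those two services fall outside the digest pinning the rest of the profile relies on. Pin both the same way, e.g. `image: registry.stella-ops.org/stellaops/notify-web@sha256:<digest from the release manifest>`. The same applies to `otel/opentelemetry-collector:0.105.0` and `scheduler-worker:2025.10.0-edge` in `values.yaml`. The hunk re-adds the file with the same text, so this is carried over rather than introduced here.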
diff --git a/deploy/helm/stellaops/values.yaml b/deploy/helm/stellaops/values.yaml
index 581c0609..af20ed89 100644
--- a/deploy/helm/stellaops/values.yaml
+++ b/deploy/helm/stellaops/values.yaml
@@ -1,39 +1,39 @@
-global:
- release:
- version: ""
- channel: ""
- manifestSha256: ""
- profile: ""
- image:
- pullPolicy: IfNotPresent
- labels: {}
-
-telemetry:
- collector:
- enabled: false
- replicas: 1
- image: otel/opentelemetry-collector:0.105.0
- requireClientCert: true
- defaultTenant: unknown
- logLevel: info
- tls:
- secretName: ""
- certPath: /etc/otel/tls/tls.crt
- keyPath: /etc/otel/tls/tls.key
- caPath: /etc/otel/tls/ca.crt
- items:
- - key: tls.crt
- path: tls.crt
- - key: tls.key
- path: tls.key
- - key: ca.crt
- path: ca.crt
- service:
- grpcPort: 4317
- httpPort: 4318
- metricsPort: 9464
- resources: {}
-
+global:
+ release:
+ version: ""
+ channel: ""
+ manifestSha256: ""
+ profile: ""
+ image:
+ pullPolicy: IfNotPresent
+ labels: {}
+
+telemetry:
+ collector:
+ enabled: false
+ replicas: 1
+ image: otel/opentelemetry-collector:0.105.0
+ requireClientCert: true
+ defaultTenant: unknown
+ logLevel: info
+ tls:
+ secretName: ""
+ certPath: /etc/otel/tls/tls.crt
+ keyPath: /etc/otel/tls/tls.key
+ caPath: /etc/otel/tls/ca.crt
+ items:
+ - key: tls.crt
+ path: tls.crt
+ - key: tls.key
+ path: tls.key
+ - key: ca.crt
+ path: ca.crt
+ service:
+ grpcPort: 4317
+ httpPort: 4318
+ metricsPort: 9464
+ resources: {}
+
services:
scheduler-worker:
image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
diff --git a/deploy/telemetry/.gitignore b/deploy/telemetry/.gitignore
index df912870..88259de6 100644
--- a/deploy/telemetry/.gitignore
+++ b/deploy/telemetry/.gitignore
@@ -1 +1 @@
-certs/
+certs/
diff --git a/deploy/telemetry/README.md b/deploy/telemetry/README.md
index 926c9a36..6e992e9a 100644
--- a/deploy/telemetry/README.md
+++ b/deploy/telemetry/README.md
@@ -1,35 +1,35 @@
-# Telemetry Collector Assets
-
-These assets provision the default OpenTelemetry Collector instance required by
-`DEVOPS-OBS-50-001`. The collector acts as the secured ingest point for traces,
-metrics, and logs emitted by Stella Ops services.
-
-## Contents
-
-| File | Purpose |
-| ---- | ------- |
-| `otel-collector-config.yaml` | Baseline collector configuration (mutual TLS, OTLP receivers, Prometheus exporter). |
-| `storage/prometheus.yaml` | Prometheus scrape configuration tuned for the collector and service tenants. |
-| `storage/tempo.yaml` | Tempo configuration with multitenancy, WAL, and compaction settings. |
-| `storage/loki.yaml` | Loki configuration enabling multitenant log ingestion with retention policies. |
-| `storage/tenants/*.yaml` | Per-tenant overrides for Tempo and Loki rate/retention controls. |
-
-## Development workflow
-
-1. Generate development certificates (collector + client) using
- `ops/devops/telemetry/generate_dev_tls.sh`.
-2. Launch the collector via `docker compose -f docker-compose.telemetry.yaml up`.
-3. Launch the storage backends (Prometheus, Tempo, Loki) via
- `docker compose -f docker-compose.telemetry-storage.yaml up`.
-4. Run the smoke test: `python ops/devops/telemetry/smoke_otel_collector.py`.
-5. Explore the storage configuration (`storage/README.md`) to tune retention/limits.
-
-The smoke test sends OTLP traffic over TLS and asserts the collector accepted
-traces, metrics, and logs by scraping the Prometheus metrics endpoint.
-
-## Kubernetes
-
-The Helm chart consumes the same configuration (see `values.yaml`). Provide TLS
-material via a secret referenced by `telemetry.collector.tls.secretName`,
-containing `ca.crt`, `tls.crt`, and `tls.key`. Client certificates are required
-for ingestion and should be issued by the same CA.
+# Telemetry Collector Assets
+
+These assets provision the default OpenTelemetry Collector instance required by
+`DEVOPS-OBS-50-001`. The collector acts as the secured ingest point for traces,
+metrics, and logs emitted by Stella Ops services.
+
+## Contents
+
+| File | Purpose |
+| ---- | ------- |
+| `otel-collector-config.yaml` | Baseline collector configuration (mutual TLS, OTLP receivers, Prometheus exporter). |
+| `storage/prometheus.yaml` | Prometheus scrape configuration tuned for the collector and service tenants. |
+| `storage/tempo.yaml` | Tempo configuration with multitenancy, WAL, and compaction settings. |
+| `storage/loki.yaml` | Loki configuration enabling multitenant log ingestion with retention policies. |
+| `storage/tenants/*.yaml` | Per-tenant overrides for Tempo and Loki rate/retention controls. |
+
+## Development workflow
+
+1. Generate development certificates (collector + client) using
+ `ops/devops/telemetry/generate_dev_tls.sh`.
+2. Launch the collector via `docker compose -f docker-compose.telemetry.yaml up`.
+3. Launch the storage backends (Prometheus, Tempo, Loki) via
+ `docker compose -f docker-compose.telemetry-storage.yaml up`.
+4. Run the smoke test: `python ops/devops/telemetry/smoke_otel_collector.py`.
+5. Explore the storage configuration (`storage/README.md`) to tune retention/limits.
+
+The smoke test sends OTLP traffic over TLS and asserts the collector accepted
+traces, metrics, and logs by scraping the Prometheus metrics endpoint.
+
+## Kubernetes
+
+The Helm chart consumes the same configuration (see `values.yaml`). Provide TLS
+material via a secret referenced by `telemetry.collector.tls.secretName`,
+containing `ca.crt`, `tls.crt`, and `tls.key`. Client certificates are required
+for ingestion and should be issued by the same CA.
diff --git a/deploy/telemetry/otel-collector-config.yaml b/deploy/telemetry/otel-collector-config.yaml
index bc693d4f..5cdf6908 100644
--- a/deploy/telemetry/otel-collector-config.yaml
+++ b/deploy/telemetry/otel-collector-config.yaml
@@ -1,67 +1,67 @@
-receivers:
- otlp:
- protocols:
- grpc:
- endpoint: 0.0.0.0:4317
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
- require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
- http:
- endpoint: 0.0.0.0:4318
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
- require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
-
-processors:
- attributes/tenant-tag:
- actions:
- - key: tenant.id
- action: insert
- value: ${STELLAOPS_TENANT_ID:unknown}
- batch:
- send_batch_size: 1024
- timeout: 5s
-
-exporters:
- logging:
- verbosity: normal
- prometheus:
- endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
- enable_open_metrics: true
- metric_expiration: 5m
- tls:
- cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
- key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
- client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
-# Additional OTLP exporters can be configured by extending this section at runtime.
-# For example, set STELLAOPS_OTEL_UPSTREAM_ENDPOINT and mount certificates, then
-# add the exporter via a sidecar overlay.
-
-extensions:
- health_check:
- endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
- pprof:
- endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:0.0.0.0:1777}
-
-service:
- telemetry:
- logs:
- level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
- extensions: [health_check, pprof]
- pipelines:
- traces:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging]
- metrics:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging, prometheus]
- logs:
- receivers: [otlp]
- processors: [attributes/tenant-tag, batch]
- exporters: [logging]
+receivers:
+ otlp:
+ protocols:
+ grpc:
+ endpoint: 0.0.0.0:4317
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+ require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+ http:
+ endpoint: 0.0.0.0:4318
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+ require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+
+processors:
+ attributes/tenant-tag:
+ actions:
+ - key: tenant.id
+ action: insert
+ value: ${STELLAOPS_TENANT_ID:unknown}
+ batch:
+ send_batch_size: 1024
+ timeout: 5s
+
+exporters:
+ logging:
+ verbosity: normal
+ prometheus:
+ endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
+ enable_open_metrics: true
+ metric_expiration: 5m
+ tls:
+ cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+ key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+ client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+# Additional OTLP exporters can be configured by extending this section at runtime.
+# For example, set STELLAOPS_OTEL_UPSTREAM_ENDPOINT and mount certificates, then
+# add the exporter via a sidecar overlay.
+
+extensions:
+ health_check:
+ endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
+ pprof:
+ endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:0.0.0.0:1777}
+
+service:
+ telemetry:
+ logs:
+ level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
+ extensions: [health_check, pprof]
+ pipelines:
+ traces:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging]
+ metrics:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging, prometheus]
+ logs:
+ receivers: [otlp]
+ processors: [attributes/tenant-tag, batch]
+ exporters: [logging]
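Review bot: The `pprof` extension defaults to `0.0.0.0:1777` and is enabled in `service.extensions`, but unlike the OTLP receivers and the Prometheus exporter it has no TLS or client-certificate settings, so anything that can reach the pod can read heap and goroutine profiles or trigger CPU profiling. Default it to loopback with `endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:127.0.0.1:1777}`, or drop `pprof` from `extensions` in the baseline and enable it only for a debugging session. `health_check` on `0.0.0.0:13133` is also configured without `tls`; if the Helm chart's copy of this config is the same, that is worth checking against the `scheme: HTTPS` probes in the collector template. Separately, `action: insert` on `tenant.id` only sets the attribute when it is absent, so a client-supplied `tenant.id` is kept; if the collector is meant to be authoritative for the tenant, `action: upsert` is the one that overwrites.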
diff --git a/deploy/telemetry/storage/README.md b/deploy/telemetry/storage/README.md
index b730d5ed..b3e5899c 100644
--- a/deploy/telemetry/storage/README.md
+++ b/deploy/telemetry/storage/README.md
@@ -1,33 +1,33 @@
-# Telemetry Storage Stack
-
-Configuration snippets for the default StellaOps observability backends used in
-staging and production environments. The stack comprises:
-
-- **Prometheus** for metrics (scraping the collector's Prometheus exporter)
-- **Tempo** for traces (OTLP ingest via mTLS)
-- **Loki** for logs (HTTP ingest with tenant isolation)
-
-## Files
-
-| Path | Description |
-| ---- | ----------- |
-| `prometheus.yaml` | Scrape configuration for the collector (mTLS + bearer token placeholder). |
-| `tempo.yaml` | Tempo configuration with multitenancy enabled and local storage paths. |
-| `loki.yaml` | Loki configuration enabling per-tenant overrides and boltdb-shipper storage. |
-| `tenants/tempo-overrides.yaml` | Example tenant overrides for Tempo (retention, limits). |
-| `tenants/loki-overrides.yaml` | Example tenant overrides for Loki (rate limits, retention). |
-| `auth/` | Placeholder directory for Prometheus bearer token files (e.g., `token`). |
-
-These configurations are referenced by the Docker Compose overlay
-(`deploy/compose/docker-compose.telemetry-storage.yaml`) and the staging rollout documented in
-`docs/ops/telemetry-storage.md`. Adjust paths, credentials, and overrides before running in
-connected environments. Place the Prometheus bearer token in `auth/token` when using the
-Compose overlay (the directory contains a `.gitkeep` placeholder and is gitignored by default).
-
-## Security
-
-- Both Tempo and Loki require mutual TLS.
-- Prometheus uses mTLS plus a bearer token that should be minted by Authority.
-- Update the overrides files to enforce per-tenant retention/ingestion limits.
-
-For comprehensive deployment steps see `docs/ops/telemetry-storage.md`.
+# Telemetry Storage Stack
+
+Configuration snippets for the default StellaOps observability backends used in
+staging and production environments. The stack comprises:
+
+- **Prometheus** for metrics (scraping the collector's Prometheus exporter)
+- **Tempo** for traces (OTLP ingest via mTLS)
+- **Loki** for logs (HTTP ingest with tenant isolation)
+
+## Files
+
+| Path | Description |
+| ---- | ----------- |
+| `prometheus.yaml` | Scrape configuration for the collector (mTLS + bearer token placeholder). |
+| `tempo.yaml` | Tempo configuration with multitenancy enabled and local storage paths. |
+| `loki.yaml` | Loki configuration enabling per-tenant overrides and boltdb-shipper storage. |
+| `tenants/tempo-overrides.yaml` | Example tenant overrides for Tempo (retention, limits). |
+| `tenants/loki-overrides.yaml` | Example tenant overrides for Loki (rate limits, retention). |
+| `auth/` | Placeholder directory for Prometheus bearer token files (e.g., `token`). |
+
+These configurations are referenced by the Docker Compose overlay
+(`deploy/compose/docker-compose.telemetry-storage.yaml`) and the staging rollout documented in
+`docs/ops/telemetry-storage.md`. Adjust paths, credentials, and overrides before running in
+connected environments. Place the Prometheus bearer token in `auth/token` when using the
+Compose overlay (the directory contains a `.gitkeep` placeholder and is gitignored by default).
+
+## Security
+
+- Both Tempo and Loki require mutual TLS.
+- Prometheus uses mTLS plus a bearer token that should be minted by Authority.
+- Update the overrides files to enforce per-tenant retention/ingestion limits.
+
+For comprehensive deployment steps see `docs/ops/telemetry-storage.md`.
diff --git a/deploy/telemetry/storage/loki.yaml b/deploy/telemetry/storage/loki.yaml
index 101b4df3..3a9917ff 100644
--- a/deploy/telemetry/storage/loki.yaml
+++ b/deploy/telemetry/storage/loki.yaml
@@ -1,48 +1,48 @@
-auth_enabled: true
-
-server:
- http_listen_port: 3100
- log_level: info
-
-common:
- ring:
- instance_addr: 127.0.0.1
- kvstore:
- store: inmemory
- replication_factor: 1
- path_prefix: /var/loki
-
-schema_config:
- configs:
- - from: 2024-01-01
- store: boltdb-shipper
- object_store: filesystem
- schema: v13
- index:
- prefix: loki_index_
- period: 24h
-
-storage_config:
- filesystem:
- directory: /var/loki/chunks
- boltdb_shipper:
- active_index_directory: /var/loki/index
- cache_location: /var/loki/index_cache
- shared_store: filesystem
-
-ruler:
- storage:
- type: local
- local:
- directory: /var/loki/rules
- rule_path: /tmp/loki-rules
- enable_api: true
-
-limits_config:
- enforce_metric_name: false
- reject_old_samples: true
- reject_old_samples_max_age: 168h
- max_entries_limit_per_query: 5000
- ingestion_rate_mb: 10
- ingestion_burst_size_mb: 20
- per_tenant_override_config: /etc/telemetry/tenants/loki-overrides.yaml
+auth_enabled: true
+
+server:
+ http_listen_port: 3100
+ log_level: info
+
+common:
+ ring:
+ instance_addr: 127.0.0.1
+ kvstore:
+ store: inmemory
+ replication_factor: 1
+ path_prefix: /var/loki
+
+schema_config:
+ configs:
+ - from: 2024-01-01
+ store: boltdb-shipper
+ object_store: filesystem
+ schema: v13
+ index:
+ prefix: loki_index_
+ period: 24h
+
+storage_config:
+ filesystem:
+ directory: /var/loki/chunks
+ boltdb_shipper:
+ active_index_directory: /var/loki/index
+ cache_location: /var/loki/index_cache
+ shared_store: filesystem
+
+ruler:
+ storage:
+ type: local
+ local:
+ directory: /var/loki/rules
+ rule_path: /tmp/loki-rules
+ enable_api: true
+
+limits_config:
+ enforce_metric_name: false
+ reject_old_samples: true
+ reject_old_samples_max_age: 168h
+ max_entries_limit_per_query: 5000
+ ingestion_rate_mb: 10
+ ingestion_burst_size_mb: 20
+ per_tenant_override_config: /etc/telemetry/tenants/loki-overrides.yaml
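Review bot: The `server:` block sets only `http_listen_port` and `log_level`, so port 3100 is served as plain HTTP with no client-certificate check, although `deploy/telemetry/storage/README.md` states that Loki requires mutual TLS. `auth_enabled: true` only makes Loki require a tenant header on each request; it does not authenticate the caller, so any client that can reach the port can name any tenant unless a proxy in front enforces mTLS and sets the header. Either document that terminating proxy in this file or add `http_tls_config` under `server:` as sketched below (paths copied from `tempo.yaml`; adjust to the real mount). `tempo.yaml` has the same gap on its `server:` block for port 3200 with `multitenancy_enabled: true`.

```yaml
server:
  http_listen_port: 3100
  log_level: info
  # Paths mirror tempo.yaml's defaults; adjust to the actual certificate mount.
  http_tls_config:
    cert_file: /etc/telemetry/tls/server.crt
    key_file: /etc/telemetry/tls/server.key
    client_ca_file: /etc/telemetry/tls/ca.crt
    client_auth_type: RequireAndVerifyClientCert
# … unchanged: common, schema_config, storage_config, ruler, limits_config …
```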
diff --git a/deploy/telemetry/storage/prometheus.yaml b/deploy/telemetry/storage/prometheus.yaml
index e1dcfe4c..c64b5cf4 100644
--- a/deploy/telemetry/storage/prometheus.yaml
+++ b/deploy/telemetry/storage/prometheus.yaml
@@ -1,19 +1,19 @@
-global:
- scrape_interval: 15s
- evaluation_interval: 30s
-
-scrape_configs:
- - job_name: "stellaops-otel-collector"
- scheme: https
- metrics_path: /
- tls_config:
- ca_file: ${PROMETHEUS_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
- cert_file: ${PROMETHEUS_TLS_CERT_FILE:-/etc/telemetry/tls/client.crt}
- key_file: ${PROMETHEUS_TLS_KEY_FILE:-/etc/telemetry/tls/client.key}
- insecure_skip_verify: false
- authorization:
- type: Bearer
- credentials_file: ${PROMETHEUS_BEARER_TOKEN_FILE:-/etc/telemetry/auth/token}
- static_configs:
- - targets:
- - ${PROMETHEUS_COLLECTOR_TARGET:-stellaops-otel-collector:9464}
+global:
+ scrape_interval: 15s
+ evaluation_interval: 30s
+
+scrape_configs:
+ - job_name: "stellaops-otel-collector"
+ scheme: https
+ metrics_path: /
+ tls_config:
+ ca_file: ${PROMETHEUS_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
+ cert_file: ${PROMETHEUS_TLS_CERT_FILE:-/etc/telemetry/tls/client.crt}
+ key_file: ${PROMETHEUS_TLS_KEY_FILE:-/etc/telemetry/tls/client.key}
+ insecure_skip_verify: false
+ authorization:
+ type: Bearer
+ credentials_file: ${PROMETHEUS_BEARER_TOKEN_FILE:-/etc/telemetry/auth/token}
+ static_configs:
+ - targets:
+ - ${PROMETHEUS_COLLECTOR_TARGET:-stellaops-otel-collector:9464}
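Review bot: Prometheus does not expand `${VAR:-default}` in its configuration file, so unless this file is rendered (envsubst or similar) before Prometheus starts, `ca_file`, `cert_file`, `key_file`, `credentials_file` and the target are taken literally and the scrape fails. That kind of failure tends to get worked around by flipping `insecure_skip_verify`, so state the rendering step at the top of the file, e.g. `# Template: render with envsubst before use; Prometheus does not expand ${...} itself.` The bearer token sent via `authorization` also only helps if the collector side checks it. The `prometheus` exporter block in `otel-collector-config.yaml` configures TLS with `client_ca_file` but shows no token validation, so as written mTLS is the only gate on the metrics endpoint.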
diff --git a/deploy/telemetry/storage/tempo.yaml b/deploy/telemetry/storage/tempo.yaml
index 976e517b..1811eef6 100644
--- a/deploy/telemetry/storage/tempo.yaml
+++ b/deploy/telemetry/storage/tempo.yaml
@@ -1,56 +1,56 @@
-multitenancy_enabled: true
-usage_report:
- reporting_enabled: false
-
-server:
- http_listen_port: 3200
- log_level: info
-
-distributor:
- receivers:
- otlp:
- protocols:
- grpc:
- tls:
- cert_file: ${TEMPO_TLS_CERT_FILE:-/etc/telemetry/tls/server.crt}
- key_file: ${TEMPO_TLS_KEY_FILE:-/etc/telemetry/tls/server.key}
- client_ca_file: ${TEMPO_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
- require_client_cert: true
- http:
- tls:
- cert_file: ${TEMPO_TLS_CERT_FILE:-/etc/telemetry/tls/server.crt}
- key_file: ${TEMPO_TLS_KEY_FILE:-/etc/telemetry/tls/server.key}
- client_ca_file: ${TEMPO_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
- require_client_cert: true
-
-ingester:
- lifecycler:
- ring:
- instance_availability_zone: ${TEMPO_ZONE:-zone-a}
- trace_idle_period: 10s
- max_block_bytes: 1_048_576
-
-compactor:
- compaction:
- block_retention: 168h
-
-metrics_generator:
- registry:
- external_labels:
- cluster: stellaops
-
-storage:
- trace:
- backend: local
- local:
- path: /var/tempo/traces
- wal:
- path: /var/tempo/wal
- metrics:
- backend: prometheus
-
-overrides:
- defaults:
- ingestion_rate_limit_bytes: 1048576
- max_traces_per_user: 200000
- per_tenant_override_config: /etc/telemetry/tenants/tempo-overrides.yaml
+multitenancy_enabled: true
+usage_report:
+ reporting_enabled: false
+
+server:
+ http_listen_port: 3200
+ log_level: info
+
+distributor:
+ receivers:
+ otlp:
+ protocols:
+ grpc:
+ tls:
+ cert_file: ${TEMPO_TLS_CERT_FILE:-/etc/telemetry/tls/server.crt}
+ key_file: ${TEMPO_TLS_KEY_FILE:-/etc/telemetry/tls/server.key}
+ client_ca_file: ${TEMPO_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
+ require_client_cert: true
+ http:
+ tls:
+ cert_file: ${TEMPO_TLS_CERT_FILE:-/etc/telemetry/tls/server.crt}
+ key_file: ${TEMPO_TLS_KEY_FILE:-/etc/telemetry/tls/server.key}
+ client_ca_file: ${TEMPO_TLS_CA_FILE:-/etc/telemetry/tls/ca.crt}
+ require_client_cert: true
+
+ingester:
+ lifecycler:
+ ring:
+ instance_availability_zone: ${TEMPO_ZONE:-zone-a}
+ trace_idle_period: 10s
+ max_block_bytes: 1_048_576
+
+compactor:
+ compaction:
+ block_retention: 168h
+
+metrics_generator:
+ registry:
+ external_labels:
+ cluster: stellaops
+
+storage:
+ trace:
+ backend: local
+ local:
+ path: /var/tempo/traces
+ wal:
+ path: /var/tempo/wal
+ metrics:
+ backend: prometheus
+
+overrides:
+ defaults:
+ ingestion_rate_limit_bytes: 1048576
+ max_traces_per_user: 200000
+ per_tenant_override_config: /etc/telemetry/tenants/tempo-overrides.yaml
diff --git a/deploy/telemetry/storage/tenants/loki-overrides.yaml b/deploy/telemetry/storage/tenants/loki-overrides.yaml
index b0680f31..df52c29a 100644
--- a/deploy/telemetry/storage/tenants/loki-overrides.yaml
+++ b/deploy/telemetry/storage/tenants/loki-overrides.yaml
@@ -1,19 +1,19 @@
-# Example Loki per-tenant overrides
-# Adjust according to https://grafana.com/docs/loki/latest/configuration/#limits_config
-
-stellaops-dev:
- ingestion_rate_mb: 10
- ingestion_burst_size_mb: 20
- max_global_streams_per_user: 5000
- retention_period: 168h
-
-stellaops-stage:
- ingestion_rate_mb: 20
- ingestion_burst_size_mb: 40
- max_global_streams_per_user: 10000
- retention_period: 336h
-
-__default__:
- ingestion_rate_mb: 5
- ingestion_burst_size_mb: 10
- retention_period: 72h
+# Example Loki per-tenant overrides
+# Adjust according to https://grafana.com/docs/loki/latest/configuration/#limits_config
+
+stellaops-dev:
+ ingestion_rate_mb: 10
+ ingestion_burst_size_mb: 20
+ max_global_streams_per_user: 5000
+ retention_period: 168h
+
+stellaops-stage:
+ ingestion_rate_mb: 20
+ ingestion_burst_size_mb: 40
+ max_global_streams_per_user: 10000
+ retention_period: 336h
+
+__default__:
+ ingestion_rate_mb: 5
+ ingestion_burst_size_mb: 10
+ retention_period: 72h
diff --git a/deploy/telemetry/storage/tenants/tempo-overrides.yaml b/deploy/telemetry/storage/tenants/tempo-overrides.yaml
index 26066897..20024629 100644
--- a/deploy/telemetry/storage/tenants/tempo-overrides.yaml
+++ b/deploy/telemetry/storage/tenants/tempo-overrides.yaml
@@ -1,16 +1,16 @@
-# Example Tempo per-tenant overrides
-# Consult https://grafana.com/docs/tempo/latest/configuration/#limits-configuration
-# before applying in production.
-
-stellaops-dev:
- traces_per_second_limit: 100000
- max_bytes_per_trace: 10485760
- max_search_bytes_per_trace: 20971520
-
-stellaops-stage:
- traces_per_second_limit: 200000
- max_bytes_per_trace: 20971520
-
-__default__:
- traces_per_second_limit: 50000
- max_bytes_per_trace: 5242880
+# Example Tempo per-tenant overrides
+# Consult https://grafana.com/docs/tempo/latest/configuration/#limits-configuration
+# before applying in production.
+
+stellaops-dev:
+ traces_per_second_limit: 100000
+ max_bytes_per_trace: 10485760
+ max_search_bytes_per_trace: 20971520
+
+stellaops-stage:
+ traces_per_second_limit: 200000
+ max_bytes_per_trace: 20971520
+
+__default__:
+ traces_per_second_limit: 50000
+ max_bytes_per_trace: 5242880
diff --git a/deploy/tools/check-channel-alignment.py b/deploy/tools/check-channel-alignment.py
index d92dd0e1..2463d662 100644
--- a/deploy/tools/check-channel-alignment.py
+++ b/deploy/tools/check-channel-alignment.py
@@ -1,130 +1,130 @@
-#!/usr/bin/env python3
-"""
-Ensure deployment bundles reference the images defined in a release manifest.
-
-Usage:
- ./deploy/tools/check-channel-alignment.py \
- --release deploy/releases/2025.10-edge.yaml \
- --target deploy/helm/stellaops/values-dev.yaml \
- --target deploy/compose/docker-compose.dev.yaml
-
-For every target file, the script scans `image:` declarations and verifies that
-any image belonging to a repository listed in the release manifest matches the
-exact digest or tag recorded there. Images outside of the manifest (for example,
-supporting services such as `nats`) are ignored.
-"""
-
-from __future__ import annotations
-
-import argparse
-import pathlib
-import re
-import sys
-from typing import Dict, Iterable, List, Optional, Set
-
-IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?(?P\S+)['\"]?\s*$")
-
-
-def extract_images(path: pathlib.Path) -> List[str]:
- images: List[str] = []
- for line in path.read_text(encoding="utf-8").splitlines():
- match = IMAGE_LINE.match(line)
- if match:
- images.append(match.group("image"))
- return images
-
-
-def image_repo(image: str) -> str:
- if "@" in image:
- return image.split("@", 1)[0]
- # Split on the last colon to preserve registries with ports (e.g. localhost:5000)
- if ":" in image:
- prefix, tag = image.rsplit(":", 1)
- if "/" in tag:
- # handle digestive colon inside path (unlikely)
- return image
- return prefix
- return image
-
-
-def load_release_map(release_path: pathlib.Path) -> Dict[str, str]:
- release_map: Dict[str, str] = {}
- for image in extract_images(release_path):
- repo = image_repo(image)
- release_map[repo] = image
- return release_map
-
-
-def check_target(
- target_path: pathlib.Path,
- release_map: Dict[str, str],
- ignore_repos: Set[str],
-) -> List[str]:
- errors: List[str] = []
- for image in extract_images(target_path):
- repo = image_repo(image)
- if repo in ignore_repos:
- continue
- if repo not in release_map:
- continue
- expected = release_map[repo]
- if image != expected:
- errors.append(
- f"{target_path}: {image} does not match release value {expected}"
- )
- return errors
-
-
-def parse_args(argv: Optional[Iterable[str]] = None) -> argparse.Namespace:
- parser = argparse.ArgumentParser(description=__doc__)
- parser.add_argument(
- "--release",
- required=True,
- type=pathlib.Path,
- help="Path to the release manifest (YAML)",
- )
- parser.add_argument(
- "--target",
- action="append",
- required=True,
- type=pathlib.Path,
- help="Deployment profile to validate against the release manifest",
- )
- parser.add_argument(
- "--ignore-repo",
- action="append",
- default=[],
- help="Repository prefix to ignore (may be repeated)",
- )
- return parser.parse_args(argv)
-
-
-def main(argv: Optional[Iterable[str]] = None) -> int:
- args = parse_args(argv)
-
- release_map = load_release_map(args.release)
- ignore_repos = {repo.rstrip("/") for repo in args.ignore_repo}
-
- if not release_map:
- print(f"error: no images found in release manifest {args.release}", file=sys.stderr)
- return 2
-
- total_errors: List[str] = []
- for target in args.target:
- if not target.exists():
- total_errors.append(f"{target}: file not found")
- continue
- total_errors.extend(check_target(target, release_map, ignore_repos))
-
- if total_errors:
- print("✖ channel alignment check failed:", file=sys.stderr)
- for err in total_errors:
- print(f" - {err}", file=sys.stderr)
- return 1
-
- print("✓ deployment profiles reference release images for the inspected repositories.")
- return 0
-
-
-if __name__ == "__main__":
- raise SystemExit(main())
+#!/usr/bin/env python3
+"""
+Ensure deployment bundles reference the images defined in a release manifest.
+
+Usage:
+ ./deploy/tools/check-channel-alignment.py \
+ --release deploy/releases/2025.10-edge.yaml \
+ --target deploy/helm/stellaops/values-dev.yaml \
+ --target deploy/compose/docker-compose.dev.yaml
+
+For every target file, the script scans `image:` declarations and verifies that
+any image belonging to a repository listed in the release manifest matches the
+exact digest or tag recorded there. Images outside of the manifest (for example,
+supporting services such as `nats`) are ignored.
+"""
+
+from __future__ import annotations
+
+import argparse
+import pathlib
+import re
+import sys
+from typing import Dict, Iterable, List, Optional, Set
+
+IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?(?P\S+)['\"]?\s*$")
+
+
+def extract_images(path: pathlib.Path) -> List[str]:
+ images: List[str] = []
+ for line in path.read_text(encoding="utf-8").splitlines():
+ match = IMAGE_LINE.match(line)
+ if match:
+ images.append(match.group("image"))
+ return images
+
+
+def image_repo(image: str) -> str:
+ if "@" in image:
+ return image.split("@", 1)[0]
+ # Split on the last colon to preserve registries with ports (e.g. localhost:5000)
+ if ":" in image:
+ prefix, tag = image.rsplit(":", 1)
+ if "/" in tag:
+ # handle digestive colon inside path (unlikely)
+ return image
+ return prefix
+ return image
+
+
+def load_release_map(release_path: pathlib.Path) -> Dict[str, str]:
+ release_map: Dict[str, str] = {}
+ for image in extract_images(release_path):
+ repo = image_repo(image)
+ release_map[repo] = image
+ return release_map
+
+
+def check_target(
+ target_path: pathlib.Path,
+ release_map: Dict[str, str],
+ ignore_repos: Set[str],
+) -> List[str]:
+ errors: List[str] = []
+ for image in extract_images(target_path):
+ repo = image_repo(image)
+ if repo in ignore_repos:
+ continue
+ if repo not in release_map:
+ continue
+ expected = release_map[repo]
+ if image != expected:
+ errors.append(
+ f"{target_path}: {image} does not match release value {expected}"
+ )
+ return errors
+
+
+def parse_args(argv: Optional[Iterable[str]] = None) -> argparse.Namespace:
+ parser = argparse.ArgumentParser(description=__doc__)
+ parser.add_argument(
+ "--release",
+ required=True,
+ type=pathlib.Path,
+ help="Path to the release manifest (YAML)",
+ )
+ parser.add_argument(
+ "--target",
+ action="append",
+ required=True,
+ type=pathlib.Path,
+ help="Deployment profile to validate against the release manifest",
+ )
+ parser.add_argument(
+ "--ignore-repo",
+ action="append",
+ default=[],
+ help="Repository prefix to ignore (may be repeated)",
+ )
+ return parser.parse_args(argv)
+
+
+def main(argv: Optional[Iterable[str]] = None) -> int:
+ args = parse_args(argv)
+
+ release_map = load_release_map(args.release)
+ ignore_repos = {repo.rstrip("/") for repo in args.ignore_repo}
+
+ if not release_map:
+ print(f"error: no images found in release manifest {args.release}", file=sys.stderr)
+ return 2
+
+ total_errors: List[str] = []
+ for target in args.target:
+ if not target.exists():
+ total_errors.append(f"{target}: file not found")
+ continue
+ total_errors.extend(check_target(target, release_map, ignore_repos))
+
+ if total_errors:
+ print("✖ channel alignment check failed:", file=sys.stderr)
+ for err in total_errors:
+ print(f" - {err}", file=sys.stderr)
+ return 1
+
+ print("✓ deployment profiles reference release images for the inspected repositories.")
+ return 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
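Review bot: `check_target` fails open: an image whose repository is absent from `release_map` hits `continue`, so a target in which no `image:` line matches any release repository returns an empty error list and `main` prints the ✓ line. For a gate meant to keep deployment profiles pinned to the release manifest, a renamed registry prefix then passes unnoticed, and so does an `image:` line that `IMAGE_LINE` does not match (for instance one followed by a trailing comment). Counting the comparisons and reporting a target with none would close that, as sketched below. Whether it should be an error or only a warning depends on whether targets without release images are ever passed on purpose. The text is identical on both sides of this hunk, so the behaviour predates the commit.

```python
    errors: List[str] = []
    compared = 0
    for image in extract_images(target_path):
        # … unchanged: ignore_repos / release_map filtering …
        compared += 1
        # … unchanged: comparison against release_map[repo] …
    if compared == 0:
        errors.append(
            f"{target_path}: no image from the release manifest found, nothing verified"
        )
    # … unchanged: return errors …
```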
diff --git a/deploy/tools/validate-profiles.sh b/deploy/tools/validate-profiles.sh
index 5680f0f5..371c4ad3 100644
--- a/deploy/tools/validate-profiles.sh
+++ b/deploy/tools/validate-profiles.sh
@@ -1,61 +1,61 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-COMPOSE_DIR="$ROOT_DIR/compose"
-HELM_DIR="$ROOT_DIR/helm/stellaops"
-
-compose_profiles=(
- "docker-compose.dev.yaml:env/dev.env.example"
- "docker-compose.stage.yaml:env/stage.env.example"
- "docker-compose.prod.yaml:env/prod.env.example"
- "docker-compose.airgap.yaml:env/airgap.env.example"
- "docker-compose.mirror.yaml:env/mirror.env.example"
- "docker-compose.telemetry.yaml:"
- "docker-compose.telemetry-storage.yaml:"
-)
-
-docker_ready=false
-if command -v docker >/dev/null 2>&1; then
- if docker compose version >/dev/null 2>&1; then
- docker_ready=true
- else
- echo "⚠️ docker CLI present but Compose plugin unavailable; skipping compose validation" >&2
- fi
-else
- echo "⚠️ docker CLI not found; skipping compose validation" >&2
-fi
-
-if [[ "$docker_ready" == "true" ]]; then
- for entry in "${compose_profiles[@]}"; do
- IFS=":" read -r compose_file env_file <<<"$entry"
- printf '→ validating %s with %s\n' "$compose_file" "$env_file"
- if [[ -n "$env_file" ]]; then
- docker compose \
- --env-file "$COMPOSE_DIR/$env_file" \
- -f "$COMPOSE_DIR/$compose_file" config >/dev/null
- else
- docker compose -f "$COMPOSE_DIR/$compose_file" config >/dev/null
- fi
- done
-fi
-
-helm_values=(
- "$HELM_DIR/values-dev.yaml"
- "$HELM_DIR/values-stage.yaml"
- "$HELM_DIR/values-prod.yaml"
- "$HELM_DIR/values-airgap.yaml"
- "$HELM_DIR/values-mirror.yaml"
-)
-
-if command -v helm >/dev/null 2>&1; then
- for values in "${helm_values[@]}"; do
- printf '→ linting Helm chart with %s\n' "$(basename "$values")"
- helm lint "$HELM_DIR" -f "$values"
- helm template test-release "$HELM_DIR" -f "$values" >/dev/null
- done
-else
- echo "⚠️ helm CLI not found; skipping Helm lint/template" >&2
-fi
-
-printf 'Profiles validated (where tooling was available).\n'
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+COMPOSE_DIR="$ROOT_DIR/compose"
+HELM_DIR="$ROOT_DIR/helm/stellaops"
+
+compose_profiles=(
+ "docker-compose.dev.yaml:env/dev.env.example"
+ "docker-compose.stage.yaml:env/stage.env.example"
+ "docker-compose.prod.yaml:env/prod.env.example"
+ "docker-compose.airgap.yaml:env/airgap.env.example"
+ "docker-compose.mirror.yaml:env/mirror.env.example"
+ "docker-compose.telemetry.yaml:"
+ "docker-compose.telemetry-storage.yaml:"
+)
+
+docker_ready=false
+if command -v docker >/dev/null 2>&1; then
+ if docker compose version >/dev/null 2>&1; then
+ docker_ready=true
+ else
+ echo "⚠️ docker CLI present but Compose plugin unavailable; skipping compose validation" >&2
+ fi
+else
+ echo "⚠️ docker CLI not found; skipping compose validation" >&2
+fi
+
+if [[ "$docker_ready" == "true" ]]; then
+ for entry in "${compose_profiles[@]}"; do
+ IFS=":" read -r compose_file env_file <<<"$entry"
+ printf '→ validating %s with %s\n' "$compose_file" "$env_file"
+ if [[ -n "$env_file" ]]; then
+ docker compose \
+ --env-file "$COMPOSE_DIR/$env_file" \
+ -f "$COMPOSE_DIR/$compose_file" config >/dev/null
+ else
+ docker compose -f "$COMPOSE_DIR/$compose_file" config >/dev/null
+ fi
+ done
+fi
+
+helm_values=(
+ "$HELM_DIR/values-dev.yaml"
+ "$HELM_DIR/values-stage.yaml"
+ "$HELM_DIR/values-prod.yaml"
+ "$HELM_DIR/values-airgap.yaml"
+ "$HELM_DIR/values-mirror.yaml"
+)
+
+if command -v helm >/dev/null 2>&1; then
+ for values in "${helm_values[@]}"; do
+ printf '→ linting Helm chart with %s\n' "$(basename "$values")"
+ helm lint "$HELM_DIR" -f "$values"
+ helm template test-release "$HELM_DIR" -f "$values" >/dev/null
+ done
+else
+ echo "⚠️ helm CLI not found; skipping Helm lint/template" >&2
+fi
+
+printf 'Profiles validated (where tooling was available).\n'
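Review bot: The script exits 0 and prints `Profiles validated (where tooling was available).` even when the compose and Helm checks were both skipped, so a runner that lacks `docker`, the Compose plugin or `helm` reports success without having validated anything. This applies to the three branches that only `echo` a warning to stderr. If the script is used as a pipeline gate, the skip should be fatal there, for example by adding `if [[ -n "${CI:-}" ]]; then exit 1; fi` after each warning (this assumes the runner sets `CI`; an explicit opt-in variable would work as well). The text is identical on both sides of the hunk, so this predates the commit.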
diff --git a/docs/09_API_CLI_REFERENCE.md b/docs/09_API_CLI_REFERENCE.md
index c1d0822c..bc0efe46 100755
--- a/docs/09_API_CLI_REFERENCE.md
+++ b/docs/09_API_CLI_REFERENCE.md
@@ -1,933 +1,933 @@
-# API & CLI Reference
-
-*Purpose* – give operators and integrators a single, authoritative spec for REST/GRPC calls **and** first‑party CLI tools (`stella-cli`, `zastava`, `stella`).
-Everything here is *source‑of‑truth* for generated Swagger/OpenAPI and the `--help` screens in the CLIs.
-
----
-
-## 0 Quick Glance
-
-| Area | Call / Flag | Notes |
-| ------------------ | ------------------------------------------- | ------------------------------------------------------------------------------ |
-| Scan entry | `POST /scan` | Accepts SBOM or image; sub‑5 s target |
-| Delta check | `POST /layers/missing` | <20 ms reply; powers *delta SBOM* feature |
-| Rate‑limit / quota | — | Headers **`X‑Stella‑Quota‑Remaining`**, **`X‑Stella‑Reset`** on every response |
-| Policy I/O | `GET /policy/export`, `POST /policy/import` | YAML now; Rego coming |
-| Policy lint | `POST /policy/validate` | Returns 200 OK if ruleset passes |
-| Auth | `POST /connect/token` (OpenIddict) | Client‑credentials preferred |
-| Health | `GET /healthz` | Simple liveness probe |
-| Attestation * | `POST /attest` (TODO Q1‑2026) | SLSA provenance + Rekor log |
-| CLI flags | `--sbom-type` `--delta` `--policy-file` | Added to `stella` |
-
-\* Marked **TODO** → delivered after sixth month (kept on Feature Matrix “To Do” list).
-
----
-
-## 1 Authentication
-
-Stella Ops uses **OAuth 2.0 / OIDC** (token endpoint mounted via OpenIddict).
-
-```
-POST /connect/token
-Content‑Type: application/x-www-form-urlencoded
-
-grant_type=client_credentials&
-client_id=ci‑bot&
-client_secret=REDACTED&
-scope=stella.api
-```
-
-Successful response:
-
-```json
-{
- "access_token": "eyJraWQi...",
- "token_type": "Bearer",
- "expires_in": 3600
-}
-```
-
-> **Tip** – pass the token via `Authorization: Bearer ` on every call.
-
----
-
-## 2 REST API
-
-### 2.0 Obtain / Refresh Offline‑Token
-
-```text
-POST /token/offline
-Authorization: Bearer
-```
-
-| Body field | Required | Example | Notes |
-|------------|----------|---------|-------|
-| `expiresDays` | no | `30` | Max 90 days |
-
-```json
-{
- "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
- "expires": "2025‑08‑17T00:00:00Z"
-}
-```
-
-Token is signed with the backend’s private key and already contains
-`"maxScansPerDay": {{ quota_token }}`.
-
-
-### 2.1 Scan – Upload SBOM **or** Image
-
-```
-POST /scan
-```
-
-| Param / Header | In | Required | Description |
-| -------------------- | ------ | -------- | --------------------------------------------------------------------- |
-| `X‑Stella‑Sbom‑Type` | header | no | `trivy-json-v2`, `spdx-json`, `cyclonedx-json`; omitted ➞ auto‑detect |
-| `?threshold` | query | no | `low`, `medium`, `high`, `critical`; default **critical** |
-| body | body | yes | *Either* SBOM JSON *or* Docker image tarball/upload URL |
-
-Every successful `/scan` response now includes:
-
-| Header | Example |
-|--------|---------|
-| `X‑Stella‑Quota‑Remaining` | `129` |
-| `X‑Stella‑Reset` | `2025‑07‑18T23:59:59Z` |
-| `X‑Stella‑Token‑Expires` | `2025‑08‑17T00:00:00Z` |
-
-**Response 200** (scan completed):
-
-```json
-{
- "digest": "sha256:…",
- "summary": {
- "Critical": 0,
- "High": 3,
- "Medium": 12,
- "Low": 41
- },
- "policyStatus": "pass",
- "quota": {
- "remaining": 131,
- "reset": "2025-07-18T00:00:00Z"
- }
-}
-```
-
-**Response 202** – queued; polling URL in `Location` header.
-
----
-
-### 2.2 Delta SBOM – Layer Cache Check
-
-```
-POST /layers/missing
-Content‑Type: application/json
-Authorization: Bearer
-```
-
-```json
-{
- "layers": [
- "sha256:d38b...",
- "sha256:af45..."
- ]
-}
-```
-
-**Response 200** — <20 ms target:
-
-```json
-{
- "missing": [
- "sha256:af45..."
- ]
-}
-```
-
-Client then generates SBOM **only** for the `missing` layers and re‑posts `/scan`.
-
----
-
-### 2.3 Policy Endpoints *(preview feature flag: `scanner.features.enablePolicyPreview`)*
-
-All policy APIs require **`scanner.reports`** scope (or anonymous access while auth is disabled).
-
-**Fetch schema**
-
-```
-GET /api/v1/policy/schema
-Authorization: Bearer
-Accept: application/schema+json
-```
-
-Returns the embedded `policy-schema@1` JSON schema used by the binder.
-
-**Run diagnostics**
-
-```
-POST /api/v1/policy/diagnostics
-Content-Type: application/json
-Authorization: Bearer
-```
-
-```json
-{
- "policy": {
- "format": "yaml",
- "actor": "cli",
- "description": "dev override",
- "content": "version: \"1.0\"\nrules:\n - name: Quiet Dev\n environments: [dev]\n action:\n type: ignore\n justification: dev waiver\n"
- }
-}
-```
-
-**Response 200**:
-
-```json
-{
- "success": false,
- "version": "1.0",
- "ruleCount": 1,
- "errorCount": 0,
- "warningCount": 1,
- "generatedAt": "2025-10-19T03:25:14.112Z",
- "issues": [
- { "code": "policy.rule.quiet.missing_vex", "message": "Quiet flag ignored: rule must specify requireVex justifications.", "severity": "Warning", "path": "$.rules[0]" }
- ],
- "recommendations": [
- "Review policy warnings and ensure intentional overrides are documented."
- ]
-}
-```
-
-`success` is `false` when blocking issues remain; recommendations aggregate YAML ignore rules, VEX include/exclude hints, and vendor precedence guidance.
-
-**Preview impact**
-
-```
-POST /api/v1/policy/preview
-Authorization: Bearer
-Content-Type: application/json
-```
-
-```json
-{
- "imageDigest": "sha256:abc123",
- "findings": [
- { "id": "finding-1", "severity": "Critical", "source": "NVD" }
- ],
- "policy": {
- "format": "yaml",
- "content": "version: \"1.0\"\nrules:\n - name: Block Critical\n severity: [Critical]\n action: block\n"
- }
-}
-```
-
-**Response 200**:
-
-```json
-{
- "success": true,
- "policyDigest": "9c5e...",
- "revisionId": "preview",
- "changed": 1,
- "diffs": [
- {
- "findingId": "finding-1",
- "baseline": {"findingId": "finding-1", "status": "Pass"},
- "projected": {
- "findingId": "finding-1",
- "status": "Blocked",
- "ruleName": "Block Critical",
- "ruleAction": "Block",
- "score": 5.0,
- "configVersion": "1.0",
- "inputs": {"severityWeight": 5.0}
- },
- "changed": true
- }
- ],
- "issues": []
-}
-```
-
-- Provide `policy` to preview staged changes; omit it to compare against the active snapshot.
-- Baseline verdicts are optional; when omitted, the API synthesises pass baselines before computing diffs.
-- Quieted verdicts include `quietedBy` and `quiet` flags; score inputs now surface reachability/vendor trust weights (`reachability.*`, `trustWeight.*`).
-
-**OpenAPI**: the full API document (including these endpoints) is exposed at `/openapi/v1.json` and can be fetched for tooling or contract regeneration.
-
-### 2.4 Scanner – Queue a Scan Job *(SP9 milestone)*
-
-```
-POST /api/v1/scans
-Authorization: Bearer
-Content-Type: application/json
-```
-
-```json
-{
- "image": {
- "reference": "registry.example.com/acme/app:1.2.3"
- },
- "force": false,
- "clientRequestId": "ci-build-1845",
- "metadata": {
- "pipeline": "github",
- "trigger": "pull-request"
- }
-}
-```
-
-| Field | Required | Notes |
-| ------------------- | -------- | ------------------------------------------------------------------------------------------------ |
-| `image.reference` | no\* | Full repo/tag (`registry/repo:tag`). Provide **either** `reference` or `digest` (sha256:…). |
-| `image.digest` | no\* | OCI digest (e.g. `sha256:…`). |
-| `force` | no | `true` forces a re-run even if an identical scan (`scanId`) already exists. Default **false**. |
-| `clientRequestId` | no | Free-form string surfaced in audit logs. |
-| `metadata` | no | Optional string map stored with the job and surfaced in observability feeds. |
-
-\* At least one of `image.reference` or `image.digest` must be supplied.
-
-**Response 202** – job accepted (idempotent):
-
-```http
-HTTP/1.1 202 Accepted
-Location: /api/v1/scans/2f6c17f9b3f548e2a28b9c412f4d63f8
-```
-
-```json
-{
- "scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
- "status": "Pending",
- "location": "/api/v1/scans/2f6c17f9b3f548e2a28b9c412f4d63f8",
- "created": true
-}
-```
-
-- `scanId` is deterministic – resubmitting an identical payload returns the same identifier with `"created": false`.
-- API is cancellation-aware; aborting the HTTP request cancels the submission attempt.
-- Required scope: **`scanner.scans.enqueue`**.
-
-**Response 400** – validation problem (`Content-Type: application/problem+json`) when both `image.reference` and `image.digest` are blank.
-
-### 2.5 Scanner – Fetch Scan Status
-
-```
-GET /api/v1/scans/{scanId}
-Authorization: Bearer
-Accept: application/json
-```
-
-**Response 200**:
-
-```json
-{
- "scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
- "status": "Pending",
- "image": {
- "reference": "registry.example.com/acme/app:1.2.3",
- "digest": null
- },
- "createdAt": "2025-10-18T20:15:12.482Z",
- "updatedAt": "2025-10-18T20:15:12.482Z",
- "failureReason": null
-}
-```
-
-Statuses: `Pending`, `Running`, `Succeeded`, `Failed`, `Cancelled`.
-
-### 2.6 Scanner – Stream Progress (SSE / JSONL)
-
-```
-GET /api/v1/scans/{scanId}/events?format=sse|jsonl
-Authorization: Bearer
-Accept: text/event-stream
-```
-
-When `format` is omitted the endpoint emits **Server-Sent Events** (SSE). Specify `format=jsonl` to receive newline-delimited JSON (`application/x-ndjson`). Response headers include `Cache-Control: no-store` and `X-Accel-Buffering: no` so intermediaries avoid buffering the stream.
-
-**SSE frame** (default):
-
-```
-id: 1
-event: pending
-data: {"scanId":"2f6c17f9b3f548e2a28b9c412f4d63f8","sequence":1,"state":"Pending","message":"queued","timestamp":"2025-10-19T03:12:45.118Z","correlationId":"2f6c17f9b3f548e2a28b9c412f4d63f8:0001","data":{"force":false,"meta.pipeline":"github"}}
-```
-
-**JSONL frame** (`format=jsonl`):
-
-```json
-{"scanId":"2f6c17f9b3f548e2a28b9c412f4d63f8","sequence":1,"state":"Pending","message":"queued","timestamp":"2025-10-19T03:12:45.118Z","correlationId":"2f6c17f9b3f548e2a28b9c412f4d63f8:0001","data":{"force":false,"meta.pipeline":"github"}}
-```
-
-- `sequence` is monotonic starting at `1`.
-- `correlationId` is deterministic (`{scanId}:{sequence:0000}`) unless a custom identifier is supplied by the publisher.
-- `timestamp` is ISO‑8601 UTC with millisecond precision, ensuring deterministic ordering for consumers.
-- The stream completes when the client disconnects or the coordinator stops publishing events.
-
-### 2.7 Scanner – Assemble Report (Signed Envelope)
-
-```
-POST /api/v1/reports
-Authorization: Bearer
-Content-Type: application/json
-```
-
-Request body mirrors policy preview inputs (image digest plus findings). The service evaluates the active policy snapshot, assembles a verdict, and signs the canonical report payload.
-
-**Response 200**:
-
-```json
-{
- "report": {
- "reportId": "report-9f8cde21aab54321",
- "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
- "generatedAt": "2025-10-23T15:32:22Z",
- "verdict": "blocked",
- "policy": {
- "revisionId": "rev-42",
- "digest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876"
- },
- "summary": { "total": 2, "blocked": 1, "warned": 1, "ignored": 0, "quieted": 0 },
- "verdicts": [
- {
- "findingId": "library:pkg/openssl@1.1.1w",
- "status": "Blocked",
- "ruleName": "Block vendor unknowns",
- "ruleAction": "block",
- "notes": "Unknown vendor telemetry — medium confidence band.",
- "score": 19.5,
- "configVersion": "1.0",
- "inputs": {
- "severityWeight": 50,
- "trustWeight": 0.65,
- "reachabilityWeight": 0.6,
- "baseScore": 19.5,
- "trustWeight.vendor": 0.65,
- "reachability.unknown": 0.6,
- "unknownConfidence": 0.55,
- "unknownAgeDays": 5
- },
- "quietedBy": null,
- "quiet": false,
- "unknownConfidence": 0.55,
- "confidenceBand": "medium",
- "unknownAgeDays": 5,
- "sourceTrust": "vendor",
- "reachability": "unknown"
- },
- {
- "findingId": "library:pkg/zlib@1.3.1",
- "status": "Warned",
- "ruleName": "Runtime mitigation required",
- "ruleAction": "warn",
- "notes": "Runtime reachable unknown — mitigation window required.",
- "score": 18.75,
- "configVersion": "1.0",
- "inputs": {
- "severityWeight": 75,
- "trustWeight": 1,
- "reachabilityWeight": 0.45,
- "baseScore": 33.75,
- "reachability.runtime": 0.45,
- "warnPenalty": 15,
- "unknownConfidence": 0.35,
- "unknownAgeDays": 13
- },
- "quietedBy": null,
- "quiet": false,
- "unknownConfidence": 0.35,
- "confidenceBand": "medium",
- "unknownAgeDays": 13,
- "sourceTrust": "NVD",
- "reachability": "runtime"
- }
- ],
- "issues": []
- },
- "dsse": {
- "payloadType": "application/vnd.stellaops.report+json",
- "payload": "eyJyZXBvcnQiOnsicmVwb3J0SWQiOiJyZXBvcnQtOWY4Y2RlMjFhYWI1NDMyMSJ9fQ==",
- "signatures": [
- {
- "keyId": "scanner-report-signing",
- "algorithm": "hs256",
- "signature": "MEQCIGHscnJ2bm9wYXlsb2FkZXIAIjANBgkqhkiG9w0BAQsFAAOCAQEASmFja3Nvbk1ldGE="
- }
- ]
- }
-}
-```
-
-- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys) while surfacing `unknownConfidence`, `confidenceBand`, and `unknownAgeDays` for auditability.
-- `dsse` follows the DSSE (Dead Simple Signing Envelope) shape; `payload` is the canonical UTF-8 JSON and `signatures[0].signature` is the base64 HMAC/Ed25519 value depending on configuration.
-- Full offline samples live at `samples/policy/policy-report-unknown.json` (request + response) and `samples/api/reports/report-sample.dsse.json` (envelope fixture) for tooling tests or signature verification.
-
-**Response 404** – `application/problem+json` payload with type `https://stellaops.org/problems/not-found` when the scan identifier is unknown.
-
-> **Tip** – poll `Location` from the submission call until `status` transitions away from `Pending`/`Running`.
-
-```yaml
-# Example import payload (YAML)
-version: "1.0"
-rules:
- - name: Ignore Low dev
- severity: [Low, None]
- environments: [dev, staging]
- action: ignore
-```
-
-Validation errors come back as:
-
-```json
-{
- "errors": [
- {
- "path": "$.rules[0].severity",
- "msg": "Invalid level 'None'"
- }
- ]
-}
-```
-
-```json
-# Preview response excerpt
-{
- "success": true,
- "policyDigest": "9c5e...",
- "revisionId": "rev-12",
- "changed": 1,
- "diffs": [
- {
- "baseline": {"findingId": "finding-1", "status": "pass"},
- "projected": {"findingId": "finding-1", "status": "blocked", "ruleName": "Block Critical"},
- "changed": true
- }
- ]
-}
-```
-
----
-
-### 2.4 Attestation (Planned – Q1‑2026)
-
-```
-POST /attest
-```
-
-| Param | Purpose |
-| ----------- | ------------------------------------- |
-| body (JSON) | SLSA v1.0 provenance doc |
-| | Signed + stored in local Rekor mirror |
-
-Returns `202 Accepted` and `Location: /attest/{id}` for async verify.
-
----
-
-### 2.8 Runtime – Ingest Observer Events *(SCANNER-RUNTIME-12-301)*
-
-```
-POST /api/v1/runtime/events
-Authorization: Bearer
-Content-Type: application/json
-```
-
-| Requirement | Details |
-|-------------|---------|
-| Auth scope | `scanner.runtime.ingest` |
-| Batch size | ≤ **256** envelopes (`scanner.runtime.maxBatchSize`, configurable) |
-| Payload cap | ≤ **1 MiB** serialized JSON (`scanner.runtime.maxPayloadBytes`) |
-| Rate limits | Per-tenant and per-node token buckets (default 200 events/s tenant, 50 events/s node, burst 200) – excess returns **429** with `Retry-After`. |
-| TTL | Runtime events retained **45 days** by default (`scanner.runtime.eventTtlDays`). |
-
-**Request body**
-
-```json
-{
- "batchId": "node-a-2025-10-20T15:03:12Z",
- "events": [
- {
- "schemaVersion": "zastava.runtime.event@v1",
- "event": {
- "eventId": "evt-2f9c02b8",
- "when": "2025-10-20T15:03:08Z",
- "kind": "ContainerStart",
- "tenant": "tenant-alpha",
- "node": "cluster-a/node-01",
- "runtime": { "engine": "containerd", "version": "1.7.19" },
- "workload": {
- "platform": "kubernetes",
- "namespace": "payments",
- "pod": "api-7c9fbbd8b7-ktd84",
- "container": "api",
- "containerId": "containerd://bead5...",
- "imageRef": "ghcr.io/acme/api@sha256:deadbeef"
- },
- "process": { "pid": 12345, "entrypoint": ["/start.sh", "--serve"], "buildId": "5f0c7c3c..." },
- "loadedLibs": [
- { "path": "/lib/x86_64-linux-gnu/libssl.so.3", "inode": 123456, "sha256": "abc123..." }
- ],
- "posture": { "imageSigned": true, "sbomReferrer": "present" },
- "delta": { "baselineImageDigest": "sha256:deadbeef" },
- "evidence": [ { "signal": "proc.maps", "value": "libssl.so.3@0x7f..." } ],
- "annotations": { "observerVersion": "1.0.0" }
- }
- }
- ]
-}
-```
-
-**Responses**
-
-| Code | Body | Notes |
-|------|------|-------|
-| `202 Accepted` | `{ "accepted": 128, "duplicates": 2 }` | Batch persisted; duplicates are ignored via unique `eventId`. |
-| `400 Bad Request` | Problem+JSON | Validation failures – empty batch, duplicate IDs, unsupported schema version, payload too large. |
-| `429 Too Many Requests` | Problem+JSON | Per-tenant/node rate limit exceeded; `Retry-After` header emitted in seconds. |
-
-Persisted documents capture the canonical envelope (`payload` field), tenant/node metadata, and set an automatic TTL on `expiresAt`. Observers should retry rejected batches with exponential backoff honouring the provided `Retry-After` hint.
-
----
-
-## 3 StellaOps CLI (`stellaops-cli`)
-
-The new CLI is built on **System.CommandLine 2.0.0‑beta5** and mirrors the Concelier backend REST API.
-Configuration follows the same precedence chain everywhere:
-
-1. Environment variables (e.g. `API_KEY`, `STELLAOPS_BACKEND_URL`, `StellaOps:ApiKey`)
-2. `appsettings.json` → `appsettings.local.json`
-3. `appsettings.yaml` → `appsettings.local.yaml`
-4. Defaults (`ApiKey = ""`, `BackendUrl = ""`, cache folders under the current working directory)
-
-**Authority auth client resilience settings**
-
-| Setting | Environment variable | Default | Purpose |
-|---------|----------------------|---------|---------|
-| `StellaOps:Authority:Resilience:EnableRetries` | `STELLAOPS_AUTHORITY_ENABLE_RETRIES` | `true` | Toggle Polly wait-and-retry handlers for discovery/token calls |
-| `StellaOps:Authority:Resilience:RetryDelays` | `STELLAOPS_AUTHORITY_RETRY_DELAYS` | `1s,2s,5s` | Comma/space-separated backoff sequence (HH:MM:SS) |
-| `StellaOps:Authority:Resilience:AllowOfflineCacheFallback` | `STELLAOPS_AUTHORITY_ALLOW_OFFLINE_CACHE_FALLBACK` | `true` | Reuse cached discovery/JWKS metadata when Authority is temporarily unreachable |
-| `StellaOps:Authority:Resilience:OfflineCacheTolerance` | `STELLAOPS_AUTHORITY_OFFLINE_CACHE_TOLERANCE` | `00:10:00` | Additional tolerance window added to the discovery/JWKS cache lifetime |
-
-See `docs/dev/32_AUTH_CLIENT_GUIDE.md` for recommended profiles (online vs. air-gapped) and testing guidance.
-
-| Command | Purpose | Key Flags / Arguments | Notes |
-|---------|---------|-----------------------|-------|
-| `stellaops-cli scanner download` | Fetch and install scanner container | `--channel ` (default `stable`)
`--output `
`--overwrite`
`--no-install` | Saves artefact under `ScannerCacheDirectory`, verifies digest/signature, and executes `docker load` unless `--no-install` is supplied. |
-| `stellaops-cli scan run` | Execute scanner container against a directory (auto-upload) | `--target ` (required)
`--runner ` (default from config)
`--entry `
`[scanner-args...]` | Runs the scanner, writes results into `ResultsDirectory`, emits a structured `scan-run-*.json` metadata file, and automatically uploads the artefact when the exit code is `0`. |
-| `stellaops-cli scan upload` | Re-upload existing scan artefact | `--file ` | Useful for retries when automatic upload fails or when operating offline. |
-| `stellaops-cli db fetch` | Trigger connector jobs | `--source ` (e.g. `redhat`, `osv`)
`--stage ` (default `fetch`)
`--mode ` | Translates to `POST /jobs/source:{source}:{stage}` with `trigger=cli` |
-| `stellaops-cli db merge` | Run canonical merge reconcile | — | Calls `POST /jobs/merge:reconcile`; exit code `0` on acceptance, `1` on failures/conflicts |
-| `stellaops-cli db export` | Kick JSON / Trivy exports | `--format ` (default `json`)
`--delta`
`--publish-full/--publish-delta`
`--bundle-full/--bundle-delta` | Sets `{ delta = true }` parameter when requested and can override ORAS/bundle toggles per run |
-| `stellaops-cli auth ` | Manage cached tokens for StellaOps Authority | `auth login --force` (ignore cache)
`auth status`
`auth whoami` | Uses `StellaOps.Auth.Client`; honours `StellaOps:Authority:*` configuration, stores tokens under `~/.stellaops/tokens` by default, and `whoami` prints subject/scope/expiry |
-| `stellaops-cli auth revoke export` | Export the Authority revocation bundle | `--output ` (defaults to CWD) | Writes `revocation-bundle.json`, `.json.jws`, and `.json.sha256`; verifies the digest locally and includes key metadata in the log summary. |
-| `stellaops-cli auth revoke verify` | Validate a revocation bundle offline | `--bundle ` `--signature ` `--key `
`--verbose` | Verifies detached JWS signatures, reports the computed SHA-256, and can fall back to cached JWKS when `--key` is omitted. |
-| `stellaops-cli offline kit pull` | Download the latest offline kit bundle and manifest | `--bundle-id ` (optional)
`--destination `
`--overwrite`
`--no-resume` | Streams the bundle + manifest from the configured mirror/backend, resumes interrupted downloads, verifies SHA-256, and writes signatures plus a `.metadata.json` manifest alongside the artefacts. |
-| `stellaops-cli offline kit import` | Upload an offline kit bundle to the backend | `` (argument)
`--manifest `
`--bundle-signature `
`--manifest-signature ` | Validates digests when metadata is present, then posts multipart payloads to `POST /api/offline-kit/import`; logs the submitted import ID/status for air-gapped rollout tracking. |
-| `stellaops-cli offline kit status` | Display imported offline kit details | `--json` | Shows bundle id/kind, captured/imported timestamps, digests, and component versions; `--json` emits machine-readable output for scripting. |
-| `stellaops-cli sources ingest --dry-run` | Dry-run guard validation for individual payloads | `--source `
`--input `
`--tenant `
`--format table\|json`
`--output ` | Normalises gzip/base64 payloads, invokes `api/aoc/ingest/dry-run`, and maps guard failures to deterministic `ERR_AOC_00x` exit codes. |
-| `stellaops-cli aoc verify` | Replay AOC guardrails over stored documents | `--since `
`--limit `
`--sources `
`--codes `
`--format table\|json`
`--export ` | Summarises checked counts/violations, supports JSON evidence exports, and returns `0`, `11…17`, `18`, `70`, or `71` depending on guard outcomes. |
-| `stellaops-cli config show` | Display resolved configuration | — | Masks secret values; helpful for air‑gapped installs |
-| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i ` (repeatable, comma/space lists supported)
`--file/-f `
`--namespace/--ns `
`--label/-l key=value` (repeatable)
`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
-
-#### Example: Pivot from runtime verdicts to debug symbols
-
-```bash
-$ stellaops-cli runtime policy test \
- --image ghcr.io/acme/payments@sha256:4f7d55f6... \
- --namespace payments
-
-Image Digest Signed SBOM Build IDs TTL
-ghcr.io/acme/payments@sha256:4f7d55f6... yes present 5f0c7c3c..., 1122aabbccddeeff... 04:59:55
-```
-
-1. Copy one of the hashes (e.g. `5f0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789`) and locate the bundled debug artefact:
- ```bash
- ls offline-kit/debug/.build-id/5f/0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789.debug
- ```
-2. Confirm the running binary advertises the same GNU build-id:
- ```bash
- readelf -n /proc/$(pgrep -f payments-api | head -n1)/exe | grep -i 'Build ID'
- ```
-3. If you operate a debuginfod mirror backed by the Offline Kit tree, resolve symbols with:
- ```bash
- debuginfod-find debuginfo 5f0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789 >/tmp/payments-api.debug
- ```
-
-See [Offline Kit step 0](24_OFFLINE_KIT.md#0-prepare-the-debug-store) for instructions on mirroring the debug store before packaging.
-
-`POST /api/v1/scanner/policy/runtime` responds with one entry per digest. Each result now includes:
-
-- `policyVerdict` (`pass|warn|fail|error`), `signed`, and `hasSbomReferrers` parity with the webhook contract.
-- `confidence` (0-1 double) derived from canonical `PolicyPreviewService` evaluation and `quieted`/`quietedBy` flags for muted findings.
-- `rekor` block carrying `uuid`, `url`, and the attestor-backed `verified` boolean when Rekor inclusion proofs have been confirmed.
-- `metadata` (stringified JSON) capturing runtime heuristics, policy issues, evaluated findings, and timestamps for downstream audit.
-- `buildIds` (array) lists up to three distinct GNU build-id hashes recently observed for that digest so debuggers can derive `/usr/lib/debug/.build-id//.debug` paths for symbol stores.
-
-When running on an interactive terminal without explicit override flags, the CLI uses Spectre.Console prompts to let you choose per-run ORAS/offline bundle behaviour.
-
-Runtime verdict output reflects the SCANNER-RUNTIME-12-302 contract sign-off (quieted provenance, confidence band, attestation verification). CLI-RUNTIME-13-008 now mirrors those fields in both table and `--json` formats.
-
-**Startup diagnostics**
-
-- `stellaops-cli` now loads Authority plug-in manifests during startup (respecting `Authority:Plugins:*`) and surfaces analyzer warnings when a plug-in weakens the baseline password policy (minimum length **12** and all character classes required).
-- Follow the log entry’s config path and raise `passwordPolicy.minimumLength` to at least 12 while keeping `requireUppercase`, `requireLowercase`, `requireDigit`, and `requireSymbol` set to `true` to clear the warning; weakened overrides are treated as actionable security deviations.
-
-**Logging & exit codes**
-
-- Structured logging via `Microsoft.Extensions.Logging` with single-line console output (timestamps in UTC).
-- `--verbose / -v` raises log level to `Debug`.
-- Command exit codes bubble up: backend conflict → `1`, cancelled via `CTRL+C` → `130`, scanner exit codes propagate as-is.
-
-**Artifact validation**
-
-- Downloads are verified against the `X-StellaOps-Digest` header (SHA-256). When `StellaOps:ScannerSignaturePublicKeyPath` points to a PEM-encoded RSA key, the optional `X-StellaOps-Signature` header is validated as well.
-- Metadata for each bundle is written alongside the artefact (`*.metadata.json`) with digest, signature, source URL, and timestamps.
-- Retry behaviour is controlled via `StellaOps:ScannerDownloadAttempts` (default **3** with exponential backoff).
-- Successful `scan run` executions create timestamped JSON artefacts inside `ResultsDirectory` plus a `scan-run-*.json` metadata envelope documenting the runner, arguments, timing, and stdout/stderr. The artefact is posted back to Concelier automatically.
-
-#### Trivy DB export metadata (`metadata.json`)
-
-`stellaops-cli db export --format trivy-db` (and the backing `POST /jobs/export:trivy-db`) always emits a `metadata.json` document in the OCI layout root. Operators consuming the bundle or delta updates should inspect the following fields:
-
-| Field | Type | Purpose |
-| ----- | ---- | ------- |
-| `mode` | `full` \| `delta` | Indicates whether the current run rebuilt the entire database (`full`) or only the changed files (`delta`). |
-| `baseExportId` | string? | Export ID of the last full baseline that the delta builds upon. Only present for `mode = delta`. |
-| `baseManifestDigest` | string? | SHA-256 digest of the manifest belonging to the baseline OCI layout. |
-| `resetBaseline` | boolean | `true` when the exporter rotated the baseline (e.g., repo change, delta chain reset). Treat as a full refresh. |
-| `treeDigest` | string | Canonical SHA-256 digest of the JSON tree used to build the database. |
-| `treeBytes` | number | Total bytes across exported JSON files. |
-| `advisoryCount` | number | Count of advisories included in the export. |
-| `exporterVersion` | string | Version stamp of `StellaOps.Concelier.Exporter.TrivyDb`. |
-| `builder` | object? | Raw metadata emitted by `trivy-db build` (version, update cadence, etc.). |
-| `delta.changedFiles[]` | array | Present when `mode = delta`. Each entry lists `{ "path": "", "length": , "digest": "sha256:..." }`. |
-| `delta.removedPaths[]` | array | Paths that existed in the previous manifest but were removed in the new run. |
-
-When the planner opts for a delta run, the exporter copies unmodified blobs from the baseline layout identified by `baseManifestDigest`. Consumers that cache OCI blobs only need to fetch the `changedFiles` and the new manifest/metadata unless `resetBaseline` is true.
-When pushing to ORAS, set `concelier:exporters:trivyDb:oras:publishFull` / `publishDelta` to control whether full or delta runs are copied to the registry. Offline bundles follow the analogous `includeFull` / `includeDelta` switches under `offlineBundle`.
-
-Example configuration (`appsettings.yaml`):
-
-```yaml
-concelier:
- exporters:
- trivyDb:
- oras:
- enabled: true
- publishFull: true
- publishDelta: false
- offlineBundle:
- enabled: true
- includeFull: true
- includeDelta: false
-```
-
-
-**Authentication**
-
-- API key is sent as `Authorization: Bearer ` automatically when configured.
-- Anonymous operation is permitted only when Concelier runs with
- `authority.allowAnonymousFallback: true`. This flag is temporary—plan to disable
- it before **2025-12-31 UTC** so bearer tokens become mandatory.
-
-Authority-backed auth workflow:
-1. Configure Authority settings via config or env vars (see sample below). Minimum fields: `Url`, `ClientId`, and either `ClientSecret` (client credentials) or `Username`/`Password` (password grant).
-2. Run `stellaops-cli auth login` to acquire and cache a token. Use `--force` if you need to ignore an existing cache entry.
-3. Execute CLI commands as normal—the backend client injects the cached bearer token automatically and retries on transient 401/403 responses with operator guidance.
-4. Inspect the cache with `stellaops-cli auth status` (shows expiry, scope, mode) or clear it via `stellaops-cli auth logout`.
-5. Run `stellaops-cli auth whoami` to dump token subject, audience, issuer, scopes, and remaining lifetime (verbose mode prints additional claims).
-6. Expect Concelier to emit audit logs for each `/jobs*` request showing `subject`,
- `clientId`, `scopes`, `status`, and whether network bypass rules were applied.
-
-Tokens live in `~/.stellaops/tokens` unless `StellaOps:Authority:TokenCacheDirectory` overrides it. Cached tokens are reused offline until they expire; the CLI surfaces clear errors if refresh fails.
-
-For offline workflows, configure `StellaOps:Offline:KitsDirectory` (or `STELLAOPS_OFFLINE_KITS_DIR`) to control where bundles, manifests, and metadata are stored, and `StellaOps:Offline:KitMirror` (or `STELLAOPS_OFFLINE_MIRROR_URL`) to override the download base URL when pulling from a mirror.
-
-**Configuration file template**
-
-```jsonc
-{
- "StellaOps": {
- "ApiKey": "your-api-token",
- "BackendUrl": "https://concelier.example.org",
- "ScannerCacheDirectory": "scanners",
- "ResultsDirectory": "results",
- "DefaultRunner": "docker",
- "ScannerSignaturePublicKeyPath": "",
- "ScannerDownloadAttempts": 3,
- "Offline": {
- "KitsDirectory": "offline-kits",
- "KitMirror": "https://get.stella-ops.org/ouk/"
- },
- "Authority": {
- "Url": "https://authority.example.org",
- "ClientId": "concelier-cli",
- "ClientSecret": "REDACTED",
- "Username": "",
- "Password": "",
- "Scope": "concelier.jobs.trigger advisory:ingest advisory:read",
- "TokenCacheDirectory": ""
- }
- }
-}
-```
-
-Drop `appsettings.local.json` or `.yaml` beside the binary to override per environment.
-
----
-
-### 2.5 Misc Endpoints
-
-| Path | Method | Description |
-| ---------- | ------ | ---------------------------- |
-| `/healthz` | GET | Liveness; returns `"ok"` |
-| `/metrics` | GET | Prometheus exposition (OTel) |
-| `/version` | GET | Git SHA + build date |
-
----
-
-### 2.6 Authority Admin APIs
-
-Administrative endpoints live under `/internal/*` on the Authority host and require the bootstrap API key (`x-stellaops-bootstrap-key`). Responses are deterministic and audited via `AuthEventRecord`.
-
-| Path | Method | Description |
-| ---- | ------ | ----------- |
-| `/internal/revocations/export` | GET | Returns the revocation bundle (JSON + detached JWS + digest). Mirrors the output of `stellaops-cli auth revoke export`. |
-| `/internal/signing/rotate` | POST | Promotes a new signing key and marks the previous key as retired without restarting the service. |
-
-**Rotate request body**
-
-```json
-{
- "keyId": "authority-signing-2025",
- "location": "../certificates/authority-signing-2025.pem",
- "source": "file",
- "provider": "default"
-}
-```
-
-The API responds with the active `kid`, previous key (if any), and the set of retired key identifiers. Always export a fresh revocation bundle after rotation so downstream mirrors receive signatures from the new key.
-
----
-
-## 3 First‑Party CLI Tools
-
-### 3.1 `stella`
-
-> *Package SBOM + Scan + Exit code* – designed for CI.
-
-```
-Usage: stella [OPTIONS] IMAGE_OR_SBOM
-```
-
-| Flag / Option | Default | Description |
-| --------------- | ----------------------- | -------------------------------------------------- |
-| `--server` | `http://localhost:8080` | API root |
-| `--token` | *env `STELLA_TOKEN`* | Bearer token |
-| `--sbom-type` | *auto* | Force `trivy-json-v2`/`spdx-json`/`cyclonedx-json` |
-| `--delta` | `false` | Enable delta layer optimisation |
-| `--policy-file` | *none* | Override server rules with local YAML/Rego |
-| `--threshold` | `critical` | Fail build if ≥ level found |
-| `--output-json` | *none* | Write raw scan result to file |
-| `--wait-quota` | `true` | If 429 received, automatically wait `Retry‑After` and retry once. |
-
-**Exit codes**
-
-| Code | Meaning |
-| ---- | ------------------------------------------- |
-| 0 | Scan OK, policy passed |
-| 1 | Vulnerabilities ≥ threshold OR policy block |
-| 2 | Internal error (network etc.) |
-
----
-
-### 3.2 `stella‑zastava`
-
-> *Daemon / K8s DaemonSet* – watch container runtime, push SBOMs.
-
-Core flags (excerpt):
-
-| Flag | Purpose |
-| ---------------- | ---------------------------------- |
-| `--mode` | `listen` (default) / `enforce` |
-| `--filter-image` | Regex; ignore infra/busybox images |
-| `--threads` | Worker pool size |
-
----
-
-### 3.3 `stellopsctl`
-
-> *Admin utility* – policy snapshots, feed status, user CRUD.
-
-Examples:
-
-```
-stellopsctl policy export > policies/backup-2025-07-14.yaml
-stellopsctl feed refresh # force OSV merge
-stellopsctl user add dev-team --role developer
-```
-
----
-
-## 4 Error Model
-
-Uniform problem‑details object (RFC 7807):
-
-```json
-{
- "type": "https://stella-ops.org/probs/validation",
- "title": "Invalid request",
- "status": 400,
- "detail": "Layer digest malformed",
- "traceId": "00-7c39..."
-}
-```
-
----
-
-## 5 Rate Limits
-
-Default **40 requests / second / token**.
-429 responses include `Retry-After` seconds header.
-
----
-
-## 6 FAQ & Tips
-
-* **Skip SBOM generation in CI** – supply a *pre‑built* SBOM and add `?sbom-only=true` to `/scan` for <1 s path.
-* **Air‑gapped?** – point `--server` to `http://oukgw:8080` inside the Offline Update Kit.
-* **YAML vs Rego** – YAML simpler; Rego unlocks time‑based logic (see samples).
-* **Cosign verify plug‑ins** – enable `SCANNER_VERIFY_SIG=true` env to refuse unsigned plug‑ins.
-
----
-
-## 7 Planned Changes (Beyond 6 Months)
-
-These stay in *Feature Matrix → To Do* until design is frozen.
-
-| Epic / Feature | API Impact Sketch |
-| ---------------------------- | ---------------------------------- |
-| **SLSA L1‑L3** attestation | `/attest` (see §2.4) |
-| Rekor transparency log | `/rekor/log/{id}` (GET) |
-| Plug‑in Marketplace metadata | `/plugins/market` (catalog) |
-| Horizontal scaling controls | `POST /cluster/node` (add/remove) |
-| Windows agent support | Update LSAPI to PDE, no API change |
-
----
-
-## 8 References
-
-* OpenAPI YAML → `/openapi/v1.yaml` (served by backend)
-* OAuth2 spec:
-* SLSA spec:
-
----
-
-## 9 Changelog (truncated)
-
-* **2025‑07‑14** – added *delta SBOM*, policy import/export, CLI `--sbom-type`.
-* **2025‑07‑12** – initial public reference.
-
----
+# API & CLI Reference
+
+*Purpose* – give operators and integrators a single, authoritative spec for REST/GRPC calls **and** first‑party CLI tools (`stella-cli`, `zastava`, `stella`).
+Everything here is *source‑of‑truth* for generated Swagger/OpenAPI and the `--help` screens in the CLIs.
+
+---
+
+## 0 Quick Glance
+
+| Area | Call / Flag | Notes |
+| ------------------ | ------------------------------------------- | ------------------------------------------------------------------------------ |
+| Scan entry | `POST /scan` | Accepts SBOM or image; sub‑5 s target |
+| Delta check | `POST /layers/missing` | <20 ms reply; powers *delta SBOM* feature |
+| Rate‑limit / quota | — | Headers **`X‑Stella‑Quota‑Remaining`**, **`X‑Stella‑Reset`** on every response |
+| Policy I/O | `GET /policy/export`, `POST /policy/import` | YAML now; Rego coming |
+| Policy lint | `POST /policy/validate` | Returns 200 OK if ruleset passes |
+| Auth | `POST /connect/token` (OpenIddict) | Client‑credentials preferred |
+| Health | `GET /healthz` | Simple liveness probe |
+| Attestation * | `POST /attest` (TODO Q1‑2026) | SLSA provenance + Rekor log |
+| CLI flags | `--sbom-type` `--delta` `--policy-file` | Added to `stella` |
+
+\* Marked **TODO** → delivered after sixth month (kept on Feature Matrix “To Do” list).
+
+---
+
+## 1 Authentication
+
+Stella Ops uses **OAuth 2.0 / OIDC** (token endpoint mounted via OpenIddict).
+
+```
+POST /connect/token
+Content‑Type: application/x-www-form-urlencoded
+
+grant_type=client_credentials&
+client_id=ci‑bot&
+client_secret=REDACTED&
+scope=stella.api
+```
+
+Successful response:
+
+```json
+{
+ "access_token": "eyJraWQi...",
+ "token_type": "Bearer",
+ "expires_in": 3600
+}
+```
+
+> **Tip** – pass the token via `Authorization: Bearer ` on every call.
+
+---
+
+## 2 REST API
+
+### 2.0 Obtain / Refresh Offline‑Token
+
+```text
+POST /token/offline
+Authorization: Bearer
+```
+
+| Body field | Required | Example | Notes |
+|------------|----------|---------|-------|
+| `expiresDays` | no | `30` | Max 90 days |
+
+```json
+{
+ "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
+ "expires": "2025‑08‑17T00:00:00Z"
+}
+```
+
+Token is signed with the backend’s private key and already contains
+`"maxScansPerDay": {{ quota_token }}`.
+
+
+### 2.1 Scan – Upload SBOM **or** Image
+
+```
+POST /scan
+```
+
+| Param / Header | In | Required | Description |
+| -------------------- | ------ | -------- | --------------------------------------------------------------------- |
+| `X‑Stella‑Sbom‑Type` | header | no | `trivy-json-v2`, `spdx-json`, `cyclonedx-json`; omitted ➞ auto‑detect |
+| `?threshold` | query | no | `low`, `medium`, `high`, `critical`; default **critical** |
+| body | body | yes | *Either* SBOM JSON *or* Docker image tarball/upload URL |
+
+Every successful `/scan` response now includes:
+
+| Header | Example |
+|--------|---------|
+| `X‑Stella‑Quota‑Remaining` | `129` |
+| `X‑Stella‑Reset` | `2025‑07‑18T23:59:59Z` |
+| `X‑Stella‑Token‑Expires` | `2025‑08‑17T00:00:00Z` |
+
+**Response 200** (scan completed):
+
+```json
+{
+ "digest": "sha256:…",
+ "summary": {
+ "Critical": 0,
+ "High": 3,
+ "Medium": 12,
+ "Low": 41
+ },
+ "policyStatus": "pass",
+ "quota": {
+ "remaining": 131,
+ "reset": "2025-07-18T00:00:00Z"
+ }
+}
+```
+
+**Response 202** – queued; polling URL in `Location` header.
+
+---
+
+### 2.2 Delta SBOM – Layer Cache Check
+
+```
+POST /layers/missing
+Content‑Type: application/json
+Authorization: Bearer
+```
+
+```json
+{
+ "layers": [
+ "sha256:d38b...",
+ "sha256:af45..."
+ ]
+}
+```
+
+**Response 200** — <20 ms target:
+
+```json
+{
+ "missing": [
+ "sha256:af45..."
+ ]
+}
+```
+
+Client then generates SBOM **only** for the `missing` layers and re‑posts `/scan`.
+
+---
+
+### 2.3 Policy Endpoints *(preview feature flag: `scanner.features.enablePolicyPreview`)*
+
+All policy APIs require **`scanner.reports`** scope (or anonymous access while auth is disabled).
+
+**Fetch schema**
+
+```
+GET /api/v1/policy/schema
+Authorization: Bearer
+Accept: application/schema+json
+```
+
+Returns the embedded `policy-schema@1` JSON schema used by the binder.
+
+**Run diagnostics**
+
+```
+POST /api/v1/policy/diagnostics
+Content-Type: application/json
+Authorization: Bearer
+```
+
+```json
+{
+ "policy": {
+ "format": "yaml",
+ "actor": "cli",
+ "description": "dev override",
+ "content": "version: \"1.0\"\nrules:\n - name: Quiet Dev\n environments: [dev]\n action:\n type: ignore\n justification: dev waiver\n"
+ }
+}
+```
+
+**Response 200**:
+
+```json
+{
+ "success": false,
+ "version": "1.0",
+ "ruleCount": 1,
+ "errorCount": 0,
+ "warningCount": 1,
+ "generatedAt": "2025-10-19T03:25:14.112Z",
+ "issues": [
+ { "code": "policy.rule.quiet.missing_vex", "message": "Quiet flag ignored: rule must specify requireVex justifications.", "severity": "Warning", "path": "$.rules[0]" }
+ ],
+ "recommendations": [
+ "Review policy warnings and ensure intentional overrides are documented."
+ ]
+}
+```
+
+`success` is `false` when blocking issues remain; recommendations aggregate YAML ignore rules, VEX include/exclude hints, and vendor precedence guidance.
+
+**Preview impact**
+
+```
+POST /api/v1/policy/preview
+Authorization: Bearer
+Content-Type: application/json
+```
+
+```json
+{
+ "imageDigest": "sha256:abc123",
+ "findings": [
+ { "id": "finding-1", "severity": "Critical", "source": "NVD" }
+ ],
+ "policy": {
+ "format": "yaml",
+ "content": "version: \"1.0\"\nrules:\n - name: Block Critical\n severity: [Critical]\n action: block\n"
+ }
+}
+```
+
+**Response 200**:
+
+```json
+{
+ "success": true,
+ "policyDigest": "9c5e...",
+ "revisionId": "preview",
+ "changed": 1,
+ "diffs": [
+ {
+ "findingId": "finding-1",
+ "baseline": {"findingId": "finding-1", "status": "Pass"},
+ "projected": {
+ "findingId": "finding-1",
+ "status": "Blocked",
+ "ruleName": "Block Critical",
+ "ruleAction": "Block",
+ "score": 5.0,
+ "configVersion": "1.0",
+ "inputs": {"severityWeight": 5.0}
+ },
+ "changed": true
+ }
+ ],
+ "issues": []
+}
+```
+
+- Provide `policy` to preview staged changes; omit it to compare against the active snapshot.
+- Baseline verdicts are optional; when omitted, the API synthesises pass baselines before computing diffs.
+- Quieted verdicts include `quietedBy` and `quiet` flags; score inputs now surface reachability/vendor trust weights (`reachability.*`, `trustWeight.*`).
+
+**OpenAPI**: the full API document (including these endpoints) is exposed at `/openapi/v1.json` and can be fetched for tooling or contract regeneration.
+
+### 2.4 Scanner – Queue a Scan Job *(SP9 milestone)*
+
+```
+POST /api/v1/scans
+Authorization: Bearer
+Content-Type: application/json
+```
+
+```json
+{
+ "image": {
+ "reference": "registry.example.com/acme/app:1.2.3"
+ },
+ "force": false,
+ "clientRequestId": "ci-build-1845",
+ "metadata": {
+ "pipeline": "github",
+ "trigger": "pull-request"
+ }
+}
+```
+
+| Field | Required | Notes |
+| ------------------- | -------- | ------------------------------------------------------------------------------------------------ |
+| `image.reference` | no\* | Full repo/tag (`registry/repo:tag`). Provide **either** `reference` or `digest` (sha256:…). |
+| `image.digest` | no\* | OCI digest (e.g. `sha256:…`). |
+| `force` | no | `true` forces a re-run even if an identical scan (`scanId`) already exists. Default **false**. |
+| `clientRequestId` | no | Free-form string surfaced in audit logs. |
+| `metadata` | no | Optional string map stored with the job and surfaced in observability feeds. |
+
+\* At least one of `image.reference` or `image.digest` must be supplied.
+
+**Response 202** – job accepted (idempotent):
+
+```http
+HTTP/1.1 202 Accepted
+Location: /api/v1/scans/2f6c17f9b3f548e2a28b9c412f4d63f8
+```
+
+```json
+{
+ "scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
+ "status": "Pending",
+ "location": "/api/v1/scans/2f6c17f9b3f548e2a28b9c412f4d63f8",
+ "created": true
+}
+```
+
+- `scanId` is deterministic – resubmitting an identical payload returns the same identifier with `"created": false`.
+- API is cancellation-aware; aborting the HTTP request cancels the submission attempt.
+- Required scope: **`scanner.scans.enqueue`**.
+
+**Response 400** – validation problem (`Content-Type: application/problem+json`) when both `image.reference` and `image.digest` are blank.
+
+### 2.5 Scanner – Fetch Scan Status
+
+```
+GET /api/v1/scans/{scanId}
+Authorization: Bearer
+Accept: application/json
+```
+
+**Response 200**:
+
+```json
+{
+ "scanId": "2f6c17f9b3f548e2a28b9c412f4d63f8",
+ "status": "Pending",
+ "image": {
+ "reference": "registry.example.com/acme/app:1.2.3",
+ "digest": null
+ },
+ "createdAt": "2025-10-18T20:15:12.482Z",
+ "updatedAt": "2025-10-18T20:15:12.482Z",
+ "failureReason": null
+}
+```
+
+Statuses: `Pending`, `Running`, `Succeeded`, `Failed`, `Cancelled`.
+
+### 2.6 Scanner – Stream Progress (SSE / JSONL)
+
+```
+GET /api/v1/scans/{scanId}/events?format=sse|jsonl
+Authorization: Bearer
+Accept: text/event-stream
+```
+
+When `format` is omitted the endpoint emits **Server-Sent Events** (SSE). Specify `format=jsonl` to receive newline-delimited JSON (`application/x-ndjson`). Response headers include `Cache-Control: no-store` and `X-Accel-Buffering: no` so intermediaries avoid buffering the stream.
+
+**SSE frame** (default):
+
+```
+id: 1
+event: pending
+data: {"scanId":"2f6c17f9b3f548e2a28b9c412f4d63f8","sequence":1,"state":"Pending","message":"queued","timestamp":"2025-10-19T03:12:45.118Z","correlationId":"2f6c17f9b3f548e2a28b9c412f4d63f8:0001","data":{"force":false,"meta.pipeline":"github"}}
+```
+
+**JSONL frame** (`format=jsonl`):
+
+```json
+{"scanId":"2f6c17f9b3f548e2a28b9c412f4d63f8","sequence":1,"state":"Pending","message":"queued","timestamp":"2025-10-19T03:12:45.118Z","correlationId":"2f6c17f9b3f548e2a28b9c412f4d63f8:0001","data":{"force":false,"meta.pipeline":"github"}}
+```
+
+- `sequence` is monotonic starting at `1`.
+- `correlationId` is deterministic (`{scanId}:{sequence:0000}`) unless a custom identifier is supplied by the publisher.
+- `timestamp` is ISO‑8601 UTC with millisecond precision, ensuring deterministic ordering for consumers.
+- The stream completes when the client disconnects or the coordinator stops publishing events.
+
+### 2.7 Scanner – Assemble Report (Signed Envelope)
+
+```
+POST /api/v1/reports
+Authorization: Bearer
+Content-Type: application/json
+```
+
+Request body mirrors policy preview inputs (image digest plus findings). The service evaluates the active policy snapshot, assembles a verdict, and signs the canonical report payload.
+
+**Response 200**:
+
+```json
+{
+ "report": {
+ "reportId": "report-9f8cde21aab54321",
+ "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
+ "generatedAt": "2025-10-23T15:32:22Z",
+ "verdict": "blocked",
+ "policy": {
+ "revisionId": "rev-42",
+ "digest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876"
+ },
+ "summary": { "total": 2, "blocked": 1, "warned": 1, "ignored": 0, "quieted": 0 },
+ "verdicts": [
+ {
+ "findingId": "library:pkg/openssl@1.1.1w",
+ "status": "Blocked",
+ "ruleName": "Block vendor unknowns",
+ "ruleAction": "block",
+ "notes": "Unknown vendor telemetry — medium confidence band.",
+ "score": 19.5,
+ "configVersion": "1.0",
+ "inputs": {
+ "severityWeight": 50,
+ "trustWeight": 0.65,
+ "reachabilityWeight": 0.6,
+ "baseScore": 19.5,
+ "trustWeight.vendor": 0.65,
+ "reachability.unknown": 0.6,
+ "unknownConfidence": 0.55,
+ "unknownAgeDays": 5
+ },
+ "quietedBy": null,
+ "quiet": false,
+ "unknownConfidence": 0.55,
+ "confidenceBand": "medium",
+ "unknownAgeDays": 5,
+ "sourceTrust": "vendor",
+ "reachability": "unknown"
+ },
+ {
+ "findingId": "library:pkg/zlib@1.3.1",
+ "status": "Warned",
+ "ruleName": "Runtime mitigation required",
+ "ruleAction": "warn",
+ "notes": "Runtime reachable unknown — mitigation window required.",
+ "score": 18.75,
+ "configVersion": "1.0",
+ "inputs": {
+ "severityWeight": 75,
+ "trustWeight": 1,
+ "reachabilityWeight": 0.45,
+ "baseScore": 33.75,
+ "reachability.runtime": 0.45,
+ "warnPenalty": 15,
+ "unknownConfidence": 0.35,
+ "unknownAgeDays": 13
+ },
+ "quietedBy": null,
+ "quiet": false,
+ "unknownConfidence": 0.35,
+ "confidenceBand": "medium",
+ "unknownAgeDays": 13,
+ "sourceTrust": "NVD",
+ "reachability": "runtime"
+ }
+ ],
+ "issues": []
+ },
+ "dsse": {
+ "payloadType": "application/vnd.stellaops.report+json",
+ "payload": "eyJyZXBvcnQiOnsicmVwb3J0SWQiOiJyZXBvcnQtOWY4Y2RlMjFhYWI1NDMyMSJ9fQ==",
+ "signatures": [
+ {
+ "keyId": "scanner-report-signing",
+ "algorithm": "hs256",
+ "signature": "MEQCIGHscnJ2bm9wYXlsb2FkZXIAIjANBgkqhkiG9w0BAQsFAAOCAQEASmFja3Nvbk1ldGE="
+ }
+ ]
+ }
+}
+```
+
+- The `report` object omits null fields and is deterministic (ISO timestamps, sorted keys) while surfacing `unknownConfidence`, `confidenceBand`, and `unknownAgeDays` for auditability.
+- `dsse` follows the DSSE (Dead Simple Signing Envelope) shape; `payload` is the canonical UTF-8 JSON and `signatures[0].signature` is the base64 HMAC/Ed25519 value depending on configuration.
+- Full offline samples live at `samples/policy/policy-report-unknown.json` (request + response) and `samples/api/reports/report-sample.dsse.json` (envelope fixture) for tooling tests or signature verification.
+
+**Response 404** – `application/problem+json` payload with type `https://stellaops.org/problems/not-found` when the scan identifier is unknown.
+
+> **Tip** – poll `Location` from the submission call until `status` transitions away from `Pending`/`Running`.
+
+```yaml
+# Example import payload (YAML)
+version: "1.0"
+rules:
+ - name: Ignore Low dev
+ severity: [Low, None]
+ environments: [dev, staging]
+ action: ignore
+```
+
+Validation errors come back as:
+
+```json
+{
+ "errors": [
+ {
+ "path": "$.rules[0].severity",
+ "msg": "Invalid level 'None'"
+ }
+ ]
+}
+```
+
+```json
+# Preview response excerpt
+{
+ "success": true,
+ "policyDigest": "9c5e...",
+ "revisionId": "rev-12",
+ "changed": 1,
+ "diffs": [
+ {
+ "baseline": {"findingId": "finding-1", "status": "pass"},
+ "projected": {"findingId": "finding-1", "status": "blocked", "ruleName": "Block Critical"},
+ "changed": true
+ }
+ ]
+}
+```
+
+---
+
+### 2.4 Attestation (Planned – Q1‑2026)
+
+```
+POST /attest
+```
+
+| Param | Purpose |
+| ----------- | ------------------------------------- |
+| body (JSON) | SLSA v1.0 provenance doc |
+| | Signed + stored in local Rekor mirror |
+
+Returns `202 Accepted` and `Location: /attest/{id}` for async verify.
+
+---
+
+### 2.8 Runtime – Ingest Observer Events *(SCANNER-RUNTIME-12-301)*
+
+```
+POST /api/v1/runtime/events
+Authorization: Bearer
+Content-Type: application/json
+```
+
+| Requirement | Details |
+|-------------|---------|
+| Auth scope | `scanner.runtime.ingest` |
+| Batch size | ≤ **256** envelopes (`scanner.runtime.maxBatchSize`, configurable) |
+| Payload cap | ≤ **1 MiB** serialized JSON (`scanner.runtime.maxPayloadBytes`) |
+| Rate limits | Per-tenant and per-node token buckets (default 200 events/s tenant, 50 events/s node, burst 200) – excess returns **429** with `Retry-After`. |
+| TTL | Runtime events retained **45 days** by default (`scanner.runtime.eventTtlDays`). |
+
+**Request body**
+
+```json
+{
+ "batchId": "node-a-2025-10-20T15:03:12Z",
+ "events": [
+ {
+ "schemaVersion": "zastava.runtime.event@v1",
+ "event": {
+ "eventId": "evt-2f9c02b8",
+ "when": "2025-10-20T15:03:08Z",
+ "kind": "ContainerStart",
+ "tenant": "tenant-alpha",
+ "node": "cluster-a/node-01",
+ "runtime": { "engine": "containerd", "version": "1.7.19" },
+ "workload": {
+ "platform": "kubernetes",
+ "namespace": "payments",
+ "pod": "api-7c9fbbd8b7-ktd84",
+ "container": "api",
+ "containerId": "containerd://bead5...",
+ "imageRef": "ghcr.io/acme/api@sha256:deadbeef"
+ },
+ "process": { "pid": 12345, "entrypoint": ["/start.sh", "--serve"], "buildId": "5f0c7c3c..." },
+ "loadedLibs": [
+ { "path": "/lib/x86_64-linux-gnu/libssl.so.3", "inode": 123456, "sha256": "abc123..." }
+ ],
+ "posture": { "imageSigned": true, "sbomReferrer": "present" },
+ "delta": { "baselineImageDigest": "sha256:deadbeef" },
+ "evidence": [ { "signal": "proc.maps", "value": "libssl.so.3@0x7f..." } ],
+ "annotations": { "observerVersion": "1.0.0" }
+ }
+ }
+ ]
+}
+```
+
+**Responses**
+
+| Code | Body | Notes |
+|------|------|-------|
+| `202 Accepted` | `{ "accepted": 128, "duplicates": 2 }` | Batch persisted; duplicates are ignored via unique `eventId`. |
+| `400 Bad Request` | Problem+JSON | Validation failures – empty batch, duplicate IDs, unsupported schema version, payload too large. |
+| `429 Too Many Requests` | Problem+JSON | Per-tenant/node rate limit exceeded; `Retry-After` header emitted in seconds. |
+
+Persisted documents capture the canonical envelope (`payload` field), tenant/node metadata, and set an automatic TTL on `expiresAt`. Observers should retry rejected batches with exponential backoff honouring the provided `Retry-After` hint.
+
+---
+
+## 3 StellaOps CLI (`stellaops-cli`)
+
+The new CLI is built on **System.CommandLine 2.0.0‑beta5** and mirrors the Concelier backend REST API.
+Configuration follows the same precedence chain everywhere:
+
+1. Environment variables (e.g. `API_KEY`, `STELLAOPS_BACKEND_URL`, `StellaOps:ApiKey`)
+2. `appsettings.json` → `appsettings.local.json`
+3. `appsettings.yaml` → `appsettings.local.yaml`
+4. Defaults (`ApiKey = ""`, `BackendUrl = ""`, cache folders under the current working directory)
+
+**Authority auth client resilience settings**
+
+| Setting | Environment variable | Default | Purpose |
+|---------|----------------------|---------|---------|
+| `StellaOps:Authority:Resilience:EnableRetries` | `STELLAOPS_AUTHORITY_ENABLE_RETRIES` | `true` | Toggle Polly wait-and-retry handlers for discovery/token calls |
+| `StellaOps:Authority:Resilience:RetryDelays` | `STELLAOPS_AUTHORITY_RETRY_DELAYS` | `1s,2s,5s` | Comma/space-separated backoff sequence (HH:MM:SS) |
+| `StellaOps:Authority:Resilience:AllowOfflineCacheFallback` | `STELLAOPS_AUTHORITY_ALLOW_OFFLINE_CACHE_FALLBACK` | `true` | Reuse cached discovery/JWKS metadata when Authority is temporarily unreachable |
+| `StellaOps:Authority:Resilience:OfflineCacheTolerance` | `STELLAOPS_AUTHORITY_OFFLINE_CACHE_TOLERANCE` | `00:10:00` | Additional tolerance window added to the discovery/JWKS cache lifetime |
+
+See `docs/dev/32_AUTH_CLIENT_GUIDE.md` for recommended profiles (online vs. air-gapped) and testing guidance.
+
+| Command | Purpose | Key Flags / Arguments | Notes |
+|---------|---------|-----------------------|-------|
+| `stellaops-cli scanner download` | Fetch and install scanner container | `--channel ` (default `stable`)
`--output `
`--overwrite`
`--no-install` | Saves artefact under `ScannerCacheDirectory`, verifies digest/signature, and executes `docker load` unless `--no-install` is supplied. |
+| `stellaops-cli scan run` | Execute scanner container against a directory (auto-upload) | `--target ` (required)
`--runner ` (default from config)
`--entry `
`[scanner-args...]` | Runs the scanner, writes results into `ResultsDirectory`, emits a structured `scan-run-*.json` metadata file, and automatically uploads the artefact when the exit code is `0`. |
+| `stellaops-cli scan upload` | Re-upload existing scan artefact | `--file ` | Useful for retries when automatic upload fails or when operating offline. |
+| `stellaops-cli db fetch` | Trigger connector jobs | `--source ` (e.g. `redhat`, `osv`)
`--stage ` (default `fetch`)
`--mode ` | Translates to `POST /jobs/source:{source}:{stage}` with `trigger=cli` |
+| `stellaops-cli db merge` | Run canonical merge reconcile | — | Calls `POST /jobs/merge:reconcile`; exit code `0` on acceptance, `1` on failures/conflicts |
+| `stellaops-cli db export` | Kick JSON / Trivy exports | `--format ` (default `json`)
`--delta`
`--publish-full/--publish-delta`
`--bundle-full/--bundle-delta` | Sets `{ delta = true }` parameter when requested and can override ORAS/bundle toggles per run |
+| `stellaops-cli auth ` | Manage cached tokens for StellaOps Authority | `auth login --force` (ignore cache)
`auth status`
`auth whoami` | Uses `StellaOps.Auth.Client`; honours `StellaOps:Authority:*` configuration, stores tokens under `~/.stellaops/tokens` by default, and `whoami` prints subject/scope/expiry |
+| `stellaops-cli auth revoke export` | Export the Authority revocation bundle | `--output ` (defaults to CWD) | Writes `revocation-bundle.json`, `.json.jws`, and `.json.sha256`; verifies the digest locally and includes key metadata in the log summary. |
+| `stellaops-cli auth revoke verify` | Validate a revocation bundle offline | `--bundle ` `--signature ` `--key `
`--verbose` | Verifies detached JWS signatures, reports the computed SHA-256, and can fall back to cached JWKS when `--key` is omitted. |
+| `stellaops-cli offline kit pull` | Download the latest offline kit bundle and manifest | `--bundle-id ` (optional)
`--destination `
`--overwrite`
`--no-resume` | Streams the bundle + manifest from the configured mirror/backend, resumes interrupted downloads, verifies SHA-256, and writes signatures plus a `.metadata.json` manifest alongside the artefacts. |
+| `stellaops-cli offline kit import` | Upload an offline kit bundle to the backend | `` (argument)
`--manifest `
`--bundle-signature `
`--manifest-signature ` | Validates digests when metadata is present, then posts multipart payloads to `POST /api/offline-kit/import`; logs the submitted import ID/status for air-gapped rollout tracking. |
+| `stellaops-cli offline kit status` | Display imported offline kit details | `--json` | Shows bundle id/kind, captured/imported timestamps, digests, and component versions; `--json` emits machine-readable output for scripting. |
+| `stellaops-cli sources ingest --dry-run` | Dry-run guard validation for individual payloads | `--source `
`--input `
`--tenant `
`--format table\|json`
`--output ` | Normalises gzip/base64 payloads, invokes `api/aoc/ingest/dry-run`, and maps guard failures to deterministic `ERR_AOC_00x` exit codes. |
+| `stellaops-cli aoc verify` | Replay AOC guardrails over stored documents | `--since `
`--limit `
`--sources `
`--codes `
`--format table\|json`
`--export ` | Summarises checked counts/violations, supports JSON evidence exports, and returns `0`, `11…17`, `18`, `70`, or `71` depending on guard outcomes. |
+| `stellaops-cli config show` | Display resolved configuration | — | Masks secret values; helpful for air‑gapped installs |
+| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i ` (repeatable, comma/space lists supported)
`--file/-f `
`--namespace/--ns `
`--label/-l key=value` (repeatable)
`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
+
+#### Example: Pivot from runtime verdicts to debug symbols
+
+```bash
+$ stellaops-cli runtime policy test \
+ --image ghcr.io/acme/payments@sha256:4f7d55f6... \
+ --namespace payments
+
+Image Digest Signed SBOM Build IDs TTL
+ghcr.io/acme/payments@sha256:4f7d55f6... yes present 5f0c7c3c..., 1122aabbccddeeff... 04:59:55
+```
+
+1. Copy one of the hashes (e.g. `5f0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789`) and locate the bundled debug artefact:
+ ```bash
+ ls offline-kit/debug/.build-id/5f/0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789.debug
+ ```
+2. Confirm the running binary advertises the same GNU build-id:
+ ```bash
+ readelf -n /proc/$(pgrep -f payments-api | head -n1)/exe | grep -i 'Build ID'
+ ```
+3. If you operate a debuginfod mirror backed by the Offline Kit tree, resolve symbols with:
+ ```bash
+ debuginfod-find debuginfo 5f0c7c3cb4d9f8a4f1c1d5c6b7e8f90123456789 >/tmp/payments-api.debug
+ ```
+
+See [Offline Kit step 0](24_OFFLINE_KIT.md#0-prepare-the-debug-store) for instructions on mirroring the debug store before packaging.
+
+`POST /api/v1/scanner/policy/runtime` responds with one entry per digest. Each result now includes:
+
+- `policyVerdict` (`pass|warn|fail|error`), `signed`, and `hasSbomReferrers` parity with the webhook contract.
+- `confidence` (0-1 double) derived from canonical `PolicyPreviewService` evaluation and `quieted`/`quietedBy` flags for muted findings.
+- `rekor` block carrying `uuid`, `url`, and the attestor-backed `verified` boolean when Rekor inclusion proofs have been confirmed.
+- `metadata` (stringified JSON) capturing runtime heuristics, policy issues, evaluated findings, and timestamps for downstream audit.
+- `buildIds` (array) lists up to three distinct GNU build-id hashes recently observed for that digest so debuggers can derive `/usr/lib/debug/.build-id//.debug` paths for symbol stores.
+
+When running on an interactive terminal without explicit override flags, the CLI uses Spectre.Console prompts to let you choose per-run ORAS/offline bundle behaviour.
+
+Runtime verdict output reflects the SCANNER-RUNTIME-12-302 contract sign-off (quieted provenance, confidence band, attestation verification). CLI-RUNTIME-13-008 now mirrors those fields in both table and `--json` formats.
+
+**Startup diagnostics**
+
+- `stellaops-cli` now loads Authority plug-in manifests during startup (respecting `Authority:Plugins:*`) and surfaces analyzer warnings when a plug-in weakens the baseline password policy (minimum length **12** and all character classes required).
+- Follow the log entry’s config path and raise `passwordPolicy.minimumLength` to at least 12 while keeping `requireUppercase`, `requireLowercase`, `requireDigit`, and `requireSymbol` set to `true` to clear the warning; weakened overrides are treated as actionable security deviations.
+
+**Logging & exit codes**
+
+- Structured logging via `Microsoft.Extensions.Logging` with single-line console output (timestamps in UTC).
+- `--verbose / -v` raises log level to `Debug`.
+- Command exit codes bubble up: backend conflict → `1`, cancelled via `CTRL+C` → `130`, scanner exit codes propagate as-is.
+
+**Artifact validation**
+
+- Downloads are verified against the `X-StellaOps-Digest` header (SHA-256). When `StellaOps:ScannerSignaturePublicKeyPath` points to a PEM-encoded RSA key, the optional `X-StellaOps-Signature` header is validated as well.
+- Metadata for each bundle is written alongside the artefact (`*.metadata.json`) with digest, signature, source URL, and timestamps.
+- Retry behaviour is controlled via `StellaOps:ScannerDownloadAttempts` (default **3** with exponential backoff).
+- Successful `scan run` executions create timestamped JSON artefacts inside `ResultsDirectory` plus a `scan-run-*.json` metadata envelope documenting the runner, arguments, timing, and stdout/stderr. The artefact is posted back to Concelier automatically.
+
+#### Trivy DB export metadata (`metadata.json`)
+
+`stellaops-cli db export --format trivy-db` (and the backing `POST /jobs/export:trivy-db`) always emits a `metadata.json` document in the OCI layout root. Operators consuming the bundle or delta updates should inspect the following fields:
+
+| Field | Type | Purpose |
+| ----- | ---- | ------- |
+| `mode` | `full` \| `delta` | Indicates whether the current run rebuilt the entire database (`full`) or only the changed files (`delta`). |
+| `baseExportId` | string? | Export ID of the last full baseline that the delta builds upon. Only present for `mode = delta`. |
+| `baseManifestDigest` | string? | SHA-256 digest of the manifest belonging to the baseline OCI layout. |
+| `resetBaseline` | boolean | `true` when the exporter rotated the baseline (e.g., repo change, delta chain reset). Treat as a full refresh. |
+| `treeDigest` | string | Canonical SHA-256 digest of the JSON tree used to build the database. |
+| `treeBytes` | number | Total bytes across exported JSON files. |
+| `advisoryCount` | number | Count of advisories included in the export. |
+| `exporterVersion` | string | Version stamp of `StellaOps.Concelier.Exporter.TrivyDb`. |
+| `builder` | object? | Raw metadata emitted by `trivy-db build` (version, update cadence, etc.). |
+| `delta.changedFiles[]` | array | Present when `mode = delta`. Each entry lists `{ "path": "", "length": , "digest": "sha256:..." }`. |
+| `delta.removedPaths[]` | array | Paths that existed in the previous manifest but were removed in the new run. |
+
+When the planner opts for a delta run, the exporter copies unmodified blobs from the baseline layout identified by `baseManifestDigest`. Consumers that cache OCI blobs only need to fetch the `changedFiles` and the new manifest/metadata unless `resetBaseline` is true.
+When pushing to ORAS, set `concelier:exporters:trivyDb:oras:publishFull` / `publishDelta` to control whether full or delta runs are copied to the registry. Offline bundles follow the analogous `includeFull` / `includeDelta` switches under `offlineBundle`.
+
+Example configuration (`appsettings.yaml`):
+
+```yaml
+concelier:
+ exporters:
+ trivyDb:
+ oras:
+ enabled: true
+ publishFull: true
+ publishDelta: false
+ offlineBundle:
+ enabled: true
+ includeFull: true
+ includeDelta: false
+```
+
+
+**Authentication**
+
+- API key is sent as `Authorization: Bearer ` automatically when configured.
+- Anonymous operation is permitted only when Concelier runs with
+ `authority.allowAnonymousFallback: true`. This flag is temporary—plan to disable
+ it before **2025-12-31 UTC** so bearer tokens become mandatory.
+
+Authority-backed auth workflow:
+1. Configure Authority settings via config or env vars (see sample below). Minimum fields: `Url`, `ClientId`, and either `ClientSecret` (client credentials) or `Username`/`Password` (password grant).
+2. Run `stellaops-cli auth login` to acquire and cache a token. Use `--force` if you need to ignore an existing cache entry.
+3. Execute CLI commands as normal—the backend client injects the cached bearer token automatically and retries on transient 401/403 responses with operator guidance.
+4. Inspect the cache with `stellaops-cli auth status` (shows expiry, scope, mode) or clear it via `stellaops-cli auth logout`.
+5. Run `stellaops-cli auth whoami` to dump token subject, audience, issuer, scopes, and remaining lifetime (verbose mode prints additional claims).
+6. Expect Concelier to emit audit logs for each `/jobs*` request showing `subject`,
+ `clientId`, `scopes`, `status`, and whether network bypass rules were applied.
+
+Tokens live in `~/.stellaops/tokens` unless `StellaOps:Authority:TokenCacheDirectory` overrides it. Cached tokens are reused offline until they expire; the CLI surfaces clear errors if refresh fails.
+
+For offline workflows, configure `StellaOps:Offline:KitsDirectory` (or `STELLAOPS_OFFLINE_KITS_DIR`) to control where bundles, manifests, and metadata are stored, and `StellaOps:Offline:KitMirror` (or `STELLAOPS_OFFLINE_MIRROR_URL`) to override the download base URL when pulling from a mirror.
+
+**Configuration file template**
+
+```jsonc
+{
+ "StellaOps": {
+ "ApiKey": "your-api-token",
+ "BackendUrl": "https://concelier.example.org",
+ "ScannerCacheDirectory": "scanners",
+ "ResultsDirectory": "results",
+ "DefaultRunner": "docker",
+ "ScannerSignaturePublicKeyPath": "",
+ "ScannerDownloadAttempts": 3,
+ "Offline": {
+ "KitsDirectory": "offline-kits",
+ "KitMirror": "https://get.stella-ops.org/ouk/"
+ },
+ "Authority": {
+ "Url": "https://authority.example.org",
+ "ClientId": "concelier-cli",
+ "ClientSecret": "REDACTED",
+ "Username": "",
+ "Password": "",
+ "Scope": "concelier.jobs.trigger advisory:ingest advisory:read",
+ "TokenCacheDirectory": ""
+ }
+ }
+}
+```
+
+Drop `appsettings.local.json` or `.yaml` beside the binary to override per environment.
+
+---
+
+### 2.5 Misc Endpoints
+
+| Path | Method | Description |
+| ---------- | ------ | ---------------------------- |
+| `/healthz` | GET | Liveness; returns `"ok"` |
+| `/metrics` | GET | Prometheus exposition (OTel) |
+| `/version` | GET | Git SHA + build date |
+
+---
+
+### 2.6 Authority Admin APIs
+
+Administrative endpoints live under `/internal/*` on the Authority host and require the bootstrap API key (`x-stellaops-bootstrap-key`). Responses are deterministic and audited via `AuthEventRecord`.
+
+| Path | Method | Description |
+| ---- | ------ | ----------- |
+| `/internal/revocations/export` | GET | Returns the revocation bundle (JSON + detached JWS + digest). Mirrors the output of `stellaops-cli auth revoke export`. |
+| `/internal/signing/rotate` | POST | Promotes a new signing key and marks the previous key as retired without restarting the service. |
+
+**Rotate request body**
+
+```json
+{
+ "keyId": "authority-signing-2025",
+ "location": "../certificates/authority-signing-2025.pem",
+ "source": "file",
+ "provider": "default"
+}
+```
+
+The API responds with the active `kid`, previous key (if any), and the set of retired key identifiers. Always export a fresh revocation bundle after rotation so downstream mirrors receive signatures from the new key.
+
+---
+
+## 3 First‑Party CLI Tools
+
+### 3.1 `stella`
+
+> *Package SBOM + Scan + Exit code* – designed for CI.
+
+```
+Usage: stella [OPTIONS] IMAGE_OR_SBOM
+```
+
+| Flag / Option | Default | Description |
+| --------------- | ----------------------- | -------------------------------------------------- |
+| `--server` | `http://localhost:8080` | API root |
+| `--token` | *env `STELLA_TOKEN`* | Bearer token |
+| `--sbom-type` | *auto* | Force `trivy-json-v2`/`spdx-json`/`cyclonedx-json` |
+| `--delta` | `false` | Enable delta layer optimisation |
+| `--policy-file` | *none* | Override server rules with local YAML/Rego |
+| `--threshold` | `critical` | Fail build if ≥ level found |
+| `--output-json` | *none* | Write raw scan result to file |
+| `--wait-quota` | `true` | If 429 received, automatically wait `Retry‑After` and retry once. |
+
+**Exit codes**
+
+| Code | Meaning |
+| ---- | ------------------------------------------- |
+| 0 | Scan OK, policy passed |
+| 1 | Vulnerabilities ≥ threshold OR policy block |
+| 2 | Internal error (network etc.) |
+
+---
+
+### 3.2 `stella‑zastava`
+
+> *Daemon / K8s DaemonSet* – watch container runtime, push SBOMs.
+
+Core flags (excerpt):
+
+| Flag | Purpose |
+| ---------------- | ---------------------------------- |
+| `--mode` | `listen` (default) / `enforce` |
+| `--filter-image` | Regex; ignore infra/busybox images |
+| `--threads` | Worker pool size |
+
+---
+
+### 3.3 `stellopsctl`
+
+> *Admin utility* – policy snapshots, feed status, user CRUD.
+
+Examples:
+
+```
+stellopsctl policy export > policies/backup-2025-07-14.yaml
+stellopsctl feed refresh # force OSV merge
+stellopsctl user add dev-team --role developer
+```
+
+---
+
+## 4 Error Model
+
+Uniform problem‑details object (RFC 7807):
+
+```json
+{
+ "type": "https://stella-ops.org/probs/validation",
+ "title": "Invalid request",
+ "status": 400,
+ "detail": "Layer digest malformed",
+ "traceId": "00-7c39..."
+}
+```
+
+---
+
+## 5 Rate Limits
+
+Default **40 requests / second / token**.
+429 responses include `Retry-After` seconds header.
+
+---
+
+## 6 FAQ & Tips
+
+* **Skip SBOM generation in CI** – supply a *pre‑built* SBOM and add `?sbom-only=true` to `/scan` for <1 s path.
+* **Air‑gapped?** – point `--server` to `http://oukgw:8080` inside the Offline Update Kit.
+* **YAML vs Rego** – YAML simpler; Rego unlocks time‑based logic (see samples).
+* **Cosign verify plug‑ins** – enable `SCANNER_VERIFY_SIG=true` env to refuse unsigned plug‑ins.
+
+---
+
+## 7 Planned Changes (Beyond 6 Months)
+
+These stay in *Feature Matrix → To Do* until design is frozen.
+
+| Epic / Feature | API Impact Sketch |
+| ---------------------------- | ---------------------------------- |
+| **SLSA L1‑L3** attestation | `/attest` (see §2.4) |
+| Rekor transparency log | `/rekor/log/{id}` (GET) |
+| Plug‑in Marketplace metadata | `/plugins/market` (catalog) |
+| Horizontal scaling controls | `POST /cluster/node` (add/remove) |
+| Windows agent support | Update LSAPI to PDE, no API change |
+
+---
+
+## 8 References
+
+* OpenAPI YAML → `/openapi/v1.yaml` (served by backend)
+* OAuth2 spec:
+* SLSA spec:
+
+---
+
+## 9 Changelog (truncated)
+
+* **2025‑07‑14** – added *delta SBOM*, policy import/export, CLI `--sbom-type`.
+* **2025‑07‑12** – initial public reference.
+
+---
diff --git a/docs/10_CONCELIER_CLI_QUICKSTART.md b/docs/10_CONCELIER_CLI_QUICKSTART.md
index a159bb98..c4fdc7b6 100644
--- a/docs/10_CONCELIER_CLI_QUICKSTART.md
+++ b/docs/10_CONCELIER_CLI_QUICKSTART.md
@@ -45,7 +45,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
4. Start the web service from the repository root:
```bash
- dotnet run --project src/StellaOps.Concelier.WebService
+ dotnet run --project src/Concelier/StellaOps.Concelier.WebService
```
On startup Concelier validates the options, boots MongoDB indexes, loads plug-ins,
@@ -94,7 +94,7 @@ Rollout checkpoints for the two Authority toggles:
## 2 · Configure the CLI
The CLI reads configuration from JSON/YAML files *and* environment variables. The
-defaults live in `src/StellaOps.Cli/appsettings.json` and expect overrides at runtime.
+defaults live in `src/Cli/StellaOps.Cli/appsettings.json` and expect overrides at runtime.
| Setting | Environment variable | Default | Purpose |
| ------- | -------------------- | ------- | ------- |
@@ -123,12 +123,12 @@ export STELLAOPS_AUTHORITY_URL="https://authority.local"
export STELLAOPS_AUTHORITY_CLIENT_ID="concelier-cli"
export STELLAOPS_AUTHORITY_CLIENT_SECRET="s3cr3t"
export STELLAOPS_AUTHORITY_SCOPE="concelier.jobs.trigger advisory:ingest advisory:read"
-dotnet run --project src/StellaOps.Cli -- db merge
+dotnet run --project src/Cli/StellaOps.Cli -- db merge
# Acquire a bearer token and confirm cache state
-dotnet run --project src/StellaOps.Cli -- auth login
-dotnet run --project src/StellaOps.Cli -- auth status
-dotnet run --project src/StellaOps.Cli -- auth whoami
+dotnet run --project src/Cli/StellaOps.Cli -- auth login
+dotnet run --project src/Cli/StellaOps.Cli -- auth status
+dotnet run --project src/Cli/StellaOps.Cli -- auth whoami
```
Refer to `docs/dev/32_AUTH_CLIENT_GUIDE.md` for deeper guidance on tuning retry/offline settings and rollout checklists.
@@ -143,31 +143,31 @@ rely on environment variables for ephemeral runners.
1. **Trigger connector fetch stages**
```bash
- dotnet run --project src/StellaOps.Cli -- db fetch --source osv --stage fetch
- dotnet run --project src/StellaOps.Cli -- db fetch --source osv --stage parse
- dotnet run --project src/StellaOps.Cli -- db fetch --source osv --stage map
+ dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage fetch
+ dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage parse
+ dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source osv --stage map
```
Use `--mode resume` when continuing from a previous window:
```bash
- dotnet run --project src/StellaOps.Cli -- db fetch --source redhat --stage fetch --mode resume
+ dotnet run --project src/Cli/StellaOps.Cli -- db fetch --source redhat --stage fetch --mode resume
```
2. **Merge canonical advisories**
```bash
- dotnet run --project src/StellaOps.Cli -- db merge
+ dotnet run --project src/Cli/StellaOps.Cli -- db merge
```
3. **Produce exports**
```bash
# JSON tree (vuln-list style)
- dotnet run --project src/StellaOps.Cli -- db export --format json
+ dotnet run --project src/Cli/StellaOps.Cli -- db export --format json
# Trivy DB (delta example)
- dotnet run --project src/StellaOps.Cli -- db export --format trivy-db --delta
+ dotnet run --project src/Cli/StellaOps.Cli -- db export --format trivy-db --delta
```
Concelier always produces a deterministic OCI layout. The first run after a clean
@@ -207,13 +207,13 @@ rely on environment variables for ephemeral runners.
```bash
export STELLA_TENANT="${STELLA_TENANT:-tenant-a}"
- dotnet run --project src/StellaOps.Cli -- aoc verify \
+ dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \
--since 24h \
--format table \
--tenant "$STELLA_TENANT"
# Optional: capture JSON evidence for pipelines/audits
- dotnet run --project src/StellaOps.Cli -- aoc verify \
+ dotnet run --project src/Cli/StellaOps.Cli -- aoc verify \
--since 7d \
--limit 100 \
--format json \
@@ -244,9 +244,9 @@ rely on environment variables for ephemeral runners.
6. **Manage scanners (optional)**
```bash
- dotnet run --project src/StellaOps.Cli -- scanner download --channel stable
- dotnet run --project src/StellaOps.Cli -- scan run --entry scanners/latest/Scanner.dll --target ./sboms
- dotnet run --project src/StellaOps.Cli -- scan upload --file results/scan-001.json
+ dotnet run --project src/Cli/StellaOps.Cli -- scanner download --channel stable
+ dotnet run --project src/Cli/StellaOps.Cli -- scan run --entry scanners/latest/Scanner.dll --target ./sboms
+ dotnet run --project src/Cli/StellaOps.Cli -- scan upload --file results/scan-001.json
```
Add `--verbose` to any command for structured console logs. All commands honour
diff --git a/docs/11_AUTHORITY.md b/docs/11_AUTHORITY.md
index aaf00014..0a95b978 100644
--- a/docs/11_AUTHORITY.md
+++ b/docs/11_AUTHORITY.md
@@ -1,380 +1,380 @@
-# StellaOps Authority Service
-
-> **Status:** Drafted 2025-10-12 (CORE5B.DOC / DOC1.AUTH) – aligns with Authority revocation store, JWKS rotation, and bootstrap endpoints delivered in Sprint 1.
-
-## 1. Purpose
-The **StellaOps Authority** service issues OAuth2/OIDC tokens for every StellaOps module (Concelier, Backend, Agent, Zastava) and exposes the policy controls required in sovereign/offline environments. Authority is built as a minimal ASP.NET host that:
-
-- brokers password, client-credentials, and device-code flows through pluggable identity providers;
-- persists access/refresh/device tokens in MongoDB with deterministic schemas for replay analysis and air-gapped audit copies;
-- distributes revocation bundles and JWKS material so downstream services can enforce lockouts without direct database access;
-- offers bootstrap APIs for first-run provisioning and key rotation without redeploying binaries.
-
-Authority is deployed alongside Concelier in air-gapped environments and never requires outbound internet access. All trusted metadata (OpenIddict discovery, JWKS, revocation bundles) is cacheable, signed, and reproducible.
-
-## 2. Component Architecture
-Authority is composed of five cooperating subsystems:
-
-1. **Minimal API host** – configures OpenIddict endpoints (`/token`, `/authorize`, `/revoke`, `/jwks`), publishes the OpenAPI contract at `/.well-known/openapi`, and enables structured logging/telemetry. Rate limiting hooks (`AuthorityRateLimiter`) wrap every request.
-2. **Plugin host** – loads `StellaOps.Authority.Plugin.*.dll` assemblies, applies capability metadata, and exposes password/client provisioning surfaces through dependency injection.
-3. **Mongo storage** – persists tokens, revocations, bootstrap invites, and plugin state in deterministic collections indexed for offline sync (`authority_tokens`, `authority_revocations`, etc.).
-4. **Cryptography layer** – `StellaOps.Cryptography` abstractions manage password hashing, signing keys, JWKS export, and detached JWS generation.
-5. **Offline ops APIs** – internal endpoints under `/internal/*` provide administrative flows (bootstrap users/clients, revocation export) guarded by API keys and deterministic audit events.
-
-A high-level sequence for password logins:
-
-```
-Client -> /token (password grant)
- -> Rate limiter & audit hooks
- -> Plugin credential store (Argon2id verification)
- -> Token persistence (Mongo authority_tokens)
- -> Response (access/refresh tokens + deterministic claims)
-```
-
-## 3. Token Lifecycle & Persistence
-Authority persists every issued token in MongoDB so operators can audit or revoke without scanning distributed caches.
-
-- **Collection:** `authority_tokens`
-- **Key fields:**
-- `tokenId`, `type` (`access_token`, `refresh_token`, `device_code`, `authorization_code`)
-- `subjectId`, `clientId`, ordered `scope` array
-- `tenant` (lower-cased tenant hint from the issuing client, omitted for global clients)
-
-### Console OIDC client
-
-- **Client ID**: `console-web`
-- **Grants**: `authorization_code` (PKCE required), `refresh_token`
-- **Audience**: `console`
-- **Scopes**: `openid`, `profile`, `email`, `advisory:read`, `vex:read`, `aoc:verify`, `findings:read`, `orch:read`, `vuln:read`
-- **Redirect URIs** (defaults): `https://console.stella-ops.local/oidc/callback`
-- **Post-logout redirect**: `https://console.stella-ops.local/`
-- **Tokens**: Access tokens inherit the global 2 minute lifetime; refresh tokens remain short-lived (30 days) and can be exchanged silently via `/token`.
-- **Roles**: Assign Authority role `Orch.Viewer` (exposed to tenants as `role/orch-viewer`) when operators need read-only access to Orchestrator telemetry via Console dashboards. Policy Studio ships dedicated roles (`role/policy-author`, `role/policy-reviewer`, `role/policy-approver`, `role/policy-operator`, `role/policy-auditor`) that align with the new `policy:*` scope family; issue them per tenant so audit trails remain scoped.
-
-Configuration sample (`etc/authority.yaml.sample`) seeds the client with a confidential secret so Console can negotiate the code exchange on the backend while browsers execute the PKCE dance.
-
-### Console Authority endpoints
-
-- `/console/tenants` — Requires `authority:tenants.read`; returns the tenant catalogue for the authenticated principal. Requests lacking the `X-Stella-Tenant` header are rejected (`tenant_header_missing`) and logged.
-- `/console/profile` — Requires `ui.read`; exposes subject metadata (roles, scopes, audiences) and indicates whether the session is within the five-minute fresh-auth window.
-- `/console/token/introspect` — Requires `ui.read`; introspects the active access token so the SPA can prompt for re-authentication before privileged actions.
-
-All endpoints demand DPoP-bound tokens and propagate structured audit events (`authority.console.*`). Gateways must forward the `X-Stella-Tenant` header derived from the access token; downstream services rely on the same value for isolation. Keep Console access tokens short-lived (default 15 minutes) and enforce the fresh-auth window for admin actions (`ui.admin`, `authority:*`, `policy:activate`, `exceptions:approve`).
-- `status` (`valid`, `revoked`, `expired`), `createdAt`, optional `expiresAt`
-- `revokedAt`, machine-readable `revokedReason`, optional `revokedReasonDescription`
-- `revokedMetadata` (string dictionary for plugin-specific context)
-- **Persistence flow:** `PersistTokensHandler` stamps missing JWT IDs, normalises scopes, and stores every principal emitted by OpenIddict.
-- **Revocation flow:** `AuthorityTokenStore.UpdateStatusAsync` flips status, records the reason metadata, and is invoked by token revocation handlers and plugin provisioning events (e.g., disabling a user).
-- **Expiry maintenance:** `AuthorityTokenStore.DeleteExpiredAsync` prunes non-revoked tokens past their `expiresAt` timestamp. Operators should schedule this in maintenance windows if large volumes of tokens are issued.
-
-### Expectations for resource servers
-Resource servers (Concelier WebService, Backend, Agent) **must not** assume in-memory caches are authoritative. They should:
-
-- cache `/jwks` and `/revocations/export` responses within configured lifetimes;
-- honour `revokedReason` metadata when shaping audit trails;
-- treat `status != "valid"` or missing tokens as immediate denial conditions.
-- propagate the `tenant` claim (`X-Stella-Tenant` header in REST calls) and reject requests when the tenant supplied by Authority does not match the resource server's scope; Concelier and Excititor guard endpoints refuse cross-tenant tokens.
-
-### Tenant propagation
-
-- Client provisioning (bootstrap or plug-in) accepts a `tenant` hint. Authority normalises the value (`trim().ToLowerInvariant()`) and persists it alongside the registration. Clients without an explicit tenant remain global.
-- Issued principals include the `stellaops:tenant` claim. `PersistTokensHandler` mirrors this claim into `authority_tokens.tenant`, enabling per-tenant revocation and reporting.
-- Rate limiter metadata now tags requests with `authority.tenant`, unlocking per-tenant throughput metrics and diagnostic filters. Audit events (`authority.client_credentials.grant`, `authority.password.grant`, bootstrap flows) surface the tenant and login attempt documents index on `{tenant, occurredAt}` for quick queries.
-- Client credentials that request `advisory:ingest`, `advisory:read`, `vex:ingest`, `vex:read`, `signals:read`, `signals:write`, `signals:admin`, or `aoc:verify` now fail fast when the client registration lacks a tenant hint. Issued tokens are re-validated against persisted tenant metadata, and Authority rejects any cross-tenant replay (`invalid_client`/`invalid_token`), ensuring aggregation-only workloads remain tenant-scoped.
-- Client credentials that request `export.viewer`, `export.operator`, or `export.admin` must provide a tenant hint. Requests for `export.admin` also need accompanying `export_reason` and `export_ticket` parameters; Authority returns `invalid_request` when either value is missing and records the denial in token audit events.
-- Policy Studio scopes (`policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:audit`, `policy:simulate`, `policy:run`, `policy:activate`) require a tenant assignment; Authority rejects tokens missing the hint with `invalid_client` and records `scope.invalid` metadata for auditing.
-- **AOC pairing guardrails** – Tokens that request `advisory:read`, `vex:read`, or any `signals:*` scope must also request `aoc:verify`. Authority rejects mismatches with `invalid_scope` (`Scope 'aoc:verify' is required when requesting advisory/vex read scopes.` or `Scope 'aoc:verify' is required when requesting signals scopes.`) so automation surfaces deterministic errors.
-- **Signals ingestion guardrails** – Sensors and services requesting `signals:write`/`signals:admin` must also request `aoc:verify`; Authority records the `authority.aoc_scope_violation` tag when the pairing is missing so operators can trace failing sensors immediately.
-- Password grant flows reuse the client registration's tenant and enforce the configured scope allow-list. Requested scopes outside that list (or mismatched tenants) trigger `invalid_scope`/`invalid_client` failures, ensuring cross-tenant access is denied before token issuance.
-
-### Default service scopes
-
-| Client ID | Purpose | Scopes granted | Sender constraint | Tenant |
-|----------------------|---------------------------------------|--------------------------------------|-------------------|-----------------|
-| `concelier-ingest` | Concelier raw advisory ingestion | `advisory:ingest`, `advisory:read` | `dpop` | `tenant-default` |
-| `excitor-ingest` | Excititor raw VEX ingestion | `vex:ingest`, `vex:read` | `dpop` | `tenant-default` |
-| `aoc-verifier` | Aggregation-only contract verification | `aoc:verify`, `advisory:read`, `vex:read` | `dpop` | `tenant-default` |
-| `cartographer-service` | Graph snapshot construction | `graph:write`, `graph:read` | `dpop` | `tenant-default` |
-| `graph-api` | Graph Explorer gateway/API | `graph:read`, `graph:export`, `graph:simulate` | `dpop` | `tenant-default` |
-| `export-center-operator` | Export Center operator automation | `export.viewer`, `export.operator` | `dpop` | `tenant-default` |
-| `export-center-admin` | Export Center administrative automation | `export.viewer`, `export.operator`, `export.admin` | `dpop` | `tenant-default` |
-| `vuln-explorer-ui` | Vuln Explorer UI/API | `vuln:read` | `dpop` | `tenant-default` |
-| `signals-uploader` | Reachability sensor ingestion | `signals:write`, `signals:read`, `aoc:verify` | `dpop` | `tenant-default` |
-
-> **Secret hygiene (2025‑10‑27):** The repository includes a convenience `etc/authority.yaml` for compose/helm smoke tests. Every entry’s `secretFile` points to `etc/secrets/*.secret`, which ship with `*-change-me` placeholders—replace them with strong values (and wire them through your vault/secret manager) before issuing tokens in CI, staging, or production.
-
-For factory provisioning, issue sensors the **SignalsUploader** role template (`signals:write`, `signals:read`, `aoc:verify`). Authority rejects ingestion tokens that omit `aoc:verify`, preserving aggregation-only contract guarantees for reachability signals.
-
-These registrations are provided as examples in `etc/authority.yaml.sample`. Clone them per tenant (for example `concelier-tenant-a`, `concelier-tenant-b`) so tokens remain tenant-scoped by construction.
-
-Graph Explorer introduces dedicated scopes: `graph:write` for Cartographer build jobs, `graph:read` for query/read operations, `graph:export` for long-running export downloads, and `graph:simulate` for what-if overlays. Assign only the scopes a client actually needs to preserve least privilege—UI-facing clients should typically request read/export access, while background services (Cartographer, Scheduler) require write privileges.
-
-#### Least-privilege guidance for graph clients
-
-- **Service identities** – The Cartographer worker should request `graph:write` and `graph:read` only; grant `graph:simulate` exclusively to pipeline automation that invokes Policy Engine overlays on demand. Keep `graph:export` scoped to API gateway components responsible for streaming GraphML/JSONL artifacts. Authority enforces this by rejecting `graph:write` tokens that lack `properties.serviceIdentity: cartographer`.
-- **Tenant propagation** – Every client registration must pin a `tenant` hint. Authority normalises the value and stamps it into issued tokens (`stellaops:tenant`) so downstream services (Scheduler, Graph API, Console) can enforce tenant isolation without custom headers. Graph scopes (`graph:read`, `graph:write`, `graph:export`, `graph:simulate`) are denied if the tenant hint is missing.
-- **SDK alignment** – Use the generated `StellaOpsScopes` constants in service code to request graph scopes. Hard-coded strings risk falling out of sync as additional graph capabilities are added.
-- **DPOP for automation** – Maintain sender-constrained (`dpop`) flows for Cartographer and Scheduler to limit reuse of access tokens if a build host is compromised. For UI-facing tokens, pair `graph:read`/`graph:export` with short lifetimes and enforce refresh-token rotation at the gateway.
-
-#### Export Center scope guardrails
-
-- **Viewer vs operator** – `export.viewer` grants read-only access to export profiles, manifests, and bundles. Automation that schedules or reruns exports should request `export.operator` (and typically `export.viewer`). Tenant hints remain mandatory; Authority refuses tokens without them.
-- **Administrative mutations** – Changes to retention policies, encryption key references, or schedule defaults require `export.admin`. When requesting tokens with this scope, clients must supply `export_reason` and `export_ticket` parameters; Authority persists the values for audit records and rejects missing metadata with `invalid_request`.
-- **Operational hygiene** – Rotate `export.admin` credentials infrequently and run them through fresh-auth workflows where possible. Prefer distributing verification tooling with `export.viewer` tokens for day-to-day bundle validation.
-
-#### Vuln Explorer permalinks
-
-- **Scope** – `vuln:read` authorises Vuln Explorer to fetch advisory/linkset evidence and issue shareable links. Assign it only to front-end/API clients that must render vulnerability details.
-- **Signed links** – `POST /permalinks/vuln` (requires `vuln:read`) accepts `{ "tenant": "tenant-a", "resourceKind": "vulnerability", "state": { ... }, "expiresInSeconds": 86400 }` and returns a JWT (`token`) plus `issuedAt`/`expiresAt`. The token embeds the tenant, requested state, and `vuln:read` scope and is signed with the same Authority signing keys published via `/jwks`.
-- **Validation** – Resource servers verify the permalink using cached JWKS: check signature, ensure the tenant matches the current request context, honour the expiry, and enforce the contained `vuln:read` scope. The payload’s `resource.state` block is opaque JSON so UIs can round-trip filters/search terms without new schema changes.
-
-## 4. Revocation Pipeline
-Authority centralises revocation in `authority_revocations` with deterministic categories:
-
-| Category | Meaning | Required fields |
-| --- | --- | --- |
-| `token` | Specific OAuth token revoked early. | `revocationId` (token id), `tokenType`, optional `clientId`, `subjectId` |
-| `subject` | All tokens for a subject disabled. | `revocationId` (= subject id) |
-| `client` | OAuth client registration revoked. | `revocationId` (= client id) |
-| `key` | Signing/JWE key withdrawn. | `revocationId` (= key id) |
-
-`RevocationBundleBuilder` flattens Mongo documents into canonical JSON, sorts entries by (`category`, `revocationId`, `revokedAt`), and signs exports using detached JWS (RFC 7797) with cosign-compatible headers.
-
-**Export surfaces** (deterministic output, suitable for Offline Kit):
-
-- CLI: `stella auth revoke export --output ./out` writes `revocation-bundle.json`, `.jws`, `.sha256`.
-- Verification: `stella auth revoke verify --bundle --signature --key ` validates detached JWS signatures before distribution, selecting the crypto provider advertised in the detached header (see `docs/security/revocation-bundle.md`).
-- API: `GET /internal/revocations/export` (requires bootstrap API key) returns the same payload.
-- Verification: `stella auth revoke verify` validates schema, digest, and detached JWS using cached JWKS or offline keys, automatically preferring the hinted provider (libsodium builds honour `provider=libsodium`; other builds fall back to the managed provider).
-
-**Consumer guidance:**
-
-1. Mirror `revocation-bundle.json*` alongside Concelier exports. Offline agents fetch both over the existing update channel.
-2. Use bundle `sequence` and `bundleId` to detect replay or monotonicity regressions. Ignore bundles with older sequence numbers unless `bundleId` changes and `issuedAt` advances.
-3. Treat `revokedReason` taxonomy as machine-friendly codes (`compromised`, `rotation`, `policy`, `lifecycle`). Translating to human-readable logs is the consumer’s responsibility.
-
-## 5. Signing Keys & JWKS Rotation
-Authority signs revocation bundles and publishes JWKS entries via the new signing manager:
-
-- **Configuration (`authority.yaml`):**
- ```yaml
- signing:
- enabled: true
- algorithm: ES256 # Defaults to ES256
- keySource: file # Loader identifier (file, vault, etc.)
- provider: default # Optional preferred crypto provider
- activeKeyId: authority-signing-dev
- keyPath: "../certificates/authority-signing-dev.pem"
- additionalKeys:
- - keyId: authority-signing-dev-2024
- path: "../certificates/authority-signing-dev-2024.pem"
- source: "file"
- ```
-- **Sources:** The default loader supports PEM files relative to the content root; additional loaders can be registered via `IAuthoritySigningKeySource`.
-- **Providers:** Keys are registered against the `ICryptoProviderRegistry`, so alternative implementations (HSM, libsodium) can be plugged in without changing host code.
-- **OpenAPI discovery:** `GET /.well-known/openapi` returns the published authentication contract (JSON by default, YAML when requested). Responses include `X-StellaOps-Service`, `X-StellaOps-Api-Version`, `X-StellaOps-Build-Version`, plus grant and scope headers, and honour conditional requests via `ETag`/`If-None-Match`.
-- **JWKS output:** `GET /jwks` lists every signing key with `status` metadata (`active`, `retired`). Old keys remain until operators remove them from configuration, allowing verification of historical bundles/tokens.
-
-### Rotation SOP (no downtime)
-1. Generate a new P-256 private key (PEM) on an offline workstation and place it where the Authority host can read it (e.g., `../certificates/authority-signing-2025.pem`).
-2. Call the authenticated admin API:
- ```bash
- curl -sS -X POST https://authority.example.com/internal/signing/rotate \
- -H "x-stellaops-bootstrap-key: ${BOOTSTRAP_KEY}" \
- -H "Content-Type: application/json" \
- -d '{
- "keyId": "authority-signing-2025",
- "location": "../certificates/authority-signing-2025.pem",
- "source": "file"
- }'
- ```
-3. Verify the response reports the previous key as retired and fetch `/jwks` to confirm the new `kid` appears with `status: "active"`.
-4. Persist the old key path in `signing.additionalKeys` (the rotation API updates in-memory options; rewrite the YAML to match so restarts remain consistent).
-5. If you prefer automation, trigger the `.gitea/workflows/authority-key-rotation.yml` workflow with the new `keyId`/`keyPath`; it wraps `ops/authority/key-rotation.sh` and reads environment-specific secrets. The older key will be marked `retired` and appended to `signing.additionalKeys`.
-6. Re-run `stella auth revoke export` so revocation bundles are signed with the new key. Downstream caches should refresh JWKS within their configured lifetime (`StellaOpsAuthorityOptions.Signing` + client cache tolerance).
-
-The rotation API leverages the same cryptography abstractions as revocation signing; no restart is required and the previous key is marked `retired` but kept available for verification.
-
-## 6. Bootstrap & Administrative Endpoints
-Administrative APIs live under `/internal/*` and require the bootstrap API key plus rate-limiter compliance.
-
-| Endpoint | Method | Description |
-| --- | --- | --- |
-| `/internal/users` | `POST` | Provision initial administrative accounts through the registered password-capable plug-in. Emits structured audit events. |
-| `/internal/clients` | `POST` | Provision OAuth clients (client credentials / device code). |
-| `/internal/revocations/export` | `GET` | Export revocation bundle + detached JWS + digest. |
-| `/internal/signing/rotate` | `POST` | Promote a new signing key (see SOP above). Request body accepts `keyId`, `location`, optional `source`, `algorithm`, `provider`, and metadata. |
-
-All administrative calls emit `AuthEventRecord` entries enriched with correlation IDs, PII tags, and network metadata for offline SOC ingestion.
-
-> **Tenant hint:** include a `tenant` entry inside `properties` when bootstrapping clients. Authority normalises the value, stores it on the registration, and stamps future tokens/audit events with the tenant.
-
-### Bootstrap client example
-
-```jsonc
-POST /internal/clients
-{
- "clientId": "concelier",
- "confidential": true,
- "displayName": "Concelier Backend",
- "allowedGrantTypes": ["client_credentials"],
- "allowedScopes": ["concelier.jobs.trigger", "advisory:ingest", "advisory:read"],
- "properties": {
- "tenant": "tenant-default"
- }
-}
-```
-
-For environments with multiple tenants, repeat the call per tenant-specific client (e.g. `concelier-tenant-a`, `concelier-tenant-b`) or append suffixes to the client identifier.
-
-### Aggregation-only verification tokens
-
-- Issue a dedicated client (e.g. `aoc-verifier`) with the scopes `aoc:verify`, `advisory:read`, and `vex:read` for each tenant that runs guard checks. Authority refuses to mint tokens for these scopes unless the client registration provides a tenant hint.
-- The CLI (`stella aoc verify --tenant `) and Console verification panel both call `/aoc/verify` on Concelier and Excititor. Tokens that omit the tenant claim or present a tenant that does not match the stored registration are rejected with `invalid_client`/`invalid_token`.
-- Audit: `authority.client_credentials.grant` entries record `scope.invalid="aoc:verify"` when requests are rejected because the tenant hint is missing or mismatched.
-
-### Exception approvals & routing
-
-- New scopes `exceptions:read`, `exceptions:write`, and `exceptions:approve` govern access to the exception lifecycle. Map these via tenant roles (`exceptions-service`, `exceptions-approver`) as described in `/docs/security/authority-scopes.md`.
-- Configure approval routing in `authority.yaml` with declarative templates. Each template exposes an `authorityRouteId` for downstream services (Policy Engine, Console) and an optional `requireMfa` flag:
-
-```yaml
-exceptions:
- routingTemplates:
- - id: "secops"
- authorityRouteId: "approvals/secops"
- requireMfa: true
- description: "Security Operations approval chain"
- - id: "governance"
- authorityRouteId: "approvals/governance"
- requireMfa: false
- description: "Non-production waiver review"
-```
-
-- Clients requesting exception scopes must include a tenant assignment. Authority rejects client-credential flows that request `exceptions:*` with `invalid_client` and logs `scope.invalid="exceptions:write"` (or the requested scope) in `authority.client_credentials.grant` audit events when the tenant hint is missing.
-- When any configured routing template sets `requireMfa: true`, user-facing tokens that contain `exceptions:approve` must be acquired through an MFA-capable identity provider. Password/OIDC flows that lack MFA support are rejected with `authority.password.grant` audit events where `reason="Exception approval scope requires an MFA-capable identity provider."`
-- Update interactive clients (Console) to request `exceptions:read` by default and elevate to `exceptions:approve` only inside fresh-auth workflows for approvers. Documented examples live in `etc/authority.yaml.sample`.
-- Verification responses map guard failures to `ERR_AOC_00x` codes and Authority emits `authority.client_credentials.grant` + `authority.token.validate_access` audit records containing the tenant and scopes so operators can trace who executed a run.
-- For air-gapped or offline replicas, pre-issue verification tokens per tenant and rotate them alongside ingest credentials; the guard endpoints never mutate data and remain safe to expose through the offline kit schedule.
-
-## 7. Configuration Reference
-
-| Section | Key | Description | Notes |
-| --- | --- | --- | --- |
-| Root | `issuer` | Absolute HTTPS issuer advertised to clients. | Required. Loopback HTTP allowed only for development. |
-| Tokens | `accessTokenLifetime`, `refreshTokenLifetime`, etc. | Lifetimes for each grant (access, refresh, device, authorization code, identity). | Enforced during issuance; persisted on each token document. |
-| Storage | `storage.connectionString` | MongoDB connection string. | Required even for tests; offline kits ship snapshots for seeding. |
-| Signing | `signing.enabled` | Enable JWKS/revocation signing. | Disable only for development. |
-| Signing | `signing.algorithm` | Signing algorithm identifier. | Currently ES256; additional curves can be wired through crypto providers. |
-| Signing | `signing.keySource` | Loader identifier (`file`, `vault`, custom). | Determines which `IAuthoritySigningKeySource` resolves keys. |
-| Signing | `signing.keyPath` | Relative/absolute path understood by the loader. | Stored as-is; rotation request should keep it in sync with filesystem layout. |
-| Signing | `signing.activeKeyId` | Active JWKS / revocation signing key id. | Exposed as `kid` in JWKS and bundles. |
-| Signing | `signing.additionalKeys[].keyId` | Retired key identifier retained for verification. | Manager updates this automatically after rotation; keep YAML aligned. |
-| Signing | `signing.additionalKeys[].source` | Loader identifier per retired key. | Defaults to `signing.keySource` if omitted. |
-| Security | `security.rateLimiting` | Fixed-window limits for `/token`, `/authorize`, `/internal/*`. | See `docs/security/rate-limits.md` for tuning. |
-| Bootstrap | `bootstrap.apiKey` | Shared secret required for `/internal/*`. | Only required when `bootstrap.enabled` is true. |
-
-### 7.1 Sender-constrained clients (DPoP & mTLS)
-
-Authority now understands two flavours of sender-constrained OAuth clients:
-
-- **DPoP proof-of-possession** – clients sign a `DPoP` header for `/token` requests. Authority validates the JWK thumbprint, HTTP method/URI, and replay window, then stamps the resulting access token with `cnf.jkt` so downstream services can verify the same key is reused.
- - Configure under `security.senderConstraints.dpop`. `allowedAlgorithms`, `proofLifetime`, and `replayWindow` are enforced at validation time.
- - `security.senderConstraints.dpop.nonce.enabled` enables nonce challenges for high-value audiences (`requiredAudiences`, normalised to case-insensitive strings). When a nonce is required but missing or expired, `/token` replies with `WWW-Authenticate: DPoP error="use_dpop_nonce"` (and, when available, a fresh `DPoP-Nonce` header). Clients must retry with the issued nonce embedded in the proof.
- - `security.senderConstraints.dpop.nonce.store` selects `memory` (default) or `redis`. When `redis` is configured, set `security.senderConstraints.dpop.nonce.redisConnectionString` so replicas share nonce issuance and high-value clients avoid replay gaps during failover.
- - Example (enabling Redis-backed nonces; adjust audiences per deployment):
- ```yaml
- security:
- senderConstraints:
- dpop:
- enabled: true
- proofLifetime: "00:02:00"
- replayWindow: "00:05:00"
- allowedAlgorithms: [ "ES256", "ES384" ]
- nonce:
- enabled: true
- ttl: "00:10:00"
- maxIssuancePerMinute: 120
- store: "redis"
- redisConnectionString: "redis://authority-redis:6379?ssl=false"
- requiredAudiences:
- - "signer"
- - "attestor"
- ```
- Operators can override any field via environment variables (e.g. `STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__DPOP__NONCE__STORE=redis`).
- - Declare client `audiences` in bootstrap manifests or plug-in provisioning metadata; Authority now defaults the token `aud` claim and `resource` indicator from this list, which is also used to trigger nonce enforcement for audiences such as `signer` and `attestor`.
-- **Mutual TLS clients** – client registrations may declare an mTLS binding (`senderConstraint: mtls`). When enabled via `security.senderConstraints.mtls`, Authority validates the presented client certificate against stored bindings (`certificateBindings[]`), optional chain verification, and timing windows. Successful requests embed `cnf.x5t#S256` into the access token (and introspection output) so resource servers can enforce the certificate thumbprint.
- - `security.senderConstraints.mtls.enforceForAudiences` forces mTLS whenever the requested `aud`/`resource` (or the client's configured audiences) intersect the configured allow-list (default includes `signer`). Clients configured for different sender constraints are rejected early so operator policy remains consistent.
- - Certificate bindings now act as an allow-list: Authority verifies thumbprint, subject, issuer, serial number, and any declared SAN values against the presented certificate, with rotation grace windows applied to `notBefore/notAfter`. Operators can enforce subject regexes, SAN type allow-lists (`dns`, `uri`, `ip`), trusted certificate authorities, and rotation grace via `security.senderConstraints.mtls.*`.
-
-Both modes persist additional metadata in `authority_tokens`: `senderConstraint` records the enforced policy, while `senderKeyThumbprint` stores the DPoP JWK thumbprint or mTLS certificate hash captured at issuance. Downstream services can rely on these fields (and the corresponding `cnf` claim) when auditing offline copies of the token store.
-
-### 7.2 Policy Engine clients & scopes
-
-Policy Engine v2 introduces dedicated scopes and a service identity that materialises effective findings. Configure Authority as follows when provisioning policy clients:
-
-| Client | Scopes | Notes |
-| --- | --- | --- |
-| `policy-engine` (service) | `policy:run`, `findings:read`, `effective:write` | Must include `properties.serviceIdentity: policy-engine` and a tenant. Authority rejects `effective:write` tokens without the marker or tenant. |
-| `policy-cli` / automation | `policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read` *(optionally add `policy:approve` / `policy:operate` / `policy:activate` for promotion pipelines)* | Keep scopes minimal; reroll CLI/CI tokens issued before 2025‑10‑27 so they drop legacy scope names and adopt the new set. |
-| UI/editor sessions | `policy:read`, `policy:author`, `policy:simulate` (+ reviewer/approver/operator scopes as appropriate) | Issue tenant-specific clients so audit and rate limits remain scoped. |
-
-Sample YAML entry:
-
-```yaml
- - clientId: "policy-engine"
- displayName: "Policy Engine Service"
- grantTypes: [ "client_credentials" ]
- audiences: [ "api://policy-engine" ]
- scopes: [ "policy:run", "findings:read", "effective:write" ]
- tenant: "tenant-default"
- properties:
- serviceIdentity: "policy-engine"
- senderConstraint: "dpop"
- auth:
- type: "client_secret"
- secretFile: "../secrets/policy-engine.secret"
-```
-
-Compliance checklist:
-
-- [ ] `policy-engine` client includes `properties.serviceIdentity: policy-engine` and a tenant hint; logins missing either are rejected.
-- [ ] Non-service clients omit `effective:write` and receive only the scopes required for their role (`policy:read`, `policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:simulate`, etc.).
-- [ ] Legacy tokens using `policy:write`/`policy:submit`/`policy:edit` are rotated to the new scope set before Production change freeze (see release migration note below).
-- [ ] Approval/activation workflows use identities distinct from authoring identities; tenants are provisioned per client to keep telemetry segregated.
-- [ ] Operators document reviewer assignments and incident procedures alongside `/docs/security/policy-governance.md` and archive policy evidence bundles (`stella policy bundle export`) with each release.
-
-### 7.3 Orchestrator roles & scopes
-
-| Role / Client | Scopes | Notes |
-| --- | --- | --- |
-| `Orch.Viewer` role | `orch:read` | Read-only access to Orchestrator dashboards, queues, and telemetry. |
-| `Orch.Operator` role | `orch:read`, `orch:operate` | Issue short-lived tokens for control actions (pause/resume, retry, sync). Token requests **must** include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority rejects requests missing either value and records both in audit events. |
-
-Token request example via client credentials:
-
-```bash
-curl -u orch-operator:s3cr3t! \
- -d 'grant_type=client_credentials' \
- -d 'scope=orch:operate' \
- -d 'operator_reason=resume source after maintenance' \
- -d 'operator_ticket=INC-2045' \
- https://authority.example.com/token
-```
-
-Tokens lacking `operator_reason` or `operator_ticket` receive `invalid_request`; audit events (`authority.client_credentials.grant`) surface the supplied values under `request.reason` and `request.ticket` for downstream review.
-CLI clients set these parameters via `Authority.OperatorReason` / `Authority.OperatorTicket` (environment variables `STELLAOPS_ORCH_REASON` and `STELLAOPS_ORCH_TICKET`).
-
-## 8. Offline & Sovereign Operation
-- **No outbound dependencies:** Authority only contacts MongoDB and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use.
-- **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity.
-- **Determinism:** Sorting rules in token and revocation exports guarantee byte-for-byte identical artefacts given the same datastore state. Hashes and signatures remain stable across machines.
-
-## 9. Operational Checklist
-- [ ] Protect the bootstrap API key and disable bootstrap endpoints (`bootstrap.enabled: false`) once initial setup is complete.
-- [ ] Schedule `stella auth revoke export` (or `/internal/revocations/export`) at the same cadence as Concelier exports so bundles remain in lockstep.
-- [ ] Rotate signing keys before expiration; keep at least one retired key until all cached bundles/tokens signed with it have expired.
-- [ ] Monitor `/health` and `/ready` plus rate-limiter metrics to detect plugin outages early.
-- [ ] Ensure downstream services cache JWKS and revocation bundles within tolerances; stale caches risk accepting revoked tokens.
-
-For plug-in specific requirements, refer to **[Authority Plug-in Developer Guide](dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md)**. For revocation bundle validation workflow, see **[Authority Revocation Bundle](security/revocation-bundle.md)**.
+# StellaOps Authority Service
+
+> **Status:** Drafted 2025-10-12 (CORE5B.DOC / DOC1.AUTH) – aligns with Authority revocation store, JWKS rotation, and bootstrap endpoints delivered in Sprint 1.
+
+## 1. Purpose
+The **StellaOps Authority** service issues OAuth2/OIDC tokens for every StellaOps module (Concelier, Backend, Agent, Zastava) and exposes the policy controls required in sovereign/offline environments. Authority is built as a minimal ASP.NET host that:
+
+- brokers password, client-credentials, and device-code flows through pluggable identity providers;
+- persists access/refresh/device tokens in MongoDB with deterministic schemas for replay analysis and air-gapped audit copies;
+- distributes revocation bundles and JWKS material so downstream services can enforce lockouts without direct database access;
+- offers bootstrap APIs for first-run provisioning and key rotation without redeploying binaries.
+
+Authority is deployed alongside Concelier in air-gapped environments and never requires outbound internet access. All trusted metadata (OpenIddict discovery, JWKS, revocation bundles) is cacheable, signed, and reproducible.
+
+## 2. Component Architecture
+Authority is composed of five cooperating subsystems:
+
+1. **Minimal API host** – configures OpenIddict endpoints (`/token`, `/authorize`, `/revoke`, `/jwks`), publishes the OpenAPI contract at `/.well-known/openapi`, and enables structured logging/telemetry. Rate limiting hooks (`AuthorityRateLimiter`) wrap every request.
+2. **Plugin host** – loads `StellaOps.Authority.Plugin.*.dll` assemblies, applies capability metadata, and exposes password/client provisioning surfaces through dependency injection.
+3. **Mongo storage** – persists tokens, revocations, bootstrap invites, and plugin state in deterministic collections indexed for offline sync (`authority_tokens`, `authority_revocations`, etc.).
+4. **Cryptography layer** – `StellaOps.Cryptography` abstractions manage password hashing, signing keys, JWKS export, and detached JWS generation.
+5. **Offline ops APIs** – internal endpoints under `/internal/*` provide administrative flows (bootstrap users/clients, revocation export) guarded by API keys and deterministic audit events.
+
+A high-level sequence for password logins:
+
+```
+Client -> /token (password grant)
+ -> Rate limiter & audit hooks
+ -> Plugin credential store (Argon2id verification)
+ -> Token persistence (Mongo authority_tokens)
+ -> Response (access/refresh tokens + deterministic claims)
+```
+
+## 3. Token Lifecycle & Persistence
+Authority persists every issued token in MongoDB so operators can audit or revoke without scanning distributed caches.
+
+- **Collection:** `authority_tokens`
+- **Key fields:**
+- `tokenId`, `type` (`access_token`, `refresh_token`, `device_code`, `authorization_code`)
+- `subjectId`, `clientId`, ordered `scope` array
+- `tenant` (lower-cased tenant hint from the issuing client, omitted for global clients)
+
+### Console OIDC client
+
+- **Client ID**: `console-web`
+- **Grants**: `authorization_code` (PKCE required), `refresh_token`
+- **Audience**: `console`
+- **Scopes**: `openid`, `profile`, `email`, `advisory:read`, `vex:read`, `aoc:verify`, `findings:read`, `orch:read`, `vuln:read`
+- **Redirect URIs** (defaults): `https://console.stella-ops.local/oidc/callback`
+- **Post-logout redirect**: `https://console.stella-ops.local/`
+- **Tokens**: Access tokens inherit the global 2 minute lifetime; refresh tokens remain short-lived (30 days) and can be exchanged silently via `/token`.
+- **Roles**: Assign Authority role `Orch.Viewer` (exposed to tenants as `role/orch-viewer`) when operators need read-only access to Orchestrator telemetry via Console dashboards. Policy Studio ships dedicated roles (`role/policy-author`, `role/policy-reviewer`, `role/policy-approver`, `role/policy-operator`, `role/policy-auditor`) that align with the new `policy:*` scope family; issue them per tenant so audit trails remain scoped.
+
+Configuration sample (`etc/authority.yaml.sample`) seeds the client with a confidential secret so Console can negotiate the code exchange on the backend while browsers execute the PKCE dance.
+
+### Console Authority endpoints
+
+- `/console/tenants` — Requires `authority:tenants.read`; returns the tenant catalogue for the authenticated principal. Requests lacking the `X-Stella-Tenant` header are rejected (`tenant_header_missing`) and logged.
+- `/console/profile` — Requires `ui.read`; exposes subject metadata (roles, scopes, audiences) and indicates whether the session is within the five-minute fresh-auth window.
+- `/console/token/introspect` — Requires `ui.read`; introspects the active access token so the SPA can prompt for re-authentication before privileged actions.
+
+All endpoints demand DPoP-bound tokens and propagate structured audit events (`authority.console.*`). Gateways must forward the `X-Stella-Tenant` header derived from the access token; downstream services rely on the same value for isolation. Keep Console access tokens short-lived (default 15 minutes) and enforce the fresh-auth window for admin actions (`ui.admin`, `authority:*`, `policy:activate`, `exceptions:approve`).
+- `status` (`valid`, `revoked`, `expired`), `createdAt`, optional `expiresAt`
+- `revokedAt`, machine-readable `revokedReason`, optional `revokedReasonDescription`
+- `revokedMetadata` (string dictionary for plugin-specific context)
+- **Persistence flow:** `PersistTokensHandler` stamps missing JWT IDs, normalises scopes, and stores every principal emitted by OpenIddict.
+- **Revocation flow:** `AuthorityTokenStore.UpdateStatusAsync` flips status, records the reason metadata, and is invoked by token revocation handlers and plugin provisioning events (e.g., disabling a user).
+- **Expiry maintenance:** `AuthorityTokenStore.DeleteExpiredAsync` prunes non-revoked tokens past their `expiresAt` timestamp. Operators should schedule this in maintenance windows if large volumes of tokens are issued.
+
+### Expectations for resource servers
+Resource servers (Concelier WebService, Backend, Agent) **must not** assume in-memory caches are authoritative. They should:
+
+- cache `/jwks` and `/revocations/export` responses within configured lifetimes;
+- honour `revokedReason` metadata when shaping audit trails;
+- treat `status != "valid"` or missing tokens as immediate denial conditions.
+- propagate the `tenant` claim (`X-Stella-Tenant` header in REST calls) and reject requests when the tenant supplied by Authority does not match the resource server's scope; Concelier and Excititor guard endpoints refuse cross-tenant tokens.
+
+### Tenant propagation
+
+- Client provisioning (bootstrap or plug-in) accepts a `tenant` hint. Authority normalises the value (`trim().ToLowerInvariant()`) and persists it alongside the registration. Clients without an explicit tenant remain global.
+- Issued principals include the `stellaops:tenant` claim. `PersistTokensHandler` mirrors this claim into `authority_tokens.tenant`, enabling per-tenant revocation and reporting.
+- Rate limiter metadata now tags requests with `authority.tenant`, unlocking per-tenant throughput metrics and diagnostic filters. Audit events (`authority.client_credentials.grant`, `authority.password.grant`, bootstrap flows) surface the tenant and login attempt documents index on `{tenant, occurredAt}` for quick queries.
+- Client credentials that request `advisory:ingest`, `advisory:read`, `vex:ingest`, `vex:read`, `signals:read`, `signals:write`, `signals:admin`, or `aoc:verify` now fail fast when the client registration lacks a tenant hint. Issued tokens are re-validated against persisted tenant metadata, and Authority rejects any cross-tenant replay (`invalid_client`/`invalid_token`), ensuring aggregation-only workloads remain tenant-scoped.
+- Client credentials that request `export.viewer`, `export.operator`, or `export.admin` must provide a tenant hint. Requests for `export.admin` also need accompanying `export_reason` and `export_ticket` parameters; Authority returns `invalid_request` when either value is missing and records the denial in token audit events.
+- Policy Studio scopes (`policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:audit`, `policy:simulate`, `policy:run`, `policy:activate`) require a tenant assignment; Authority rejects tokens missing the hint with `invalid_client` and records `scope.invalid` metadata for auditing.
+- **AOC pairing guardrails** – Tokens that request `advisory:read`, `vex:read`, or any `signals:*` scope must also request `aoc:verify`. Authority rejects mismatches with `invalid_scope` (`Scope 'aoc:verify' is required when requesting advisory/vex read scopes.` or `Scope 'aoc:verify' is required when requesting signals scopes.`) so automation surfaces deterministic errors.
+- **Signals ingestion guardrails** – Sensors and services requesting `signals:write`/`signals:admin` must also request `aoc:verify`; Authority records the `authority.aoc_scope_violation` tag when the pairing is missing so operators can trace failing sensors immediately.
+- Password grant flows reuse the client registration's tenant and enforce the configured scope allow-list. Requested scopes outside that list (or mismatched tenants) trigger `invalid_scope`/`invalid_client` failures, ensuring cross-tenant access is denied before token issuance.
+
+### Default service scopes
+
+| Client ID | Purpose | Scopes granted | Sender constraint | Tenant |
+|----------------------|---------------------------------------|--------------------------------------|-------------------|-----------------|
+| `concelier-ingest` | Concelier raw advisory ingestion | `advisory:ingest`, `advisory:read` | `dpop` | `tenant-default` |
+| `excitor-ingest` | Excititor raw VEX ingestion | `vex:ingest`, `vex:read` | `dpop` | `tenant-default` |
+| `aoc-verifier` | Aggregation-only contract verification | `aoc:verify`, `advisory:read`, `vex:read` | `dpop` | `tenant-default` |
+| `cartographer-service` | Graph snapshot construction | `graph:write`, `graph:read` | `dpop` | `tenant-default` |
+| `graph-api` | Graph Explorer gateway/API | `graph:read`, `graph:export`, `graph:simulate` | `dpop` | `tenant-default` |
+| `export-center-operator` | Export Center operator automation | `export.viewer`, `export.operator` | `dpop` | `tenant-default` |
+| `export-center-admin` | Export Center administrative automation | `export.viewer`, `export.operator`, `export.admin` | `dpop` | `tenant-default` |
+| `vuln-explorer-ui` | Vuln Explorer UI/API | `vuln:read` | `dpop` | `tenant-default` |
+| `signals-uploader` | Reachability sensor ingestion | `signals:write`, `signals:read`, `aoc:verify` | `dpop` | `tenant-default` |
+
+> **Secret hygiene (2025‑10‑27):** The repository includes a convenience `etc/authority.yaml` for compose/helm smoke tests. Every entry’s `secretFile` points to `etc/secrets/*.secret`, which ship with `*-change-me` placeholders—replace them with strong values (and wire them through your vault/secret manager) before issuing tokens in CI, staging, or production.
+
+For factory provisioning, issue sensors the **SignalsUploader** role template (`signals:write`, `signals:read`, `aoc:verify`). Authority rejects ingestion tokens that omit `aoc:verify`, preserving aggregation-only contract guarantees for reachability signals.
+
+These registrations are provided as examples in `etc/authority.yaml.sample`. Clone them per tenant (for example `concelier-tenant-a`, `concelier-tenant-b`) so tokens remain tenant-scoped by construction.
+
+Graph Explorer introduces dedicated scopes: `graph:write` for Cartographer build jobs, `graph:read` for query/read operations, `graph:export` for long-running export downloads, and `graph:simulate` for what-if overlays. Assign only the scopes a client actually needs to preserve least privilege—UI-facing clients should typically request read/export access, while background services (Cartographer, Scheduler) require write privileges.
+
+#### Least-privilege guidance for graph clients
+
+- **Service identities** – The Cartographer worker should request `graph:write` and `graph:read` only; grant `graph:simulate` exclusively to pipeline automation that invokes Policy Engine overlays on demand. Keep `graph:export` scoped to API gateway components responsible for streaming GraphML/JSONL artifacts. Authority enforces this by rejecting `graph:write` tokens that lack `properties.serviceIdentity: cartographer`.
+- **Tenant propagation** – Every client registration must pin a `tenant` hint. Authority normalises the value and stamps it into issued tokens (`stellaops:tenant`) so downstream services (Scheduler, Graph API, Console) can enforce tenant isolation without custom headers. Graph scopes (`graph:read`, `graph:write`, `graph:export`, `graph:simulate`) are denied if the tenant hint is missing.
+- **SDK alignment** – Use the generated `StellaOpsScopes` constants in service code to request graph scopes. Hard-coded strings risk falling out of sync as additional graph capabilities are added.
+- **DPOP for automation** – Maintain sender-constrained (`dpop`) flows for Cartographer and Scheduler to limit reuse of access tokens if a build host is compromised. For UI-facing tokens, pair `graph:read`/`graph:export` with short lifetimes and enforce refresh-token rotation at the gateway.
+
+#### Export Center scope guardrails
+
+- **Viewer vs operator** – `export.viewer` grants read-only access to export profiles, manifests, and bundles. Automation that schedules or reruns exports should request `export.operator` (and typically `export.viewer`). Tenant hints remain mandatory; Authority refuses tokens without them.
+- **Administrative mutations** – Changes to retention policies, encryption key references, or schedule defaults require `export.admin`. When requesting tokens with this scope, clients must supply `export_reason` and `export_ticket` parameters; Authority persists the values for audit records and rejects missing metadata with `invalid_request`.
+- **Operational hygiene** – Rotate `export.admin` credentials infrequently and run them through fresh-auth workflows where possible. Prefer distributing verification tooling with `export.viewer` tokens for day-to-day bundle validation.
+
+#### Vuln Explorer permalinks
+
+- **Scope** – `vuln:read` authorises Vuln Explorer to fetch advisory/linkset evidence and issue shareable links. Assign it only to front-end/API clients that must render vulnerability details.
+- **Signed links** – `POST /permalinks/vuln` (requires `vuln:read`) accepts `{ "tenant": "tenant-a", "resourceKind": "vulnerability", "state": { ... }, "expiresInSeconds": 86400 }` and returns a JWT (`token`) plus `issuedAt`/`expiresAt`. The token embeds the tenant, requested state, and `vuln:read` scope and is signed with the same Authority signing keys published via `/jwks`.
+- **Validation** – Resource servers verify the permalink using cached JWKS: check signature, ensure the tenant matches the current request context, honour the expiry, and enforce the contained `vuln:read` scope. The payload’s `resource.state` block is opaque JSON so UIs can round-trip filters/search terms without new schema changes.
+
+## 4. Revocation Pipeline
+Authority centralises revocation in `authority_revocations` with deterministic categories:
+
+| Category | Meaning | Required fields |
+| --- | --- | --- |
+| `token` | Specific OAuth token revoked early. | `revocationId` (token id), `tokenType`, optional `clientId`, `subjectId` |
+| `subject` | All tokens for a subject disabled. | `revocationId` (= subject id) |
+| `client` | OAuth client registration revoked. | `revocationId` (= client id) |
+| `key` | Signing/JWE key withdrawn. | `revocationId` (= key id) |
+
+`RevocationBundleBuilder` flattens Mongo documents into canonical JSON, sorts entries by (`category`, `revocationId`, `revokedAt`), and signs exports using detached JWS (RFC 7797) with cosign-compatible headers.
+
+**Export surfaces** (deterministic output, suitable for Offline Kit):
+
+- CLI: `stella auth revoke export --output ./out` writes `revocation-bundle.json`, `.jws`, `.sha256`.
+- Verification: `stella auth revoke verify --bundle --signature --key ` validates detached JWS signatures before distribution, selecting the crypto provider advertised in the detached header (see `docs/security/revocation-bundle.md`).
+- API: `GET /internal/revocations/export` (requires bootstrap API key) returns the same payload.
+- Verification: `stella auth revoke verify` validates schema, digest, and detached JWS using cached JWKS or offline keys, automatically preferring the hinted provider (libsodium builds honour `provider=libsodium`; other builds fall back to the managed provider).
+
+**Consumer guidance:**
+
+1. Mirror `revocation-bundle.json*` alongside Concelier exports. Offline agents fetch both over the existing update channel.
+2. Use bundle `sequence` and `bundleId` to detect replay or monotonicity regressions. Ignore bundles with older sequence numbers unless `bundleId` changes and `issuedAt` advances.
+3. Treat `revokedReason` taxonomy as machine-friendly codes (`compromised`, `rotation`, `policy`, `lifecycle`). Translating to human-readable logs is the consumer’s responsibility.
+
+## 5. Signing Keys & JWKS Rotation
+Authority signs revocation bundles and publishes JWKS entries via the new signing manager:
+
+- **Configuration (`authority.yaml`):**
+ ```yaml
+ signing:
+ enabled: true
+ algorithm: ES256 # Defaults to ES256
+ keySource: file # Loader identifier (file, vault, etc.)
+ provider: default # Optional preferred crypto provider
+ activeKeyId: authority-signing-dev
+ keyPath: "../certificates/authority-signing-dev.pem"
+ additionalKeys:
+ - keyId: authority-signing-dev-2024
+ path: "../certificates/authority-signing-dev-2024.pem"
+ source: "file"
+ ```
+- **Sources:** The default loader supports PEM files relative to the content root; additional loaders can be registered via `IAuthoritySigningKeySource`.
+- **Providers:** Keys are registered against the `ICryptoProviderRegistry`, so alternative implementations (HSM, libsodium) can be plugged in without changing host code.
+- **OpenAPI discovery:** `GET /.well-known/openapi` returns the published authentication contract (JSON by default, YAML when requested). Responses include `X-StellaOps-Service`, `X-StellaOps-Api-Version`, `X-StellaOps-Build-Version`, plus grant and scope headers, and honour conditional requests via `ETag`/`If-None-Match`.
+- **JWKS output:** `GET /jwks` lists every signing key with `status` metadata (`active`, `retired`). Old keys remain until operators remove them from configuration, allowing verification of historical bundles/tokens.
+
+### Rotation SOP (no downtime)
+1. Generate a new P-256 private key (PEM) on an offline workstation and place it where the Authority host can read it (e.g., `../certificates/authority-signing-2025.pem`).
+2. Call the authenticated admin API:
+ ```bash
+ curl -sS -X POST https://authority.example.com/internal/signing/rotate \
+ -H "x-stellaops-bootstrap-key: ${BOOTSTRAP_KEY}" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "keyId": "authority-signing-2025",
+ "location": "../certificates/authority-signing-2025.pem",
+ "source": "file"
+ }'
+ ```
+3. Verify the response reports the previous key as retired and fetch `/jwks` to confirm the new `kid` appears with `status: "active"`.
+4. Persist the old key path in `signing.additionalKeys` (the rotation API updates in-memory options; rewrite the YAML to match so restarts remain consistent).
+5. If you prefer automation, trigger the `.gitea/workflows/authority-key-rotation.yml` workflow with the new `keyId`/`keyPath`; it wraps `ops/authority/key-rotation.sh` and reads environment-specific secrets. The older key will be marked `retired` and appended to `signing.additionalKeys`.
+6. Re-run `stella auth revoke export` so revocation bundles are signed with the new key. Downstream caches should refresh JWKS within their configured lifetime (`StellaOpsAuthorityOptions.Signing` + client cache tolerance).
+
+The rotation API leverages the same cryptography abstractions as revocation signing; no restart is required and the previous key is marked `retired` but kept available for verification.
+
+## 6. Bootstrap & Administrative Endpoints
+Administrative APIs live under `/internal/*` and require the bootstrap API key plus rate-limiter compliance.
+
+| Endpoint | Method | Description |
+| --- | --- | --- |
+| `/internal/users` | `POST` | Provision initial administrative accounts through the registered password-capable plug-in. Emits structured audit events. |
+| `/internal/clients` | `POST` | Provision OAuth clients (client credentials / device code). |
+| `/internal/revocations/export` | `GET` | Export revocation bundle + detached JWS + digest. |
+| `/internal/signing/rotate` | `POST` | Promote a new signing key (see SOP above). Request body accepts `keyId`, `location`, optional `source`, `algorithm`, `provider`, and metadata. |
+
+All administrative calls emit `AuthEventRecord` entries enriched with correlation IDs, PII tags, and network metadata for offline SOC ingestion.
+
+> **Tenant hint:** include a `tenant` entry inside `properties` when bootstrapping clients. Authority normalises the value, stores it on the registration, and stamps future tokens/audit events with the tenant.
+
+### Bootstrap client example
+
+```jsonc
+POST /internal/clients
+{
+ "clientId": "concelier",
+ "confidential": true,
+ "displayName": "Concelier Backend",
+ "allowedGrantTypes": ["client_credentials"],
+ "allowedScopes": ["concelier.jobs.trigger", "advisory:ingest", "advisory:read"],
+ "properties": {
+ "tenant": "tenant-default"
+ }
+}
+```
+
+For environments with multiple tenants, repeat the call per tenant-specific client (e.g. `concelier-tenant-a`, `concelier-tenant-b`) or append suffixes to the client identifier.
+
+### Aggregation-only verification tokens
+
+- Issue a dedicated client (e.g. `aoc-verifier`) with the scopes `aoc:verify`, `advisory:read`, and `vex:read` for each tenant that runs guard checks. Authority refuses to mint tokens for these scopes unless the client registration provides a tenant hint.
+- The CLI (`stella aoc verify --tenant `) and Console verification panel both call `/aoc/verify` on Concelier and Excititor. Tokens that omit the tenant claim or present a tenant that does not match the stored registration are rejected with `invalid_client`/`invalid_token`.
+- Audit: `authority.client_credentials.grant` entries record `scope.invalid="aoc:verify"` when requests are rejected because the tenant hint is missing or mismatched.
+
+### Exception approvals & routing
+
+- New scopes `exceptions:read`, `exceptions:write`, and `exceptions:approve` govern access to the exception lifecycle. Map these via tenant roles (`exceptions-service`, `exceptions-approver`) as described in `/docs/security/authority-scopes.md`.
+- Configure approval routing in `authority.yaml` with declarative templates. Each template exposes an `authorityRouteId` for downstream services (Policy Engine, Console) and an optional `requireMfa` flag:
+
+```yaml
+exceptions:
+ routingTemplates:
+ - id: "secops"
+ authorityRouteId: "approvals/secops"
+ requireMfa: true
+ description: "Security Operations approval chain"
+ - id: "governance"
+ authorityRouteId: "approvals/governance"
+ requireMfa: false
+ description: "Non-production waiver review"
+```
+
+- Clients requesting exception scopes must include a tenant assignment. Authority rejects client-credential flows that request `exceptions:*` with `invalid_client` and logs `scope.invalid="exceptions:write"` (or the requested scope) in `authority.client_credentials.grant` audit events when the tenant hint is missing.
+- When any configured routing template sets `requireMfa: true`, user-facing tokens that contain `exceptions:approve` must be acquired through an MFA-capable identity provider. Password/OIDC flows that lack MFA support are rejected with `authority.password.grant` audit events where `reason="Exception approval scope requires an MFA-capable identity provider."`
+- Update interactive clients (Console) to request `exceptions:read` by default and elevate to `exceptions:approve` only inside fresh-auth workflows for approvers. Documented examples live in `etc/authority.yaml.sample`.
+- Verification responses map guard failures to `ERR_AOC_00x` codes and Authority emits `authority.client_credentials.grant` + `authority.token.validate_access` audit records containing the tenant and scopes so operators can trace who executed a run.
+- For air-gapped or offline replicas, pre-issue verification tokens per tenant and rotate them alongside ingest credentials; the guard endpoints never mutate data and remain safe to expose through the offline kit schedule.
+
+## 7. Configuration Reference
+
+| Section | Key | Description | Notes |
+| --- | --- | --- | --- |
+| Root | `issuer` | Absolute HTTPS issuer advertised to clients. | Required. Loopback HTTP allowed only for development. |
+| Tokens | `accessTokenLifetime`, `refreshTokenLifetime`, etc. | Lifetimes for each grant (access, refresh, device, authorization code, identity). | Enforced during issuance; persisted on each token document. |
+| Storage | `storage.connectionString` | MongoDB connection string. | Required even for tests; offline kits ship snapshots for seeding. |
+| Signing | `signing.enabled` | Enable JWKS/revocation signing. | Disable only for development. |
+| Signing | `signing.algorithm` | Signing algorithm identifier. | Currently ES256; additional curves can be wired through crypto providers. |
+| Signing | `signing.keySource` | Loader identifier (`file`, `vault`, custom). | Determines which `IAuthoritySigningKeySource` resolves keys. |
+| Signing | `signing.keyPath` | Relative/absolute path understood by the loader. | Stored as-is; rotation request should keep it in sync with filesystem layout. |
+| Signing | `signing.activeKeyId` | Active JWKS / revocation signing key id. | Exposed as `kid` in JWKS and bundles. |
+| Signing | `signing.additionalKeys[].keyId` | Retired key identifier retained for verification. | Manager updates this automatically after rotation; keep YAML aligned. |
+| Signing | `signing.additionalKeys[].source` | Loader identifier per retired key. | Defaults to `signing.keySource` if omitted. |
+| Security | `security.rateLimiting` | Fixed-window limits for `/token`, `/authorize`, `/internal/*`. | See `docs/security/rate-limits.md` for tuning. |
+| Bootstrap | `bootstrap.apiKey` | Shared secret required for `/internal/*`. | Only required when `bootstrap.enabled` is true. |
+
+### 7.1 Sender-constrained clients (DPoP & mTLS)
+
+Authority now understands two flavours of sender-constrained OAuth clients:
+
+- **DPoP proof-of-possession** – clients sign a `DPoP` header for `/token` requests. Authority validates the JWK thumbprint, HTTP method/URI, and replay window, then stamps the resulting access token with `cnf.jkt` so downstream services can verify the same key is reused.
+ - Configure under `security.senderConstraints.dpop`. `allowedAlgorithms`, `proofLifetime`, and `replayWindow` are enforced at validation time.
+ - `security.senderConstraints.dpop.nonce.enabled` enables nonce challenges for high-value audiences (`requiredAudiences`, normalised to case-insensitive strings). When a nonce is required but missing or expired, `/token` replies with `WWW-Authenticate: DPoP error="use_dpop_nonce"` (and, when available, a fresh `DPoP-Nonce` header). Clients must retry with the issued nonce embedded in the proof.
+ - `security.senderConstraints.dpop.nonce.store` selects `memory` (default) or `redis`. When `redis` is configured, set `security.senderConstraints.dpop.nonce.redisConnectionString` so replicas share nonce issuance and high-value clients avoid replay gaps during failover.
+ - Example (enabling Redis-backed nonces; adjust audiences per deployment):
+ ```yaml
+ security:
+ senderConstraints:
+ dpop:
+ enabled: true
+ proofLifetime: "00:02:00"
+ replayWindow: "00:05:00"
+ allowedAlgorithms: [ "ES256", "ES384" ]
+ nonce:
+ enabled: true
+ ttl: "00:10:00"
+ maxIssuancePerMinute: 120
+ store: "redis"
+ redisConnectionString: "redis://authority-redis:6379?ssl=false"
+ requiredAudiences:
+ - "signer"
+ - "attestor"
+ ```
+ Operators can override any field via environment variables (e.g. `STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__DPOP__NONCE__STORE=redis`).
+ - Declare client `audiences` in bootstrap manifests or plug-in provisioning metadata; Authority now defaults the token `aud` claim and `resource` indicator from this list, which is also used to trigger nonce enforcement for audiences such as `signer` and `attestor`.
+- **Mutual TLS clients** – client registrations may declare an mTLS binding (`senderConstraint: mtls`). When enabled via `security.senderConstraints.mtls`, Authority validates the presented client certificate against stored bindings (`certificateBindings[]`), optional chain verification, and timing windows. Successful requests embed `cnf.x5t#S256` into the access token (and introspection output) so resource servers can enforce the certificate thumbprint.
+ - `security.senderConstraints.mtls.enforceForAudiences` forces mTLS whenever the requested `aud`/`resource` (or the client's configured audiences) intersect the configured allow-list (default includes `signer`). Clients configured for different sender constraints are rejected early so operator policy remains consistent.
+ - Certificate bindings now act as an allow-list: Authority verifies thumbprint, subject, issuer, serial number, and any declared SAN values against the presented certificate, with rotation grace windows applied to `notBefore/notAfter`. Operators can enforce subject regexes, SAN type allow-lists (`dns`, `uri`, `ip`), trusted certificate authorities, and rotation grace via `security.senderConstraints.mtls.*`.
+
+Both modes persist additional metadata in `authority_tokens`: `senderConstraint` records the enforced policy, while `senderKeyThumbprint` stores the DPoP JWK thumbprint or mTLS certificate hash captured at issuance. Downstream services can rely on these fields (and the corresponding `cnf` claim) when auditing offline copies of the token store.
+
+### 7.2 Policy Engine clients & scopes
+
+Policy Engine v2 introduces dedicated scopes and a service identity that materialises effective findings. Configure Authority as follows when provisioning policy clients:
+
+| Client | Scopes | Notes |
+| --- | --- | --- |
+| `policy-engine` (service) | `policy:run`, `findings:read`, `effective:write` | Must include `properties.serviceIdentity: policy-engine` and a tenant. Authority rejects `effective:write` tokens without the marker or tenant. |
+| `policy-cli` / automation | `policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read` *(optionally add `policy:approve` / `policy:operate` / `policy:activate` for promotion pipelines)* | Keep scopes minimal; reroll CLI/CI tokens issued before 2025‑10‑27 so they drop legacy scope names and adopt the new set. |
+| UI/editor sessions | `policy:read`, `policy:author`, `policy:simulate` (+ reviewer/approver/operator scopes as appropriate) | Issue tenant-specific clients so audit and rate limits remain scoped. |
+
+Sample YAML entry:
+
+```yaml
+ - clientId: "policy-engine"
+ displayName: "Policy Engine Service"
+ grantTypes: [ "client_credentials" ]
+ audiences: [ "api://policy-engine" ]
+ scopes: [ "policy:run", "findings:read", "effective:write" ]
+ tenant: "tenant-default"
+ properties:
+ serviceIdentity: "policy-engine"
+ senderConstraint: "dpop"
+ auth:
+ type: "client_secret"
+ secretFile: "../secrets/policy-engine.secret"
+```
+
+Compliance checklist:
+
+- [ ] `policy-engine` client includes `properties.serviceIdentity: policy-engine` and a tenant hint; logins missing either are rejected.
+- [ ] Non-service clients omit `effective:write` and receive only the scopes required for their role (`policy:read`, `policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:simulate`, etc.).
+- [ ] Legacy tokens using `policy:write`/`policy:submit`/`policy:edit` are rotated to the new scope set before Production change freeze (see release migration note below).
+- [ ] Approval/activation workflows use identities distinct from authoring identities; tenants are provisioned per client to keep telemetry segregated.
+- [ ] Operators document reviewer assignments and incident procedures alongside `/docs/security/policy-governance.md` and archive policy evidence bundles (`stella policy bundle export`) with each release.
+
+### 7.3 Orchestrator roles & scopes
+
+| Role / Client | Scopes | Notes |
+| --- | --- | --- |
+| `Orch.Viewer` role | `orch:read` | Read-only access to Orchestrator dashboards, queues, and telemetry. |
+| `Orch.Operator` role | `orch:read`, `orch:operate` | Issue short-lived tokens for control actions (pause/resume, retry, sync). Token requests **must** include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority rejects requests missing either value and records both in audit events. |
+
+Token request example via client credentials:
+
+```bash
+curl -u orch-operator:s3cr3t! \
+ -d 'grant_type=client_credentials' \
+ -d 'scope=orch:operate' \
+ -d 'operator_reason=resume source after maintenance' \
+ -d 'operator_ticket=INC-2045' \
+ https://authority.example.com/token
+```
+
+Tokens lacking `operator_reason` or `operator_ticket` receive `invalid_request`; audit events (`authority.client_credentials.grant`) surface the supplied values under `request.reason` and `request.ticket` for downstream review.
+CLI clients set these parameters via `Authority.OperatorReason` / `Authority.OperatorTicket` (environment variables `STELLAOPS_ORCH_REASON` and `STELLAOPS_ORCH_TICKET`).
+
+## 8. Offline & Sovereign Operation
+- **No outbound dependencies:** Authority only contacts MongoDB and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use.
+- **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity.
+- **Determinism:** Sorting rules in token and revocation exports guarantee byte-for-byte identical artefacts given the same datastore state. Hashes and signatures remain stable across machines.
+
+## 9. Operational Checklist
+- [ ] Protect the bootstrap API key and disable bootstrap endpoints (`bootstrap.enabled: false`) once initial setup is complete.
+- [ ] Schedule `stella auth revoke export` (or `/internal/revocations/export`) at the same cadence as Concelier exports so bundles remain in lockstep.
+- [ ] Rotate signing keys before expiration; keep at least one retired key until all cached bundles/tokens signed with it have expired.
+- [ ] Monitor `/health` and `/ready` plus rate-limiter metrics to detect plugin outages early.
+- [ ] Ensure downstream services cache JWKS and revocation bundles within tolerances; stale caches risk accepting revoked tokens.
+
+For plug-in specific requirements, refer to **[Authority Plug-in Developer Guide](dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md)**. For revocation bundle validation workflow, see **[Authority Revocation Bundle](security/revocation-bundle.md)**.
diff --git a/docs/11_DATA_SCHEMAS.md b/docs/11_DATA_SCHEMAS.md
index 0e98e14e..6a5c7413 100755
--- a/docs/11_DATA_SCHEMAS.md
+++ b/docs/11_DATA_SCHEMAS.md
@@ -1,91 +1,91 @@
-# Data Schemas & Persistence Contracts
-
-*Audience* – backend developers, plug‑in authors, DB admins.
-*Scope* – describes **Redis**, **MongoDB** (optional), and on‑disk blob shapes that power Stella Ops.
-
----
-
-## 0 Document Conventions
-
-* **CamelCase** for JSON.
-* All timestamps are **RFC 3339 / ISO 8601** with `Z` (UTC).
-* `⭑` = planned but *not* shipped yet (kept on Feature Matrix “To Do”).
-
----
-
-## 1 SBOM Wrapper Envelope
-
-Every SBOM blob (regardless of format) is stored on disk or in object storage with a *sidecar* JSON file that indexes it for the scanners.
-
-#### 1.1 JSON Shape
-
-```jsonc
-{
- "id": "sha256:417f…", // digest of the SBOM *file* itself
- "imageDigest": "sha256:e2b9…", // digest of the original container image
- "created": "2025-07-14T07:02:13Z",
- "format": "trivy-json-v2", // NEW enum: trivy-json-v2 | spdx-json | cyclonedx-json
- "layers": [
- "sha256:d38b…", // layer digests (ordered)
- "sha256:af45…"
- ],
- "partial": false, // true => delta SBOM (only some layers)
- "provenanceId": "prov_0291" // ⭑ link to SLSA attestation (Q1‑2026)
-}
-```
-
-*`format`* **NEW** – added to support **multiple SBOM formats**.
-*`partial`* **NEW** – true when generated via the **delta SBOM** flow (§1.3).
-
-#### 1.2 File‑system Layout
-
-```
-blobs/
- ├─ 417f… # digest prefix
- │ ├─ sbom.json # payload (any format)
- │ └─ sbom.meta.json # wrapper (shape above)
-```
-
-> **Note** – blob storage can point at S3, MinIO, or plain disk; driver plug‑ins adapt.
-
-#### 1.3 Delta SBOM Extension
-
-When `partial: true`, *only* the missing layers have been scanned.
-Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Redis.
-
----
-
-## 2 Redis Keyspace
-
-| Key pattern | Type | TTL | Purpose |
-|-------------------------------------|---------|------|--------------------------------------------------|
-| `scan:<digest>` | string | ∞ | Last scan JSON result (as returned by `/scan`) |
-| `layers:<digest>` | set | 90d | Layers already possessing SBOMs (delta cache) |
-| `policy:active` | string | ∞ | YAML **or** Rego ruleset |
-| `quota:<token>` | string | *until next UTC midnight* | Per‑token scan counter for Free tier ({{ quota_token }} scans). |
-| `policy:history` | list | ∞ | Change audit IDs (see Mongo) |
-| `feed:nvd:json` | string | 24h | Normalised feed snapshot |
-| `locator:<imageDigest>` | string | 30d | Maps image digest → sbomBlobId |
-| `metrics:…` | various | — | Prom / OTLP runtime metrics |
-
-> **Delta SBOM** uses `layers:*` to skip work in <20 ms.
-> **Quota enforcement** increments `quota:` atomically; when {{ quota_token }} the API returns **429**.
-
----
-
-## 3 MongoDB Collections (Optional)
-
-Only enabled when `MONGO_URI` is supplied (for long‑term audit).
-
-| Collection | Shape (summary) | Indexes |
-|--------------------|------------------------------------------------------------|-------------------------------------|
-| `sbom_history` | Wrapper JSON + `replaceTs` on overwrite | `{imageDigest}` `{created}` |
-| `policy_versions` | `{_id, yaml, rego, authorId, created}` | `{created}` |
-| `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `{imageDigest}` |
-| `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `{userId}` `{ts}` |
-
-Schema detail for **policy_versions**:
-
+# Data Schemas & Persistence Contracts
+
+*Audience* – backend developers, plug‑in authors, DB admins.
+*Scope* – describes **Redis**, **MongoDB** (optional), and on‑disk blob shapes that power Stella Ops.
+
+---
+
+## 0 Document Conventions
+
+* **CamelCase** for JSON.
+* All timestamps are **RFC 3339 / ISO 8601** with `Z` (UTC).
+* `⭑` = planned but *not* shipped yet (kept on Feature Matrix “To Do”).
+
+---
+
+## 1 SBOM Wrapper Envelope
+
+Every SBOM blob (regardless of format) is stored on disk or in object storage with a *sidecar* JSON file that indexes it for the scanners.
+
+#### 1.1 JSON Shape
+
+```jsonc
+{
+ "id": "sha256:417f…", // digest of the SBOM *file* itself
+ "imageDigest": "sha256:e2b9…", // digest of the original container image
+ "created": "2025-07-14T07:02:13Z",
+ "format": "trivy-json-v2", // NEW enum: trivy-json-v2 | spdx-json | cyclonedx-json
+ "layers": [
+ "sha256:d38b…", // layer digests (ordered)
+ "sha256:af45…"
+ ],
+ "partial": false, // true => delta SBOM (only some layers)
+ "provenanceId": "prov_0291" // ⭑ link to SLSA attestation (Q1‑2026)
+}
+```
+
+*`format`* **NEW** – added to support **multiple SBOM formats**.
+*`partial`* **NEW** – true when generated via the **delta SBOM** flow (§1.3).
+
+#### 1.2 File‑system Layout
+
+```
+blobs/
+ ├─ 417f… # digest prefix
+ │ ├─ sbom.json # payload (any format)
+ │ └─ sbom.meta.json # wrapper (shape above)
+```
+
+> **Note** – blob storage can point at S3, MinIO, or plain disk; driver plug‑ins adapt.
+
+#### 1.3 Delta SBOM Extension
+
+When `partial: true`, *only* the missing layers have been scanned.
+Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Redis.
+
+---
+
+## 2 Redis Keyspace
+
+| Key pattern | Type | TTL | Purpose |
+|-------------------------------------|---------|------|--------------------------------------------------|
+| `scan:<digest>` | string | ∞ | Last scan JSON result (as returned by `/scan`) |
+| `layers:<digest>` | set | 90d | Layers already possessing SBOMs (delta cache) |
+| `policy:active` | string | ∞ | YAML **or** Rego ruleset |
+| `quota:<token>` | string | *until next UTC midnight* | Per‑token scan counter for Free tier ({{ quota_token }} scans). |
+| `policy:history` | list | ∞ | Change audit IDs (see Mongo) |
+| `feed:nvd:json` | string | 24h | Normalised feed snapshot |
+| `locator:<imageDigest>` | string | 30d | Maps image digest → sbomBlobId |
+| `metrics:…` | various | — | Prom / OTLP runtime metrics |
+
+> **Delta SBOM** uses `layers:*` to skip work in <20 ms.
+> **Quota enforcement** increments `quota:` atomically; when {{ quota_token }} the API returns **429**.
+
+---
+
+## 3 MongoDB Collections (Optional)
+
+Only enabled when `MONGO_URI` is supplied (for long‑term audit).
+
+| Collection | Shape (summary) | Indexes |
+|--------------------|------------------------------------------------------------|-------------------------------------|
+| `sbom_history` | Wrapper JSON + `replaceTs` on overwrite | `{imageDigest}` `{created}` |
+| `policy_versions` | `{_id, yaml, rego, authorId, created}` | `{created}` |
+| `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `{imageDigest}` |
+| `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `{userId}` `{ts}` |
+
+Schema detail for **policy_versions**:
+
Samples live under `samples/api/scheduler/` (e.g., `schedule.json`, `run.json`, `impact-set.json`, `audit.json`) and mirror the canonical serializer output shown below.
```jsonc
@@ -327,34 +327,34 @@ Materialized view powering the Scheduler UI dashboards. Stores the latest roll-u
- Schedulers should call the projection service after every run state change so the cache mirrors planner/runner progress.
Sample file: `samples/api/scheduler/run-summary.json`.
-
----
-
-## 4 Policy Schema (YAML v1.0)
-
-Minimal viable grammar (subset of OSV‑SCHEMA ideas).
-
-```yaml
-version: "1.0"
-rules:
- - name: Block Critical
- severity: [Critical]
- action: block
- - name: Ignore Low Dev
- severity: [Low, None]
- environments: [dev, staging]
- action: ignore
- expires: "2026-01-01"
- - name: Escalate RegionalFeed High
- sources: [NVD, CNNVD, CNVD, ENISA, JVN, BDU]
- severity: [High, Critical]
- action: escalate
-```
-
+
+---
+
+## 4 Policy Schema (YAML v1.0)
+
+Minimal viable grammar (subset of OSV‑SCHEMA ideas).
+
+```yaml
+version: "1.0"
+rules:
+ - name: Block Critical
+ severity: [Critical]
+ action: block
+ - name: Ignore Low Dev
+ severity: [Low, None]
+ environments: [dev, staging]
+ action: ignore
+ expires: "2026-01-01"
+ - name: Escalate RegionalFeed High
+ sources: [NVD, CNNVD, CNVD, ENISA, JVN, BDU]
+ severity: [High, Critical]
+ action: escalate
+```
+
Validation is performed by `policy:mapping.yaml` JSON‑Schema embedded in backend.
-Canonical schema source: `src/StellaOps.Policy/Schemas/policy-schema@1.json` (embedded into `StellaOps.Policy`).
-`PolicyValidationCli` (see `src/StellaOps.Policy/PolicyValidationCli.cs`) provides the reusable command handler that the main CLI wires up; in the interim it can be invoked from a short host like:
+Canonical schema source: `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-schema@1.json` (embedded into `StellaOps.Policy`).
+`PolicyValidationCli` (see `src/Policy/__Libraries/StellaOps.Policy/PolicyValidationCli.cs`) provides the reusable command handler that the main CLI wires up; in the interim it can be invoked from a short host like:
```csharp
await new PolicyValidationCli().RunAsync(new PolicyValidationCliOptions
@@ -363,7 +363,7 @@ await new PolicyValidationCli().RunAsync(new PolicyValidationCliOptions
Strict = true,
});
```
-
+
### 4.1 Rego Variant (Advanced – TODO)
*Accepted but stored as‑is in `rego` field.*
@@ -372,7 +372,7 @@ Evaluated via internal **OPA** side‑car once feature graduates from TODO list.
### 4.2 Policy Scoring Config (JSON)
*Schema id.* `https://schemas.stella-ops.org/policy/policy-scoring-schema@1.json`
-*Source.* `src/StellaOps.Policy/Schemas/policy-scoring-schema@1.json` (embedded in `StellaOps.Policy`), default fixture at `src/StellaOps.Policy/Schemas/policy-scoring-default.json`.
+*Source.* `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-schema@1.json` (embedded in `StellaOps.Policy`), default fixture at `src/Policy/__Libraries/StellaOps.Policy/Schemas/policy-scoring-default.json`.
```jsonc
{
@@ -426,25 +426,25 @@ npx ajv validate --spec=draft2020 -c ajv-formats \
Planned for Q1‑2026 (kept here for early plug‑in authors).
```jsonc
-{
- "id": "prov_0291",
- "imageDigest": "sha256:e2b9…",
- "buildType": "https://slsa.dev/container/v1",
- "builder": {
- "id": "https://git.stella-ops.ru/ci/stella-runner@sha256:f7b7…"
- },
- "metadata": {
- "invocation": {
- "parameters": {"GIT_SHA": "f6a1…"},
- "buildStart": "2025-07-14T06:59:17Z",
- "buildEnd": "2025-07-14T07:01:22Z"
- },
- "completeness": {"parameters": true}
- },
- "materials": [
- {"uri": "git+https://git…", "digest": {"sha1": "f6a1…"}}
- ],
- "rekorLogIndex": 99817 // entry in local Rekor mirror
+{
+ "id": "prov_0291",
+ "imageDigest": "sha256:e2b9…",
+ "buildType": "https://slsa.dev/container/v1",
+ "builder": {
+ "id": "https://git.stella-ops.ru/ci/stella-runner@sha256:f7b7…"
+ },
+ "metadata": {
+ "invocation": {
+ "parameters": {"GIT_SHA": "f6a1…"},
+ "buildStart": "2025-07-14T06:59:17Z",
+ "buildEnd": "2025-07-14T07:01:22Z"
+ },
+ "completeness": {"parameters": true}
+ },
+ "materials": [
+ {"uri": "git+https://git…", "digest": {"sha1": "f6a1…"}}
+ ],
+ "rekorLogIndex": 99817 // entry in local Rekor mirror
}
```
@@ -509,42 +509,42 @@ done
```
Integration tests can embed the sample fixtures to guarantee deterministic serialisation from the `StellaOps.Notify.Models` DTOs introduced in Sprint 15.
-
----
-
-## 6 Validator Contracts
-
-* For SBOM wrapper – `ISbomValidator` (DLL plug‑in) must return *typed* error list.
-* For YAML policies – JSON‑Schema at `/schemas/policy‑v1.json`.
-* For Rego – OPA `opa eval --fail-defined` under the hood.
-* For **Free‑tier quotas** – `IQuotaService` integration tests ensure `quota:` resets at UTC midnight and produces correct `Retry‑After` headers.
-
----
-
-## 7 Migration Notes
-
-1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`.
-2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard).
-3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled.
-4. Prepare `attestations` collection (empty) – safe to create in advance.
-
----
-
-## 8 Open Questions / Future Work
-
-* How to de‑duplicate *identical* Rego policies differing only in whitespace?
-* Embed *GOST 34.11‑2018* digests when users enable Russian crypto suite?
-* Should enterprise tiers share the same Redis quota keys or switch to JWT claim `tier != Free` bypass?
-* Evaluate sliding‑window quota instead of strict daily reset.
-* Consider rate‑limit for `/layers/missing` to avoid brute‑force enumeration.
-
----
-
-## 9 Change Log
-
-| Date | Note |
-|------------|--------------------------------------------------------------------------------|
-| 2025‑07‑14 | **Added:** `format`, `partial`, delta cache keys, YAML policy schema v1.0. |
-| 2025‑07‑12 | **Initial public draft** – SBOM wrapper, Redis keyspace, audit collections. |
-
----
+
+---
+
+## 6 Validator Contracts
+
+* For SBOM wrapper – `ISbomValidator` (DLL plug‑in) must return *typed* error list.
+* For YAML policies – JSON‑Schema at `/schemas/policy‑v1.json`.
+* For Rego – OPA `opa eval --fail-defined` under the hood.
+* For **Free‑tier quotas** – `IQuotaService` integration tests ensure `quota:` resets at UTC midnight and produces correct `Retry‑After` headers.
+
+---
+
+## 7 Migration Notes
+
+1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`.
+2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard).
+3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled.
+4. Prepare `attestations` collection (empty) – safe to create in advance.
+
+---
+
+## 8 Open Questions / Future Work
+
+* How to de‑duplicate *identical* Rego policies differing only in whitespace?
+* Embed *GOST 34.11‑2018* digests when users enable Russian crypto suite?
+* Should enterprise tiers share the same Redis quota keys or switch to JWT claim `tier != Free` bypass?
+* Evaluate sliding‑window quota instead of strict daily reset.
+* Consider rate‑limit for `/layers/missing` to avoid brute‑force enumeration.
+
+---
+
+## 9 Change Log
+
+| Date | Note |
+|------------|--------------------------------------------------------------------------------|
+| 2025‑07‑14 | **Added:** `format`, `partial`, delta cache keys, YAML policy schema v1.0. |
+| 2025‑07‑12 | **Initial public draft** – SBOM wrapper, Redis keyspace, audit collections. |
+
+---
diff --git a/docs/12_PERFORMANCE_WORKBOOK.md b/docs/12_PERFORMANCE_WORKBOOK.md
index 2460fd30..1444ed63 100755
--- a/docs/12_PERFORMANCE_WORKBOOK.md
+++ b/docs/12_PERFORMANCE_WORKBOOK.md
@@ -56,7 +56,7 @@
## 3 Test Harness
* **Runner** – `perf/run.sh`, accepts `--phase` and `--samples`.
-* **Language analyzers microbench** – `dotnet run --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out src/StellaOps.Bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded.
+* **Language analyzers microbench** – `dotnet run --project src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out src/Bench/StellaOps.Bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded.
* **Metrics** – Prometheus + `jq` extracts; aggregated via `scripts/aggregate.ts`.
* **CI** – GitLab CI job *benchmark* publishes JSON to `bench‑artifacts/`.
* **Visualisation** – Grafana dashboard *Stella‑Perf* (provisioned JSON).
diff --git a/docs/19_TEST_SUITE_OVERVIEW.md b/docs/19_TEST_SUITE_OVERVIEW.md
index 991e8d07..2c9c956e 100755
--- a/docs/19_TEST_SUITE_OVERVIEW.md
+++ b/docs/19_TEST_SUITE_OVERVIEW.md
@@ -1,47 +1,47 @@
-# Automated Test‑Suite Overview
-
-This document enumerates **every automated check** executed by the Stella Ops
-CI pipeline, from unit level to chaos experiments. It is intended for
-contributors who need to extend coverage or diagnose failures.
-
-> **Build parameters** – values such as `{{ dotnet }}` (runtime) and
-> `{{ angular }}` (UI framework) are injected at build time.
-
----
-
-## Layer map
-
-| Layer | Tooling | Entry‑point | Frequency |
-|-------|---------|-------------|-----------|
-| **1. Unit** | `xUnit` (dotnet test) | `*.Tests.csproj` | per PR / push |
-| **2. Property‑based** | `FsCheck` | `SbomPropertyTests` | per PR |
-| **3. Integration (API)** | `Testcontainers` suite | `test/Api.Integration` | per PR + nightly |
+# Automated Test‑Suite Overview
+
+This document enumerates **every automated check** executed by the Stella Ops
+CI pipeline, from unit level to chaos experiments. It is intended for
+contributors who need to extend coverage or diagnose failures.
+
+> **Build parameters** – values such as `{{ dotnet }}` (runtime) and
+> `{{ angular }}` (UI framework) are injected at build time.
+
+---
+
+## Layer map
+
+| Layer | Tooling | Entry‑point | Frequency |
+|-------|---------|-------------|-----------|
+| **1. Unit** | `xUnit` (dotnet test) | `*.Tests.csproj` | per PR / push |
+| **2. Property‑based** | `FsCheck` | `SbomPropertyTests` | per PR |
+| **3. Integration (API)** | `Testcontainers` suite | `test/Api.Integration` | per PR + nightly |
| **4. Integration (DB-merge)** | in-memory Mongo + Redis | `Concelier.Integration` (vulnerability ingest/merge/export service) | per PR |
-| **5. Contract (gRPC)** | `Buf breaking` | `buf.yaml` files | per PR |
-| **6. Front‑end unit** | `Jest` | `ui/src/**/*.spec.ts` | per PR |
-| **7. Front‑end E2E** | `Playwright` | `ui/e2e/**` | nightly |
-| **8. Lighthouse perf / a11y** | `lighthouse-ci` (Chrome headless) | `ui/dist/index.html` | nightly |
-| **9. Load** | `k6` scripted scenarios | `k6/*.js` | nightly |
-| **10. Chaos CPU / OOM** | `pumba` | Docker Compose overlay | weekly |
-| **11. Dependency scanning** | `Trivy fs` + `dotnet list package --vuln` | root | per PR |
-| **12. License compliance** | `LicenceFinder` | root | per PR |
-| **13. SBOM reproducibility** | `in‑toto attestation` diff | GitLab job | release tags |
-
----
-
-## Quality gates
-
-| Metric | Budget | Gate |
-|--------|--------|------|
-| API unit coverage | ≥ 85 % lines | PR merge |
-| API response P95 | ≤ 120 ms | nightly alert |
-| Δ‑SBOM warm scan P95 (4 vCPU) | ≤ 5 s | nightly alert |
-| Lighthouse performance score | ≥ 90 | nightly alert |
-| Lighthouse accessibility score | ≥ 95 | nightly alert |
-| k6 sustained RPS drop | < 5 % vs baseline | nightly alert |
-
----
-
+| **5. Contract (gRPC)** | `Buf breaking` | `buf.yaml` files | per PR |
+| **6. Front‑end unit** | `Jest` | `ui/src/**/*.spec.ts` | per PR |
+| **7. Front‑end E2E** | `Playwright` | `ui/e2e/**` | nightly |
+| **8. Lighthouse perf / a11y** | `lighthouse-ci` (Chrome headless) | `ui/dist/index.html` | nightly |
+| **9. Load** | `k6` scripted scenarios | `k6/*.js` | nightly |
+| **10. Chaos CPU / OOM** | `pumba` | Docker Compose overlay | weekly |
+| **11. Dependency scanning** | `Trivy fs` + `dotnet list package --vuln` | root | per PR |
+| **12. License compliance** | `LicenceFinder` | root | per PR |
+| **13. SBOM reproducibility** | `in‑toto attestation` diff | GitLab job | release tags |
+
+---
+
+## Quality gates
+
+| Metric | Budget | Gate |
+|--------|--------|------|
+| API unit coverage | ≥ 85 % lines | PR merge |
+| API response P95 | ≤ 120 ms | nightly alert |
+| Δ‑SBOM warm scan P95 (4 vCPU) | ≤ 5 s | nightly alert |
+| Lighthouse performance score | ≥ 90 | nightly alert |
+| Lighthouse accessibility score | ≥ 95 | nightly alert |
+| k6 sustained RPS drop | < 5 % vs baseline | nightly alert |
+
+---
+
## Local runner
```bash
@@ -63,13 +63,13 @@ The script spins up MongoDB/Redis via Testcontainers and requires:
The Concelier connector suite includes a regression test (`OsvGhsaParityRegressionTests`)
that checks a curated set of GHSA identifiers against OSV responses. The fixture
-snapshots live in `src/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/` and are kept
+snapshots live in `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/Fixtures/` and are kept
deterministic so the parity report remains reproducible.
To refresh the fixtures when GHSA/OSV payloads change:
1. Ensure outbound HTTPS access to `https://api.osv.dev` and `https://api.github.com`.
-2. Run `UPDATE_PARITY_FIXTURES=1 dotnet test src/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`.
+2. Run `UPDATE_PARITY_FIXTURES=1 dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`.
3. Commit the regenerated `osv-ghsa.*.json` files that the test emits (raw snapshots and canonical advisories).
The regen flow logs `[Parity]` messages and normalises `recordedAt` timestamps so the
@@ -82,28 +82,28 @@ fixtures stay stable across machines.
```mermaid
flowchart LR
subgraph fast-path
- U[xUnit] --> P[FsCheck] --> I1[Testcontainer API]
- end
-
- I1 --> FE[Jest]
- FE --> E2E[Playwright]
- E2E --> Lighthouse
+ U[xUnit] --> P[FsCheck] --> I1[Testcontainer API]
+ end
+
+ I1 --> FE[Jest]
+ FE --> E2E[Playwright]
+ E2E --> Lighthouse
Lighthouse --> INTEG2[Concelier]
- INTEG2 --> LOAD[k6]
- LOAD --> CHAOS[pumba]
- CHAOS --> RELEASE[Attestation diff]
-```
-
----
-
-## Adding a new test layer
-
-1. Extend `scripts/dev-test.sh` so local contributors get the layer by default.
-2. Add a dedicated GitLab job in `.gitlab-ci.yml` (stage `test` or `nightly`).
-3. Register the job in `docs/19_TEST_SUITE_OVERVIEW.md` *and* list its metric
- in `docs/metrics/README.md`.
-
----
-
-*Last updated {{ "now" | date: "%Y‑%m‑%d" }}*
-
+ INTEG2 --> LOAD[k6]
+ LOAD --> CHAOS[pumba]
+ CHAOS --> RELEASE[Attestation diff]
+```
+
+---
+
+## Adding a new test layer
+
+1. Extend `scripts/dev-test.sh` so local contributors get the layer by default.
+2. Add a dedicated GitLab job in `.gitlab-ci.yml` (stage `test` or `nightly`).
+3. Register the job in `docs/19_TEST_SUITE_OVERVIEW.md` *and* list its metric
+ in `docs/metrics/README.md`.
+
+---
+
+*Last updated {{ "now" | date: "%Y‑%m‑%d" }}*
+
diff --git a/docs/21_INSTALL_GUIDE.md b/docs/21_INSTALL_GUIDE.md
index a6f8c830..9b9c28d4 100755
--- a/docs/21_INSTALL_GUIDE.md
+++ b/docs/21_INSTALL_GUIDE.md
@@ -1,190 +1,190 @@
-# Stella Ops — Installation Guide (Docker & Air‑Gap)
-
-
-
-> **Status — public α not yet published.**
-> The commands below will work as soon as the first image is tagged
-> `registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`
-> (target date: **late 2025**). Track progress on the
-> [road‑map](/roadmap/).
-
----
-
-## 0 · Prerequisites
-
-| Item | Minimum | Notes |
-|------|---------|-------|
-| Linux | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
-| CPU / RAM | 2 vCPU / 2 GiB | Laptop baseline |
-| Disk | 10 GiB SSD | SBOM + vuln DB cache |
-| Docker | **Engine 25 + Compose v2** | `docker -v` |
-| TLS | OpenSSL 1.1 + | Self‑signed cert generated at first run |
-
----
-
-## 1 · Connected‑host install (Docker Compose)
-
-```bash
-# 1. Make a working directory
-mkdir stella && cd stella
-
-# 2. Download the signed Compose bundle + example .env
-curl -LO https://get.stella-ops.org/releases/latest/.env.example
-curl -LO https://get.stella-ops.org/releases/latest/.env.example.sig
-curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml
-curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml.sig
-curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml
-curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml.sig
-
-# 3. Verify provenance (Cosign public key is stable)
-cosign verify-blob \
- --key https://stella-ops.org/keys/cosign.pub \
- --signature .env.example.sig \
- .env.example
-
-cosign verify-blob \
- --key https://stella-ops.org/keys/cosign.pub \
- --signature docker-compose.infrastructure.yml.sig \
- docker-compose.infrastructure.yml
-
-cosign verify-blob \
- --key https://stella-ops.org/keys/cosign.pub \
- --signature docker-compose.stella-ops.yml.sig \
- docker-compose.stella-ops.yml
-
-# 4. Copy .env.example → .env and edit secrets
-cp .env.example .env
-$EDITOR .env
-
-# 5. Launch databases (MongoDB + Redis)
-docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
-
-# 6. Launch Stella Ops (first run pulls ~50 MB merged vuln DB)
-docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
-````
-
-*Default login:* `admin / changeme`
-UI: [https://\<host\>:8443](https://<host>:8443) (self‑signed certificate)
-
-> **Pinning best‑practice** – in production environments replace
-> `stella-ops:latest` with the immutable digest printed by
-> `docker images --digests`.
-
-> **Repo bundles** – Development, staging, and air‑gapped Compose profiles live
-> under `deploy/compose/`, already tied to the release manifests in
-> `deploy/releases/`. Helm users can pull the same channel overlays from
-> `deploy/helm/stellaops/values-*.yaml` and validate everything with
-> `deploy/tools/validate-profiles.sh`.
-
-### 1.1 · Concelier authority configuration
-
-The Concelier container reads configuration from `etc/concelier.yaml` plus
-`CONCELIER_` environment variables. To enable the new Authority integration:
-
-1. Add the following keys to `.env` (replace values for your environment):
-
- ```bash
- CONCELIER_AUTHORITY__ENABLED=true
- CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true # temporary rollout only
- CONCELIER_AUTHORITY__ISSUER="https://authority.internal"
- CONCELIER_AUTHORITY__AUDIENCES__0="api://concelier"
- CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger"
- CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read"
- CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest"
- CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default"
- CONCELIER_AUTHORITY__CLIENTID="concelier-jobs"
- CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger"
- CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read"
- CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest"
- CONCELIER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/concelier_authority_client"
- CONCELIER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32"
- CONCELIER_AUTHORITY__BYPASSNETWORKS__1="::1/128"
- CONCELIER_AUTHORITY__RESILIENCE__ENABLERETRIES=true
- CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__0="00:00:01"
- CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__1="00:00:02"
- CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__2="00:00:05"
- CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK=true
- CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE="00:10:00"
- ```
-
- Store the client secret outside source control (Docker secrets, mounted file,
- or Kubernetes Secret). Concelier loads the secret during post-configuration, so
- the value never needs to appear in the YAML template.
-
- Connected sites can keep the retry ladder short (1 s, 2 s, 5 s) so job triggers fail fast when Authority is down. For air‑gapped or intermittently connected deployments, extend `RESILIENCE__OFFLINECACHETOLERANCE` (e.g. `00:30:00`) so cached discovery/JWKS data remains valid while the Offline Kit synchronises upstream changes.
-
-2. Redeploy Concelier:
-
- ```bash
- docker compose --env-file .env -f docker-compose.stella-ops.yml up -d concelier
- ```
-
-3. Tail the logs: `docker compose logs -f concelier`. Successful `/jobs*` calls now
- emit `Concelier.Authorization.Audit` entries with `route`, `status`, `subject`,
- `clientId`, `scopes`, `bypass`, and `remote` fields. 401 denials keep the same
- shape—watch for `bypass=True`, which indicates a bypass CIDR accepted an anonymous
- call. See `docs/ops/concelier-authority-audit-runbook.md` for a full audit/alerting checklist.
-
-> **Enforcement deadline** – keep `CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true`
-> only while validating the rollout. Set it to `false` (and restart Concelier)
-> before **2025-12-31 UTC** to require tokens in production.
-
----
-
-## 2 · Optional: request a free quota token
-
-Anonymous installs allow **{{ quota\_anon }} scans per UTC day**.
-Email `token@stella-ops.org` to receive a signed JWT that raises the limit to
-**{{ quota\_token }} scans/day**. Insert it into `.env`:
-
-```bash
-STELLA_JWT="paste‑token‑here"
-docker compose --env-file .env -f docker-compose.stella-ops.yml \
- exec stella-ops stella set-jwt "$STELLA_JWT"
-```
-
-> The UI shows a reminder at 200 scans and throttles above the limit but will
-> **never block** your pipeline.
-
----
-
-## 3 · Air‑gapped install (Offline Update Kit)
-
-When running on an isolated network use the **Offline Update Kit (OUK)**:
-
-```bash
-# Download & verify on a connected host
-curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz
-curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz.sig
-
-cosign verify-blob \
- --key https://stella-ops.org/keys/cosign.pub \
- --signature stella-ops-offline-kit-v0.1a.tgz.sig \
- stella-ops-offline-kit-v0.1a.tgz
-
-# Transfer → air‑gap → import
-docker compose --env-file .env -f docker-compose.stella-ops.yml \
- exec stella admin import-offline-usage-kit stella-ops-offline-kit-v0.1a.tgz
-```
-
-*Import is atomic; no service downtime.*
-
-For details see the dedicated [Offline Kit guide](/offline/).
-
----
-
-## 4 · Next steps
-
-* **5‑min Quick‑Start:** `/quickstart/`
-* **CI recipes:** `docs/ci/20_CI_RECIPES.md`
-* **Plug‑in SDK:** `/plugins/`
-
----
-
-*Generated {{ "now" | date: "%Y‑%m‑%d" }} — build tags inserted at render time.*
+# Stella Ops — Installation Guide (Docker & Air‑Gap)
+
+
+
+> **Status — public α not yet published.**
+> The commands below will work as soon as the first image is tagged
+> `registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`
+> (target date: **late 2025**). Track progress on the
+> [road‑map](/roadmap/).
+
+---
+
+## 0 · Prerequisites
+
+| Item | Minimum | Notes |
+|------|---------|-------|
+| Linux | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
+| CPU / RAM | 2 vCPU / 2 GiB | Laptop baseline |
+| Disk | 10 GiB SSD | SBOM + vuln DB cache |
+| Docker | **Engine 25 + Compose v2** | `docker -v` |
+| TLS | OpenSSL 1.1 + | Self‑signed cert generated at first run |
+
+---
+
+## 1 · Connected‑host install (Docker Compose)
+
+```bash
+# 1. Make a working directory
+mkdir stella && cd stella
+
+# 2. Download the signed Compose bundle + example .env
+curl -LO https://get.stella-ops.org/releases/latest/.env.example
+curl -LO https://get.stella-ops.org/releases/latest/.env.example.sig
+curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml
+curl -LO https://get.stella-ops.org/releases/latest/docker-compose.infrastructure.yml.sig
+curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml
+curl -LO https://get.stella-ops.org/releases/latest/docker-compose.stella-ops.yml.sig
+
+# 3. Verify provenance (Cosign public key is stable)
+cosign verify-blob \
+ --key https://stella-ops.org/keys/cosign.pub \
+ --signature .env.example.sig \
+ .env.example
+
+cosign verify-blob \
+ --key https://stella-ops.org/keys/cosign.pub \
+ --signature docker-compose.infrastructure.yml.sig \
+ docker-compose.infrastructure.yml
+
+cosign verify-blob \
+ --key https://stella-ops.org/keys/cosign.pub \
+ --signature docker-compose.stella-ops.yml.sig \
+ docker-compose.stella-ops.yml
+
+# 4. Copy .env.example → .env and edit secrets
+cp .env.example .env
+$EDITOR .env
+
+# 5. Launch databases (MongoDB + Redis)
+docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
+
+# 6. Launch Stella Ops (first run pulls ~50 MB merged vuln DB)
+docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
+````
+
+*Default login:* `admin / changeme`
+UI: [https://\<host\>:8443](https://<host>:8443) (self‑signed certificate)
+
+> **Pinning best‑practice** – in production environments replace
+> `stella-ops:latest` with the immutable digest printed by
+> `docker images --digests`.
+
+> **Repo bundles** – Development, staging, and air‑gapped Compose profiles live
+> under `deploy/compose/`, already tied to the release manifests in
+> `deploy/releases/`. Helm users can pull the same channel overlays from
+> `deploy/helm/stellaops/values-*.yaml` and validate everything with
+> `deploy/tools/validate-profiles.sh`.
+
+### 1.1 · Concelier authority configuration
+
+The Concelier container reads configuration from `etc/concelier.yaml` plus
+`CONCELIER_` environment variables. To enable the new Authority integration:
+
+1. Add the following keys to `.env` (replace values for your environment):
+
+ ```bash
+ CONCELIER_AUTHORITY__ENABLED=true
+ CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true # temporary rollout only
+ CONCELIER_AUTHORITY__ISSUER="https://authority.internal"
+ CONCELIER_AUTHORITY__AUDIENCES__0="api://concelier"
+ CONCELIER_AUTHORITY__REQUIREDSCOPES__0="concelier.jobs.trigger"
+ CONCELIER_AUTHORITY__REQUIREDSCOPES__1="advisory:read"
+ CONCELIER_AUTHORITY__REQUIREDSCOPES__2="advisory:ingest"
+ CONCELIER_AUTHORITY__REQUIREDTENANTS__0="tenant-default"
+ CONCELIER_AUTHORITY__CLIENTID="concelier-jobs"
+ CONCELIER_AUTHORITY__CLIENTSCOPES__0="concelier.jobs.trigger"
+ CONCELIER_AUTHORITY__CLIENTSCOPES__1="advisory:read"
+ CONCELIER_AUTHORITY__CLIENTSCOPES__2="advisory:ingest"
+ CONCELIER_AUTHORITY__CLIENTSECRETFILE="/run/secrets/concelier_authority_client"
+ CONCELIER_AUTHORITY__BYPASSNETWORKS__0="127.0.0.1/32"
+ CONCELIER_AUTHORITY__BYPASSNETWORKS__1="::1/128"
+ CONCELIER_AUTHORITY__RESILIENCE__ENABLERETRIES=true
+ CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__0="00:00:01"
+ CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__1="00:00:02"
+ CONCELIER_AUTHORITY__RESILIENCE__RETRYDELAYS__2="00:00:05"
+ CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK=true
+ CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE="00:10:00"
+ ```
+
+ Store the client secret outside source control (Docker secrets, mounted file,
+ or Kubernetes Secret). Concelier loads the secret during post-configuration, so
+ the value never needs to appear in the YAML template.
+
+ Connected sites can keep the retry ladder short (1 s, 2 s, 5 s) so job triggers fail fast when Authority is down. For air‑gapped or intermittently connected deployments, extend `RESILIENCE__OFFLINECACHETOLERANCE` (e.g. `00:30:00`) so cached discovery/JWKS data remains valid while the Offline Kit synchronises upstream changes.
+
+2. Redeploy Concelier:
+
+ ```bash
+ docker compose --env-file .env -f docker-compose.stella-ops.yml up -d concelier
+ ```
+
+3. Tail the logs: `docker compose logs -f concelier`. Successful `/jobs*` calls now
+ emit `Concelier.Authorization.Audit` entries with `route`, `status`, `subject`,
+ `clientId`, `scopes`, `bypass`, and `remote` fields. 401 denials keep the same
+ shape—watch for `bypass=True`, which indicates a bypass CIDR accepted an anonymous
+ call. See `docs/ops/concelier-authority-audit-runbook.md` for a full audit/alerting checklist.
+
+> **Enforcement deadline** – keep `CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true`
+> only while validating the rollout. Set it to `false` (and restart Concelier)
+> before **2025-12-31 UTC** to require tokens in production.
+
+---
+
+## 2 · Optional: request a free quota token
+
+Anonymous installs allow **{{ quota\_anon }} scans per UTC day**.
+Email `token@stella-ops.org` to receive a signed JWT that raises the limit to
+**{{ quota\_token }} scans/day**. Insert it into `.env`:
+
+```bash
+STELLA_JWT="paste‑token‑here"
+docker compose --env-file .env -f docker-compose.stella-ops.yml \
+ exec stella-ops stella set-jwt "$STELLA_JWT"
+```
+
+> The UI shows a reminder at 200 scans and throttles above the limit but will
+> **never block** your pipeline.
+
+---
+
+## 3 · Air‑gapped install (Offline Update Kit)
+
+When running on an isolated network use the **Offline Update Kit (OUK)**:
+
+```bash
+# Download & verify on a connected host
+curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz
+curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-v0.1a.tgz.sig
+
+cosign verify-blob \
+ --key https://stella-ops.org/keys/cosign.pub \
+ --signature stella-ops-offline-kit-v0.1a.tgz.sig \
+ stella-ops-offline-kit-v0.1a.tgz
+
+# Transfer → air‑gap → import
+docker compose --env-file .env -f docker-compose.stella-ops.yml \
+ exec stella admin import-offline-usage-kit stella-ops-offline-kit-v0.1a.tgz
+```
+
+*Import is atomic; no service downtime.*
+
+For details see the dedicated [Offline Kit guide](/offline/).
+
+---
+
+## 4 · Next steps
+
+* **5‑min Quick‑Start:** `/quickstart/`
+* **CI recipes:** `docs/ci/20_CI_RECIPES.md`
+* **Plug‑in SDK:** `/plugins/`
+
+---
+
+*Generated {{ "now" | date: "%Y‑%m‑%d" }} — build tags inserted at render time.*
diff --git a/docs/ARCHITECTURE_AUTHORITY.md b/docs/ARCHITECTURE_AUTHORITY.md
index edccfdb8..26b5ad4f 100644
--- a/docs/ARCHITECTURE_AUTHORITY.md
+++ b/docs/ARCHITECTURE_AUTHORITY.md
@@ -1,443 +1,443 @@
-# component_architecture_authority.md — **Stella Ops Authority** (2025Q4)
-
-> **Scope.** Implementation‑ready architecture for **Stella Ops Authority**: the on‑prem **OIDC/OAuth2** service that issues **short‑lived, sender‑constrained operational tokens (OpToks)** to first‑party services and tools. Covers protocols (DPoP & mTLS binding), token shapes, endpoints, storage, rotation, HA, RBAC, audit, and testing. This component is the trust anchor for *who* is calling inside a Stella Ops installation. (Entitlement is proven separately by **PoE** from the cloud Licensing Service; Authority does not issue PoE.)
-
----
-
-## 0) Mission & boundaries
-
-**Mission.** Provide **fast, local, verifiable** authentication for Stella Ops microservices and tools by minting **very short‑lived** OAuth2/OIDC tokens that are **sender‑constrained** (DPoP or mTLS‑bound). Support RBAC scopes, multi‑tenant claims, and deterministic validation for APIs (Scanner, Signer, Attestor, Excititor, Concelier, UI, CLI, Zastava).
-
-**Boundaries.**
-
-* Authority **does not** validate entitlements/licensing. That’s enforced by **Signer** using **PoE** with the cloud Licensing Service.
-* Authority tokens are **operational only** (2–5 min TTL) and must not be embedded in long‑lived artifacts or stored in SBOMs.
-* Authority is **stateless for validation** (JWT) and **optional introspection** for services that prefer online checks.
-
----
-
-## 1) Protocols & cryptography
-
-* **OIDC Discovery**: `/.well-known/openid-configuration`
-* **OAuth2** grant types:
-
- * **Client Credentials** (service↔service, with mTLS or private_key_jwt)
- * **Device Code** (CLI login on headless agents; optional)
- * **Authorization Code + PKCE** (browser login for UI; optional)
-* **Sender constraint options** (choose per caller or per audience):
-
- * **DPoP** (Demonstration of Proof‑of‑Possession): proof JWT on each HTTP request, bound to the access token via `cnf.jkt`.
- * **OAuth 2.0 mTLS** (certificate‑bound tokens): token bound to client certificate thumbprint via `cnf.x5t#S256`.
-* **Signing algorithms**: **EdDSA (Ed25519)** preferred; fallback **ES256 (P‑256)**. Rotation is supported via **kid** in JWKS.
-* **Token format**: **JWT** access tokens (compact), optionally opaque reference tokens for services that insist on introspection.
-* **Clock skew tolerance**: ±60 s; issue `nbf`, `iat`, `exp` accordingly.
-
----
-
-## 2) Token model
-
-### 2.1 Access token (OpTok) — short‑lived (120–300 s)
-
-**Registered claims**
-
-```
-iss = https://authority.
-sub =
-aud =
-exp = (<= 300 s from iat)
-iat =
-nbf = iat - 30
-jti =
-scope = "scanner.scan scanner.export signer.sign ..."
-```
-
-**Sender‑constraint (`cnf`)**
-
-* **DPoP**:
-
- ```json
- "cnf": { "jkt": "" }
- ```
-* **mTLS**:
-
- ```json
- "cnf": { "x5t#S256": "" }
- ```
-
-**Install/tenant context (custom claims)**
-
-```
-tid = // multi-tenant
-inst = // unique installation
-roles = [ "svc.scanner", "svc.signer", "ui.admin", ... ]
-plan? = // optional hint for UIs; not used for enforcement
-```
-
-> **Note**: Do **not** copy PoE claims into OpTok; OpTok ≠ entitlement. Only **Signer** checks PoE.
-
-### 2.2 Refresh tokens (optional)
-
-* Default **disabled**. If enabled (for UI interactive logins), pair with **DPoP‑bound** refresh tokens or **mTLS** client sessions; short TTL (≤ 8 h), rotating on use (replay‑safe).
-
-### 2.3 ID tokens (optional)
-
-* Issued for UI/browser OIDC flows (Authorization Code + PKCE); not used for service auth.
-
----
-
-## 3) Endpoints & flows
-
-### 3.1 OIDC discovery & keys
-
-* `GET /.well-known/openid-configuration` → endpoints, algs, jwks_uri
-* `GET /jwks` → JSON Web Key Set (rotating, at least 2 active keys during transition)
-
-### 3.2 Token issuance
-
-* `POST /oauth/token`
-
- * **Client Credentials** (service→service):
-
+# component_architecture_authority.md — **Stella Ops Authority** (2025Q4)
+
+> **Scope.** Implementation‑ready architecture for **Stella Ops Authority**: the on‑prem **OIDC/OAuth2** service that issues **short‑lived, sender‑constrained operational tokens (OpToks)** to first‑party services and tools. Covers protocols (DPoP & mTLS binding), token shapes, endpoints, storage, rotation, HA, RBAC, audit, and testing. This component is the trust anchor for *who* is calling inside a Stella Ops installation. (Entitlement is proven separately by **PoE** from the cloud Licensing Service; Authority does not issue PoE.)
+
+---
+
+## 0) Mission & boundaries
+
+**Mission.** Provide **fast, local, verifiable** authentication for Stella Ops microservices and tools by minting **very short‑lived** OAuth2/OIDC tokens that are **sender‑constrained** (DPoP or mTLS‑bound). Support RBAC scopes, multi‑tenant claims, and deterministic validation for APIs (Scanner, Signer, Attestor, Excititor, Concelier, UI, CLI, Zastava).
+
+**Boundaries.**
+
+* Authority **does not** validate entitlements/licensing. That’s enforced by **Signer** using **PoE** with the cloud Licensing Service.
+* Authority tokens are **operational only** (2–5 min TTL) and must not be embedded in long‑lived artifacts or stored in SBOMs.
+* Authority is **stateless for validation** (JWT) and **optional introspection** for services that prefer online checks.
+
+---
+
+## 1) Protocols & cryptography
+
+* **OIDC Discovery**: `/.well-known/openid-configuration`
+* **OAuth2** grant types:
+
+ * **Client Credentials** (service↔service, with mTLS or private_key_jwt)
+ * **Device Code** (CLI login on headless agents; optional)
+ * **Authorization Code + PKCE** (browser login for UI; optional)
+* **Sender constraint options** (choose per caller or per audience):
+
+ * **DPoP** (Demonstration of Proof‑of‑Possession): proof JWT on each HTTP request, bound to the access token via `cnf.jkt`.
+ * **OAuth 2.0 mTLS** (certificate‑bound tokens): token bound to client certificate thumbprint via `cnf.x5t#S256`.
+* **Signing algorithms**: **EdDSA (Ed25519)** preferred; fallback **ES256 (P‑256)**. Rotation is supported via **kid** in JWKS.
+* **Token format**: **JWT** access tokens (compact), optionally opaque reference tokens for services that insist on introspection.
+* **Clock skew tolerance**: ±60 s; issue `nbf`, `iat`, `exp` accordingly.
+
+---
+
+## 2) Token model
+
+### 2.1 Access token (OpTok) — short‑lived (120–300 s)
+
+**Registered claims**
+
+```
+iss = https://authority.
+sub =
+aud =
+exp = (<= 300 s from iat)
+iat =
+nbf = iat - 30
+jti =
+scope = "scanner.scan scanner.export signer.sign ..."
+```
+
+**Sender‑constraint (`cnf`)**
+
+* **DPoP**:
+
+ ```json
+ "cnf": { "jkt": "" }
+ ```
+* **mTLS**:
+
+ ```json
+ "cnf": { "x5t#S256": "" }
+ ```
+
+**Install/tenant context (custom claims)**
+
+```
+tid = // multi-tenant
+inst = // unique installation
+roles = [ "svc.scanner", "svc.signer", "ui.admin", ... ]
+plan? = // optional hint for UIs; not used for enforcement
+```
+
+> **Note**: Do **not** copy PoE claims into OpTok; OpTok ≠ entitlement. Only **Signer** checks PoE.
+
+### 2.2 Refresh tokens (optional)
+
+* Default **disabled**. If enabled (for UI interactive logins), pair with **DPoP‑bound** refresh tokens or **mTLS** client sessions; short TTL (≤ 8 h), rotating on use (replay‑safe).
+
+### 2.3 ID tokens (optional)
+
+* Issued for UI/browser OIDC flows (Authorization Code + PKCE); not used for service auth.
+
+---
+
+## 3) Endpoints & flows
+
+### 3.1 OIDC discovery & keys
+
+* `GET /.well-known/openid-configuration` → endpoints, algs, jwks_uri
+* `GET /jwks` → JSON Web Key Set (rotating, at least 2 active keys during transition)
+
+### 3.2 Token issuance
+
+* `POST /oauth/token`
+
+ * **Client Credentials** (service→service):
+
* **mTLS**: mutual TLS + `client_id` → bound token (`cnf.x5t#S256`)
* `security.senderConstraints.mtls.enforceForAudiences` forces the mTLS path when requested `aud`/`resource` values intersect high-value audiences (defaults include `signer`). Authority rejects clients attempting to use DPoP/basic secrets for these audiences.
* Stored `certificateBindings` are authoritative: thumbprint, subject, issuer, serial number, and SAN values are matched against the presented certificate, with rotation grace applied to activation windows. Failures surface deterministic error codes (e.g. `certificate_binding_subject_mismatch`).
* **private_key_jwt**: JWT‑based client auth + **DPoP** header (preferred for tools and CLI)
- * **Device Code** (CLI): `POST /oauth/device/code` + `POST /oauth/token` poll
- * **Authorization Code + PKCE** (UI): standard
-
-**DPoP handshake (example)**
-
-1. Client prepares **JWK** (ephemeral keypair).
-2. Client sends **DPoP proof** header with fields:
-
- ```
- htm=POST
- htu=https://authority.../oauth/token
- iat=
- jti=
- ```
-
- signed with the DPoP private key; header carries JWK.
-3. Authority validates proof; issues access token with `cnf.jkt=`.
-4. Client uses the same DPoP key to sign **every subsequent API request** to services (Signer, Scanner, …).
-
-**mTLS flow**
-
-* Mutual TLS at the connection; Authority extracts client cert, validates chain; token carries `cnf.x5t#S256`.
-
-### 3.3 Introspection & revocation (optional)
-
-* `POST /oauth/introspect` → `{ active, sub, scope, aud, exp, cnf, ... }`
-* `POST /oauth/revoke` → revokes refresh tokens or opaque access tokens.
-* **Replay prevention**: maintain **DPoP `jti` cache** (TTL ≤ 10 min) to reject duplicate proofs when services supply DPoP nonces (Signer requires nonce for high‑value operations).
-
-### 3.4 UserInfo (optional for UI)
-
-* `GET /userinfo` (ID token context).
-
----
-
-## 4) Audiences, scopes & RBAC
-
-### 4.1 Audiences
-
-* `signer` — only the **Signer** service should accept tokens with `aud=signer`.
-* `attestor`, `scanner`, `concelier`, `excititor`, `ui`, `zastava` similarly.
-
-Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their policy.
-
-### 4.2 Core scopes
-
-| Scope | Service | Operation |
-| ---------------------------------- | ------------------ | -------------------------- |
-| `signer.sign` | Signer | Request DSSE signing |
-| `attestor.write` | Attestor | Submit Rekor entries |
-| `scanner.scan` | Scanner.WebService | Submit scan jobs |
-| `scanner.export` | Scanner.WebService | Export SBOMs |
-| `scanner.read` | Scanner.WebService | Read catalog/SBOMs |
-| `vex.read` / `vex.admin` | Excititor | Query/operate |
-| `concelier.read` / `concelier.export` | Concelier | Query/exports |
-| `ui.read` / `ui.admin` | UI | View/admin |
-| `zastava.emit` / `zastava.enforce` | Scanner/Zastava | Runtime events / admission |
-
-**Roles → scopes mapping** is configured centrally (Authority policy) and pushed during token issuance.
-
----
-
-## 5) Storage & state
-
-* **Configuration DB** (PostgreSQL/MySQL): clients, audiences, role→scope maps, tenant/installation registry, device code grants, persistent consents (if any).
-* **Cache** (Redis):
-
- * DPoP **jti** replay cache (short TTL)
- * **Nonce** store (per resource server, if they demand nonce)
- * Device code pollers, rate limiting buckets
-* **JWKS**: key material in HSM/KMS or encrypted at rest; JWKS served from memory.
-
----
-
-## 6) Key management & rotation
-
-* Maintain **at least 2 signing keys** active during rotation; tokens carry `kid`.
-* Prefer **Ed25519** for compact tokens; maintain **ES256** fallback for FIPS contexts.
-* Rotation cadence: 30–90 days; emergency rotation supported.
-* Publish new JWKS **before** issuing tokens with the new `kid` to avoid cold‑start validation misses.
-* Keep **old keys** available **at least** for max token TTL + 5 minutes.
-
----
-
-## 7) HA & performance
-
-* **Stateless issuance** (except device codes/refresh) → scale horizontally behind a load‑balancer.
-* **DB** only for client metadata and optional flows; token checks are JWT‑local; introspection endpoints hit cache/DB minimally.
-* **Targets**:
-
- * Token issuance P95 ≤ **20 ms** under warm cache.
- * DPoP proof validation ≤ **1 ms** extra per request at resource servers (Signer/Scanner).
- * 99.9% uptime; HPA on CPU/latency.
-
----
-
-## 8) Security posture
-
-* **Strict TLS** (1.3 preferred); HSTS; modern cipher suites.
-* **mTLS** enabled where required (Signer/Attestor paths).
-* **Replay protection**: DPoP `jti` cache, nonce support for **Signer** (add `DPoP-Nonce` header on 401; clients re‑sign).
-* **Rate limits** per client & per IP; exponential backoff on failures.
-* **Secrets**: clients use **private_key_jwt** or **mTLS**; never basic secrets over the wire.
-* **CSP/CSRF** hardening on UI flows; `SameSite=Lax` cookies; PKCE enforced.
-* **Logs** redact `Authorization` and DPoP proofs; store `sub`, `aud`, `scopes`, `inst`, `tid`, `cnf` thumbprints, not full keys.
-
----
-
-## 9) Multi‑tenancy & installations
-
-* **Tenant (`tid`)** and **Installation (`inst`)** registries define which audiences/scopes a client can request.
-* Cross‑tenant isolation enforced at issuance (disallow rogue `aud`), and resource servers **must** check that `tid` matches their configured tenant.
-
----
-
-## 10) Admin & operations APIs
-
-All under `/admin` (mTLS + `authority.admin` scope).
-
-```
-POST /admin/clients # create/update client (confidential/public)
-POST /admin/audiences # register audience resource URIs
-POST /admin/roles # define role→scope mappings
-POST /admin/tenants # create tenant/install entries
-POST /admin/keys/rotate # rotate signing key (zero-downtime)
-GET /admin/metrics # Prometheus exposition (token issue rates, errors)
-GET /admin/healthz|readyz # health/readiness
-```
-
-Declared client `audiences` flow through to the issued JWT `aud` claim and the token request's `resource` indicators. Authority relies on this metadata to enforce DPoP nonce challenges for `signer`, `attestor`, and other high-value services without requiring clients to repeat the audience parameter on every request.
-
----
-
-## 11) Integration hard lines (what resource servers must enforce)
-
-Every Stella Ops service that consumes Authority tokens **must**:
-
-1. Verify JWT signature (`kid` in JWKS), `iss`, `aud`, `exp`, `nbf`.
-2. Enforce **sender‑constraint**:
-
- * **DPoP**: validate DPoP proof (`htu`, `htm`, `iat`, `jti`) and match `cnf.jkt`; cache `jti` for replay defense; honor nonce challenges.
- * **mTLS**: match presented client cert thumbprint to token `cnf.x5t#S256`.
-3. Check **scopes**; optionally map to internal roles.
-4. Check **tenant** (`tid`) and **installation** (`inst`) as appropriate.
-5. For **Signer** only: require **both** OpTok and **PoE** in the request (enforced by Signer, not Authority).
-
----
-
-## 12) Error surfaces & UX
-
-* Token endpoint errors follow OAuth2 (`invalid_client`, `invalid_grant`, `invalid_scope`, `unauthorized_client`).
-* Resource servers use RFC 6750 style (`WWW-Authenticate: DPoP error="invalid_token", error_description="…", dpop_nonce="…" `).
-* For DPoP nonce challenges, clients retry with the server‑supplied nonce once.
-
----
-
-## 13) Observability & audit
-
-* **Metrics**:
-
- * `authority.tokens_issued_total{grant,aud}`
- * `authority.dpop_validations_total{result}`
- * `authority.mtls_bindings_total{result}`
- * `authority.jwks_rotations_total`
- * `authority.errors_total{type}`
-* **Audit log** (immutable sink): token issuance (`sub`, `aud`, `scopes`, `tid`, `inst`, `cnf thumbprint`, `jti`), revocations, admin changes.
-* **Tracing**: token flows, DB reads, JWKS cache.
-
----
-
-## 14) Configuration (YAML)
-
-```yaml
-authority:
- issuer: "https://authority.internal"
- signing:
- enabled: true
- activeKeyId: "authority-signing-2025"
- keyPath: "../certificates/authority-signing-2025.pem"
- algorithm: "ES256"
- keySource: "file"
- security:
- rateLimiting:
- token:
- enabled: true
- permitLimit: 30
- window: "00:01:00"
- queueLimit: 0
- authorize:
- enabled: true
- permitLimit: 60
- window: "00:01:00"
- queueLimit: 10
- internal:
- enabled: false
- permitLimit: 5
- window: "00:01:00"
- queueLimit: 0
- senderConstraints:
- dpop:
- enabled: true
- allowedAlgorithms: [ "ES256", "ES384" ]
- proofLifetime: "00:02:00"
- allowedClockSkew: "00:00:30"
- replayWindow: "00:05:00"
- nonce:
- enabled: true
- ttl: "00:10:00"
- maxIssuancePerMinute: 120
- store: "redis"
- redisConnectionString: "redis://authority-redis:6379?ssl=false"
- requiredAudiences:
- - "signer"
- - "attestor"
- mtls:
- enabled: true
- requireChainValidation: true
- rotationGrace: "00:15:00"
- enforceForAudiences:
- - "signer"
- allowedSanTypes:
- - "dns"
- - "uri"
- allowedCertificateAuthorities:
- - "/etc/ssl/mtls/clients-ca.pem"
- clients:
- - clientId: scanner-web
- grantTypes: [ "client_credentials" ]
- audiences: [ "scanner" ]
- auth: { type: "private_key_jwt", jwkFile: "/secrets/scanner-web.jwk" }
- senderConstraint: "dpop"
- scopes: [ "scanner.scan", "scanner.export", "scanner.read" ]
- - clientId: signer
- grantTypes: [ "client_credentials" ]
- audiences: [ "signer" ]
- auth: { type: "mtls" }
- senderConstraint: "mtls"
- scopes: [ "signer.sign" ]
- - clientId: notify-web-dev
- grantTypes: [ "client_credentials" ]
- audiences: [ "notify.dev" ]
- auth: { type: "client_secret", secretFile: "/secrets/notify-web-dev.secret" }
- senderConstraint: "dpop"
- scopes: [ "notify.read", "notify.admin" ]
- - clientId: notify-web
- grantTypes: [ "client_credentials" ]
- audiences: [ "notify" ]
- auth: { type: "client_secret", secretFile: "/secrets/notify-web.secret" }
- senderConstraint: "dpop"
- scopes: [ "notify.read", "notify.admin" ]
-```
-
----
-
-## 15) Testing matrix
-
-* **JWT validation**: wrong `aud`, expired `exp`, skewed `nbf`, stale `kid`.
-* **DPoP**: invalid `htu`/`htm`, replayed `jti`, stale `iat`, wrong `jkt`, nonce dance.
-* **mTLS**: wrong client cert, wrong CA, thumbprint mismatch.
-* **RBAC**: scope enforcement per audience; over‑privileged client denied.
-* **Rotation**: JWKS rotation while load‑testing; zero‑downtime verification.
-* **HA**: kill one Authority instance; verify issuance continues; JWKS served by peers.
-* **Performance**: 1k token issuance/sec on 2 cores with Redis enabled for jti caching.
-
----
-
-## 16) Threat model & mitigations (summary)
-
-| Threat | Vector | Mitigation |
-| ------------------- | ---------------- | ------------------------------------------------------------------------------------------ |
-| Token theft | Copy of JWT | **Short TTL**, **sender‑constraint** (DPoP/mTLS); replay blocked by `jti` cache and nonces |
-| Replay across hosts | Reuse DPoP proof | Enforce `htu`/`htm`, `iat` freshness, `jti` uniqueness; services may require **nonce** |
-| Impersonation | Fake client | mTLS or `private_key_jwt` with pinned JWK; client registration & rotation |
-| Key compromise | Signing key leak | HSM/KMS storage, key rotation, audit; emergency key revoke path; narrow token TTL |
-| Cross‑tenant abuse | Scope elevation | Enforce `aud`, `tid`, `inst` at issuance and resource servers |
-| Downgrade to bearer | Strip DPoP | Resource servers require DPoP/mTLS based on `aud`; reject bearer without `cnf` |
-
----
-
-## 17) Deployment & HA
-
-* **Stateless** microservice, containerized; run ≥ 2 replicas behind LB.
-* **DB**: HA Postgres (or MySQL) for clients/roles; **Redis** for device codes, DPoP nonces/jtis.
-* **Secrets**: mount client JWKs via K8s Secrets/HashiCorp Vault; signing keys via KMS.
-* **Backups**: DB daily; Redis not critical (ephemeral).
-* **Disaster recovery**: export/import of client registry; JWKS rehydrate from KMS.
-* **Compliance**: TLS audit; penetration testing for OIDC flows.
-
----
-
-## 18) Implementation notes
-
-* Reference stack: **.NET 10** + **OpenIddict 6** (or IdentityServer if licensed) with custom DPoP validator and mTLS binding middleware.
-* Keep the DPoP/JTI cache pluggable; allow Redis/Memcached.
-* Provide **client SDKs** for C# and Go: DPoP key mgmt, proof generation, nonce handling, token refresh helper.
-
----
-
-## 19) Quick reference — wire examples
-
-**Access token (payload excerpt)**
-
-```json
-{
- "iss": "https://authority.internal",
- "sub": "scanner-web",
- "aud": "signer",
- "exp": 1760668800,
- "iat": 1760668620,
- "nbf": 1760668620,
- "jti": "9d9c3f01-6e1a-49f1-8f77-9b7e6f7e3c50",
- "scope": "signer.sign",
- "tid": "tenant-01",
- "inst": "install-7A2B",
- "cnf": { "jkt": "KcVb2V...base64url..." }
-}
-```
-
-**DPoP proof header fields (for POST /sign/dsse)**
-
-```json
-{
- "htu": "https://signer.internal/sign/dsse",
- "htm": "POST",
- "iat": 1760668620,
- "jti": "4b1c9b3c-8a95-4c58-8a92-9c6cfb4a6a0b"
-}
-```
-
-Signer validates that `hash(JWK)` in the proof matches `cnf.jkt` in the token.
-
----
-
-## 20) Rollout plan
-
-1. **MVP**: Client Credentials (private_key_jwt + DPoP), JWKS, short OpToks, per‑audience scopes.
-2. **Add**: mTLS‑bound tokens for Signer/Attestor; device code for CLI; optional introspection.
-3. **Hardening**: DPoP nonce support; full audit pipeline; HA tuning.
-4. **UX**: Tenant/installation admin UI; role→scope editors; client bootstrap wizards.
+ * **Device Code** (CLI): `POST /oauth/device/code` + `POST /oauth/token` poll
+ * **Authorization Code + PKCE** (UI): standard
+
+**DPoP handshake (example)**
+
+1. Client prepares **JWK** (ephemeral keypair).
+2. Client sends **DPoP proof** header with fields:
+
+ ```
+ htm=POST
+ htu=https://authority.../oauth/token
+ iat=
+ jti=
+ ```
+
+ signed with the DPoP private key; header carries JWK.
+3. Authority validates proof; issues access token with `cnf.jkt=`.
+4. Client uses the same DPoP key to sign **every subsequent API request** to services (Signer, Scanner, …).
+
+**mTLS flow**
+
+* Mutual TLS at the connection; Authority extracts client cert, validates chain; token carries `cnf.x5t#S256`.
+
+### 3.3 Introspection & revocation (optional)
+
+* `POST /oauth/introspect` → `{ active, sub, scope, aud, exp, cnf, ... }`
+* `POST /oauth/revoke` → revokes refresh tokens or opaque access tokens.
+* **Replay prevention**: maintain **DPoP `jti` cache** (TTL ≤ 10 min) to reject duplicate proofs when services supply DPoP nonces (Signer requires nonce for high‑value operations).
+
+### 3.4 UserInfo (optional for UI)
+
+* `GET /userinfo` (ID token context).
+
+---
+
+## 4) Audiences, scopes & RBAC
+
+### 4.1 Audiences
+
+* `signer` — only the **Signer** service should accept tokens with `aud=signer`.
+* `attestor`, `scanner`, `concelier`, `excititor`, `ui`, `zastava` similarly.
+
+Services **must** verify `aud` and **sender constraint** (DPoP/mTLS) per their policy.
+
+### 4.2 Core scopes
+
+| Scope | Service | Operation |
+| ---------------------------------- | ------------------ | -------------------------- |
+| `signer.sign` | Signer | Request DSSE signing |
+| `attestor.write` | Attestor | Submit Rekor entries |
+| `scanner.scan` | Scanner.WebService | Submit scan jobs |
+| `scanner.export` | Scanner.WebService | Export SBOMs |
+| `scanner.read` | Scanner.WebService | Read catalog/SBOMs |
+| `vex.read` / `vex.admin` | Excititor | Query/operate |
+| `concelier.read` / `concelier.export` | Concelier | Query/exports |
+| `ui.read` / `ui.admin` | UI | View/admin |
+| `zastava.emit` / `zastava.enforce` | Scanner/Zastava | Runtime events / admission |
+
+**Roles → scopes mapping** is configured centrally (Authority policy) and pushed during token issuance.
+
+---
+
+## 5) Storage & state
+
+* **Configuration DB** (PostgreSQL/MySQL): clients, audiences, role→scope maps, tenant/installation registry, device code grants, persistent consents (if any).
+* **Cache** (Redis):
+
+ * DPoP **jti** replay cache (short TTL)
+ * **Nonce** store (per resource server, if they demand nonce)
+ * Device code pollers, rate limiting buckets
+* **JWKS**: key material in HSM/KMS or encrypted at rest; JWKS served from memory.
+
+---
+
+## 6) Key management & rotation
+
+* Maintain **at least 2 signing keys** active during rotation; tokens carry `kid`.
+* Prefer **Ed25519** for compact tokens; maintain **ES256** fallback for FIPS contexts.
+* Rotation cadence: 30–90 days; emergency rotation supported.
+* Publish new JWKS **before** issuing tokens with the new `kid` to avoid cold‑start validation misses.
+* Keep **old keys** available **at least** for max token TTL + 5 minutes.
+
+---
+
+## 7) HA & performance
+
+* **Stateless issuance** (except device codes/refresh) → scale horizontally behind a load‑balancer.
+* **DB** only for client metadata and optional flows; token checks are JWT‑local; introspection endpoints hit cache/DB minimally.
+* **Targets**:
+
+ * Token issuance P95 ≤ **20 ms** under warm cache.
+ * DPoP proof validation ≤ **1 ms** extra per request at resource servers (Signer/Scanner).
+ * 99.9% uptime; HPA on CPU/latency.
+
+---
+
+## 8) Security posture
+
+* **Strict TLS** (1.3 preferred); HSTS; modern cipher suites.
+* **mTLS** enabled where required (Signer/Attestor paths).
+* **Replay protection**: DPoP `jti` cache, nonce support for **Signer** (add `DPoP-Nonce` header on 401; clients re‑sign).
+* **Rate limits** per client & per IP; exponential backoff on failures.
+* **Secrets**: clients use **private_key_jwt** or **mTLS**; never basic secrets over the wire.
+* **CSP/CSRF** hardening on UI flows; `SameSite=Lax` cookies; PKCE enforced.
+* **Logs** redact `Authorization` and DPoP proofs; store `sub`, `aud`, `scopes`, `inst`, `tid`, `cnf` thumbprints, not full keys.
+
+---
+
+## 9) Multi‑tenancy & installations
+
+* **Tenant (`tid`)** and **Installation (`inst`)** registries define which audiences/scopes a client can request.
+* Cross‑tenant isolation enforced at issuance (disallow rogue `aud`), and resource servers **must** check that `tid` matches their configured tenant.
+
+---
+
+## 10) Admin & operations APIs
+
+All under `/admin` (mTLS + `authority.admin` scope).
+
+```
+POST /admin/clients # create/update client (confidential/public)
+POST /admin/audiences # register audience resource URIs
+POST /admin/roles # define role→scope mappings
+POST /admin/tenants # create tenant/install entries
+POST /admin/keys/rotate # rotate signing key (zero-downtime)
+GET /admin/metrics # Prometheus exposition (token issue rates, errors)
+GET /admin/healthz|readyz # health/readiness
+```
+
+Declared client `audiences` flow through to the issued JWT `aud` claim and the token request's `resource` indicators. Authority relies on this metadata to enforce DPoP nonce challenges for `signer`, `attestor`, and other high-value services without requiring clients to repeat the audience parameter on every request.
+
+---
+
+## 11) Integration hard lines (what resource servers must enforce)
+
+Every Stella Ops service that consumes Authority tokens **must**:
+
+1. Verify JWT signature (`kid` in JWKS), `iss`, `aud`, `exp`, `nbf`.
+2. Enforce **sender‑constraint**:
+
+ * **DPoP**: validate DPoP proof (`htu`, `htm`, `iat`, `jti`) and match `cnf.jkt`; cache `jti` for replay defense; honor nonce challenges.
+ * **mTLS**: match presented client cert thumbprint to token `cnf.x5t#S256`.
+3. Check **scopes**; optionally map to internal roles.
+4. Check **tenant** (`tid`) and **installation** (`inst`) as appropriate.
+5. For **Signer** only: require **both** OpTok and **PoE** in the request (enforced by Signer, not Authority).
+
+---
+
+## 12) Error surfaces & UX
+
+* Token endpoint errors follow OAuth2 (`invalid_client`, `invalid_grant`, `invalid_scope`, `unauthorized_client`).
+* Resource servers use RFC 6750 style (`WWW-Authenticate: DPoP error="invalid_token", error_description="…", dpop_nonce="…" `).
+* For DPoP nonce challenges, clients retry with the server‑supplied nonce once.
+
+---
+
+## 13) Observability & audit
+
+* **Metrics**:
+
+ * `authority.tokens_issued_total{grant,aud}`
+ * `authority.dpop_validations_total{result}`
+ * `authority.mtls_bindings_total{result}`
+ * `authority.jwks_rotations_total`
+ * `authority.errors_total{type}`
+* **Audit log** (immutable sink): token issuance (`sub`, `aud`, `scopes`, `tid`, `inst`, `cnf thumbprint`, `jti`), revocations, admin changes.
+* **Tracing**: token flows, DB reads, JWKS cache.
+
+---
+
+## 14) Configuration (YAML)
+
+```yaml
+authority:
+ issuer: "https://authority.internal"
+ signing:
+ enabled: true
+ activeKeyId: "authority-signing-2025"
+ keyPath: "../certificates/authority-signing-2025.pem"
+ algorithm: "ES256"
+ keySource: "file"
+ security:
+ rateLimiting:
+ token:
+ enabled: true
+ permitLimit: 30
+ window: "00:01:00"
+ queueLimit: 0
+ authorize:
+ enabled: true
+ permitLimit: 60
+ window: "00:01:00"
+ queueLimit: 10
+ internal:
+ enabled: false
+ permitLimit: 5
+ window: "00:01:00"
+ queueLimit: 0
+ senderConstraints:
+ dpop:
+ enabled: true
+ allowedAlgorithms: [ "ES256", "ES384" ]
+ proofLifetime: "00:02:00"
+ allowedClockSkew: "00:00:30"
+ replayWindow: "00:05:00"
+ nonce:
+ enabled: true
+ ttl: "00:10:00"
+ maxIssuancePerMinute: 120
+ store: "redis"
+ redisConnectionString: "redis://authority-redis:6379?ssl=false"
+ requiredAudiences:
+ - "signer"
+ - "attestor"
+ mtls:
+ enabled: true
+ requireChainValidation: true
+ rotationGrace: "00:15:00"
+ enforceForAudiences:
+ - "signer"
+ allowedSanTypes:
+ - "dns"
+ - "uri"
+ allowedCertificateAuthorities:
+ - "/etc/ssl/mtls/clients-ca.pem"
+ clients:
+ - clientId: scanner-web
+ grantTypes: [ "client_credentials" ]
+ audiences: [ "scanner" ]
+ auth: { type: "private_key_jwt", jwkFile: "/secrets/scanner-web.jwk" }
+ senderConstraint: "dpop"
+ scopes: [ "scanner.scan", "scanner.export", "scanner.read" ]
+ - clientId: signer
+ grantTypes: [ "client_credentials" ]
+ audiences: [ "signer" ]
+ auth: { type: "mtls" }
+ senderConstraint: "mtls"
+ scopes: [ "signer.sign" ]
+ - clientId: notify-web-dev
+ grantTypes: [ "client_credentials" ]
+ audiences: [ "notify.dev" ]
+ auth: { type: "client_secret", secretFile: "/secrets/notify-web-dev.secret" }
+ senderConstraint: "dpop"
+ scopes: [ "notify.read", "notify.admin" ]
+ - clientId: notify-web
+ grantTypes: [ "client_credentials" ]
+ audiences: [ "notify" ]
+ auth: { type: "client_secret", secretFile: "/secrets/notify-web.secret" }
+ senderConstraint: "dpop"
+ scopes: [ "notify.read", "notify.admin" ]
+```
+
+---
+
+## 15) Testing matrix
+
+* **JWT validation**: wrong `aud`, expired `exp`, skewed `nbf`, stale `kid`.
+* **DPoP**: invalid `htu`/`htm`, replayed `jti`, stale `iat`, wrong `jkt`, nonce dance.
+* **mTLS**: wrong client cert, wrong CA, thumbprint mismatch.
+* **RBAC**: scope enforcement per audience; over‑privileged client denied.
+* **Rotation**: JWKS rotation while load‑testing; zero‑downtime verification.
+* **HA**: kill one Authority instance; verify issuance continues; JWKS served by peers.
+* **Performance**: 1k token issuance/sec on 2 cores with Redis enabled for jti caching.
+
+---
+
+## 16) Threat model & mitigations (summary)
+
+| Threat | Vector | Mitigation |
+| ------------------- | ---------------- | ------------------------------------------------------------------------------------------ |
+| Token theft | Copy of JWT | **Short TTL**, **sender‑constraint** (DPoP/mTLS); replay blocked by `jti` cache and nonces |
+| Replay across hosts | Reuse DPoP proof | Enforce `htu`/`htm`, `iat` freshness, `jti` uniqueness; services may require **nonce** |
+| Impersonation | Fake client | mTLS or `private_key_jwt` with pinned JWK; client registration & rotation |
+| Key compromise | Signing key leak | HSM/KMS storage, key rotation, audit; emergency key revoke path; narrow token TTL |
+| Cross‑tenant abuse | Scope elevation | Enforce `aud`, `tid`, `inst` at issuance and resource servers |
+| Downgrade to bearer | Strip DPoP | Resource servers require DPoP/mTLS based on `aud`; reject bearer without `cnf` |
+
+---
+
+## 17) Deployment & HA
+
+* **Stateless** microservice, containerized; run ≥ 2 replicas behind LB.
+* **DB**: HA Postgres (or MySQL) for clients/roles; **Redis** for device codes, DPoP nonces/jtis.
+* **Secrets**: mount client JWKs via K8s Secrets/HashiCorp Vault; signing keys via KMS.
+* **Backups**: DB daily; Redis not critical (ephemeral).
+* **Disaster recovery**: export/import of client registry; JWKS rehydrate from KMS.
+* **Compliance**: TLS audit; penetration testing for OIDC flows.
+
+---
+
+## 18) Implementation notes
+
+* Reference stack: **.NET 10** + **OpenIddict 6** (or IdentityServer if licensed) with custom DPoP validator and mTLS binding middleware.
+* Keep the DPoP/JTI cache pluggable; allow Redis/Memcached.
+* Provide **client SDKs** for C# and Go: DPoP key mgmt, proof generation, nonce handling, token refresh helper.
+
+---
+
+## 19) Quick reference — wire examples
+
+**Access token (payload excerpt)**
+
+```json
+{
+ "iss": "https://authority.internal",
+ "sub": "scanner-web",
+ "aud": "signer",
+ "exp": 1760668800,
+ "iat": 1760668620,
+ "nbf": 1760668620,
+ "jti": "9d9c3f01-6e1a-49f1-8f77-9b7e6f7e3c50",
+ "scope": "signer.sign",
+ "tid": "tenant-01",
+ "inst": "install-7A2B",
+ "cnf": { "jkt": "KcVb2V...base64url..." }
+}
+```
+
+**DPoP proof header fields (for POST /sign/dsse)**
+
+```json
+{
+ "htu": "https://signer.internal/sign/dsse",
+ "htm": "POST",
+ "iat": 1760668620,
+ "jti": "4b1c9b3c-8a95-4c58-8a92-9c6cfb4a6a0b"
+}
+```
+
+Signer validates that `hash(JWK)` in the proof matches `cnf.jkt` in the token.
+
+---
+
+## 20) Rollout plan
+
+1. **MVP**: Client Credentials (private_key_jwt + DPoP), JWKS, short OpToks, per‑audience scopes.
+2. **Add**: mTLS‑bound tokens for Signer/Attestor; device code for CLI; optional introspection.
+3. **Hardening**: DPoP nonce support; full audit pipeline; HA tuning.
+4. **UX**: Tenant/installation admin UI; role→scope editors; client bootstrap wizards.
diff --git a/docs/ARCHITECTURE_CLI.md b/docs/ARCHITECTURE_CLI.md
index ce2c541f..fccf3c3c 100644
--- a/docs/ARCHITECTURE_CLI.md
+++ b/docs/ARCHITECTURE_CLI.md
@@ -1,406 +1,406 @@
-# component_architecture_cli.md — **Stella Ops CLI** (2025Q4)
-
-> **Scope.** Implementation‑ready architecture for **Stella Ops CLI**: command surface, process model, auth (Authority/DPoP), integration with Scanner/Excititor/Concelier/Signer/Attestor, Buildx plug‑in management, offline kit behavior, packaging, observability, security posture, and CI ergonomics.
-
----
-
-## 0) Mission & boundaries
-
-**Mission.** Provide a **fast, deterministic, CI‑friendly** command‑line interface to drive Stella Ops workflows:
-
-* Build‑time SBOM generation via **Buildx generator** orchestration.
-* Post‑build **scan/compose/diff/export** against **Scanner.WebService**.
-* **Policy** operations and **VEX/Vuln** data pulls (operator tasks).
-* **Verification** (attestation, referrers, signatures) for audits.
-* Air‑gapped/offline **kit** administration.
-
-**Boundaries.**
-
-* CLI **never** signs; it only calls **Signer**/**Attestor** via backend APIs when needed (e.g., `report --attest`).
-* CLI **does not** store long‑lived credentials beyond OS keychain; tokens are **short** (Authority OpToks).
-* Heavy work (scanning, merging, policy) is executed **server‑side** (Scanner/Excititor/Concelier).
-
----
-
-## 1) Solution layout & runtime form
-
-```
-src/
- ├─ StellaOps.Cli/ # net10.0 (Native AOT) single binary
- ├─ StellaOps.Cli.Core/ # verb plumbing, config, HTTP, auth
- ├─ StellaOps.Cli.Plugins/ # optional verbs packaged as plugins
- ├─ StellaOps.Cli.Tests/ # unit + golden-output tests
- └─ packaging/
- ├─ msix / msi / deb / rpm / brew formula
- └─ scoop manifest / winget manifest
-```
-
-**Language/runtime**: .NET 10 **Native AOT** for speed/startup; Linux builds use **musl** static when possible.
-
-**Plug-in verbs.** Non-core verbs (Excititor, runtime helpers, future integrations) ship as restart-time plug-ins under `plugins/cli/**` with manifest descriptors. The launcher loads plug-ins on startup; hot reloading is intentionally unsupported. The inaugural bundle, `StellaOps.Cli.Plugins.NonCore`, packages the Excititor, runtime, and offline-kit command groups and publishes its manifest at `plugins/cli/StellaOps.Cli.Plugins.NonCore/`.
-
-**OS targets**: linux‑x64/arm64, windows‑x64/arm64, macOS‑x64/arm64.
-
----
-
-## 2) Command surface (verbs)
-
-> All verbs default to **JSON** output when `--json` is set (CI mode). Human output is concise, deterministic.
-
-### 2.1 Auth & profile
-
-* `auth login`
-
- * Modes: **device‑code** (default), **client‑credentials** (service principal).
- * Produces **Authority** access token (OpTok) + stores **DPoP** keypair in OS keychain.
-* `auth status` — show current issuer, subject, audiences, expiry.
-* `auth logout` — wipe cached tokens/keys.
-
-### 2.2 Build‑time SBOM (Buildx)
-
-* `buildx install` — install/update the **StellaOps.Scanner.Sbomer.BuildXPlugin** on the host.
-* `buildx verify` — ensure generator is usable.
-* `buildx build` — thin wrapper around `docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer` with convenience flags:
-
- * `--attest` (request Signer/Attestor via backend post‑push)
- * `--provenance` pass‑through (optional)
-
-### 2.3 Scanning & artifacts
-
-* `scan image [`
-
- * Options: `--force`, `--wait`, `--view=inventory|usage|both`, `--format=cdx-json|cdx-pb|spdx-json`, `--attest` (ask backend to sign/log).
- * Streams progress; exits early unless `--wait`.
-* `diff image --old --new [--view ...]` — show layer‑attributed changes.
-* `export sbom [--view ... --format ... --out file]` — download artifact.
-* `report final [--policy-revision ... --attest]` — request PASS/FAIL report from backend (policy+vex) and optional attestation.
-
-### 2.4 Policy & data
-
-* `policy get/set/apply` — fetch active policy, apply staged policy, compute digest.
-* `concelier export` — trigger/export canonical JSON or Trivy DB (admin).
-* `excititor export` — trigger/export consensus/raw claims (admin).
-
-### 2.5 Verification
-
-* `verify attestation --uuid | --artifact | --bundle ` — call **Attestor /verify** and print proof summary.
-* `verify referrers ` — ask **Signer /verify/referrers** (is image Stella‑signed?).
-* `verify image-signature ][` — standalone cosign verification (optional, local).
-
-### 2.6 Runtime (Zastava helper)
-
-* `runtime policy test --image/-i [--file --ns --label key=value --json]` — ask backend `/policy/runtime` like the webhook would (accepts multiple `--image`, comma/space lists, or stdin pipelines).
-
-### 2.7 Offline kit
-
-* `offline kit pull` — fetch latest **Concelier JSON + Trivy DB + Excititor exports** as a tarball from a mirror.
-* `offline kit import ` — upload the kit to on‑prem services (Concelier/Excititor).
-* `offline kit status` — list current seed versions.
-
-### 2.8 Utilities
-
-* `config set/get` — endpoint & defaults.
-* `whoami` — short auth display.
-* `version` — CLI + protocol versions; release channel.
-
-### 2.9 Aggregation-only guard helpers
-
-* `sources ingest --dry-run --source --input [--tenant ... --format table|json --output file]`
-
- * Normalises documents (handles gzip/base64), posts them to the backend `aoc/ingest/dry-run` route, and exits non-zero when guard violations are detected.
- * Defaults to table output with ANSI colour; `--json`/`--output` produce deterministic JSON for CI pipelines.
-
-* `aoc verify [--since ] [--limit ] [--sources list] [--codes list] [--format table|json] [--export file] [--tenant id] [--no-color]`
-
- * Replays guard checks against stored raw documents. Maps backend `ERR_AOC_00x` codes onto deterministic exit codes so CI can block regressions.
- * Supports pagination hints (`--limit`, `--since`), tenant scoping via `--tenant` or `STELLA_TENANT`, and JSON exports for evidence lockers.
-
----
-
-## 3) AuthN: Authority + DPoP
-
-### 3.1 Token acquisition
-
-* **Device‑code**: the CLI opens an OIDC device code flow against **Authority**; the browser login is optional for service principals.
-* **Client‑credentials**: service principals use **private_key_jwt** or **mTLS** to get tokens.
-
-### 3.2 DPoP key management
-
-* On first login, the CLI generates an **ephemeral JWK** (Ed25519) and stores it in the **OS keychain** (Keychain/DPAPI/KWallet/Gnome Keyring).
-* Every request to backend services includes a **DPoP proof**; CLI refreshes tokens as needed.
-
-### 3.3 Multi‑audience & scopes
-
-* CLI requests **audiences** as needed per verb:
-
- * `scanner` for scan/export/report/diff
- * `signer` (indirect; usually backend calls Signer)
- * `attestor` for verify
- * `concelier`/`excititor` for admin verbs
-
-CLI rejects verbs if required scopes are missing.
-
----
-
-## 4) Process model & reliability
-
-### 4.1 HTTP client
-
-* Single **http2** client with connection pooling, DNS pinning, retry/backoff (idempotent GET/POST marked safe).
-* **DPoP nonce** handling: on `401` with nonce challenge, CLI replays once.
-
-### 4.2 Streaming
-
-* `scan` and `report` support **server‑sent JSON lines** (progress events).
-* `--json` prints machine events; human mode shows compact spinners and crucial updates only.
-
-### 4.3 Exit codes (CI‑safe)
-
-| Code | Meaning |
-| ---- | ------------------------------------------- |
-| 0 | Success |
-| 2 | Policy fail (final report verdict=fail) |
-| 3 | Verification failed (attestation/signature) |
-| 4 | Auth error (invalid/missing token/DPoP) |
-| 5 | Resource not found (image/SBOM) |
-| 6 | Rate limited / quota exceeded |
-| 7 | Backend unavailable (retryable) |
-| 9 | Invalid arguments |
-| 11–17 | Aggregation-only guard violation (`ERR_AOC_00x`) |
-| 18 | Verification truncated (increase `--limit`) |
-| 70 | Transport/authentication failure |
-| 71 | CLI usage error (missing tenant, invalid cursor) |
-
----
-
-## 5) Configuration model
-
-**Precedence:** CLI flags → env vars → config file → defaults.
-
-**Config file**: `${XDG_CONFIG_HOME}/stellaops/config.yaml` (Windows: `%APPDATA%\StellaOps\config.yaml`)
-
-```yaml
-cli:
- authority: "https://authority.internal"
- backend:
- scanner: "https://scanner-web.internal"
- attestor: "https://attestor.internal"
- concelier: "https://concelier-web.internal"
- excititor: "https://excititor-web.internal"
- auth:
- audienceDefault: "scanner"
- deviceCode: true
- output:
- json: false
- color: auto
- tls:
- caBundle: "/etc/ssl/certs/ca-bundle.crt"
- offline:
- kitMirror: "s3://mirror/stellaops-kit"
-```
-
-Environment variables: `STELLAOPS_AUTHORITY`, `STELLAOPS_SCANNER_URL`, etc.
-
----
-
-## 6) Buildx generator orchestration
-
-* `buildx install` locates the Docker root directory, writes the **generator** plugin manifest, and pulls `stellaops/sbom-indexer` image (pinned digest).
-* `buildx build` wrapper injects:
-
- * `--attest=type=sbom,generator=stellaops/sbom-indexer`
- * `--label org.stellaops.request=sbom`
-* Post‑build: CLI optionally calls **Scanner.WebService** to **verify referrers**, **compose** image SBOMs, and **attest** via Signer/Attestor.
-
-**Detection**: If Buildx or generator unavailable, CLI falls back to **post‑build scan** with a warning.
-
----
-
-## 7) Artifact handling
-
-* **Downloads** (`export sbom`, `report final`): stream to file; compute sha256 on the fly; write sidecar `.sha256` and optional **verification bundle** (if `--bundle`).
-* **Uploads** (`offline kit import`): chunked upload; retry on transient errors; show progress bar (unless `--json`).
-
----
-
-## 8) Security posture
-
-* **DPoP private keys** stored in **OS keychain**; metadata cached in config.
-* **No plaintext tokens** on disk; short‑lived **OpToks** held in memory.
-* **TLS**: verify backend certificates; allow custom CA bundle for on‑prem.
-* **Redaction**: CLI logs remove `Authorization`, DPoP headers, PoE tokens.
-* **Supply chain**: CLI distribution binaries are **cosign‑signed**; `stellaops version --verify` checks its own signature.
-
----
-
-## 9) Observability
-
-* `--verbose` adds request IDs, timings, and retry traces.
-* **Metrics** (optional, disabled by default): Prometheus text file exporter for local monitoring in long‑running agents.
-* **Structured logs** (`--json`): per‑event JSON lines with `ts`, `verb`, `status`, `latencyMs`.
-
----
-
-## 10) Performance targets
-
-* Startup ≤ **20 ms** (AOT).
-* `scan image` request/response overhead ≤ **5 ms** (excluding server work).
-* Buildx wrapper overhead negligible (<1 ms).
-* Large artifact download (100 MB) sustained ≥ **80 MB/s** on local networks.
-
----
-
-## 11) Tests & golden outputs
-
-* **Unit tests**: argument parsing, config precedence, URL resolution, DPoP proof creation.
-* **Integration tests** (Testcontainers): mock Authority/Scanner/Attestor; CI pipeline with fake registry.
-* **Golden outputs**: verb snapshots for `--json` across OSes; kept in `tests/golden/…`.
-* **Contract tests**: ensure API shapes match service OpenAPI; fail build if incompatible.
-
----
-
-## 12) Error envelopes (human + JSON)
-
-**Human:**
-
-```
-✖ Policy FAIL: 3 high, 1 critical (VEX suppressed 12)
- - pkg:rpm/openssl (CVE-2025-12345) — affected (vendor) — fixed in 3.0.14
- - pkg:npm/lodash (GHSA-xxxx) — affected — no fix
- See: https://ui.internal/scans/sha256:...
-Exit code: 2
-```
-
-**JSON (`--json`):**
-
-```json
-{ "event":"report", "status":"fail", "critical":1, "high":3, "url":"https://ui..." }
-```
-
----
-
-## 13) Admin & advanced flags
-
-* `--authority`, `--scanner`, `--attestor`, `--concelier`, `--excititor` override config URLs.
-* `--no-color`, `--quiet`, `--json`.
-* `--timeout`, `--retries`, `--retry-backoff-ms`.
-* `--ca-bundle`, `--insecure` (dev only; prints warning).
-* `--trace` (dump HTTP traces to file; scrubbed).
-
----
-
-## 14) Interop with other tools
-
-* Emits **CycloneDX Protobuf** directly to stdout when `export sbom --format cdx-pb --out -`.
-* Pipes to `jq`/`yq` cleanly in JSON mode.
-* Can act as a **credential helper** for scripts: `stellaops auth token --aud scanner` prints a one‑shot token for curl.
-
----
-
-## 15) Packaging & distribution
-
-* **Installers**: deb/rpm (postinst registers completions), Homebrew, Scoop, Winget, MSI/MSIX.
-* **Shell completions**: bash/zsh/fish/pwsh.
-* **Update channel**: `stellaops self-update` (optional) fetches cosign‑signed release manifest; corporate environments can disable.
-
----
-
-## 16) Security hard lines
-
-* Refuse to print token values; redact Authorization headers in verbose output.
-* Disallow `--insecure` unless `STELLAOPS_CLI_ALLOW_INSECURE=1` set (double opt‑in).
-* Enforce **short token TTL**; refresh proactively when <30 s left.
-* Device‑code cache binding to **machine** and **user** (protect against copy to other machines).
-
----
-
-## 17) Wire sequences
-
-**A) Scan & wait with attestation**
-
-```mermaid
-sequenceDiagram
- autonumber
- participant CLI
- participant Auth as Authority
- participant SW as Scanner.WebService
- participant SG as Signer
- participant AT as Attestor
-
- CLI->>Auth: device code flow (DPoP)
- Auth-->>CLI: OpTok (aud=scanner)
-
- CLI->>SW: POST /scans { imageRef, attest:true }
- SW-->>CLI: { scanId }
- CLI->>SW: GET /scans/{id} (poll)
- SW-->>CLI: { status: completed, artifacts, rekor? } # if attested
-
- alt attestation pending
- SW->>SG: POST /sign/dsse (server-side)
- SG-->>SW: DSSE
- SW->>AT: POST /rekor/entries
- AT-->>SW: { uuid, proof }
- end
-
- CLI->>SW: GET /sboms/?format=cdx-pb&view=usage
- SW-->>CLI: bytes
-```
-
-**B) Verify attestation by artifact**
-
-```mermaid
-sequenceDiagram
- autonumber
- participant CLI
- participant AT as Attestor
-
- CLI->>AT: POST /rekor/verify { artifactSha256 }
- AT-->>CLI: { ok:true, uuid, index, logURL }
-```
-
----
-
-## 18) Roadmap (CLI)
-
-* `scan fs ` (local filesystem tree) → upload to backend for analysis.
-* `policy test --sbom ` (simulate policy results offline using local policy bundle).
-* `runtime capture` (developer mode) — capture small `/proc//maps` for troubleshooting.
-* Pluggable output renderers for SARIF/HTML (admin‑controlled).
-
----
-
-## 19) Example CI snippets
-
-**GitHub Actions (post‑build)**
-
-```yaml
-- name: Login (device code w/ OIDC broker)
- run: stellaops auth login --json --authority ${{ secrets.AUTHORITY_URL }}
-
-- name: Scan
- run: stellaops scan image ${{ steps.build.outputs.digest }} --wait --json
-
-- name: Export (usage view, protobuf)
- run: stellaops export sbom ${{ steps.build.outputs.digest }} --view usage --format cdx-pb --out sbom.pb
-
-- name: Verify attestation
- run: stellaops verify attestation --artifact $(sha256sum sbom.pb | cut -d' ' -f1) --json
-```
-
-**GitLab (buildx generator)**
-
-```yaml
-script:
- - stellaops buildx install
- - docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
- - stellaops scan image $CI_REGISTRY_IMAGE@$IMAGE_DIGEST --wait --json
-```
-
----
-
-## 20) Test matrix (OS/arch)
-
-* Linux: ubuntu‑20.04/22.04/24.04 (x64, arm64), alpine (musl).
-* macOS: 13–15 (x64, arm64).
-* Windows: 10/11, Server 2019/2022 (x64, arm64).
-* Docker engines: Docker Desktop, containerd‑based runners.
+# component_architecture_cli.md — **Stella Ops CLI** (2025Q4)
+
+> **Scope.** Implementation‑ready architecture for **Stella Ops CLI**: command surface, process model, auth (Authority/DPoP), integration with Scanner/Excititor/Concelier/Signer/Attestor, Buildx plug‑in management, offline kit behavior, packaging, observability, security posture, and CI ergonomics.
+
+---
+
+## 0) Mission & boundaries
+
+**Mission.** Provide a **fast, deterministic, CI‑friendly** command‑line interface to drive Stella Ops workflows:
+
+* Build‑time SBOM generation via **Buildx generator** orchestration.
+* Post‑build **scan/compose/diff/export** against **Scanner.WebService**.
+* **Policy** operations and **VEX/Vuln** data pulls (operator tasks).
+* **Verification** (attestation, referrers, signatures) for audits.
+* Air‑gapped/offline **kit** administration.
+
+**Boundaries.**
+
+* CLI **never** signs; it only calls **Signer**/**Attestor** via backend APIs when needed (e.g., `report --attest`).
+* CLI **does not** store long‑lived credentials beyond OS keychain; tokens are **short** (Authority OpToks).
+* Heavy work (scanning, merging, policy) is executed **server‑side** (Scanner/Excititor/Concelier).
+
+---
+
+## 1) Solution layout & runtime form
+
+```
+src/
+ ├─ StellaOps.Cli/ # net10.0 (Native AOT) single binary
+ ├─ StellaOps.Cli.Core/ # verb plumbing, config, HTTP, auth
+ ├─ StellaOps.Cli.Plugins/ # optional verbs packaged as plugins
+ ├─ StellaOps.Cli.Tests/ # unit + golden-output tests
+ └─ packaging/
+ ├─ msix / msi / deb / rpm / brew formula
+ └─ scoop manifest / winget manifest
+```
+
+**Language/runtime**: .NET 10 **Native AOT** for speed/startup; Linux builds use **musl** static when possible.
+
+**Plug-in verbs.** Non-core verbs (Excititor, runtime helpers, future integrations) ship as restart-time plug-ins under `plugins/cli/**` with manifest descriptors. The launcher loads plug-ins on startup; hot reloading is intentionally unsupported. The inaugural bundle, `StellaOps.Cli.Plugins.NonCore`, packages the Excititor, runtime, and offline-kit command groups and publishes its manifest at `plugins/cli/StellaOps.Cli.Plugins.NonCore/`.
+
+**OS targets**: linux‑x64/arm64, windows‑x64/arm64, macOS‑x64/arm64.
+
+---
+
+## 2) Command surface (verbs)
+
+> All verbs default to **JSON** output when `--json` is set (CI mode). Human output is concise, deterministic.
+
+### 2.1 Auth & profile
+
+* `auth login`
+
+ * Modes: **device‑code** (default), **client‑credentials** (service principal).
+ * Produces **Authority** access token (OpTok) + stores **DPoP** keypair in OS keychain.
+* `auth status` — show current issuer, subject, audiences, expiry.
+* `auth logout` — wipe cached tokens/keys.
+
+### 2.2 Build‑time SBOM (Buildx)
+
+* `buildx install` — install/update the **StellaOps.Scanner.Sbomer.BuildXPlugin** on the host.
+* `buildx verify` — ensure generator is usable.
+* `buildx build` — thin wrapper around `docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer` with convenience flags:
+
+ * `--attest` (request Signer/Attestor via backend post‑push)
+ * `--provenance` pass‑through (optional)
+
+### 2.3 Scanning & artifacts
+
+* `scan image ][`
+
+ * Options: `--force`, `--wait`, `--view=inventory|usage|both`, `--format=cdx-json|cdx-pb|spdx-json`, `--attest` (ask backend to sign/log).
+ * Streams progress; exits early unless `--wait`.
+* `diff image --old --new [--view ...]` — show layer‑attributed changes.
+* `export sbom [--view ... --format ... --out file]` — download artifact.
+* `report final [--policy-revision ... --attest]` — request PASS/FAIL report from backend (policy+vex) and optional attestation.
+
+### 2.4 Policy & data
+
+* `policy get/set/apply` — fetch active policy, apply staged policy, compute digest.
+* `concelier export` — trigger/export canonical JSON or Trivy DB (admin).
+* `excititor export` — trigger/export consensus/raw claims (admin).
+
+### 2.5 Verification
+
+* `verify attestation --uuid | --artifact | --bundle ` — call **Attestor /verify** and print proof summary.
+* `verify referrers ` — ask **Signer /verify/referrers** (is image Stella‑signed?).
+* `verify image-signature ][` — standalone cosign verification (optional, local).
+
+### 2.6 Runtime (Zastava helper)
+
+* `runtime policy test --image/-i [--file --ns --label key=value --json]` — ask backend `/policy/runtime` like the webhook would (accepts multiple `--image`, comma/space lists, or stdin pipelines).
+
+### 2.7 Offline kit
+
+* `offline kit pull` — fetch latest **Concelier JSON + Trivy DB + Excititor exports** as a tarball from a mirror.
+* `offline kit import ` — upload the kit to on‑prem services (Concelier/Excititor).
+* `offline kit status` — list current seed versions.
+
+### 2.8 Utilities
+
+* `config set/get` — endpoint & defaults.
+* `whoami` — short auth display.
+* `version` — CLI + protocol versions; release channel.
+
+### 2.9 Aggregation-only guard helpers
+
+* `sources ingest --dry-run --source --input [--tenant ... --format table|json --output file]`
+
+ * Normalises documents (handles gzip/base64), posts them to the backend `aoc/ingest/dry-run` route, and exits non-zero when guard violations are detected.
+ * Defaults to table output with ANSI colour; `--json`/`--output` produce deterministic JSON for CI pipelines.
+
+* `aoc verify [--since ] [--limit ] [--sources list] [--codes list] [--format table|json] [--export file] [--tenant id] [--no-color]`
+
+ * Replays guard checks against stored raw documents. Maps backend `ERR_AOC_00x` codes onto deterministic exit codes so CI can block regressions.
+ * Supports pagination hints (`--limit`, `--since`), tenant scoping via `--tenant` or `STELLA_TENANT`, and JSON exports for evidence lockers.
+
+---
+
+## 3) AuthN: Authority + DPoP
+
+### 3.1 Token acquisition
+
+* **Device‑code**: the CLI opens an OIDC device code flow against **Authority**; the browser login is optional for service principals.
+* **Client‑credentials**: service principals use **private_key_jwt** or **mTLS** to get tokens.
+
+### 3.2 DPoP key management
+
+* On first login, the CLI generates an **ephemeral JWK** (Ed25519) and stores it in the **OS keychain** (Keychain/DPAPI/KWallet/Gnome Keyring).
+* Every request to backend services includes a **DPoP proof**; CLI refreshes tokens as needed.
+
+### 3.3 Multi‑audience & scopes
+
+* CLI requests **audiences** as needed per verb:
+
+ * `scanner` for scan/export/report/diff
+ * `signer` (indirect; usually backend calls Signer)
+ * `attestor` for verify
+ * `concelier`/`excititor` for admin verbs
+
+CLI rejects verbs if required scopes are missing.
+
+---
+
+## 4) Process model & reliability
+
+### 4.1 HTTP client
+
+* Single **http2** client with connection pooling, DNS pinning, retry/backoff (idempotent GET/POST marked safe).
+* **DPoP nonce** handling: on `401` with nonce challenge, CLI replays once.
+
+### 4.2 Streaming
+
+* `scan` and `report` support **server‑sent JSON lines** (progress events).
+* `--json` prints machine events; human mode shows compact spinners and crucial updates only.
+
+### 4.3 Exit codes (CI‑safe)
+
+| Code | Meaning |
+| ---- | ------------------------------------------- |
+| 0 | Success |
+| 2 | Policy fail (final report verdict=fail) |
+| 3 | Verification failed (attestation/signature) |
+| 4 | Auth error (invalid/missing token/DPoP) |
+| 5 | Resource not found (image/SBOM) |
+| 6 | Rate limited / quota exceeded |
+| 7 | Backend unavailable (retryable) |
+| 9 | Invalid arguments |
+| 11–17 | Aggregation-only guard violation (`ERR_AOC_00x`) |
+| 18 | Verification truncated (increase `--limit`) |
+| 70 | Transport/authentication failure |
+| 71 | CLI usage error (missing tenant, invalid cursor) |
+
+---
+
+## 5) Configuration model
+
+**Precedence:** CLI flags → env vars → config file → defaults.
+
+**Config file**: `${XDG_CONFIG_HOME}/stellaops/config.yaml` (Windows: `%APPDATA%\StellaOps\config.yaml`)
+
+```yaml
+cli:
+ authority: "https://authority.internal"
+ backend:
+ scanner: "https://scanner-web.internal"
+ attestor: "https://attestor.internal"
+ concelier: "https://concelier-web.internal"
+ excititor: "https://excititor-web.internal"
+ auth:
+ audienceDefault: "scanner"
+ deviceCode: true
+ output:
+ json: false
+ color: auto
+ tls:
+ caBundle: "/etc/ssl/certs/ca-bundle.crt"
+ offline:
+ kitMirror: "s3://mirror/stellaops-kit"
+```
+
+Environment variables: `STELLAOPS_AUTHORITY`, `STELLAOPS_SCANNER_URL`, etc.
+
+---
+
+## 6) Buildx generator orchestration
+
+* `buildx install` locates the Docker root directory, writes the **generator** plugin manifest, and pulls `stellaops/sbom-indexer` image (pinned digest).
+* `buildx build` wrapper injects:
+
+ * `--attest=type=sbom,generator=stellaops/sbom-indexer`
+ * `--label org.stellaops.request=sbom`
+* Post‑build: CLI optionally calls **Scanner.WebService** to **verify referrers**, **compose** image SBOMs, and **attest** via Signer/Attestor.
+
+**Detection**: If Buildx or generator unavailable, CLI falls back to **post‑build scan** with a warning.
+
+---
+
+## 7) Artifact handling
+
+* **Downloads** (`export sbom`, `report final`): stream to file; compute sha256 on the fly; write sidecar `.sha256` and optional **verification bundle** (if `--bundle`).
+* **Uploads** (`offline kit import`): chunked upload; retry on transient errors; show progress bar (unless `--json`).
+
+---
+
+## 8) Security posture
+
+* **DPoP private keys** stored in **OS keychain**; metadata cached in config.
+* **No plaintext tokens** on disk; short‑lived **OpToks** held in memory.
+* **TLS**: verify backend certificates; allow custom CA bundle for on‑prem.
+* **Redaction**: CLI logs remove `Authorization`, DPoP headers, PoE tokens.
+* **Supply chain**: CLI distribution binaries are **cosign‑signed**; `stellaops version --verify` checks its own signature.
+
+---
+
+## 9) Observability
+
+* `--verbose` adds request IDs, timings, and retry traces.
+* **Metrics** (optional, disabled by default): Prometheus text file exporter for local monitoring in long‑running agents.
+* **Structured logs** (`--json`): per‑event JSON lines with `ts`, `verb`, `status`, `latencyMs`.
+
+---
+
+## 10) Performance targets
+
+* Startup ≤ **20 ms** (AOT).
+* `scan image` request/response overhead ≤ **5 ms** (excluding server work).
+* Buildx wrapper overhead negligible (<1 ms).
+* Large artifact download (100 MB) sustained ≥ **80 MB/s** on local networks.
+
+---
+
+## 11) Tests & golden outputs
+
+* **Unit tests**: argument parsing, config precedence, URL resolution, DPoP proof creation.
+* **Integration tests** (Testcontainers): mock Authority/Scanner/Attestor; CI pipeline with fake registry.
+* **Golden outputs**: verb snapshots for `--json` across OSes; kept in `tests/golden/…`.
+* **Contract tests**: ensure API shapes match service OpenAPI; fail build if incompatible.
+
+---
+
+## 12) Error envelopes (human + JSON)
+
+**Human:**
+
+```
+✖ Policy FAIL: 3 high, 1 critical (VEX suppressed 12)
+ - pkg:rpm/openssl (CVE-2025-12345) — affected (vendor) — fixed in 3.0.14
+ - pkg:npm/lodash (GHSA-xxxx) — affected — no fix
+ See: https://ui.internal/scans/sha256:...
+Exit code: 2
+```
+
+**JSON (`--json`):**
+
+```json
+{ "event":"report", "status":"fail", "critical":1, "high":3, "url":"https://ui..." }
+```
+
+---
+
+## 13) Admin & advanced flags
+
+* `--authority`, `--scanner`, `--attestor`, `--concelier`, `--excititor` override config URLs.
+* `--no-color`, `--quiet`, `--json`.
+* `--timeout`, `--retries`, `--retry-backoff-ms`.
+* `--ca-bundle`, `--insecure` (dev only; prints warning).
+* `--trace` (dump HTTP traces to file; scrubbed).
+
+---
+
+## 14) Interop with other tools
+
+* Emits **CycloneDX Protobuf** directly to stdout when `export sbom --format cdx-pb --out -`.
+* Pipes to `jq`/`yq` cleanly in JSON mode.
+* Can act as a **credential helper** for scripts: `stellaops auth token --aud scanner` prints a one‑shot token for curl.
+
+---
+
+## 15) Packaging & distribution
+
+* **Installers**: deb/rpm (postinst registers completions), Homebrew, Scoop, Winget, MSI/MSIX.
+* **Shell completions**: bash/zsh/fish/pwsh.
+* **Update channel**: `stellaops self-update` (optional) fetches cosign‑signed release manifest; corporate environments can disable.
+
+---
+
+## 16) Security hard lines
+
+* Refuse to print token values; redact Authorization headers in verbose output.
+* Disallow `--insecure` unless `STELLAOPS_CLI_ALLOW_INSECURE=1` set (double opt‑in).
+* Enforce **short token TTL**; refresh proactively when <30 s left.
+* Device‑code cache binding to **machine** and **user** (protect against copy to other machines).
+
+---
+
+## 17) Wire sequences
+
+**A) Scan & wait with attestation**
+
+```mermaid
+sequenceDiagram
+ autonumber
+ participant CLI
+ participant Auth as Authority
+ participant SW as Scanner.WebService
+ participant SG as Signer
+ participant AT as Attestor
+
+ CLI->>Auth: device code flow (DPoP)
+ Auth-->>CLI: OpTok (aud=scanner)
+
+ CLI->>SW: POST /scans { imageRef, attest:true }
+ SW-->>CLI: { scanId }
+ CLI->>SW: GET /scans/{id} (poll)
+ SW-->>CLI: { status: completed, artifacts, rekor? } # if attested
+
+ alt attestation pending
+ SW->>SG: POST /sign/dsse (server-side)
+ SG-->>SW: DSSE
+ SW->>AT: POST /rekor/entries
+ AT-->>SW: { uuid, proof }
+ end
+
+ CLI->>SW: GET /sboms/?format=cdx-pb&view=usage
+ SW-->>CLI: bytes
+```
+
+**B) Verify attestation by artifact**
+
+```mermaid
+sequenceDiagram
+ autonumber
+ participant CLI
+ participant AT as Attestor
+
+ CLI->>AT: POST /rekor/verify { artifactSha256 }
+ AT-->>CLI: { ok:true, uuid, index, logURL }
+```
+
+---
+
+## 18) Roadmap (CLI)
+
+* `scan fs ` (local filesystem tree) → upload to backend for analysis.
+* `policy test --sbom ` (simulate policy results offline using local policy bundle).
+* `runtime capture` (developer mode) — capture small `/proc//maps` for troubleshooting.
+* Pluggable output renderers for SARIF/HTML (admin‑controlled).
+
+---
+
+## 19) Example CI snippets
+
+**GitHub Actions (post‑build)**
+
+```yaml
+- name: Login (device code w/ OIDC broker)
+ run: stellaops auth login --json --authority ${{ secrets.AUTHORITY_URL }}
+
+- name: Scan
+ run: stellaops scan image ${{ steps.build.outputs.digest }} --wait --json
+
+- name: Export (usage view, protobuf)
+ run: stellaops export sbom ${{ steps.build.outputs.digest }} --view usage --format cdx-pb --out sbom.pb
+
+- name: Verify attestation
+ run: stellaops verify attestation --artifact $(sha256sum sbom.pb | cut -d' ' -f1) --json
+```
+
+**GitLab (buildx generator)**
+
+```yaml
+script:
+ - stellaops buildx install
+ - docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
+ - stellaops scan image $CI_REGISTRY_IMAGE@$IMAGE_DIGEST --wait --json
+```
+
+---
+
+## 20) Test matrix (OS/arch)
+
+* Linux: ubuntu‑20.04/22.04/24.04 (x64, arm64), alpine (musl).
+* macOS: 13–15 (x64, arm64).
+* Windows: 10/11, Server 2019/2022 (x64, arm64).
+* Docker engines: Docker Desktop, containerd‑based runners.
diff --git a/docs/ARCHITECTURE_CONCELIER.md b/docs/ARCHITECTURE_CONCELIER.md
index 8437c2ba..16a6f9b4 100644
--- a/docs/ARCHITECTURE_CONCELIER.md
+++ b/docs/ARCHITECTURE_CONCELIER.md
@@ -1,518 +1,518 @@
-# component_architecture_concelier.md — **Stella Ops Concelier** (Sprint 22)
-
-> **Scope.** Implementation-ready architecture for **Concelier**: the advisory ingestion and Link-Not-Merge (LNM) observation pipeline that produces deterministic raw observations, correlation linksets, and evidence events consumed by Policy Engine, Console, CLI, and Export centers. Covers domain models, connectors, observation/linkset builders, storage schema, events, APIs, performance, security, and test matrices.
-
----
-
-## 0) Mission & boundaries
-
-**Mission.** Acquire authoritative **vulnerability advisories** (vendor PSIRTs, distros, OSS ecosystems, CERTs), persist them as immutable **observations** under the Aggregation-Only Contract (AOC), construct **linksets** that correlate observations without merging or precedence, and export deterministic evidence bundles (JSON, Trivy DB, Offline Kit) for downstream policy evaluation and operator tooling.
-
-**Boundaries.**
-
-* Concelier **does not** sign with private keys. When attestation is required, the export artifact is handed to the **Signer**/**Attestor** pipeline (out‑of‑process).
-* Concelier **does not** decide PASS/FAIL; it provides data to the **Policy** engine.
-* Online operation is **allowlist‑only**; air‑gapped deployments use the **Offline Kit**.
-
----
-
-## 1) Topology & processes
-
-**Process shape:** single ASP.NET Core service `StellaOps.Concelier.WebService` hosting:
-
-* **Scheduler** with distributed locks (Mongo backed).
-* **Connectors** (fetch/parse/map) that emit immutable observation candidates.
-* **Observation writer** enforcing AOC invariants via `AOCWriteGuard`.
-* **Linkset builder** that correlates observations into `advisory_linksets` and annotates conflicts.
-* **Event publisher** emitting `advisory.observation.updated` and `advisory.linkset.updated` messages.
-* **Exporters** (JSON, Trivy DB, Offline Kit slices) fed from observation/linkset stores.
-* **Minimal REST** for health/status/trigger/export and observation/linkset reads.
-
-**Scale:** HA by running N replicas; **locks** prevent overlapping jobs per source/exporter.
-
----
-
-## 2) Canonical domain model
-
-> Stored in MongoDB (database `concelier`), serialized with a **canonical JSON** writer (stable order, camelCase, normalized timestamps).
-
-### 2.1 Core entities
-
-#### AdvisoryObservation
-
-```jsonc
-observationId // deterministic id: {tenant}:{source.vendor}:{upstreamId}:{revision}
-tenant // issuing tenant (lower-case)
-source{
- vendor, stream, api, collectorVersion
-}
-upstream{
- upstreamId, documentVersion, fetchedAt, receivedAt,
- contentHash, signature{present, format?, keyId?, signature?}
-}
-content{
- format, specVersion, raw, metadata?
-}
-identifiers{
- cve?, ghsa?, vendorIds[], aliases[]
-}
-linkset{
- purls[], cpes[], aliases[], references[{type,url}],
- reconciledFrom[]
-}
-createdAt // when Concelier recorded the observation
-attributes // optional provenance metadata (batch ids, ingest cursor)
-```jsonc
-
-#### AdvisoryLinkset
-
-```jsonc
-linksetId // sha256 over sorted (tenant, product/vuln tuple, observation ids)
-tenant
-key{
- vulnerabilityId,
- productKey,
- confidence // low|medium|high
-}
-observations[] = [
- {
- observationId,
- sourceVendor,
- statement{
- status?, severity?, references?, notes?
- },
- collectedAt
- }
-]
-aliases{
- primary,
- others[]
-}
-purls[]
-cpes[]
-conflicts[]? // see AdvisoryLinksetConflict
-createdAt
-updatedAt
-```jsonc
-
-#### AdvisoryLinksetConflict
-
-```jsonc
-conflictId // deterministic hash
-type // severity-mismatch | affected-range-divergence | reference-clash | alias-inconsistency | metadata-gap
-field? // optional JSON pointer (e.g., /statement/severity/vector)
-observations[] // per-source values contributing to the conflict
-confidence // low|medium|high (heuristic weight)
-detectedAt
-```jsonc
-
-#### ObservationEvent / LinksetEvent
-
-```jsonc
-eventId // ULID
-tenant
-type // advisory.observation.updated | advisory.linkset.updated
-key{
- observationId? // on observation event
- linksetId? // on linkset event
- vulnerabilityId?,
- productKey?
-}
-delta{
- added[], removed[], changed[] // normalized summary for consumers
-}
-hash // canonical hash of serialized delta payload
-occurredAt
-```jsonc
-
-#### ExportState
-
-```jsonc
-exportKind // json | trivydb
-baseExportId? // last full baseline
-baseDigest? // digest of last full baseline
-lastFullDigest? // digest of last full export
-lastDeltaDigest? // digest of last delta export
-cursor // per-kind incremental cursor
-files[] // last manifest snapshot (path → sha256)
-```jsonc
-
-Legacy `Advisory`, `Affected`, and merge-centric entities remain in the repository for historical exports and replay but are being phased out as Link-Not-Merge takes over. New code paths must interact with `AdvisoryObservation` / `AdvisoryLinkset` exclusively and emit conflicts through the structured payloads described above.
-
-### 2.2 Product identity (`productKey`)
-
-* **Primary:** `purl` (Package URL).
-* **OS packages:** RPM (NEVRA→purl:rpm), DEB (dpkg→purl:deb), APK (apk→purl:alpine), with **EVR/NVRA** preserved.
-* **Secondary:** `cpe` retained for compatibility; advisory records may carry both.
-* **Image/platform:** `oci:/@` for image‑level advisories (rare).
-* **Unmappable:** if a source is non‑deterministic, keep native string under `productKey="native::"` and mark **non‑joinable**.
-
----
-
-## 3) Source families & precedence
-
-### 3.1 Families
-
-* **Vendor PSIRTs**: Microsoft, Oracle, Cisco, Adobe, Apple, VMware, Chromium…
-* **Linux distros**: Red Hat, SUSE, Ubuntu, Debian, Alpine…
-* **OSS ecosystems**: OSV, GHSA (GitHub Security Advisories), PyPI, npm, Maven, NuGet, Go.
-* **CERTs / national CSIRTs**: CISA (KEV, ICS), JVN, ACSC, CCCS, KISA, CERT‑FR/BUND, etc.
-
-### 3.2 Precedence (when claims conflict)
-
-1. **Vendor PSIRT** (authoritative for their product).
-2. **Distro** (authoritative for packages they ship, including backports).
-3. **Ecosystem** (OSV/GHSA) for library semantics.
-4. **CERTs/aggregators** for enrichment (KEV/known exploited).
-
-> Precedence affects **Affected** ranges and **fixed** info; **severity** is normalized to the **maximum** credible severity unless policy overrides. Conflicts are retained with **source provenance**.
-
----
-
-## 4) Connectors & normalization
-
-### 4.1 Connector contract
-
-```csharp
-public interface IFeedConnector {
- string SourceName { get; }
- Task FetchAsync(IServiceProvider sp, CancellationToken ct); // -> document collection
- Task ParseAsync(IServiceProvider sp, CancellationToken ct); // -> dto collection (validated)
- Task MapAsync(IServiceProvider sp, CancellationToken ct); // -> advisory/alias/affected/reference
-}
-```jsonc
-
-* **Fetch**: windowed (cursor), conditional GET (ETag/Last‑Modified), retry/backoff, rate limiting.
-* **Parse**: schema validation (JSON Schema, XSD/CSAF), content type checks; write **DTO** with normalized casing.
-* **Map**: build canonical records; all outputs carry **provenance** (doc digest, URI, anchors).
-
-### 4.2 Version range normalization
-
-* **SemVer** ecosystems (npm, pypi, maven, nuget, golang): normalize to `introduced`/`fixed` semver ranges (use `~`, `^`, `<`, `>=` canonicalized to intervals).
-* **RPM EVR**: `epoch:version-release` with `rpmvercmp` semantics; store raw EVR strings and also **computed order keys** for query.
-* **DEB**: dpkg version comparison semantics mirrored; store computed keys.
-* **APK**: Alpine version semantics; compute order keys.
-* **Generic**: if provider uses text, retain raw; do **not** invent ranges.
-
-### 4.3 Severity & CVSS
-
-* Normalize **CVSS v2/v3/v4** where available (vector, baseScore, severity).
-* If multiple CVSS sources exist, track them all; **effective severity** defaults to **max** by policy (configurable).
-* **ExploitKnown** toggled by KEV and equivalent sources; store **evidence** (source, date).
-
----
-
-## 5) Observation & linkset pipeline
-
-> **Goal:** deterministically ingest raw documents into immutable observations, correlate them into evidence-rich linksets, and broadcast changes without precedence or mutation.
-
-### 5.1 Observation flow
-
-1. **Connector fetch/parse/map** — connectors download upstream payloads, validate signatures, and map to DTOs (identifiers, references, raw payload, provenance).
-2. **AOC guard** — `AOCWriteGuard` verifies forbidden keys, provenance completeness, tenant claims, timestamp normalization, and content hash idempotency. Violations raise `ERR_AOC_00x` mapped to structured logs and metrics.
-3. **Append-only write** — observations insert into `advisory_observations`; duplicates by `(tenant, source.vendor, upstream.upstreamId, upstream.contentHash)` become no-ops; new content for same upstream id creates a supersedes chain.
-4. **Change feed + event** — Mongo change streams trigger `advisory.observation.updated@1` events with deterministic payloads (IDs, hash, supersedes pointer, linkset summary). Policy Engine, Offline Kit builder, and guard dashboards subscribe.
-
-### 5.2 Linkset correlation
-
-1. **Queue** — observation deltas enqueue correlation jobs keyed by `(tenant, vulnerabilityId, productKey)` candidates derived from identifiers + alias graph.
-2. **Canonical grouping** — builder resolves aliases using Concelier’s alias store and deterministic heuristics (vendor > distro > cert), deriving normalized product keys (purl preferred) and confidence scores.
-3. **Linkset materialization** — `advisory_linksets` documents store sorted observation references, alias sets, product keys, range metadata, and conflict payloads. Writes are idempotent; unchanged hashes skip updates.
-4. **Conflict detection** — builder emits structured conflicts (`severity-mismatch`, `affected-range-divergence`, `reference-clash`, `alias-inconsistency`, `metadata-gap`). Conflicts carry per-observation values for explainability.
-5. **Event emission** — `advisory.linkset.updated@1` summarizes deltas (`added`, `removed`, `changed` observation IDs, conflict updates, confidence changes) and includes a canonical hash for replay validation.
-
-### 5.3 Event contract
-
-| Event | Schema | Notes |
-|-------|--------|-------|
-| `advisory.observation.updated@1` | `events/advisory.observation.updated@1.json` | Fired on new or superseded observations. Includes `observationId`, source metadata, `linksetSummary` (aliases/purls), supersedes pointer (if any), SHA-256 hash, and `traceId`. |
-| `advisory.linkset.updated@1` | `events/advisory.linkset.updated@1.json` | Fired when correlation changes. Includes `linksetId`, `key{vulnerabilityId, productKey, confidence}`, observation deltas, conflicts, `updatedAt`, and canonical hash. |
-
-Events are emitted via NATS (primary) and Redis Stream (fallback). Consumers acknowledge idempotently using the hash; duplicates are safe. Offline Kit captures both topics during bundle creation for air-gapped replay.
-
----
-
-## 6) Storage schema (MongoDB)
-
-### Collections & indexes (LNM path)
-
-* `concelier.sources` `{_id, type, baseUrl, enabled, notes}` — connector catalog.
-* `concelier.source_state` `{sourceName(unique), enabled, cursor, lastSuccess, backoffUntil, paceOverrides}` — run-state (TTL indexes on `backoffUntil`).
-* `concelier.documents` `{_id, sourceName, uri, fetchedAt, sha256, contentType, status, metadata, gridFsId?, etag?, lastModified?}` — raw payload registry.
- * Indexes: `{sourceName:1, uri:1}` unique; `{fetchedAt:-1}` for recent fetches.
-* `concelier.dto` `{_id, sourceName, documentId, schemaVer, payload, validatedAt}` — normalized connector DTOs used for replay.
- * Index: `{sourceName:1, documentId:1}`.
-* `concelier.advisory_observations`
-
-```
-{
- _id: "tenant:vendor:upstreamId:revision",
- tenant,
- source: { vendor, stream, api, collectorVersion },
- upstream: { upstreamId, documentVersion, fetchedAt, receivedAt, contentHash, signature },
- content: { format, specVersion, raw, metadata? },
- identifiers: { cve?, ghsa?, vendorIds[], aliases[] },
- linkset: { purls[], cpes[], aliases[], references[], reconciledFrom[] },
- supersedes?: "prevObservationId",
- createdAt,
- attributes?: object
-}
-```
-
- * Indexes: `{tenant:1, upstream.upstreamId:1}`, `{tenant:1, source.vendor:1, linkset.purls:1}`, `{tenant:1, linkset.aliases:1}`, `{tenant:1, createdAt:-1}`.
-* `concelier.advisory_linksets`
-
-```
-{
- _id: "sha256:...",
- tenant,
- key: { vulnerabilityId, productKey, confidence },
- observations: [
- { observationId, sourceVendor, statement, collectedAt }
- ],
- aliases: { primary, others: [] },
- purls: [],
- cpes: [],
- conflicts: [],
- createdAt,
- updatedAt
-}
-```
-
- * Indexes: `{tenant:1, key.vulnerabilityId:1, key.productKey:1}`, `{tenant:1, purls:1}`, `{tenant:1, aliases.primary:1}`, `{tenant:1, updatedAt:-1}`.
-* `concelier.advisory_events`
-
-```
-{
- _id: ObjectId,
- tenant,
- type: "advisory.observation.updated" | "advisory.linkset.updated",
- key,
- delta,
- hash,
- occurredAt
-}
-```
-
- * TTL index on `occurredAt` (configurable retention), `{type:1, occurredAt:-1}` for replay.
-* `concelier.export_state` `{_id(exportKind), baseExportId?, baseDigest?, lastFullDigest?, lastDeltaDigest?, cursor, files[]}`
-* `locks` `{_id(jobKey), holder, acquiredAt, heartbeatAt, leaseMs, ttlAt}` (TTL cleans dead locks)
-* `jobs` `{_id, type, args, state, startedAt, heartbeatAt, endedAt, error}`
-
-**Legacy collections** (`advisory`, `alias`, `affected`, `reference`, `merge_event`) remain read-only during the migration window to support back-compat exports. New code must not write to them; scheduled cleanup removes them after Link-Not-Merge GA.
-
-**GridFS buckets**: `fs.documents` for raw payloads (immutable); `fs.exports` for historical JSON/Trivy archives.
-
----
-
-## 7) Exporters
-
-### 7.1 Deterministic JSON (vuln‑list style)
-
-* Folder structure mirroring `////…` with one JSON per advisory; deterministic ordering, stable timestamps, normalized whitespace.
-* `manifest.json` lists all files with SHA‑256 and a top‑level **export digest**.
-
-### 7.2 Trivy DB exporter
-
-* Builds Bolt DB archives compatible with Trivy; supports **full** and **delta** modes.
-* In delta, unchanged blobs are reused from the base; metadata captures:
-
- ```json
- {
- "mode": "delta|full",
- "baseExportId": "...",
- "baseManifestDigest": "sha256:...",
- "changed": ["path1", "path2"],
- "removed": ["path3"]
- }
- ```
-* Optional ORAS push (OCI layout) for registries.
-* Offline kit bundles include Trivy DB + JSON tree + export manifest.
-* Mirror-ready bundles: when `concelier.trivy.mirror` defines domains, the exporter emits `mirror/index.json` plus per-domain `manifest.json`, `metadata.json`, and `db.tar.gz` files with SHA-256 digests so Concelier mirrors can expose domain-scoped download endpoints.
-* Concelier.WebService serves `/concelier/exports/index.json` and `/concelier/exports/mirror/{domain}/…` directly from the export tree with hour-long budgets (index: 60 s, bundles: 300 s, immutable) and per-domain rate limiting; the endpoints honour Stella Ops Authority or CIDR bypass lists depending on mirror topology.
-
-### 7.3 Hand‑off to Signer/Attestor (optional)
-
-* On export completion, if `attest: true` is set in job args, Concelier **posts** the artifact metadata to **Signer**/**Attestor**; Concelier itself **does not** hold signing keys.
-* Export record stores returned `{ uuid, index, url }` from **Rekor v2**.
-
----
-
-## 8) REST APIs
-
-All under `/api/v1/concelier`.
-
-**Health & status**
-
-```
-GET /healthz | /readyz
-GET /status → sources, last runs, export cursors
-```
-
-**Sources & jobs**
-
-```
-GET /sources → list of configured sources
-POST /sources/{name}/trigger → { jobId }
-POST /sources/{name}/pause | /resume → toggle
-GET /jobs/{id} → job status
-```
-
-**Exports**
-
-```
-POST /exports/json { full?:bool, force?:bool, attest?:bool } → { exportId, digest, rekor? }
-POST /exports/trivy { full?:bool, force?:bool, publish?:bool, attest?:bool } → { exportId, digest, rekor? }
-GET /exports/{id} → export metadata (kind, digest, createdAt, rekor?)
-GET /concelier/exports/index.json → mirror index describing available domains/bundles
-GET /concelier/exports/mirror/{domain}/manifest.json
-GET /concelier/exports/mirror/{domain}/bundle.json
-GET /concelier/exports/mirror/{domain}/bundle.json.jws
-```
-
-**Search (operator debugging)**
-
-```
-GET /advisories/{key}
-GET /advisories?scheme=CVE&value=CVE-2025-12345
-GET /affected?productKey=pkg:rpm/openssl&limit=100
-```
-
-**AuthN/Z:** Authority tokens (OpTok) with roles: `concelier.read`, `concelier.admin`, `concelier.export`.
-
----
-
-## 9) Configuration (YAML)
-
-```yaml
-concelier:
- mongo: { uri: "mongodb://mongo/concelier" }
- s3:
- endpoint: "http://minio:9000"
- bucket: "stellaops-concelier"
- scheduler:
- windowSeconds: 30
- maxParallelSources: 4
- sources:
- - name: redhat
- kind: csaf
- baseUrl: https://access.redhat.com/security/data/csaf/v2/
- signature: { type: pgp, keys: [ "…redhat PGP…" ] }
- enabled: true
- windowDays: 7
- - name: suse
- kind: csaf
- baseUrl: https://ftp.suse.com/pub/projects/security/csaf/
- signature: { type: pgp, keys: [ "…suse PGP…" ] }
- - name: ubuntu
- kind: usn-json
- baseUrl: https://ubuntu.com/security/notices.json
- signature: { type: none }
- - name: osv
- kind: osv
- baseUrl: https://api.osv.dev/v1/
- signature: { type: none }
- - name: ghsa
- kind: ghsa
- baseUrl: https://api.github.com/graphql
- auth: { tokenRef: "env:GITHUB_TOKEN" }
- exporters:
- json:
- enabled: true
- output: s3://stellaops-concelier/json/
- trivy:
- enabled: true
- mode: full
- output: s3://stellaops-concelier/trivy/
- oras:
- enabled: false
- repo: ghcr.io/org/concelier
- precedence:
- vendorWinsOverDistro: true
- distroWinsOverOsv: true
- severity:
- policy: max # or 'vendorPreferred' / 'distroPreferred'
-```
-
----
-
-## 10) Security & compliance
-
-* **Outbound allowlist** per connector (domains, protocols); proxy support; TLS pinning where possible.
-* **Signature verification** for raw docs (PGP/cosign/x509) with results stored in `document.metadata.sig`. Docs failing verification may still be ingested but flagged; Policy Engine or downstream policy can down-weight them.
-* **No secrets in logs**; auth material via `env:` or mounted files; HTTP redaction of `Authorization` headers.
-* **Multi‑tenant**: per‑tenant DBs or prefixes; per‑tenant S3 prefixes; tenant‑scoped API tokens.
-* **Determinism**: canonical JSON writer; export digests stable across runs given same inputs.
-
----
-
-## 11) Performance targets & scale
-
-* **Ingest**: ≥ 5k documents/min on 4 cores (CSAF/OpenVEX/JSON).
-* **Normalize/map**: ≥ 50k observation statements/min on 4 cores.
-* **Observation write**: ≤ 5 ms P95 per document (including guard + Mongo write).
-* **Linkset build**: ≤ 15 ms P95 per `(vulnerabilityId, productKey)` update, even with 20+ contributing observations.
-* **Export**: 1M advisories JSON in ≤ 90 s (streamed, zstd), Trivy DB in ≤ 60 s on 8 cores.
-* **Memory**: hard cap per job; chunked streaming writers; backpressure to avoid GC spikes.
-
-**Scale pattern**: add Concelier replicas; Mongo scaling via indices and read/write concerns; GridFS only for oversized docs.
-
----
-
-## 12) Observability
-
-* **Metrics**
-
- * `concelier.fetch.docs_total{source}`
- * `concelier.fetch.bytes_total{source}`
- * `concelier.parse.failures_total{source}`
- * `concelier.map.statements_total{source}`
- * `concelier.observations.write_total{result=ok|noop|error}`
- * `concelier.linksets.updated_total{result=ok|skip|error}`
- * `concelier.linksets.conflicts_total{type}`
- * `concelier.export.bytes{kind}`
- * `concelier.export.duration_seconds{kind}`
-* **Tracing** around fetch/parse/map/observe/linkset/export.
-* **Logs**: structured with `source`, `uri`, `docDigest`, `advisoryKey`, `exportId`.
-
----
-
-## 13) Testing matrix
-
-* **Connectors:** fixture suites for each provider/format (happy path; malformed; signature fail).
-* **Version semantics:** EVR vs dpkg vs semver edge cases (epoch bumps, tilde versions, pre‑releases).
-* **Linkset correlation:** multi-source conflicts (severity, range, alias) produce deterministic conflict payloads; ensure confidence scoring stable.
-* **Export determinism:** byte‑for‑byte stable outputs across runs; digest equality.
-* **Performance:** soak tests with 1M advisories; cap memory; verify backpressure.
-* **API:** pagination, filters, RBAC, error envelopes (RFC 7807).
-* **Offline kit:** bundle build & import correctness.
-
----
-
-## 14) Failure modes & recovery
-
-* **Source outages:** scheduler backs off with exponential delay; `source_state.backoffUntil`; alerts on staleness.
-* **Schema drifts:** parse stage marks DTO invalid; job fails with clear diagnostics; connector version flags track supported schema ranges.
-* **Partial exports:** exporters write to temp prefix; **manifest commit** is atomic; only then move to final prefix and update `export_state`.
-* **Resume:** all stages idempotent; `source_state.cursor` supports window resume.
-
----
-
-## 15) Operator runbook (quick)
-
-* **Trigger all sources:** `POST /api/v1/concelier/sources/*/trigger`
-* **Force full export JSON:** `POST /api/v1/concelier/exports/json { "full": true, "force": true }`
-* **Force Trivy DB delta publish:** `POST /api/v1/concelier/exports/trivy { "full": false, "publish": true }`
-* **Inspect observation:** `GET /api/v1/concelier/observations/{observationId}`
-* **Query linkset:** `GET /api/v1/concelier/linksets?vulnerabilityId=CVE-2025-12345&productKey=pkg:rpm/redhat/openssl`
-* **Pause noisy source:** `POST /api/v1/concelier/sources/osv/pause`
-
----
-
-## 16) Rollout plan
-
-1. **MVP**: Red Hat (CSAF), SUSE (CSAF), Ubuntu (USN JSON), OSV; JSON export.
-2. **Add**: GHSA GraphQL, Debian (DSA HTML/JSON), Alpine secdb; Trivy DB export.
-3. **Attestation hand‑off**: integrate with **Signer/Attestor** (optional).
-4. **Scale & diagnostics**: provider dashboards, staleness alerts, export cache reuse.
-5. **Offline kit**: end‑to‑end verified bundles for air‑gap.
+# component_architecture_concelier.md — **Stella Ops Concelier** (Sprint 22)
+
+> **Scope.** Implementation-ready architecture for **Concelier**: the advisory ingestion and Link-Not-Merge (LNM) observation pipeline that produces deterministic raw observations, correlation linksets, and evidence events consumed by Policy Engine, Console, CLI, and Export centers. Covers domain models, connectors, observation/linkset builders, storage schema, events, APIs, performance, security, and test matrices.
+
+---
+
+## 0) Mission & boundaries
+
+**Mission.** Acquire authoritative **vulnerability advisories** (vendor PSIRTs, distros, OSS ecosystems, CERTs), persist them as immutable **observations** under the Aggregation-Only Contract (AOC), construct **linksets** that correlate observations without merging or precedence, and export deterministic evidence bundles (JSON, Trivy DB, Offline Kit) for downstream policy evaluation and operator tooling.
+
+**Boundaries.**
+
+* Concelier **does not** sign with private keys. When attestation is required, the export artifact is handed to the **Signer**/**Attestor** pipeline (out‑of‑process).
+* Concelier **does not** decide PASS/FAIL; it provides data to the **Policy** engine.
+* Online operation is **allowlist‑only**; air‑gapped deployments use the **Offline Kit**.
+
+---
+
+## 1) Topology & processes
+
+**Process shape:** single ASP.NET Core service `StellaOps.Concelier.WebService` hosting:
+
+* **Scheduler** with distributed locks (Mongo backed).
+* **Connectors** (fetch/parse/map) that emit immutable observation candidates.
+* **Observation writer** enforcing AOC invariants via `AOCWriteGuard`.
+* **Linkset builder** that correlates observations into `advisory_linksets` and annotates conflicts.
+* **Event publisher** emitting `advisory.observation.updated` and `advisory.linkset.updated` messages.
+* **Exporters** (JSON, Trivy DB, Offline Kit slices) fed from observation/linkset stores.
+* **Minimal REST** for health/status/trigger/export and observation/linkset reads.
+
+**Scale:** HA by running N replicas; **locks** prevent overlapping jobs per source/exporter.
+
+---
+
+## 2) Canonical domain model
+
+> Stored in MongoDB (database `concelier`), serialized with a **canonical JSON** writer (stable order, camelCase, normalized timestamps).
+
+### 2.1 Core entities
+
+#### AdvisoryObservation
+
+```jsonc
+observationId // deterministic id: {tenant}:{source.vendor}:{upstreamId}:{revision}
+tenant // issuing tenant (lower-case)
+source{
+ vendor, stream, api, collectorVersion
+}
+upstream{
+ upstreamId, documentVersion, fetchedAt, receivedAt,
+ contentHash, signature{present, format?, keyId?, signature?}
+}
+content{
+ format, specVersion, raw, metadata?
+}
+identifiers{
+ cve?, ghsa?, vendorIds[], aliases[]
+}
+linkset{
+ purls[], cpes[], aliases[], references[{type,url}],
+ reconciledFrom[]
+}
+createdAt // when Concelier recorded the observation
+attributes // optional provenance metadata (batch ids, ingest cursor)
+```jsonc
+
+#### AdvisoryLinkset
+
+```jsonc
+linksetId // sha256 over sorted (tenant, product/vuln tuple, observation ids)
+tenant
+key{
+ vulnerabilityId,
+ productKey,
+ confidence // low|medium|high
+}
+observations[] = [
+ {
+ observationId,
+ sourceVendor,
+ statement{
+ status?, severity?, references?, notes?
+ },
+ collectedAt
+ }
+]
+aliases{
+ primary,
+ others[]
+}
+purls[]
+cpes[]
+conflicts[]? // see AdvisoryLinksetConflict
+createdAt
+updatedAt
+```jsonc
+
+#### AdvisoryLinksetConflict
+
+```jsonc
+conflictId // deterministic hash
+type // severity-mismatch | affected-range-divergence | reference-clash | alias-inconsistency | metadata-gap
+field? // optional JSON pointer (e.g., /statement/severity/vector)
+observations[] // per-source values contributing to the conflict
+confidence // low|medium|high (heuristic weight)
+detectedAt
+```jsonc
+
+#### ObservationEvent / LinksetEvent
+
+```jsonc
+eventId // ULID
+tenant
+type // advisory.observation.updated | advisory.linkset.updated
+key{
+ observationId? // on observation event
+ linksetId? // on linkset event
+ vulnerabilityId?,
+ productKey?
+}
+delta{
+ added[], removed[], changed[] // normalized summary for consumers
+}
+hash // canonical hash of serialized delta payload
+occurredAt
+```jsonc
+
+#### ExportState
+
+```jsonc
+exportKind // json | trivydb
+baseExportId? // last full baseline
+baseDigest? // digest of last full baseline
+lastFullDigest? // digest of last full export
+lastDeltaDigest? // digest of last delta export
+cursor // per-kind incremental cursor
+files[] // last manifest snapshot (path → sha256)
+```jsonc
+
+Legacy `Advisory`, `Affected`, and merge-centric entities remain in the repository for historical exports and replay but are being phased out as Link-Not-Merge takes over. New code paths must interact with `AdvisoryObservation` / `AdvisoryLinkset` exclusively and emit conflicts through the structured payloads described above.
+
+### 2.2 Product identity (`productKey`)
+
+* **Primary:** `purl` (Package URL).
+* **OS packages:** RPM (NEVRA→purl:rpm), DEB (dpkg→purl:deb), APK (apk→purl:alpine), with **EVR/NVRA** preserved.
+* **Secondary:** `cpe` retained for compatibility; advisory records may carry both.
+* **Image/platform:** `oci:/@` for image‑level advisories (rare).
+* **Unmappable:** if a source is non‑deterministic, keep native string under `productKey="native::"` and mark **non‑joinable**.
+
+---
+
+## 3) Source families & precedence
+
+### 3.1 Families
+
+* **Vendor PSIRTs**: Microsoft, Oracle, Cisco, Adobe, Apple, VMware, Chromium…
+* **Linux distros**: Red Hat, SUSE, Ubuntu, Debian, Alpine…
+* **OSS ecosystems**: OSV, GHSA (GitHub Security Advisories), PyPI, npm, Maven, NuGet, Go.
+* **CERTs / national CSIRTs**: CISA (KEV, ICS), JVN, ACSC, CCCS, KISA, CERT‑FR/BUND, etc.
+
+### 3.2 Precedence (when claims conflict)
+
+1. **Vendor PSIRT** (authoritative for their product).
+2. **Distro** (authoritative for packages they ship, including backports).
+3. **Ecosystem** (OSV/GHSA) for library semantics.
+4. **CERTs/aggregators** for enrichment (KEV/known exploited).
+
+> Precedence affects **Affected** ranges and **fixed** info; **severity** is normalized to the **maximum** credible severity unless policy overrides. Conflicts are retained with **source provenance**.
+
+---
+
+## 4) Connectors & normalization
+
+### 4.1 Connector contract
+
+```csharp
+public interface IFeedConnector {
+ string SourceName { get; }
+ Task FetchAsync(IServiceProvider sp, CancellationToken ct); // -> document collection
+ Task ParseAsync(IServiceProvider sp, CancellationToken ct); // -> dto collection (validated)
+ Task MapAsync(IServiceProvider sp, CancellationToken ct); // -> advisory/alias/affected/reference
+}
+```jsonc
+
+* **Fetch**: windowed (cursor), conditional GET (ETag/Last‑Modified), retry/backoff, rate limiting.
+* **Parse**: schema validation (JSON Schema, XSD/CSAF), content type checks; write **DTO** with normalized casing.
+* **Map**: build canonical records; all outputs carry **provenance** (doc digest, URI, anchors).
+
+### 4.2 Version range normalization
+
+* **SemVer** ecosystems (npm, pypi, maven, nuget, golang): normalize to `introduced`/`fixed` semver ranges (use `~`, `^`, `<`, `>=` canonicalized to intervals).
+* **RPM EVR**: `epoch:version-release` with `rpmvercmp` semantics; store raw EVR strings and also **computed order keys** for query.
+* **DEB**: dpkg version comparison semantics mirrored; store computed keys.
+* **APK**: Alpine version semantics; compute order keys.
+* **Generic**: if provider uses text, retain raw; do **not** invent ranges.
+
+### 4.3 Severity & CVSS
+
+* Normalize **CVSS v2/v3/v4** where available (vector, baseScore, severity).
+* If multiple CVSS sources exist, track them all; **effective severity** defaults to **max** by policy (configurable).
+* **ExploitKnown** toggled by KEV and equivalent sources; store **evidence** (source, date).
+
+---
+
+## 5) Observation & linkset pipeline
+
+> **Goal:** deterministically ingest raw documents into immutable observations, correlate them into evidence-rich linksets, and broadcast changes without precedence or mutation.
+
+### 5.1 Observation flow
+
+1. **Connector fetch/parse/map** — connectors download upstream payloads, validate signatures, and map to DTOs (identifiers, references, raw payload, provenance).
+2. **AOC guard** — `AOCWriteGuard` verifies forbidden keys, provenance completeness, tenant claims, timestamp normalization, and content hash idempotency. Violations raise `ERR_AOC_00x` mapped to structured logs and metrics.
+3. **Append-only write** — observations insert into `advisory_observations`; duplicates by `(tenant, source.vendor, upstream.upstreamId, upstream.contentHash)` become no-ops; new content for same upstream id creates a supersedes chain.
+4. **Change feed + event** — Mongo change streams trigger `advisory.observation.updated@1` events with deterministic payloads (IDs, hash, supersedes pointer, linkset summary). Policy Engine, Offline Kit builder, and guard dashboards subscribe.
+
+### 5.2 Linkset correlation
+
+1. **Queue** — observation deltas enqueue correlation jobs keyed by `(tenant, vulnerabilityId, productKey)` candidates derived from identifiers + alias graph.
+2. **Canonical grouping** — builder resolves aliases using Concelier’s alias store and deterministic heuristics (vendor > distro > cert), deriving normalized product keys (purl preferred) and confidence scores.
+3. **Linkset materialization** — `advisory_linksets` documents store sorted observation references, alias sets, product keys, range metadata, and conflict payloads. Writes are idempotent; unchanged hashes skip updates.
+4. **Conflict detection** — builder emits structured conflicts (`severity-mismatch`, `affected-range-divergence`, `reference-clash`, `alias-inconsistency`, `metadata-gap`). Conflicts carry per-observation values for explainability.
+5. **Event emission** — `advisory.linkset.updated@1` summarizes deltas (`added`, `removed`, `changed` observation IDs, conflict updates, confidence changes) and includes a canonical hash for replay validation.
+
+### 5.3 Event contract
+
+| Event | Schema | Notes |
+|-------|--------|-------|
+| `advisory.observation.updated@1` | `events/advisory.observation.updated@1.json` | Fired on new or superseded observations. Includes `observationId`, source metadata, `linksetSummary` (aliases/purls), supersedes pointer (if any), SHA-256 hash, and `traceId`. |
+| `advisory.linkset.updated@1` | `events/advisory.linkset.updated@1.json` | Fired when correlation changes. Includes `linksetId`, `key{vulnerabilityId, productKey, confidence}`, observation deltas, conflicts, `updatedAt`, and canonical hash. |
+
+Events are emitted via NATS (primary) and Redis Stream (fallback). Consumers acknowledge idempotently using the hash; duplicates are safe. Offline Kit captures both topics during bundle creation for air-gapped replay.
+
+---
+
+## 6) Storage schema (MongoDB)
+
+### Collections & indexes (LNM path)
+
+* `concelier.sources` `{_id, type, baseUrl, enabled, notes}` — connector catalog.
+* `concelier.source_state` `{sourceName(unique), enabled, cursor, lastSuccess, backoffUntil, paceOverrides}` — run-state (TTL indexes on `backoffUntil`).
+* `concelier.documents` `{_id, sourceName, uri, fetchedAt, sha256, contentType, status, metadata, gridFsId?, etag?, lastModified?}` — raw payload registry.
+ * Indexes: `{sourceName:1, uri:1}` unique; `{fetchedAt:-1}` for recent fetches.
+* `concelier.dto` `{_id, sourceName, documentId, schemaVer, payload, validatedAt}` — normalized connector DTOs used for replay.
+ * Index: `{sourceName:1, documentId:1}`.
+* `concelier.advisory_observations`
+
+```
+{
+ _id: "tenant:vendor:upstreamId:revision",
+ tenant,
+ source: { vendor, stream, api, collectorVersion },
+ upstream: { upstreamId, documentVersion, fetchedAt, receivedAt, contentHash, signature },
+ content: { format, specVersion, raw, metadata? },
+ identifiers: { cve?, ghsa?, vendorIds[], aliases[] },
+ linkset: { purls[], cpes[], aliases[], references[], reconciledFrom[] },
+ supersedes?: "prevObservationId",
+ createdAt,
+ attributes?: object
+}
+```
+
+ * Indexes: `{tenant:1, upstream.upstreamId:1}`, `{tenant:1, source.vendor:1, linkset.purls:1}`, `{tenant:1, linkset.aliases:1}`, `{tenant:1, createdAt:-1}`.
+* `concelier.advisory_linksets`
+
+```
+{
+ _id: "sha256:...",
+ tenant,
+ key: { vulnerabilityId, productKey, confidence },
+ observations: [
+ { observationId, sourceVendor, statement, collectedAt }
+ ],
+ aliases: { primary, others: [] },
+ purls: [],
+ cpes: [],
+ conflicts: [],
+ createdAt,
+ updatedAt
+}
+```
+
+ * Indexes: `{tenant:1, key.vulnerabilityId:1, key.productKey:1}`, `{tenant:1, purls:1}`, `{tenant:1, aliases.primary:1}`, `{tenant:1, updatedAt:-1}`.
+* `concelier.advisory_events`
+
+```
+{
+ _id: ObjectId,
+ tenant,
+ type: "advisory.observation.updated" | "advisory.linkset.updated",
+ key,
+ delta,
+ hash,
+ occurredAt
+}
+```
+
+ * TTL index on `occurredAt` (configurable retention), `{type:1, occurredAt:-1}` for replay.
+* `concelier.export_state` `{_id(exportKind), baseExportId?, baseDigest?, lastFullDigest?, lastDeltaDigest?, cursor, files[]}`
+* `locks` `{_id(jobKey), holder, acquiredAt, heartbeatAt, leaseMs, ttlAt}` (TTL cleans dead locks)
+* `jobs` `{_id, type, args, state, startedAt, heartbeatAt, endedAt, error}`
+
+**Legacy collections** (`advisory`, `alias`, `affected`, `reference`, `merge_event`) remain read-only during the migration window to support back-compat exports. New code must not write to them; scheduled cleanup removes them after Link-Not-Merge GA.
+
+**GridFS buckets**: `fs.documents` for raw payloads (immutable); `fs.exports` for historical JSON/Trivy archives.
+
+---
+
+## 7) Exporters
+
+### 7.1 Deterministic JSON (vuln‑list style)
+
+* Folder structure mirroring `////…` with one JSON per advisory; deterministic ordering, stable timestamps, normalized whitespace.
+* `manifest.json` lists all files with SHA‑256 and a top‑level **export digest**.
+
+### 7.2 Trivy DB exporter
+
+* Builds Bolt DB archives compatible with Trivy; supports **full** and **delta** modes.
+* In delta, unchanged blobs are reused from the base; metadata captures:
+
+ ```json
+ {
+ "mode": "delta|full",
+ "baseExportId": "...",
+ "baseManifestDigest": "sha256:...",
+ "changed": ["path1", "path2"],
+ "removed": ["path3"]
+ }
+ ```
+* Optional ORAS push (OCI layout) for registries.
+* Offline kit bundles include Trivy DB + JSON tree + export manifest.
+* Mirror-ready bundles: when `concelier.trivy.mirror` defines domains, the exporter emits `mirror/index.json` plus per-domain `manifest.json`, `metadata.json`, and `db.tar.gz` files with SHA-256 digests so Concelier mirrors can expose domain-scoped download endpoints.
+* Concelier.WebService serves `/concelier/exports/index.json` and `/concelier/exports/mirror/{domain}/…` directly from the export tree with hour-long budgets (index: 60 s, bundles: 300 s, immutable) and per-domain rate limiting; the endpoints honour Stella Ops Authority or CIDR bypass lists depending on mirror topology.
+
+### 7.3 Hand‑off to Signer/Attestor (optional)
+
+* On export completion, if `attest: true` is set in job args, Concelier **posts** the artifact metadata to **Signer**/**Attestor**; Concelier itself **does not** hold signing keys.
+* Export record stores returned `{ uuid, index, url }` from **Rekor v2**.
+
+---
+
+## 8) REST APIs
+
+All under `/api/v1/concelier`.
+
+**Health & status**
+
+```
+GET /healthz | /readyz
+GET /status → sources, last runs, export cursors
+```
+
+**Sources & jobs**
+
+```
+GET /sources → list of configured sources
+POST /sources/{name}/trigger → { jobId }
+POST /sources/{name}/pause | /resume → toggle
+GET /jobs/{id} → job status
+```
+
+**Exports**
+
+```
+POST /exports/json { full?:bool, force?:bool, attest?:bool } → { exportId, digest, rekor? }
+POST /exports/trivy { full?:bool, force?:bool, publish?:bool, attest?:bool } → { exportId, digest, rekor? }
+GET /exports/{id} → export metadata (kind, digest, createdAt, rekor?)
+GET /concelier/exports/index.json → mirror index describing available domains/bundles
+GET /concelier/exports/mirror/{domain}/manifest.json
+GET /concelier/exports/mirror/{domain}/bundle.json
+GET /concelier/exports/mirror/{domain}/bundle.json.jws
+```
+
+**Search (operator debugging)**
+
+```
+GET /advisories/{key}
+GET /advisories?scheme=CVE&value=CVE-2025-12345
+GET /affected?productKey=pkg:rpm/openssl&limit=100
+```
+
+**AuthN/Z:** Authority tokens (OpTok) with roles: `concelier.read`, `concelier.admin`, `concelier.export`.
+
+---
+
+## 9) Configuration (YAML)
+
+```yaml
+concelier:
+ mongo: { uri: "mongodb://mongo/concelier" }
+ s3:
+ endpoint: "http://minio:9000"
+ bucket: "stellaops-concelier"
+ scheduler:
+ windowSeconds: 30
+ maxParallelSources: 4
+ sources:
+ - name: redhat
+ kind: csaf
+ baseUrl: https://access.redhat.com/security/data/csaf/v2/
+ signature: { type: pgp, keys: [ "…redhat PGP…" ] }
+ enabled: true
+ windowDays: 7
+ - name: suse
+ kind: csaf
+ baseUrl: https://ftp.suse.com/pub/projects/security/csaf/
+ signature: { type: pgp, keys: [ "…suse PGP…" ] }
+ - name: ubuntu
+ kind: usn-json
+ baseUrl: https://ubuntu.com/security/notices.json
+ signature: { type: none }
+ - name: osv
+ kind: osv
+ baseUrl: https://api.osv.dev/v1/
+ signature: { type: none }
+ - name: ghsa
+ kind: ghsa
+ baseUrl: https://api.github.com/graphql
+ auth: { tokenRef: "env:GITHUB_TOKEN" }
+ exporters:
+ json:
+ enabled: true
+ output: s3://stellaops-concelier/json/
+ trivy:
+ enabled: true
+ mode: full
+ output: s3://stellaops-concelier/trivy/
+ oras:
+ enabled: false
+ repo: ghcr.io/org/concelier
+ precedence:
+ vendorWinsOverDistro: true
+ distroWinsOverOsv: true
+ severity:
+ policy: max # or 'vendorPreferred' / 'distroPreferred'
+```
+
+---
+
+## 10) Security & compliance
+
+* **Outbound allowlist** per connector (domains, protocols); proxy support; TLS pinning where possible.
+* **Signature verification** for raw docs (PGP/cosign/x509) with results stored in `document.metadata.sig`. Docs failing verification may still be ingested but flagged; Policy Engine or downstream policy can down-weight them.
+* **No secrets in logs**; auth material via `env:` or mounted files; HTTP redaction of `Authorization` headers.
+* **Multi‑tenant**: per‑tenant DBs or prefixes; per‑tenant S3 prefixes; tenant‑scoped API tokens.
+* **Determinism**: canonical JSON writer; export digests stable across runs given same inputs.
+
+---
+
+## 11) Performance targets & scale
+
+* **Ingest**: ≥ 5k documents/min on 4 cores (CSAF/OpenVEX/JSON).
+* **Normalize/map**: ≥ 50k observation statements/min on 4 cores.
+* **Observation write**: ≤ 5 ms P95 per document (including guard + Mongo write).
+* **Linkset build**: ≤ 15 ms P95 per `(vulnerabilityId, productKey)` update, even with 20+ contributing observations.
+* **Export**: 1M advisories JSON in ≤ 90 s (streamed, zstd), Trivy DB in ≤ 60 s on 8 cores.
+* **Memory**: hard cap per job; chunked streaming writers; backpressure to avoid GC spikes.
+
+**Scale pattern**: add Concelier replicas; Mongo scaling via indices and read/write concerns; GridFS only for oversized docs.
+
+---
+
+## 12) Observability
+
+* **Metrics**
+
+ * `concelier.fetch.docs_total{source}`
+ * `concelier.fetch.bytes_total{source}`
+ * `concelier.parse.failures_total{source}`
+ * `concelier.map.statements_total{source}`
+ * `concelier.observations.write_total{result=ok|noop|error}`
+ * `concelier.linksets.updated_total{result=ok|skip|error}`
+ * `concelier.linksets.conflicts_total{type}`
+ * `concelier.export.bytes{kind}`
+ * `concelier.export.duration_seconds{kind}`
+* **Tracing** around fetch/parse/map/observe/linkset/export.
+* **Logs**: structured with `source`, `uri`, `docDigest`, `advisoryKey`, `exportId`.
+
+---
+
+## 13) Testing matrix
+
+* **Connectors:** fixture suites for each provider/format (happy path; malformed; signature fail).
+* **Version semantics:** EVR vs dpkg vs semver edge cases (epoch bumps, tilde versions, pre‑releases).
+* **Linkset correlation:** multi-source conflicts (severity, range, alias) produce deterministic conflict payloads; ensure confidence scoring stable.
+* **Export determinism:** byte‑for‑byte stable outputs across runs; digest equality.
+* **Performance:** soak tests with 1M advisories; cap memory; verify backpressure.
+* **API:** pagination, filters, RBAC, error envelopes (RFC 7807).
+* **Offline kit:** bundle build & import correctness.
+
+---
+
+## 14) Failure modes & recovery
+
+* **Source outages:** scheduler backs off with exponential delay; `source_state.backoffUntil`; alerts on staleness.
+* **Schema drifts:** parse stage marks DTO invalid; job fails with clear diagnostics; connector version flags track supported schema ranges.
+* **Partial exports:** exporters write to temp prefix; **manifest commit** is atomic; only then move to final prefix and update `export_state`.
+* **Resume:** all stages idempotent; `source_state.cursor` supports window resume.
+
+---
+
+## 15) Operator runbook (quick)
+
+* **Trigger all sources:** `POST /api/v1/concelier/sources/*/trigger`
+* **Force full export JSON:** `POST /api/v1/concelier/exports/json { "full": true, "force": true }`
+* **Force Trivy DB delta publish:** `POST /api/v1/concelier/exports/trivy { "full": false, "publish": true }`
+* **Inspect observation:** `GET /api/v1/concelier/observations/{observationId}`
+* **Query linkset:** `GET /api/v1/concelier/linksets?vulnerabilityId=CVE-2025-12345&productKey=pkg:rpm/redhat/openssl`
+* **Pause noisy source:** `POST /api/v1/concelier/sources/osv/pause`
+
+---
+
+## 16) Rollout plan
+
+1. **MVP**: Red Hat (CSAF), SUSE (CSAF), Ubuntu (USN JSON), OSV; JSON export.
+2. **Add**: GHSA GraphQL, Debian (DSA HTML/JSON), Alpine secdb; Trivy DB export.
+3. **Attestation hand‑off**: integrate with **Signer/Attestor** (optional).
+4. **Scale & diagnostics**: provider dashboards, staleness alerts, export cache reuse.
+5. **Offline kit**: end‑to‑end verified bundles for air‑gap.
diff --git a/docs/ARCHITECTURE_DEVOPS.md b/docs/ARCHITECTURE_DEVOPS.md
index eddb74d0..2eb884a1 100644
--- a/docs/ARCHITECTURE_DEVOPS.md
+++ b/docs/ARCHITECTURE_DEVOPS.md
@@ -98,7 +98,7 @@ At startup, services **self‑advertise** their semver & channel; the UI surface
**Gating policy**:
* **Core images** (Authority, Scanner, Concelier, Excititor, Attestor, UI): public **read**.
-* **Enterprise add‑ons** (if any) and **pre‑release**: private repos via the **Registry Token Service** (`src/StellaOps.Registry.TokenService`) which exchanges Authority-issued OpToks for short-lived Docker registry bearer tokens.
+* **Enterprise add‑ons** (if any) and **pre‑release**: private repos via the **Registry Token Service** (`src/Registry/StellaOps.Registry.TokenService`) which exchanges Authority-issued OpToks for short-lived Docker registry bearer tokens.
> Monetization lever is **signing** (PoE gate), not image pulls, so the core remains simple to consume.
diff --git a/docs/ARCHITECTURE_SCANNER.md b/docs/ARCHITECTURE_SCANNER.md
index 8d9df7ed..3713850d 100644
--- a/docs/ARCHITECTURE_SCANNER.md
+++ b/docs/ARCHITECTURE_SCANNER.md
@@ -1,487 +1,487 @@
-# component_architecture_scanner.md — **Stella Ops Scanner** (2025Q4)
-
-> **Scope.** Implementation‑ready architecture for the **Scanner** subsystem: WebService, Workers, analyzers, SBOM assembly (inventory & usage), per‑layer caching, three‑way diffs, artifact catalog (RustFS default + Mongo, S3-compatible fallback), attestation hand‑off, and scale/security posture. This document is the contract between the scanning plane and everything else (Policy, Excititor, Concelier, UI, CLI).
-
----
-
-## 0) Mission & boundaries
-
-**Mission.** Produce **deterministic**, **explainable** SBOMs and diffs for container images and filesystems, quickly and repeatedly, without guessing. Emit two views: **Inventory** (everything present) and **Usage** (entrypoint closure + actually linked libs). Attach attestations through **Signer→Attestor→Rekor v2**.
-
-**Boundaries.**
-
-* Scanner **does not** produce PASS/FAIL. The backend (Policy + Excititor + Concelier) decides presentation and verdicts.
-* Scanner **does not** keep third‑party SBOM warehouses. It may **bind** to existing attestations for exact hashes.
-* Core analyzers are **deterministic** (no fuzzy identity). Optional heuristic plug‑ins (e.g., patch‑presence) run under explicit flags and never contaminate the core SBOM.
-
----
-
-## 1) Solution & project layout
-
-```
-src/
- ├─ StellaOps.Scanner.WebService/ # REST control plane, catalog, diff, exports
- ├─ StellaOps.Scanner.Worker/ # queue consumer; executes analyzers
- ├─ StellaOps.Scanner.Models/ # DTOs, evidence, graph nodes, CDX/SPDX adapters
- ├─ StellaOps.Scanner.Storage/ # Mongo repositories; RustFS object client (default) + S3 fallback; ILM/GC
- ├─ StellaOps.Scanner.Queue/ # queue abstraction (Redis/NATS/RabbitMQ)
- ├─ StellaOps.Scanner.Cache/ # layer cache; file CAS; bloom/bitmap indexes
- ├─ StellaOps.Scanner.EntryTrace/ # ENTRYPOINT/CMD → terminal program resolver (shell AST)
- ├─ StellaOps.Scanner.Analyzers.OS.[Apk|Dpkg|Rpm]/
- ├─ StellaOps.Scanner.Analyzers.Lang.[Java|Node|Python|Go|DotNet|Rust]/
- ├─ StellaOps.Scanner.Analyzers.Native.[ELF|PE|MachO]/ # PE/Mach-O planned (M2)
- ├─ StellaOps.Scanner.Emit.CDX/ # CycloneDX (JSON + Protobuf)
- ├─ StellaOps.Scanner.Emit.SPDX/ # SPDX 3.0.1 JSON
- ├─ StellaOps.Scanner.Diff/ # image→layer→component three‑way diff
- ├─ StellaOps.Scanner.Index/ # BOM‑Index sidecar (purls + roaring bitmaps)
- ├─ StellaOps.Scanner.Tests.* # unit/integration/e2e fixtures
- └─ tools/
- ├─ StellaOps.Scanner.Sbomer.BuildXPlugin/ # BuildKit generator (image referrer SBOMs)
- └─ StellaOps.Scanner.Sbomer.DockerImage/ # CLI‑driven scanner container
-```
-
-Analyzer assemblies and buildx generators are packaged as **restart-time plug-ins** under `plugins/scanner/**` with manifests; services must restart to activate new plug-ins.
-
-### 1.1 Queue backbone (Redis / NATS)
-
-`StellaOps.Scanner.Queue` exposes a transport-agnostic contract (`IScanQueue`/`IScanQueueLease`) used by the WebService producer and Worker consumers. Sprint 9 introduces two first-party transports:
-
-- **Redis Streams** (default). Uses consumer groups, deterministic idempotency keys (`scanner:jobs:idemp:*`), and supports lease claim (`XCLAIM`), renewal, exponential-backoff retries, and a `scanner:jobs:dead` stream for exhausted attempts.
-- **NATS JetStream**. Provisions the `SCANNER_JOBS` work-queue stream + durable consumer `scanner-workers`, publishes with `MsgId` for dedupe, applies backoff via `NAK` delays, and routes dead-lettered jobs to `SCANNER_JOBS_DEAD`.
-
-Metrics are emitted via `Meter` counters (`scanner_queue_enqueued_total`, `scanner_queue_retry_total`, `scanner_queue_deadletter_total`), and `ScannerQueueHealthCheck` pings the active backend (Redis `PING`, NATS `PING`). Configuration is bound from `scanner.queue`:
-
-```yaml
-scanner:
- queue:
- kind: redis # or nats
- redis:
- connectionString: "redis://queue:6379/0"
- streamName: "scanner:jobs"
- nats:
- url: "nats://queue:4222"
- stream: "SCANNER_JOBS"
- subject: "scanner.jobs"
- durableConsumer: "scanner-workers"
- deadLetterSubject: "scanner.jobs.dead"
- maxDeliveryAttempts: 5
- retryInitialBackoff: 00:00:05
- retryMaxBackoff: 00:02:00
-```
-
-The DI extension (`AddScannerQueue`) wires the selected transport, so future additions (e.g., RabbitMQ) only implement the same contract and register.
-
-**Runtime form‑factor:** two deployables
-
-* **Scanner.WebService** (stateless REST)
-* **Scanner.Worker** (N replicas; queue‑driven)
-
----
-
-## 2) External dependencies
-
-* **OCI registry** with **Referrers API** (discover attached SBOMs/signatures).
-* **RustFS** (default, offline-first) for SBOM artifacts; optional S3/MinIO compatibility retained for migration; **Object Lock** semantics emulated via retention headers; **ILM** for TTL.
-* **MongoDB** for catalog, job state, diffs, ILM rules.
-* **Queue** (Redis Streams/NATS/RabbitMQ).
-* **Authority** (on‑prem OIDC) for **OpToks** (DPoP/mTLS).
-* **Signer** + **Attestor** (+ **Fulcio/KMS** + **Rekor v2**) for DSSE + transparency.
-
----
-
-## 3) Contracts & data model
-
-### 3.1 Evidence‑first component model
-
-**Nodes**
-
-* `Image`, `Layer`, `File`
-* `Component` (`purl?`, `name`, `version?`, `type`, `id` — may be `bin:{sha256}`)
-* `Executable` (ELF/PE/Mach‑O), `Library` (native or managed), `EntryScript` (shell/launcher)
-
-**Edges** (all carry **Evidence**)
-
-* `contains(Image|Layer → File)`
-* `installs(PackageDB → Component)` (OS database row)
-* `declares(InstalledMetadata → Component)` (dist‑info, pom.properties, deps.json…)
-* `links_to(Executable → Library)` (ELF `DT_NEEDED`, PE imports)
-* `calls(EntryScript → Program)` (file:line from shell AST)
-* `attests(Rekor → Component|Image)` (SBOM/predicate binding)
-* `bound_from_attestation(Component_attested → Component_observed)` (hash equality proof)
-
-**Evidence**
-
-```
-{ source: enum, locator: (path|offset|line), sha256?, method: enum, timestamp }
-```
-
-No confidences. Either a fact is proven with listed mechanisms, or it is not claimed.
-
-### 3.2 Catalog schema (Mongo)
-
-* `artifacts`
-
- ```
- { _id, type: layer-bom|image-bom|diff|index,
- format: cdx-json|cdx-pb|spdx-json,
- bytesSha256, size, rekor: { uuid,index,url }?,
- ttlClass, immutable, refCount, createdAt }
- ```
-* `images { imageDigest, repo, tag?, arch, createdAt, lastSeen }`
-* `layers { layerDigest, mediaType, size, createdAt, lastSeen }`
-* `links { fromType, fromDigest, artifactId }` // image/layer -> artifact
-* `jobs { _id, kind, args, state, startedAt, heartbeatAt, endedAt, error }`
-* `lifecycleRules { ruleId, scope, ttlDays, retainIfReferenced, immutable }`
-
-### 3.3 Object store layout (RustFS)
-
-```
-layers//sbom.cdx.json.zst
-layers//sbom.spdx.json.zst
-images//inventory.cdx.pb # CycloneDX Protobuf
-images//usage.cdx.pb
-indexes//bom-index.bin # purls + roaring bitmaps
-diffs/_/diff.json.zst
-attest/.dsse.json # DSSE bundle (cert chain + Rekor proof)
-```
-
-RustFS exposes a deterministic HTTP API (`PUT|GET|DELETE /api/v1/buckets/{bucket}/objects/{key}`).
-Scanner clients tag immutable uploads with `X-RustFS-Immutable: true` and, when retention applies,
-`X-RustFS-Retain-Seconds: `. Additional headers can be injected via
-`scanner.artifactStore.headers` to support custom auth or proxy requirements. Legacy MinIO/S3
-deployments remain supported by setting `scanner.artifactStore.driver = "s3"` during phased
-migrations.
-
----
-
-## 4) REST API (Scanner.WebService)
-
-All under `/api/v1/scanner`. Auth: **OpTok** (DPoP/mTLS); RBAC scopes.
-
-```
-POST /scans { imageRef|digest, force?:bool } → { scanId }
-GET /scans/{id} → { status, imageDigest, artifacts[], rekor? }
-GET /sboms/{imageDigest} ?format=cdx-json|cdx-pb|spdx-json&view=inventory|usage → bytes
-GET /diff?old=&new=&view=inventory|usage → diff.json
-POST /exports { imageDigest, format, view, attest?:bool } → { artifactId, rekor? }
-POST /reports { imageDigest, policyRevision? } → { reportId, rekor? } # delegates to backend policy+vex
-GET /catalog/artifacts/{id} → { meta }
-GET /healthz | /readyz | /metrics
-```
-
-### Report events
-
-When `scanner.events.enabled = true`, the WebService serialises the signed report (canonical JSON + DSSE envelope) with `NotifyCanonicalJsonSerializer` and publishes two Redis Stream entries (`scanner.report.ready`, `scanner.scan.completed`) to the configured stream (default `stella.events`). The stream fields carry the whole envelope plus lightweight headers (`kind`, `tenant`, `ts`) so Notify and UI timelines can consume the event bus without recomputing signatures. Publish timeouts and bounded stream length are controlled via `scanner:events:publishTimeoutSeconds` and `scanner:events:maxStreamLength`. If the queue driver is already Redis and no explicit events DSN is provided, the host reuses the queue connection and auto-enables event emission so deployments get live envelopes without extra wiring. Compose/Helm bundles expose the same knobs via the `SCANNER__EVENTS__*` environment variables for quick tuning.
-
----
-
-## 5) Execution flow (Worker)
-
-### 5.1 Acquire & verify
-
-1. **Resolve image** (prefer `repo@sha256:…`).
-2. **(Optional) verify image signature** per policy (cosign).
-3. **Pull blobs**, compute layer digests; record metadata.
-
-### 5.2 Layer union FS
-
-* Apply whiteouts; materialize final filesystem; map **file → first introducing layer**.
-* Windows layers (MSI/SxS/GAC) planned in **M2**.
-
-### 5.3 Evidence harvest (parallel analyzers; deterministic only)
-
-**A) OS packages**
-
-* **apk**: `/lib/apk/db/installed`
-* **dpkg**: `/var/lib/dpkg/status`, `/var/lib/dpkg/info/*.list`
-* **rpm**: `/var/lib/rpm/Packages` (via librpm or parser)
-* Record `name`, `version` (epoch/revision), `arch`, source package where present, and **declared file lists**.
-
-> **Data flow note:** Each OS analyzer now writes its canonical output into the shared `ScanAnalysisStore` under
-> `analysis.os.packages` (raw results), `analysis.os.fragments` (per-analyzer layer fragments), and contributes to
-> `analysis.layers.fragments` (the aggregated view consumed by emit/diff pipelines). Helpers in
-> `ScanAnalysisCompositionBuilder` convert these fragments into SBOM composition requests and component graphs so the
-> diff/emit stages no longer reach back into individual analyzer implementations.
-
-**B) Language ecosystems (installed state only)**
-
-* **Java**: `META-INF/maven/*/pom.properties`, MANIFEST → `pkg:maven/...`
-* **Node**: `node_modules/**/package.json` → `pkg:npm/...`
-* **Python**: `*.dist-info/{METADATA,RECORD}` → `pkg:pypi/...`
-* **Go**: Go **buildinfo** in binaries → `pkg:golang/...`
-* **.NET**: `*.deps.json` + assembly metadata → `pkg:nuget/...`
-* **Rust**: crates only when **explicitly present** (embedded metadata or cargo/registry traces); otherwise binaries reported as `bin:{sha256}`.
-
-> **Rule:** We only report components proven **on disk** with authoritative metadata. Lockfiles are evidence only.
-
-**C) Native link graph**
-
-* **ELF**: parse `PT_INTERP`, `DT_NEEDED`, RPATH/RUNPATH, **GNU symbol versions**; map **SONAMEs** to file paths; link executables → libs.
-* **PE/Mach‑O** (planned M2): import table, delay‑imports; version resources; code signatures.
-* Map libs back to **OS packages** if possible (via file lists); else emit `bin:{sha256}` components.
-* The exported metadata (`stellaops.os.*` properties, license list, source package) feeds policy scoring and export pipelines
- directly – Policy evaluates quiet rules against package provenance while Exporters forward the enriched fields into
- downstream JSON/Trivy payloads.
-
-**D) EntryTrace (ENTRYPOINT/CMD → terminal program)**
-
-* Read image config; parse shell (POSIX/Bash subset) with AST: `source`/`.` includes; `case/if`; `exec`/`command`; `run‑parts`.
-* Resolve commands via **PATH** within the **built rootfs**; follow language launchers (Java/Node/Python) to identify the terminal program (ELF/JAR/venv script).
-* Record **file:line** and choices for each hop; output chain graph.
-* Unresolvable dynamic constructs are recorded as **unknown** edges with reasons (e.g., `$FOO` unresolved).
-
-**E) Attestation & SBOM bind (optional)**
-
-* For each **file hash** or **binary hash**, query local cache of **Rekor v2** indices; if an SBOM attestation is found for **exact hash**, bind it to the component (origin=`attested`).
-* For the **image** digest, likewise bind SBOM attestations (build‑time referrers).
-
-### 5.4 Component normalization (exact only)
-
-* Create `Component` nodes only with deterministic identities: purl, or **`bin:{sha256}`** for unlabeled binaries.
-* Record **origin** (OS DB, installed metadata, linker, attestation).
-
-### 5.5 SBOM assembly & emit
-
-* **Per-layer SBOM fragments**: components introduced by the layer (+ relationships).
-* **Image SBOMs**: merge fragments; refer back to them via **CycloneDX BOM‑Link** (or SPDX ExternalRef).
-* Emit both **Inventory** & **Usage** views.
-* When the native analyzer reports an ELF `buildId`, attach it to component metadata and surface it as `stellaops:buildId` in CycloneDX properties (and diff metadata). This keeps SBOM/diff output in lockstep with runtime events and the debug-store manifest.
-* Serialize **CycloneDX JSON** and **CycloneDX Protobuf**; optionally **SPDX 3.0.1 JSON**.
-* Build **BOM‑Index** sidecar: purl table + roaring bitmap; flag `usedByEntrypoint` components for fast backend joins.
-
-The emitted `buildId` metadata is preserved in component hashes, diff payloads, and `/policy/runtime` responses so operators can pivot from SBOM entries → runtime events → `debug/.build-id//.debug` within the Offline Kit or release bundle.
-
-### 5.6 DSSE attestation (via Signer/Attestor)
-
-* WebService constructs **predicate** with `image_digest`, `stellaops_version`, `license_id`, `policy_digest?` (when emitting **final reports**), timestamps.
-* Calls **Signer** (requires **OpTok + PoE**); Signer verifies **entitlement + scanner image integrity** and returns **DSSE bundle**.
-* **Attestor** logs to **Rekor v2**; returns `{uuid,index,proof}` → stored in `artifacts.rekor`.
-
----
-
-## 6) Three‑way diff (image → layer → component)
-
-### 6.1 Keys & classification
-
-* Component key: **purl** when present; else `bin:{sha256}`.
-* Diff classes: `added`, `removed`, `version_changed` (`upgraded|downgraded`), `metadata_changed` (e.g., origin from attestation vs observed).
-* Layer attribution: for each change, resolve the **introducing/removing layer**.
-
-### 6.2 Algorithm (outline)
-
-```
-A = components(imageOld, key)
-B = components(imageNew, key)
-
-added = B \ A
-removed = A \ B
-changed = { k in A∩B : version(A[k]) != version(B[k]) || origin changed }
-
-for each item in added/removed/changed:
- layer = attribute_to_layer(item, imageOld|imageNew)
- usageFlag = usedByEntrypoint(item, imageNew)
-emit diff.json (grouped by layer with badges)
-```
-
-Diffs are stored as artifacts and feed **UI** and **CLI**.
-
----
-
-## 7) Build‑time SBOMs (fast CI path)
-
-**Scanner.Sbomer.BuildXPlugin** can act as a BuildKit **generator**:
-
-* During `docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer`, run analyzers on the build context/output; attach SBOMs as OCI **referrers** to the built image.
-* Optionally request **Signer/Attestor** to produce **Stella Ops‑verified** attestation immediately; else, Scanner.WebService can verify and re‑attest post‑push.
-* Scanner.WebService trusts build‑time SBOMs per policy, enabling **no‑rescan** for unchanged bases.
-
----
-
-## 8) Configuration (YAML)
-
-```yaml
-scanner:
- queue:
- kind: redis
- url: "redis://queue:6379/0"
- mongo:
- uri: "mongodb://mongo/scanner"
- s3:
- endpoint: "http://minio:9000"
- bucket: "stellaops"
- objectLock: "governance" # or 'compliance'
- analyzers:
- os: { apk: true, dpkg: true, rpm: true }
- lang: { java: true, node: true, python: true, go: true, dotnet: true, rust: true }
- native: { elf: true, pe: false, macho: false } # PE/Mach-O in M2
- entryTrace: { enabled: true, shellMaxDepth: 64, followRunParts: true }
- emit:
- cdx: { json: true, protobuf: true }
- spdx: { json: true }
- compress: "zstd"
- rekor:
- url: "https://rekor-v2.internal"
- signer:
- url: "https://signer.internal"
- limits:
- maxParallel: 8
- perRegistryConcurrency: 2
- policyHints:
- verifyImageSignature: false
- trustBuildTimeSboms: true
-```
-
----
-
-## 9) Scale & performance
-
-* **Parallelism**: per‑analyzer concurrency; bounded directory walkers; file CAS dedupe by sha256.
-* **Distributed locks** per **layer digest** to prevent duplicate work across Workers.
-* **Registry throttles**: per‑host concurrency budgets; exponential backoff on 429/5xx.
-* **Targets**:
-
- * **Build‑time**: P95 ≤ 3–5 s on warmed bases (CI generator).
- * **Post‑build delta**: P95 ≤ 10 s for 200 MB images with cache hit.
- * **Emit**: CycloneDX Protobuf ≤ 150 ms for 5k components; JSON ≤ 500 ms.
- * **Diff**: ≤ 200 ms for 5k vs 5k components.
-
----
-
-## 10) Security posture
-
-* **AuthN**: Authority‑issued short OpToks (DPoP/mTLS).
-* **AuthZ**: scopes (`scanner.scan`, `scanner.export`, `scanner.catalog.read`).
-* **mTLS** to **Signer**/**Attestor**; only **Signer** can sign.
-* **No network fetches** during analysis (except registry pulls and optional Rekor index reads).
-* **Sandboxing**: non‑root containers; read‑only FS; seccomp profiles; disable execution of scanned content.
-* **Release integrity**: all first‑party images are **cosign‑signed**; Workers/WebService self‑verify at startup.
-
----
-
-## 11) Observability & audit
-
-* **Metrics**:
-
- * `scanner.jobs_inflight`, `scanner.scan_latency_seconds`
- * `scanner.layer_cache_hits_total`, `scanner.file_cas_hits_total`
- * `scanner.artifact_bytes_total{format}`
- * `scanner.attestation_latency_seconds`, `scanner.rekor_failures_total`
- * `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` — increments whenever the Go analyzer falls back to heuristics (build-id or runtime markers). Grafana panel: `sum by (indicator) (rate(scanner_analyzer_golang_heuristic_total[5m]))`; alert when the rate is ≥ 1 for 15 minutes to highlight unexpected stripped binaries.
-* **Tracing**: spans for acquire→union→analyzers→compose→emit→sign→log.
-* **Audit logs**: DSSE requests log `license_id`, `image_digest`, `artifactSha256`, `policy_digest?`, Rekor UUID on success.
-
----
-
-## 12) Testing matrix
-
-* **Determinism:** given same image + analyzers → byte‑identical **CDX Protobuf**; JSON normalized.
-* **OS packages:** ground‑truth images per distro; compare to package DB.
-* **Lang ecosystems:** sample images per ecosystem (Java/Node/Python/Go/.NET/Rust) with installed metadata; negative tests w/ lockfile‑only.
-* **Native & EntryTrace:** ELF graph correctness; shell AST cases (includes, run‑parts, exec, case/if).
-* **Diff:** layer attribution against synthetic two‑image sequences.
-* **Performance:** cold vs warm cache; large `node_modules` and `site‑packages`.
-* **Security:** ensure no code execution from image; fuzz parser inputs; path traversal resistance on layer extract.
-
----
-
-## 13) Failure modes & degradations
-
-* **Missing OS DB** (files exist, DB removed): record **files**; do **not** fabricate package components; emit `bin:{sha256}` where unavoidable; flag in evidence.
-* **Unreadable metadata** (corrupt dist‑info): record file evidence; skip component creation; annotate.
-* **Dynamic shell constructs**: mark unresolved edges with reasons (env var unknown) and continue; **Usage** view may be partial.
-* **Registry rate limits**: honor backoff; queue job retries with jitter.
-* **Signer refusal** (license/plan/version): scan completes; artifact produced; **no attestation**; WebService marks result as **unverified**.
-
----
-
-## 14) Optional plug‑ins (off by default)
-
-* **Patch‑presence detector** (signature‑based backport checks). Reads curated function‑level signatures from advisories; inspects binaries for patched code snippets to lower false‑positives for backported fixes. Runs as a sidecar analyzer that **annotates** components; never overrides core identities.
-* **Runtime probes** (with Zastava): when allowed, compare **/proc//maps** (DSOs actually loaded) with static **Usage** view for precision.
-
----
-
-## 15) DevOps & operations
-
-* **HA**: WebService horizontal scale; Workers autoscale by queue depth & CPU; distributed locks on layers.
-* **Retention**: ILM rules per artifact class (`short`, `default`, `compliance`); **Object Lock** for compliance artifacts (reports, signed SBOMs).
-* **Upgrades**: bump **cache schema** when analyzer outputs change; WebService triggers refresh of dependent artifacts.
-* **Backups**: Mongo (daily dumps); RustFS snapshots (filesystem-level rsync/ZFS) or S3 versioning when legacy driver enabled; Rekor v2 DB snapshots.
-
----
-
-## 16) CLI & UI touch points
-
-* **CLI**: `stellaops scan ][`, `stellaops diff --old --new`, `stellaops export`, `stellaops verify attestation `.
-* **UI**: Scan detail shows **Inventory/Usage** toggles, **Diff by Layer**, **Attestation badge** (verified/unverified), Rekor link, and **EntryTrace** chain with file:line breadcrumbs.
-
----
-
-## 17) Roadmap (Scanner)
-
-* **M2**: Windows containers (MSI/SxS/GAC analyzers), PE/Mach‑O native analyzer, deeper Rust metadata.
-* **M2**: Buildx generator GA (certified external registries), cross‑registry trust policies.
-* **M3**: Patch‑presence plug‑in GA (opt‑in), cross‑image corpus clustering (evidence‑only; not identity).
-* **M3**: Advanced EntryTrace (POSIX shell features breadth, busybox detection).
-
----
-
-### Appendix A — EntryTrace resolution (pseudo)
-
-```csharp
-ResolveEntrypoint(ImageConfig cfg, RootFs fs):
- cmd = Normalize(cfg.ENTRYPOINT, cfg.CMD)
- stack = [ Script(cmd, path=FindOnPath(cmd[0], fs)) ]
- visited = set()
-
- while stack not empty and depth < MAX:
- cur = stack.pop()
- if cur in visited: continue
- visited.add(cur)
-
- if IsShellScript(cur.path):
- ast = ParseShell(cur.path)
- foreach directive in ast:
- if directive is Source include:
- p = ResolveInclude(include.path, cur.env, fs)
- stack.push(Script(p))
- if directive is Exec call:
- p = ResolveExec(call.argv[0], cur.env, fs)
- stack.push(Program(p, argv=call.argv))
- if directive is Interpreter (python -m / node / java -jar):
- term = ResolveInterpreterTarget(call, fs)
- stack.push(Program(term))
- else:
- return Terminal(cur.path)
-
- return Unknown(reason)
-```
-
-### Appendix A.1 — EntryTrace Explainability
-
-EntryTrace emits structured diagnostics and metrics so operators can quickly understand why resolution succeeded or degraded:
-
-| Reason | Description | Typical Mitigation |
-|--------|-------------|--------------------|
-| `CommandNotFound` | A command referenced in the script cannot be located in the layered root filesystem or `PATH`. | Ensure binaries exist in the image or extend `PATH` hints. |
-| `MissingFile` | `source`/`.`/`run-parts` targets are missing. | Bundle the script or guard the include. |
-| `DynamicEnvironmentReference` | Path depends on `$VARS` that are unknown at scan time. | Provide defaults via scan metadata or accept partial usage. |
-| `RecursionLimitReached` | Nested includes exceeded the analyzer depth limit (default 64). | Flatten indirection or increase the limit in options. |
-| `RunPartsEmpty` | `run-parts` directory contained no executable entries. | Remove empty directories or ignore if intentional. |
-| `JarNotFound` / `ModuleNotFound` | Java/Python targets missing, preventing interpreter tracing. | Ship the jar/module with the image or adjust the launcher. |
-
-Diagnostics drive two metrics published by `EntryTraceMetrics`:
-
-- `entrytrace_resolutions_total{outcome}` — resolution attempts segmented by outcome (`resolved`, `partiallyresolved`, `unresolved`).
-- `entrytrace_unresolved_total{reason}` — diagnostic counts keyed by reason.
-
-Structured logs include `entrytrace.path`, `entrytrace.command`, `entrytrace.reason`, and `entrytrace.depth`, all correlated with scan/job IDs. Timestamps are normalized to UTC (microsecond precision) to keep DSSE attestations and UI traces explainable.
-
-### Appendix B — BOM‑Index sidecar
-
-```
-struct Header { magic, version, imageDigest, createdAt }
-vector purls
-map components
-optional map usedByEntrypoint
-```
+# component_architecture_scanner.md — **Stella Ops Scanner** (2025Q4)
+
+> **Scope.** Implementation‑ready architecture for the **Scanner** subsystem: WebService, Workers, analyzers, SBOM assembly (inventory & usage), per‑layer caching, three‑way diffs, artifact catalog (RustFS default + Mongo, S3-compatible fallback), attestation hand‑off, and scale/security posture. This document is the contract between the scanning plane and everything else (Policy, Excititor, Concelier, UI, CLI).
+
+---
+
+## 0) Mission & boundaries
+
+**Mission.** Produce **deterministic**, **explainable** SBOMs and diffs for container images and filesystems, quickly and repeatedly, without guessing. Emit two views: **Inventory** (everything present) and **Usage** (entrypoint closure + actually linked libs). Attach attestations through **Signer→Attestor→Rekor v2**.
+
+**Boundaries.**
+
+* Scanner **does not** produce PASS/FAIL. The backend (Policy + Excititor + Concelier) decides presentation and verdicts.
+* Scanner **does not** keep third‑party SBOM warehouses. It may **bind** to existing attestations for exact hashes.
+* Core analyzers are **deterministic** (no fuzzy identity). Optional heuristic plug‑ins (e.g., patch‑presence) run under explicit flags and never contaminate the core SBOM.
+
+---
+
+## 1) Solution & project layout
+
+```
+src/
+ ├─ StellaOps.Scanner.WebService/ # REST control plane, catalog, diff, exports
+ ├─ StellaOps.Scanner.Worker/ # queue consumer; executes analyzers
+ ├─ StellaOps.Scanner.Models/ # DTOs, evidence, graph nodes, CDX/SPDX adapters
+ ├─ StellaOps.Scanner.Storage/ # Mongo repositories; RustFS object client (default) + S3 fallback; ILM/GC
+ ├─ StellaOps.Scanner.Queue/ # queue abstraction (Redis/NATS/RabbitMQ)
+ ├─ StellaOps.Scanner.Cache/ # layer cache; file CAS; bloom/bitmap indexes
+ ├─ StellaOps.Scanner.EntryTrace/ # ENTRYPOINT/CMD → terminal program resolver (shell AST)
+ ├─ StellaOps.Scanner.Analyzers.OS.[Apk|Dpkg|Rpm]/
+ ├─ StellaOps.Scanner.Analyzers.Lang.[Java|Node|Python|Go|DotNet|Rust]/
+ ├─ StellaOps.Scanner.Analyzers.Native.[ELF|PE|MachO]/ # PE/Mach-O planned (M2)
+ ├─ StellaOps.Scanner.Emit.CDX/ # CycloneDX (JSON + Protobuf)
+ ├─ StellaOps.Scanner.Emit.SPDX/ # SPDX 3.0.1 JSON
+ ├─ StellaOps.Scanner.Diff/ # image→layer→component three‑way diff
+ ├─ StellaOps.Scanner.Index/ # BOM‑Index sidecar (purls + roaring bitmaps)
+ ├─ StellaOps.Scanner.Tests.* # unit/integration/e2e fixtures
+ └─ tools/
+ ├─ StellaOps.Scanner.Sbomer.BuildXPlugin/ # BuildKit generator (image referrer SBOMs)
+ └─ StellaOps.Scanner.Sbomer.DockerImage/ # CLI‑driven scanner container
+```
+
+Analyzer assemblies and buildx generators are packaged as **restart-time plug-ins** under `plugins/scanner/**` with manifests; services must restart to activate new plug-ins.
+
+### 1.1 Queue backbone (Redis / NATS)
+
+`StellaOps.Scanner.Queue` exposes a transport-agnostic contract (`IScanQueue`/`IScanQueueLease`) used by the WebService producer and Worker consumers. Sprint 9 introduces two first-party transports:
+
+- **Redis Streams** (default). Uses consumer groups, deterministic idempotency keys (`scanner:jobs:idemp:*`), and supports lease claim (`XCLAIM`), renewal, exponential-backoff retries, and a `scanner:jobs:dead` stream for exhausted attempts.
+- **NATS JetStream**. Provisions the `SCANNER_JOBS` work-queue stream + durable consumer `scanner-workers`, publishes with `MsgId` for dedupe, applies backoff via `NAK` delays, and routes dead-lettered jobs to `SCANNER_JOBS_DEAD`.
+
+Metrics are emitted via `Meter` counters (`scanner_queue_enqueued_total`, `scanner_queue_retry_total`, `scanner_queue_deadletter_total`), and `ScannerQueueHealthCheck` pings the active backend (Redis `PING`, NATS `PING`). Configuration is bound from `scanner.queue`:
+
+```yaml
+scanner:
+ queue:
+ kind: redis # or nats
+ redis:
+ connectionString: "redis://queue:6379/0"
+ streamName: "scanner:jobs"
+ nats:
+ url: "nats://queue:4222"
+ stream: "SCANNER_JOBS"
+ subject: "scanner.jobs"
+ durableConsumer: "scanner-workers"
+ deadLetterSubject: "scanner.jobs.dead"
+ maxDeliveryAttempts: 5
+ retryInitialBackoff: 00:00:05
+ retryMaxBackoff: 00:02:00
+```
+
+The DI extension (`AddScannerQueue`) wires the selected transport, so future additions (e.g., RabbitMQ) only implement the same contract and register.
+
+**Runtime form‑factor:** two deployables
+
+* **Scanner.WebService** (stateless REST)
+* **Scanner.Worker** (N replicas; queue‑driven)
+
+---
+
+## 2) External dependencies
+
+* **OCI registry** with **Referrers API** (discover attached SBOMs/signatures).
+* **RustFS** (default, offline-first) for SBOM artifacts; optional S3/MinIO compatibility retained for migration; **Object Lock** semantics emulated via retention headers; **ILM** for TTL.
+* **MongoDB** for catalog, job state, diffs, ILM rules.
+* **Queue** (Redis Streams/NATS/RabbitMQ).
+* **Authority** (on‑prem OIDC) for **OpToks** (DPoP/mTLS).
+* **Signer** + **Attestor** (+ **Fulcio/KMS** + **Rekor v2**) for DSSE + transparency.
+
+---
+
+## 3) Contracts & data model
+
+### 3.1 Evidence‑first component model
+
+**Nodes**
+
+* `Image`, `Layer`, `File`
+* `Component` (`purl?`, `name`, `version?`, `type`, `id` — may be `bin:{sha256}`)
+* `Executable` (ELF/PE/Mach‑O), `Library` (native or managed), `EntryScript` (shell/launcher)
+
+**Edges** (all carry **Evidence**)
+
+* `contains(Image|Layer → File)`
+* `installs(PackageDB → Component)` (OS database row)
+* `declares(InstalledMetadata → Component)` (dist‑info, pom.properties, deps.json…)
+* `links_to(Executable → Library)` (ELF `DT_NEEDED`, PE imports)
+* `calls(EntryScript → Program)` (file:line from shell AST)
+* `attests(Rekor → Component|Image)` (SBOM/predicate binding)
+* `bound_from_attestation(Component_attested → Component_observed)` (hash equality proof)
+
+**Evidence**
+
+```
+{ source: enum, locator: (path|offset|line), sha256?, method: enum, timestamp }
+```
+
+No confidences. Either a fact is proven with listed mechanisms, or it is not claimed.
+
+### 3.2 Catalog schema (Mongo)
+
+* `artifacts`
+
+ ```
+ { _id, type: layer-bom|image-bom|diff|index,
+ format: cdx-json|cdx-pb|spdx-json,
+ bytesSha256, size, rekor: { uuid,index,url }?,
+ ttlClass, immutable, refCount, createdAt }
+ ```
+* `images { imageDigest, repo, tag?, arch, createdAt, lastSeen }`
+* `layers { layerDigest, mediaType, size, createdAt, lastSeen }`
+* `links { fromType, fromDigest, artifactId }` // image/layer -> artifact
+* `jobs { _id, kind, args, state, startedAt, heartbeatAt, endedAt, error }`
+* `lifecycleRules { ruleId, scope, ttlDays, retainIfReferenced, immutable }`
+
+### 3.3 Object store layout (RustFS)
+
+```
+layers//sbom.cdx.json.zst
+layers//sbom.spdx.json.zst
+images//inventory.cdx.pb # CycloneDX Protobuf
+images//usage.cdx.pb
+indexes//bom-index.bin # purls + roaring bitmaps
+diffs/_/diff.json.zst
+attest/.dsse.json # DSSE bundle (cert chain + Rekor proof)
+```
+
+RustFS exposes a deterministic HTTP API (`PUT|GET|DELETE /api/v1/buckets/{bucket}/objects/{key}`).
+Scanner clients tag immutable uploads with `X-RustFS-Immutable: true` and, when retention applies,
+`X-RustFS-Retain-Seconds: `. Additional headers can be injected via
+`scanner.artifactStore.headers` to support custom auth or proxy requirements. Legacy MinIO/S3
+deployments remain supported by setting `scanner.artifactStore.driver = "s3"` during phased
+migrations.
+
+---
+
+## 4) REST API (Scanner.WebService)
+
+All under `/api/v1/scanner`. Auth: **OpTok** (DPoP/mTLS); RBAC scopes.
+
+```
+POST /scans { imageRef|digest, force?:bool } → { scanId }
+GET /scans/{id} → { status, imageDigest, artifacts[], rekor? }
+GET /sboms/{imageDigest} ?format=cdx-json|cdx-pb|spdx-json&view=inventory|usage → bytes
+GET /diff?old=&new=&view=inventory|usage → diff.json
+POST /exports { imageDigest, format, view, attest?:bool } → { artifactId, rekor? }
+POST /reports { imageDigest, policyRevision? } → { reportId, rekor? } # delegates to backend policy+vex
+GET /catalog/artifacts/{id} → { meta }
+GET /healthz | /readyz | /metrics
+```
+
+### Report events
+
+When `scanner.events.enabled = true`, the WebService serialises the signed report (canonical JSON + DSSE envelope) with `NotifyCanonicalJsonSerializer` and publishes two Redis Stream entries (`scanner.report.ready`, `scanner.scan.completed`) to the configured stream (default `stella.events`). The stream fields carry the whole envelope plus lightweight headers (`kind`, `tenant`, `ts`) so Notify and UI timelines can consume the event bus without recomputing signatures. Publish timeouts and bounded stream length are controlled via `scanner:events:publishTimeoutSeconds` and `scanner:events:maxStreamLength`. If the queue driver is already Redis and no explicit events DSN is provided, the host reuses the queue connection and auto-enables event emission so deployments get live envelopes without extra wiring. Compose/Helm bundles expose the same knobs via the `SCANNER__EVENTS__*` environment variables for quick tuning.
+
+---
+
+## 5) Execution flow (Worker)
+
+### 5.1 Acquire & verify
+
+1. **Resolve image** (prefer `repo@sha256:…`).
+2. **(Optional) verify image signature** per policy (cosign).
+3. **Pull blobs**, compute layer digests; record metadata.
+
+### 5.2 Layer union FS
+
+* Apply whiteouts; materialize final filesystem; map **file → first introducing layer**.
+* Windows layers (MSI/SxS/GAC) planned in **M2**.
+
+### 5.3 Evidence harvest (parallel analyzers; deterministic only)
+
+**A) OS packages**
+
+* **apk**: `/lib/apk/db/installed`
+* **dpkg**: `/var/lib/dpkg/status`, `/var/lib/dpkg/info/*.list`
+* **rpm**: `/var/lib/rpm/Packages` (via librpm or parser)
+* Record `name`, `version` (epoch/revision), `arch`, source package where present, and **declared file lists**.
+
+> **Data flow note:** Each OS analyzer now writes its canonical output into the shared `ScanAnalysisStore` under
+> `analysis.os.packages` (raw results), `analysis.os.fragments` (per-analyzer layer fragments), and contributes to
+> `analysis.layers.fragments` (the aggregated view consumed by emit/diff pipelines). Helpers in
+> `ScanAnalysisCompositionBuilder` convert these fragments into SBOM composition requests and component graphs so the
+> diff/emit stages no longer reach back into individual analyzer implementations.
+
+**B) Language ecosystems (installed state only)**
+
+* **Java**: `META-INF/maven/*/pom.properties`, MANIFEST → `pkg:maven/...`
+* **Node**: `node_modules/**/package.json` → `pkg:npm/...`
+* **Python**: `*.dist-info/{METADATA,RECORD}` → `pkg:pypi/...`
+* **Go**: Go **buildinfo** in binaries → `pkg:golang/...`
+* **.NET**: `*.deps.json` + assembly metadata → `pkg:nuget/...`
+* **Rust**: crates only when **explicitly present** (embedded metadata or cargo/registry traces); otherwise binaries reported as `bin:{sha256}`.
+
+> **Rule:** We only report components proven **on disk** with authoritative metadata. Lockfiles are evidence only.
+
+**C) Native link graph**
+
+* **ELF**: parse `PT_INTERP`, `DT_NEEDED`, RPATH/RUNPATH, **GNU symbol versions**; map **SONAMEs** to file paths; link executables → libs.
+* **PE/Mach‑O** (planned M2): import table, delay‑imports; version resources; code signatures.
+* Map libs back to **OS packages** if possible (via file lists); else emit `bin:{sha256}` components.
+* The exported metadata (`stellaops.os.*` properties, license list, source package) feeds policy scoring and export pipelines
+ directly – Policy evaluates quiet rules against package provenance while Exporters forward the enriched fields into
+ downstream JSON/Trivy payloads.
+
+**D) EntryTrace (ENTRYPOINT/CMD → terminal program)**
+
+* Read image config; parse shell (POSIX/Bash subset) with AST: `source`/`.` includes; `case/if`; `exec`/`command`; `run‑parts`.
+* Resolve commands via **PATH** within the **built rootfs**; follow language launchers (Java/Node/Python) to identify the terminal program (ELF/JAR/venv script).
+* Record **file:line** and choices for each hop; output chain graph.
+* Unresolvable dynamic constructs are recorded as **unknown** edges with reasons (e.g., `$FOO` unresolved).
+
+**E) Attestation & SBOM bind (optional)**
+
+* For each **file hash** or **binary hash**, query local cache of **Rekor v2** indices; if an SBOM attestation is found for **exact hash**, bind it to the component (origin=`attested`).
+* For the **image** digest, likewise bind SBOM attestations (build‑time referrers).
+
+### 5.4 Component normalization (exact only)
+
+* Create `Component` nodes only with deterministic identities: purl, or **`bin:{sha256}`** for unlabeled binaries.
+* Record **origin** (OS DB, installed metadata, linker, attestation).
+
+### 5.5 SBOM assembly & emit
+
+* **Per-layer SBOM fragments**: components introduced by the layer (+ relationships).
+* **Image SBOMs**: merge fragments; refer back to them via **CycloneDX BOM‑Link** (or SPDX ExternalRef).
+* Emit both **Inventory** & **Usage** views.
+* When the native analyzer reports an ELF `buildId`, attach it to component metadata and surface it as `stellaops:buildId` in CycloneDX properties (and diff metadata). This keeps SBOM/diff output in lockstep with runtime events and the debug-store manifest.
+* Serialize **CycloneDX JSON** and **CycloneDX Protobuf**; optionally **SPDX 3.0.1 JSON**.
+* Build **BOM‑Index** sidecar: purl table + roaring bitmap; flag `usedByEntrypoint` components for fast backend joins.
+
+The emitted `buildId` metadata is preserved in component hashes, diff payloads, and `/policy/runtime` responses so operators can pivot from SBOM entries → runtime events → `debug/.build-id//.debug` within the Offline Kit or release bundle.
+
+### 5.6 DSSE attestation (via Signer/Attestor)
+
+* WebService constructs **predicate** with `image_digest`, `stellaops_version`, `license_id`, `policy_digest?` (when emitting **final reports**), timestamps.
+* Calls **Signer** (requires **OpTok + PoE**); Signer verifies **entitlement + scanner image integrity** and returns **DSSE bundle**.
+* **Attestor** logs to **Rekor v2**; returns `{uuid,index,proof}` → stored in `artifacts.rekor`.
+
+---
+
+## 6) Three‑way diff (image → layer → component)
+
+### 6.1 Keys & classification
+
+* Component key: **purl** when present; else `bin:{sha256}`.
+* Diff classes: `added`, `removed`, `version_changed` (`upgraded|downgraded`), `metadata_changed` (e.g., origin from attestation vs observed).
+* Layer attribution: for each change, resolve the **introducing/removing layer**.
+
+### 6.2 Algorithm (outline)
+
+```
+A = components(imageOld, key)
+B = components(imageNew, key)
+
+added = B \ A
+removed = A \ B
+changed = { k in A∩B : version(A[k]) != version(B[k]) || origin changed }
+
+for each item in added/removed/changed:
+ layer = attribute_to_layer(item, imageOld|imageNew)
+ usageFlag = usedByEntrypoint(item, imageNew)
+emit diff.json (grouped by layer with badges)
+```
+
+Diffs are stored as artifacts and feed **UI** and **CLI**.
+
+---
+
+## 7) Build‑time SBOMs (fast CI path)
+
+**Scanner.Sbomer.BuildXPlugin** can act as a BuildKit **generator**:
+
+* During `docker buildx build --attest=type=sbom,generator=stellaops/sbom-indexer`, run analyzers on the build context/output; attach SBOMs as OCI **referrers** to the built image.
+* Optionally request **Signer/Attestor** to produce **Stella Ops‑verified** attestation immediately; else, Scanner.WebService can verify and re‑attest post‑push.
+* Scanner.WebService trusts build‑time SBOMs per policy, enabling **no‑rescan** for unchanged bases.
+
+---
+
+## 8) Configuration (YAML)
+
+```yaml
+scanner:
+ queue:
+ kind: redis
+ url: "redis://queue:6379/0"
+ mongo:
+ uri: "mongodb://mongo/scanner"
+ s3:
+ endpoint: "http://minio:9000"
+ bucket: "stellaops"
+ objectLock: "governance" # or 'compliance'
+ analyzers:
+ os: { apk: true, dpkg: true, rpm: true }
+ lang: { java: true, node: true, python: true, go: true, dotnet: true, rust: true }
+ native: { elf: true, pe: false, macho: false } # PE/Mach-O in M2
+ entryTrace: { enabled: true, shellMaxDepth: 64, followRunParts: true }
+ emit:
+ cdx: { json: true, protobuf: true }
+ spdx: { json: true }
+ compress: "zstd"
+ rekor:
+ url: "https://rekor-v2.internal"
+ signer:
+ url: "https://signer.internal"
+ limits:
+ maxParallel: 8
+ perRegistryConcurrency: 2
+ policyHints:
+ verifyImageSignature: false
+ trustBuildTimeSboms: true
+```
+
+---
+
+## 9) Scale & performance
+
+* **Parallelism**: per‑analyzer concurrency; bounded directory walkers; file CAS dedupe by sha256.
+* **Distributed locks** per **layer digest** to prevent duplicate work across Workers.
+* **Registry throttles**: per‑host concurrency budgets; exponential backoff on 429/5xx.
+* **Targets**:
+
+ * **Build‑time**: P95 ≤ 3–5 s on warmed bases (CI generator).
+ * **Post‑build delta**: P95 ≤ 10 s for 200 MB images with cache hit.
+ * **Emit**: CycloneDX Protobuf ≤ 150 ms for 5k components; JSON ≤ 500 ms.
+ * **Diff**: ≤ 200 ms for 5k vs 5k components.
+
+---
+
+## 10) Security posture
+
+* **AuthN**: Authority‑issued short OpToks (DPoP/mTLS).
+* **AuthZ**: scopes (`scanner.scan`, `scanner.export`, `scanner.catalog.read`).
+* **mTLS** to **Signer**/**Attestor**; only **Signer** can sign.
+* **No network fetches** during analysis (except registry pulls and optional Rekor index reads).
+* **Sandboxing**: non‑root containers; read‑only FS; seccomp profiles; disable execution of scanned content.
+* **Release integrity**: all first‑party images are **cosign‑signed**; Workers/WebService self‑verify at startup.
+
+---
+
+## 11) Observability & audit
+
+* **Metrics**:
+
+ * `scanner.jobs_inflight`, `scanner.scan_latency_seconds`
+ * `scanner.layer_cache_hits_total`, `scanner.file_cas_hits_total`
+ * `scanner.artifact_bytes_total{format}`
+ * `scanner.attestation_latency_seconds`, `scanner.rekor_failures_total`
+ * `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` — increments whenever the Go analyzer falls back to heuristics (build-id or runtime markers). Grafana panel: `sum by (indicator) (rate(scanner_analyzer_golang_heuristic_total[5m]))`; alert when the rate is ≥ 1 for 15 minutes to highlight unexpected stripped binaries.
+* **Tracing**: spans for acquire→union→analyzers→compose→emit→sign→log.
+* **Audit logs**: DSSE requests log `license_id`, `image_digest`, `artifactSha256`, `policy_digest?`, Rekor UUID on success.
+
+---
+
+## 12) Testing matrix
+
+* **Determinism:** given same image + analyzers → byte‑identical **CDX Protobuf**; JSON normalized.
+* **OS packages:** ground‑truth images per distro; compare to package DB.
+* **Lang ecosystems:** sample images per ecosystem (Java/Node/Python/Go/.NET/Rust) with installed metadata; negative tests w/ lockfile‑only.
+* **Native & EntryTrace:** ELF graph correctness; shell AST cases (includes, run‑parts, exec, case/if).
+* **Diff:** layer attribution against synthetic two‑image sequences.
+* **Performance:** cold vs warm cache; large `node_modules` and `site‑packages`.
+* **Security:** ensure no code execution from image; fuzz parser inputs; path traversal resistance on layer extract.
+
+---
+
+## 13) Failure modes & degradations
+
+* **Missing OS DB** (files exist, DB removed): record **files**; do **not** fabricate package components; emit `bin:{sha256}` where unavoidable; flag in evidence.
+* **Unreadable metadata** (corrupt dist‑info): record file evidence; skip component creation; annotate.
+* **Dynamic shell constructs**: mark unresolved edges with reasons (env var unknown) and continue; **Usage** view may be partial.
+* **Registry rate limits**: honor backoff; queue job retries with jitter.
+* **Signer refusal** (license/plan/version): scan completes; artifact produced; **no attestation**; WebService marks result as **unverified**.
+
+---
+
+## 14) Optional plug‑ins (off by default)
+
+* **Patch‑presence detector** (signature‑based backport checks). Reads curated function‑level signatures from advisories; inspects binaries for patched code snippets to lower false‑positives for backported fixes. Runs as a sidecar analyzer that **annotates** components; never overrides core identities.
+* **Runtime probes** (with Zastava): when allowed, compare **/proc//maps** (DSOs actually loaded) with static **Usage** view for precision.
+
+---
+
+## 15) DevOps & operations
+
+* **HA**: WebService horizontal scale; Workers autoscale by queue depth & CPU; distributed locks on layers.
+* **Retention**: ILM rules per artifact class (`short`, `default`, `compliance`); **Object Lock** for compliance artifacts (reports, signed SBOMs).
+* **Upgrades**: bump **cache schema** when analyzer outputs change; WebService triggers refresh of dependent artifacts.
+* **Backups**: Mongo (daily dumps); RustFS snapshots (filesystem-level rsync/ZFS) or S3 versioning when legacy driver enabled; Rekor v2 DB snapshots.
+
+---
+
+## 16) CLI & UI touch points
+
+* **CLI**: `stellaops scan ][`, `stellaops diff --old --new`, `stellaops export`, `stellaops verify attestation `.
+* **UI**: Scan detail shows **Inventory/Usage** toggles, **Diff by Layer**, **Attestation badge** (verified/unverified), Rekor link, and **EntryTrace** chain with file:line breadcrumbs.
+
+---
+
+## 17) Roadmap (Scanner)
+
+* **M2**: Windows containers (MSI/SxS/GAC analyzers), PE/Mach‑O native analyzer, deeper Rust metadata.
+* **M2**: Buildx generator GA (certified external registries), cross‑registry trust policies.
+* **M3**: Patch‑presence plug‑in GA (opt‑in), cross‑image corpus clustering (evidence‑only; not identity).
+* **M3**: Advanced EntryTrace (POSIX shell features breadth, busybox detection).
+
+---
+
+### Appendix A — EntryTrace resolution (pseudo)
+
+```csharp
+ResolveEntrypoint(ImageConfig cfg, RootFs fs):
+ cmd = Normalize(cfg.ENTRYPOINT, cfg.CMD)
+ stack = [ Script(cmd, path=FindOnPath(cmd[0], fs)) ]
+ visited = set()
+
+ while stack not empty and depth < MAX:
+ cur = stack.pop()
+ if cur in visited: continue
+ visited.add(cur)
+
+ if IsShellScript(cur.path):
+ ast = ParseShell(cur.path)
+ foreach directive in ast:
+ if directive is Source include:
+ p = ResolveInclude(include.path, cur.env, fs)
+ stack.push(Script(p))
+ if directive is Exec call:
+ p = ResolveExec(call.argv[0], cur.env, fs)
+ stack.push(Program(p, argv=call.argv))
+ if directive is Interpreter (python -m / node / java -jar):
+ term = ResolveInterpreterTarget(call, fs)
+ stack.push(Program(term))
+ else:
+ return Terminal(cur.path)
+
+ return Unknown(reason)
+```
+
+### Appendix A.1 — EntryTrace Explainability
+
+EntryTrace emits structured diagnostics and metrics so operators can quickly understand why resolution succeeded or degraded:
+
+| Reason | Description | Typical Mitigation |
+|--------|-------------|--------------------|
+| `CommandNotFound` | A command referenced in the script cannot be located in the layered root filesystem or `PATH`. | Ensure binaries exist in the image or extend `PATH` hints. |
+| `MissingFile` | `source`/`.`/`run-parts` targets are missing. | Bundle the script or guard the include. |
+| `DynamicEnvironmentReference` | Path depends on `$VARS` that are unknown at scan time. | Provide defaults via scan metadata or accept partial usage. |
+| `RecursionLimitReached` | Nested includes exceeded the analyzer depth limit (default 64). | Flatten indirection or increase the limit in options. |
+| `RunPartsEmpty` | `run-parts` directory contained no executable entries. | Remove empty directories or ignore if intentional. |
+| `JarNotFound` / `ModuleNotFound` | Java/Python targets missing, preventing interpreter tracing. | Ship the jar/module with the image or adjust the launcher. |
+
+Diagnostics drive two metrics published by `EntryTraceMetrics`:
+
+- `entrytrace_resolutions_total{outcome}` — resolution attempts segmented by outcome (`resolved`, `partiallyresolved`, `unresolved`).
+- `entrytrace_unresolved_total{reason}` — diagnostic counts keyed by reason.
+
+Structured logs include `entrytrace.path`, `entrytrace.command`, `entrytrace.reason`, and `entrytrace.depth`, all correlated with scan/job IDs. Timestamps are normalized to UTC (microsecond precision) to keep DSSE attestations and UI traces explainable.
+
+### Appendix B — BOM‑Index sidecar
+
+```
+struct Header { magic, version, imageDigest, createdAt }
+vector purls
+map components
+optional map usedByEntrypoint
+```
diff --git a/docs/ARCHITECTURE_VEXER.md b/docs/ARCHITECTURE_VEXER.md
index 0ea54de5..7722fb19 100644
--- a/docs/ARCHITECTURE_VEXER.md
+++ b/docs/ARCHITECTURE_VEXER.md
@@ -1,463 +1,463 @@
-# component_architecture_vexer.md — **Stella Ops Vexer** (2025Q4)
-
-> **Scope.** This document specifies the **Vexer** service: its purpose, trust model, data structures, APIs, plug‑in contracts, storage schema, normalization/consensus algorithms, performance budgets, testing matrix, and how it integrates with Scanner, Policy, Feedser, and the attestation chain. It is implementation‑ready.
-
----
-
-## 0) Mission & role in the platform
-
-**Mission.** Convert heterogeneous **VEX** statements (OpenVEX, CSAF VEX, CycloneDX VEX; vendor/distro/platform sources) into **canonical, queryable claims**; compute **deterministic consensus** per *(vuln, product)*; preserve **conflicts with provenance**; publish **stable, attestable exports** that the backend uses to suppress non‑exploitable findings, prioritize remaining risk, and explain decisions.
-
-**Boundaries.**
-
-* Vexer **does not** decide PASS/FAIL. It supplies **evidence** (statuses + justifications + provenance weights).
-* Vexer preserves **conflicting claims** unchanged; consensus encodes how we would pick, but the raw set is always exportable.
-* VEX consumption is **backend‑only**: Scanner never applies VEX. The backend’s **Policy Engine** asks Vexer for status evidence and then decides what to show.
-
----
-
-## 1) Inputs, outputs & canonical domain
-
-### 1.1 Accepted input formats (ingest)
-
-* **OpenVEX** JSON documents (attested or raw).
-* **CSAF VEX** 2.x (vendor PSIRTs and distros commonly publish CSAF).
-* **CycloneDX VEX** 1.4+ (standalone VEX or embedded VEX blocks).
-* **OCI‑attached attestations** (VEX statements shipped as OCI referrers) — optional connectors.
-
-All connectors register **source metadata**: provider identity, trust tier, signature expectations (PGP/cosign/PKI), fetch windows, rate limits, and time anchors.
-
-### 1.2 Canonical model (normalized)
-
-Every incoming statement becomes a set of **VexClaim** records:
-
-```
-VexClaim
-- providerId // 'redhat', 'suse', 'ubuntu', 'github', 'vendorX'
-- vulnId // 'CVE-2025-12345', 'GHSA-xxxx', canonicalized
-- productKey // canonical product identity (see §2.2)
-- status // affected | not_affected | fixed | under_investigation
-- justification? // for 'not_affected'/'affected' where provided
-- introducedVersion? // semantics per provider (range or exact)
-- fixedVersion? // where provided (range or exact)
-- lastObserved // timestamp from source or fetch time
-- provenance // doc digest, signature status, fetch URI, line/offset anchors
-- evidence[] // raw source snippets for explainability
-- supersedes? // optional cross-doc chain (docDigest → docDigest)
-```
-
-### 1.3 Exports (consumption)
-
-* **VexConsensus** per `(vulnId, productKey)` with:
-
- * `rollupStatus` (after policy weights/justification gates),
- * `sources[]` (winning + losing claims with weights & reasons),
- * `policyRevisionId` (identifier of the Vexer policy used),
- * `consensusDigest` (stable SHA‑256 over canonical JSON).
-* **Raw claims** export for auditing (unchanged, with provenance).
-* **Provider snapshots** (per source, last N days) for operator debugging.
-* **Index** optimized for backend joins: `(productKey, vulnId) → (status, confidence, sourceSet)`.
-
-All exports are **deterministic**, and (optionally) **attested** via DSSE and logged to Rekor v2.
-
----
-
-## 2) Identity model — products & joins
-
-### 2.1 Vuln identity
-
-* Accepts **CVE**, **GHSA**, vendor IDs (MSRC, RHSA…), distro IDs (DSA/USN/RHSA…) — normalized to `vulnId` with alias sets.
-* **Alias graph** maintained (from Feedser) to map vendor/distro IDs → CVE (primary) and to **GHSA** where applicable.
-
-### 2.2 Product identity (`productKey`)
-
-* **Primary:** `purl` (Package URL).
-* **Secondary links:** `cpe`, **OS package NVRA/EVR**, NuGet/Maven/Golang identity, and **OS package name** when purl unavailable.
-* **Fallback:** `oci:/@` for image‑level VEX.
-* **Special cases:** kernel modules, firmware, platforms → provider‑specific mapping helpers (connector captures provider’s product taxonomy → canonical `productKey`).
-
-> Vexer does not invent identities. If a provider cannot be mapped to purl/CPE/NVRA deterministically, we keep the native **product string** and mark the claim as **non‑joinable**; the backend will ignore it unless a policy explicitly whitelists that provider mapping.
-
----
-
-## 3) Storage schema (MongoDB)
-
-Database: `vexer`
-
-### 3.1 Collections
-
-**`vex.providers`**
-
-```
-_id: providerId
-name, homepage, contact
-trustTier: enum {vendor, distro, platform, hub, attestation}
-signaturePolicy: { type: pgp|cosign|x509|none, keys[], certs[], cosignKeylessRoots[] }
-fetch: { baseUrl, kind: http|oci|file, rateLimit, etagSupport, windowDays }
-enabled: bool
-createdAt, modifiedAt
-```
-
-**`vex.raw`** (immutable raw documents)
-
-```
-_id: sha256(doc bytes)
-providerId
-uri
-ingestedAt
-contentType
-sig: { verified: bool, method: pgp|cosign|x509|none, keyId|certSubject, bundle? }
-payload: GridFS pointer (if large)
-disposition: kept|replaced|superseded
-correlation: { replaces?: sha256, replacedBy?: sha256 }
-```
-
-**`vex.claims`** (normalized rows; dedupe on providerId+vulnId+productKey+docDigest)
-
-```
-_id
-providerId
-vulnId
-productKey
-status
-justification?
-introducedVersion?
-fixedVersion?
-lastObserved
-docDigest
-provenance { uri, line?, pointer?, signatureState }
-evidence[] { key, value, locator }
-indices:
- - {vulnId:1, productKey:1}
- - {providerId:1, lastObserved:-1}
- - {status:1}
- - text index (optional) on evidence.value for debugging
-```
-
-**`vex.consensus`** (rollups)
-
-```
-_id: sha256(canonical(vulnId, productKey, policyRevision))
-vulnId
-productKey
-rollupStatus
-sources[]: [
- { providerId, status, justification?, weight, lastObserved, accepted:bool, reason }
-]
-policyRevisionId
-evaluatedAt
-consensusDigest // same as _id
-indices:
- - {vulnId:1, productKey:1}
- - {policyRevisionId:1, evaluatedAt:-1}
-```
-
-**`vex.exports`** (manifest of emitted artifacts)
-
-```
-_id
-querySignature
-format: raw|consensus|index
-artifactSha256
-rekor { uuid, index, url }?
-createdAt
-policyRevisionId
-cacheable: bool
-```
-
-**`vex.cache`**
-
-```
-querySignature -> exportId (for fast reuse)
-ttl, hits
-```
-
-**`vex.migrations`**
-
-* ordered migrations applied at bootstrap to ensure indexes.
-
-### 3.2 Indexing strategy
-
-* Hot path queries use exact `(vulnId, productKey)` and time‑bounded windows; compound indexes cover both.
-* Providers list view by `lastObserved` for monitoring staleness.
-* `vex.consensus` keyed by `(vulnId, productKey, policyRevision)` for deterministic reuse.
-
----
-
-## 4) Ingestion pipeline
-
-### 4.1 Connector contract
-
-```csharp
-public interface IVexConnector
-{
- string ProviderId { get; }
- Task FetchAsync(VexConnectorContext ctx, CancellationToken ct); // raw docs
- Task NormalizeAsync(VexConnectorContext ctx, CancellationToken ct); // raw -> VexClaim[]
-}
-```
-
-* **Fetch** must implement: window scheduling, conditional GET (ETag/If‑Modified‑Since), rate limiting, retry/backoff.
-* **Normalize** parses the format, validates schema, maps product identities deterministically, emits `VexClaim` records with **provenance**.
-
-### 4.2 Signature verification (per provider)
-
-* **cosign (keyless or keyful)** for OCI referrers or HTTP‑served JSON with Sigstore bundles.
-* **PGP** (provider keyrings) for distro/vendor feeds that sign docs.
-* **x509** (mutual TLS / provider‑pinned certs) where applicable.
-* Signature state is stored on **vex.raw.sig** and copied into **provenance.signatureState** on claims.
-
-> Claims from sources failing signature policy are marked `"signatureState.verified=false"` and **policy** can down‑weight or ignore them.
-
-### 4.3 Time discipline
-
-* For each doc, prefer **provider’s document timestamp**; if absent, use fetch time.
-* Claims carry `lastObserved` which drives **tie‑breaking** within equal weight tiers.
-
----
-
-## 5) Normalization: product & status semantics
-
-### 5.1 Product mapping
-
-* **purl** first; **cpe** second; OS package NVRA/EVR mapping helpers (distro connectors) produce purls via canonical tables (e.g., rpm→purl:rpm, deb→purl:deb).
-* Where a provider publishes **platform‑level** VEX (e.g., “RHEL 9 not affected”), connectors expand to known product inventory rules (e.g., map to sets of packages/components shipped in the platform). Expansion tables are versioned and kept per provider; every expansion emits **evidence** indicating the rule applied.
-* If expansion would be speculative, the claim remains **platform‑scoped** with `productKey="platform:redhat:rhel:9"` and is flagged **non‑joinable**; backend can decide to use platform VEX only when Scanner proves the platform runtime.
-
-### 5.2 Status + justification mapping
-
-* Canonical **status**: `affected | not_affected | fixed | under_investigation`.
-* **Justifications** normalized to a controlled vocabulary (CISA‑aligned), e.g.:
-
- * `component_not_present`
- * `vulnerable_code_not_in_execute_path`
- * `vulnerable_configuration_unused`
- * `inline_mitigation_applied`
- * `fix_available` (with `fixedVersion`)
- * `under_investigation`
-* Providers with free‑text justifications are mapped by deterministic tables; raw text preserved as `evidence`.
-
----
-
-## 6) Consensus algorithm
-
-**Goal:** produce a **stable**, explainable `rollupStatus` per `(vulnId, productKey)` given possibly conflicting claims.
-
-### 6.1 Inputs
-
-* Set **S** of `VexClaim` for the key.
-* **Vexer policy snapshot**:
-
- * **weights** per provider tier and per provider overrides.
- * **justification gates** (e.g., require justification for `not_affected` to be acceptable).
- * **minEvidence** rules (e.g., `not_affected` must come from ≥1 vendor or 2 distros).
- * **signature requirements** (e.g., require verified signature for ‘fixed’ to be considered).
-
-### 6.2 Steps
-
-1. **Filter invalid** claims by signature policy & justification gates → set `S'`.
-2. **Score** each claim:
- `score = weight(provider) * freshnessFactor(lastObserved)` where freshnessFactor ∈ [0.8, 1.0] for staleness decay (configurable; small effect).
-3. **Aggregate** scores per status: `W(status) = Σ score(claims with that status)`.
-4. **Pick** `rollupStatus = argmax_status W(status)`.
-5. **Tie‑breakers** (in order):
-
- * Higher **max single** provider score wins (vendor > distro > platform > hub).
- * More **recent** lastObserved wins.
- * Deterministic lexicographic order of status (`fixed` > `not_affected` > `under_investigation` > `affected`) as final tiebreaker.
-6. **Explain**: mark accepted sources (`accepted=true; reason="weight"`/`"freshness"`), mark rejected sources with explicit `reason` (`"insufficient_justification"`, `"signature_unverified"`, `"lower_weight"`).
-
-> The algorithm is **pure** given S and policy snapshot; result is reproducible and hashed into `consensusDigest`.
-
----
-
-## 7) Query & export APIs
-
-All endpoints are versioned under `/api/v1/vex`.
-
-### 7.1 Query (online)
-
-```
-POST /claims/search
- body: { vulnIds?: string[], productKeys?: string[], providers?: string[], since?: timestamp, limit?: int, pageToken?: string }
- → { claims[], nextPageToken? }
-
-POST /consensus/search
- body: { vulnIds?: string[], productKeys?: string[], policyRevisionId?: string, since?: timestamp, limit?: int, pageToken?: string }
- → { entries[], nextPageToken? }
-
-POST /excititor/resolve (scope: vex.read)
- body: { productKeys?: string[], purls?: string[], vulnerabilityIds: string[], policyRevisionId?: string }
- → { policy, resolvedAt, results: [ { vulnerabilityId, productKey, status, sources[], conflicts[], decisions[], signals?, summary?, envelope: { artifact, contentSignature?, attestation?, attestationEnvelope?, attestationSignature? } } ] }
-```
-
-### 7.2 Exports (cacheable snapshots)
-
-```
-POST /exports
- body: { signature: { vulnFilter?, productFilter?, providers?, since? }, format: raw|consensus|index, policyRevisionId?: string, force?: bool }
- → { exportId, artifactSha256, rekor? }
-
-GET /exports/{exportId} → bytes (application/json or binary index)
-GET /exports/{exportId}/meta → { signature, policyRevisionId, createdAt, artifactSha256, rekor? }
-```
-
-### 7.3 Provider operations
-
-```
-GET /providers → provider list & signature policy
-POST /providers/{id}/refresh → trigger fetch/normalize window
-GET /providers/{id}/status → last fetch, doc counts, signature stats
-```
-
-**Auth:** service‑to‑service via Authority tokens; operator operations via UI/CLI with RBAC.
-
----
-
-## 8) Attestation integration
-
-* Exports can be **DSSE‑signed** via **Signer** and logged to **Rekor v2** via **Attestor** (optional but recommended for regulated pipelines).
-* `vex.exports.rekor` stores `{uuid, index, url}` when present.
-* **Predicate type**: `https://stella-ops.org/attestations/vex-export/1` with fields:
-
- * `querySignature`, `policyRevisionId`, `artifactSha256`, `createdAt`.
-
----
-
-## 9) Configuration (YAML)
-
-```yaml
-vexer:
- mongo: { uri: "mongodb://mongo/vexer" }
- s3:
- endpoint: http://minio:9000
- bucket: stellaops
- policy:
- weights:
- vendor: 1.0
- distro: 0.9
- platform: 0.7
- hub: 0.5
- attestation: 0.6
- providerOverrides:
- redhat: 1.0
- suse: 0.95
- requireJustificationForNotAffected: true
- signatureRequiredForFixed: true
- minEvidence:
- not_affected:
- vendorOrTwoDistros: true
- connectors:
- - providerId: redhat
- kind: csaf
- baseUrl: https://access.redhat.com/security/data/csaf/v2/
- signaturePolicy: { type: pgp, keys: [ "…redhat-pgp-key…" ] }
- windowDays: 7
- - providerId: suse
- kind: csaf
- baseUrl: https://ftp.suse.com/pub/projects/security/csaf/
- signaturePolicy: { type: pgp, keys: [ "…suse-pgp-key…" ] }
- - providerId: ubuntu
- kind: openvex
- baseUrl: https://…/vex/
- signaturePolicy: { type: none }
- - providerId: vendorX
- kind: cyclonedx-vex
- ociRef: ghcr.io/vendorx/vex@sha256:…
- signaturePolicy: { type: cosign, cosignKeylessRoots: [ "sigstore-root" ] }
-```
-
----
-
-## 10) Security model
-
-* **Input signature verification** enforced per provider policy (PGP, cosign, x509).
-* **Connector allowlists**: outbound fetch constrained to configured domains.
-* **Tenant isolation**: per‑tenant DB prefixes or separate DBs; per‑tenant S3 prefixes; per‑tenant policies.
-* **AuthN/Z**: Authority‑issued OpToks; RBAC roles (`vex.read`, `vex.admin`, `vex.export`).
-* **No secrets in logs**; deterministic logging contexts include providerId, docDigest, claim keys.
-
----
-
-## 11) Performance & scale
-
-* **Targets:**
-
- * Normalize 10k VEX claims/minute/core.
- * Consensus compute ≤ 50 ms for 1k unique `(vuln, product)` pairs in hot cache.
- * Export (consensus) 1M rows in ≤ 60 s on 8 cores with streaming writer.
-
-* **Scaling:**
-
- * WebService handles control APIs; **Worker** background services (same image) execute fetch/normalize in parallel with rate‑limits; Mongo writes batched; upserts by natural keys.
- * Exports stream straight to S3 (MinIO) with rolling buffers.
-
-* **Caching:**
-
- * `vex.cache` maps query signatures → export; TTL to avoid stampedes; optimistic reuse unless `force`.
-
----
-
-## 12) Observability
-
-* **Metrics:**
-
- * `vex.ingest.docs_total{provider}`
- * `vex.normalize.claims_total{provider}`
- * `vex.signature.failures_total{provider,method}`
- * `vex.consensus.conflicts_total{vulnId}`
- * `vex.exports.bytes{format}` / `vex.exports.latency_seconds`
-* **Tracing:** spans for fetch, verify, parse, map, consensus, export.
-* **Dashboards:** provider staleness, top conflicting vulns/components, signature posture, export cache hit‑rate.
-
----
-
-## 13) Testing matrix
-
-* **Connectors:** golden raw docs → deterministic claims (fixtures per provider/format).
-* **Signature policies:** valid/invalid PGP/cosign/x509 samples; ensure rejects are recorded but not accepted.
-* **Normalization edge cases:** platform‑only claims, free‑text justifications, non‑purl products.
-* **Consensus:** conflict scenarios across tiers; check tie‑breakers; justification gates.
-* **Performance:** 1M‑row export timing; memory ceilings; stream correctness.
-* **Determinism:** same inputs + policy → identical `consensusDigest` and export bytes.
-* **API contract tests:** pagination, filters, RBAC, rate limits.
-
----
-
-## 14) Integration points
-
-* **Backend Policy Engine** (in Scanner.WebService): calls `POST /excititor/resolve` (scope `vex.read`) with batched `(purl, vulnId)` pairs to fetch `rollupStatus + sources`.
-* **Feedser**: provides alias graph (CVE↔vendor IDs) and may supply VEX‑adjacent metadata (e.g., KEV flag) for policy escalation.
-* **UI**: VEX explorer screens use `/claims/search` and `/consensus/search`; show conflicts & provenance.
-* **CLI**: `stellaops vex export --consensus --since 7d --out vex.json` for audits.
-
----
-
-## 15) Failure modes & fallback
-
-* **Provider unreachable:** stale thresholds trigger warnings; policy can down‑weight stale providers automatically (freshness factor).
-* **Signature outage:** continue to ingest but mark `signatureState.verified=false`; consensus will likely exclude or down‑weight per policy.
-* **Schema drift:** unknown fields are preserved as `evidence`; normalization rejects only on **invalid identity** or **status**.
-
----
-
-## 16) Rollout plan (incremental)
-
-1. **MVP**: OpenVEX + CSAF connectors for 3 major providers (e.g., Red Hat/SUSE/Ubuntu), normalization + consensus + `/excititor/resolve`.
-2. **Signature policies**: PGP for distros; cosign for OCI.
-3. **Exports + optional attestation**.
-4. **CycloneDX VEX** connectors; platform claim expansion tables; UI explorer.
-5. **Scale hardening**: export indexes; conflict analytics.
-
----
-
-## 17) Appendix — canonical JSON (stable ordering)
-
-All exports and consensus entries are serialized via `VexCanonicalJsonSerializer`:
-
-* UTF‑8 without BOM;
-* keys sorted (ASCII);
-* arrays sorted by `(providerId, vulnId, productKey, lastObserved)` unless semantic order mandated;
-* timestamps in `YYYY‑MM‑DDThh:mm:ssZ`;
-* no insignificant whitespace.
-
+# component_architecture_vexer.md — **Stella Ops Vexer** (2025Q4)
+
+> **Scope.** This document specifies the **Vexer** service: its purpose, trust model, data structures, APIs, plug‑in contracts, storage schema, normalization/consensus algorithms, performance budgets, testing matrix, and how it integrates with Scanner, Policy, Feedser, and the attestation chain. It is implementation‑ready.
+
+---
+
+## 0) Mission & role in the platform
+
+**Mission.** Convert heterogeneous **VEX** statements (OpenVEX, CSAF VEX, CycloneDX VEX; vendor/distro/platform sources) into **canonical, queryable claims**; compute **deterministic consensus** per *(vuln, product)*; preserve **conflicts with provenance**; publish **stable, attestable exports** that the backend uses to suppress non‑exploitable findings, prioritize remaining risk, and explain decisions.
+
+**Boundaries.**
+
+* Vexer **does not** decide PASS/FAIL. It supplies **evidence** (statuses + justifications + provenance weights).
+* Vexer preserves **conflicting claims** unchanged; consensus encodes how we would pick, but the raw set is always exportable.
+* VEX consumption is **backend‑only**: Scanner never applies VEX. The backend’s **Policy Engine** asks Vexer for status evidence and then decides what to show.
+
+---
+
+## 1) Inputs, outputs & canonical domain
+
+### 1.1 Accepted input formats (ingest)
+
+* **OpenVEX** JSON documents (attested or raw).
+* **CSAF VEX** 2.x (vendor PSIRTs and distros commonly publish CSAF).
+* **CycloneDX VEX** 1.4+ (standalone VEX or embedded VEX blocks).
+* **OCI‑attached attestations** (VEX statements shipped as OCI referrers) — optional connectors.
+
+All connectors register **source metadata**: provider identity, trust tier, signature expectations (PGP/cosign/PKI), fetch windows, rate limits, and time anchors.
+
+### 1.2 Canonical model (normalized)
+
+Every incoming statement becomes a set of **VexClaim** records:
+
+```
+VexClaim
+- providerId // 'redhat', 'suse', 'ubuntu', 'github', 'vendorX'
+- vulnId // 'CVE-2025-12345', 'GHSA-xxxx', canonicalized
+- productKey // canonical product identity (see §2.2)
+- status // affected | not_affected | fixed | under_investigation
+- justification? // for 'not_affected'/'affected' where provided
+- introducedVersion? // semantics per provider (range or exact)
+- fixedVersion? // where provided (range or exact)
+- lastObserved // timestamp from source or fetch time
+- provenance // doc digest, signature status, fetch URI, line/offset anchors
+- evidence[] // raw source snippets for explainability
+- supersedes? // optional cross-doc chain (docDigest → docDigest)
+```
+
+### 1.3 Exports (consumption)
+
+* **VexConsensus** per `(vulnId, productKey)` with:
+
+ * `rollupStatus` (after policy weights/justification gates),
+ * `sources[]` (winning + losing claims with weights & reasons),
+ * `policyRevisionId` (identifier of the Vexer policy used),
+ * `consensusDigest` (stable SHA‑256 over canonical JSON).
+* **Raw claims** export for auditing (unchanged, with provenance).
+* **Provider snapshots** (per source, last N days) for operator debugging.
+* **Index** optimized for backend joins: `(productKey, vulnId) → (status, confidence, sourceSet)`.
+
+All exports are **deterministic**, and (optionally) **attested** via DSSE and logged to Rekor v2.
+
+---
+
+## 2) Identity model — products & joins
+
+### 2.1 Vuln identity
+
+* Accepts **CVE**, **GHSA**, vendor IDs (MSRC, RHSA…), distro IDs (DSA/USN/RHSA…) — normalized to `vulnId` with alias sets.
+* **Alias graph** maintained (from Feedser) to map vendor/distro IDs → CVE (primary) and to **GHSA** where applicable.
+
+### 2.2 Product identity (`productKey`)
+
+* **Primary:** `purl` (Package URL).
+* **Secondary links:** `cpe`, **OS package NVRA/EVR**, NuGet/Maven/Golang identity, and **OS package name** when purl unavailable.
+* **Fallback:** `oci:/@` for image‑level VEX.
+* **Special cases:** kernel modules, firmware, platforms → provider‑specific mapping helpers (connector captures provider’s product taxonomy → canonical `productKey`).
+
+> Vexer does not invent identities. If a provider cannot be mapped to purl/CPE/NVRA deterministically, we keep the native **product string** and mark the claim as **non‑joinable**; the backend will ignore it unless a policy explicitly whitelists that provider mapping.
+
+---
+
+## 3) Storage schema (MongoDB)
+
+Database: `vexer`
+
+### 3.1 Collections
+
+**`vex.providers`**
+
+```
+_id: providerId
+name, homepage, contact
+trustTier: enum {vendor, distro, platform, hub, attestation}
+signaturePolicy: { type: pgp|cosign|x509|none, keys[], certs[], cosignKeylessRoots[] }
+fetch: { baseUrl, kind: http|oci|file, rateLimit, etagSupport, windowDays }
+enabled: bool
+createdAt, modifiedAt
+```
+
+**`vex.raw`** (immutable raw documents)
+
+```
+_id: sha256(doc bytes)
+providerId
+uri
+ingestedAt
+contentType
+sig: { verified: bool, method: pgp|cosign|x509|none, keyId|certSubject, bundle? }
+payload: GridFS pointer (if large)
+disposition: kept|replaced|superseded
+correlation: { replaces?: sha256, replacedBy?: sha256 }
+```
+
+**`vex.claims`** (normalized rows; dedupe on providerId+vulnId+productKey+docDigest)
+
+```
+_id
+providerId
+vulnId
+productKey
+status
+justification?
+introducedVersion?
+fixedVersion?
+lastObserved
+docDigest
+provenance { uri, line?, pointer?, signatureState }
+evidence[] { key, value, locator }
+indices:
+ - {vulnId:1, productKey:1}
+ - {providerId:1, lastObserved:-1}
+ - {status:1}
+ - text index (optional) on evidence.value for debugging
+```
+
+**`vex.consensus`** (rollups)
+
+```
+_id: sha256(canonical(vulnId, productKey, policyRevision))
+vulnId
+productKey
+rollupStatus
+sources[]: [
+ { providerId, status, justification?, weight, lastObserved, accepted:bool, reason }
+]
+policyRevisionId
+evaluatedAt
+consensusDigest // same as _id
+indices:
+ - {vulnId:1, productKey:1}
+ - {policyRevisionId:1, evaluatedAt:-1}
+```
+
+**`vex.exports`** (manifest of emitted artifacts)
+
+```
+_id
+querySignature
+format: raw|consensus|index
+artifactSha256
+rekor { uuid, index, url }?
+createdAt
+policyRevisionId
+cacheable: bool
+```
+
+**`vex.cache`**
+
+```
+querySignature -> exportId (for fast reuse)
+ttl, hits
+```
+
+**`vex.migrations`**
+
+* ordered migrations applied at bootstrap to ensure indexes.
+
+### 3.2 Indexing strategy
+
+* Hot path queries use exact `(vulnId, productKey)` and time‑bounded windows; compound indexes cover both.
+* Providers list view by `lastObserved` for monitoring staleness.
+* `vex.consensus` keyed by `(vulnId, productKey, policyRevision)` for deterministic reuse.
+
+---
+
+## 4) Ingestion pipeline
+
+### 4.1 Connector contract
+
+```csharp
+public interface IVexConnector
+{
+ string ProviderId { get; }
+ Task FetchAsync(VexConnectorContext ctx, CancellationToken ct); // raw docs
+ Task NormalizeAsync(VexConnectorContext ctx, CancellationToken ct); // raw -> VexClaim[]
+}
+```
+
+* **Fetch** must implement: window scheduling, conditional GET (ETag/If‑Modified‑Since), rate limiting, retry/backoff.
+* **Normalize** parses the format, validates schema, maps product identities deterministically, emits `VexClaim` records with **provenance**.
+
+### 4.2 Signature verification (per provider)
+
+* **cosign (keyless or keyful)** for OCI referrers or HTTP‑served JSON with Sigstore bundles.
+* **PGP** (provider keyrings) for distro/vendor feeds that sign docs.
+* **x509** (mutual TLS / provider‑pinned certs) where applicable.
+* Signature state is stored on **vex.raw.sig** and copied into **provenance.signatureState** on claims.
+
+> Claims from sources failing signature policy are marked `"signatureState.verified=false"` and **policy** can down‑weight or ignore them.
+
+### 4.3 Time discipline
+
+* For each doc, prefer **provider’s document timestamp**; if absent, use fetch time.
+* Claims carry `lastObserved` which drives **tie‑breaking** within equal weight tiers.
+
+---
+
+## 5) Normalization: product & status semantics
+
+### 5.1 Product mapping
+
+* **purl** first; **cpe** second; OS package NVRA/EVR mapping helpers (distro connectors) produce purls via canonical tables (e.g., rpm→purl:rpm, deb→purl:deb).
+* Where a provider publishes **platform‑level** VEX (e.g., “RHEL 9 not affected”), connectors expand to known product inventory rules (e.g., map to sets of packages/components shipped in the platform). Expansion tables are versioned and kept per provider; every expansion emits **evidence** indicating the rule applied.
+* If expansion would be speculative, the claim remains **platform‑scoped** with `productKey="platform:redhat:rhel:9"` and is flagged **non‑joinable**; backend can decide to use platform VEX only when Scanner proves the platform runtime.
+
+### 5.2 Status + justification mapping
+
+* Canonical **status**: `affected | not_affected | fixed | under_investigation`.
+* **Justifications** normalized to a controlled vocabulary (CISA‑aligned), e.g.:
+
+ * `component_not_present`
+ * `vulnerable_code_not_in_execute_path`
+ * `vulnerable_configuration_unused`
+ * `inline_mitigation_applied`
+ * `fix_available` (with `fixedVersion`)
+ * `under_investigation`
+* Providers with free‑text justifications are mapped by deterministic tables; raw text preserved as `evidence`.
+
+---
+
+## 6) Consensus algorithm
+
+**Goal:** produce a **stable**, explainable `rollupStatus` per `(vulnId, productKey)` given possibly conflicting claims.
+
+### 6.1 Inputs
+
+* Set **S** of `VexClaim` for the key.
+* **Vexer policy snapshot**:
+
+ * **weights** per provider tier and per provider overrides.
+ * **justification gates** (e.g., require justification for `not_affected` to be acceptable).
+ * **minEvidence** rules (e.g., `not_affected` must come from ≥1 vendor or 2 distros).
+ * **signature requirements** (e.g., require verified signature for ‘fixed’ to be considered).
+
+### 6.2 Steps
+
+1. **Filter invalid** claims by signature policy & justification gates → set `S'`.
+2. **Score** each claim:
+ `score = weight(provider) * freshnessFactor(lastObserved)` where freshnessFactor ∈ [0.8, 1.0] for staleness decay (configurable; small effect).
+3. **Aggregate** scores per status: `W(status) = Σ score(claims with that status)`.
+4. **Pick** `rollupStatus = argmax_status W(status)`.
+5. **Tie‑breakers** (in order):
+
+ * Higher **max single** provider score wins (vendor > distro > platform > hub).
+ * More **recent** lastObserved wins.
+ * Deterministic lexicographic order of status (`fixed` > `not_affected` > `under_investigation` > `affected`) as final tiebreaker.
+6. **Explain**: mark accepted sources (`accepted=true; reason="weight"`/`"freshness"`), mark rejected sources with explicit `reason` (`"insufficient_justification"`, `"signature_unverified"`, `"lower_weight"`).
+
+> The algorithm is **pure** given S and policy snapshot; result is reproducible and hashed into `consensusDigest`.
+
+---
+
+## 7) Query & export APIs
+
+All endpoints are versioned under `/api/v1/vex`.
+
+### 7.1 Query (online)
+
+```
+POST /claims/search
+ body: { vulnIds?: string[], productKeys?: string[], providers?: string[], since?: timestamp, limit?: int, pageToken?: string }
+ → { claims[], nextPageToken? }
+
+POST /consensus/search
+ body: { vulnIds?: string[], productKeys?: string[], policyRevisionId?: string, since?: timestamp, limit?: int, pageToken?: string }
+ → { entries[], nextPageToken? }
+
+POST /excititor/resolve (scope: vex.read)
+ body: { productKeys?: string[], purls?: string[], vulnerabilityIds: string[], policyRevisionId?: string }
+ → { policy, resolvedAt, results: [ { vulnerabilityId, productKey, status, sources[], conflicts[], decisions[], signals?, summary?, envelope: { artifact, contentSignature?, attestation?, attestationEnvelope?, attestationSignature? } } ] }
+```
+
+### 7.2 Exports (cacheable snapshots)
+
+```
+POST /exports
+ body: { signature: { vulnFilter?, productFilter?, providers?, since? }, format: raw|consensus|index, policyRevisionId?: string, force?: bool }
+ → { exportId, artifactSha256, rekor? }
+
+GET /exports/{exportId} → bytes (application/json or binary index)
+GET /exports/{exportId}/meta → { signature, policyRevisionId, createdAt, artifactSha256, rekor? }
+```
+
+### 7.3 Provider operations
+
+```
+GET /providers → provider list & signature policy
+POST /providers/{id}/refresh → trigger fetch/normalize window
+GET /providers/{id}/status → last fetch, doc counts, signature stats
+```
+
+**Auth:** service‑to‑service via Authority tokens; operator operations via UI/CLI with RBAC.
+
+---
+
+## 8) Attestation integration
+
+* Exports can be **DSSE‑signed** via **Signer** and logged to **Rekor v2** via **Attestor** (optional but recommended for regulated pipelines).
+* `vex.exports.rekor` stores `{uuid, index, url}` when present.
+* **Predicate type**: `https://stella-ops.org/attestations/vex-export/1` with fields:
+
+ * `querySignature`, `policyRevisionId`, `artifactSha256`, `createdAt`.
+
+---
+
+## 9) Configuration (YAML)
+
+```yaml
+vexer:
+ mongo: { uri: "mongodb://mongo/vexer" }
+ s3:
+ endpoint: http://minio:9000
+ bucket: stellaops
+ policy:
+ weights:
+ vendor: 1.0
+ distro: 0.9
+ platform: 0.7
+ hub: 0.5
+ attestation: 0.6
+ providerOverrides:
+ redhat: 1.0
+ suse: 0.95
+ requireJustificationForNotAffected: true
+ signatureRequiredForFixed: true
+ minEvidence:
+ not_affected:
+ vendorOrTwoDistros: true
+ connectors:
+ - providerId: redhat
+ kind: csaf
+ baseUrl: https://access.redhat.com/security/data/csaf/v2/
+ signaturePolicy: { type: pgp, keys: [ "…redhat-pgp-key…" ] }
+ windowDays: 7
+ - providerId: suse
+ kind: csaf
+ baseUrl: https://ftp.suse.com/pub/projects/security/csaf/
+ signaturePolicy: { type: pgp, keys: [ "…suse-pgp-key…" ] }
+ - providerId: ubuntu
+ kind: openvex
+ baseUrl: https://…/vex/
+ signaturePolicy: { type: none }
+ - providerId: vendorX
+ kind: cyclonedx-vex
+ ociRef: ghcr.io/vendorx/vex@sha256:…
+ signaturePolicy: { type: cosign, cosignKeylessRoots: [ "sigstore-root" ] }
+```
+
+---
+
+## 10) Security model
+
+* **Input signature verification** enforced per provider policy (PGP, cosign, x509).
+* **Connector allowlists**: outbound fetch constrained to configured domains.
+* **Tenant isolation**: per‑tenant DB prefixes or separate DBs; per‑tenant S3 prefixes; per‑tenant policies.
+* **AuthN/Z**: Authority‑issued OpToks; RBAC roles (`vex.read`, `vex.admin`, `vex.export`).
+* **No secrets in logs**; deterministic logging contexts include providerId, docDigest, claim keys.
+
+---
+
+## 11) Performance & scale
+
+* **Targets:**
+
+ * Normalize 10k VEX claims/minute/core.
+ * Consensus compute ≤ 50 ms for 1k unique `(vuln, product)` pairs in hot cache.
+ * Export (consensus) 1M rows in ≤ 60 s on 8 cores with streaming writer.
+
+* **Scaling:**
+
+ * WebService handles control APIs; **Worker** background services (same image) execute fetch/normalize in parallel with rate‑limits; Mongo writes batched; upserts by natural keys.
+ * Exports stream straight to S3 (MinIO) with rolling buffers.
+
+* **Caching:**
+
+ * `vex.cache` maps query signatures → export; TTL to avoid stampedes; optimistic reuse unless `force`.
+
+---
+
+## 12) Observability
+
+* **Metrics:**
+
+ * `vex.ingest.docs_total{provider}`
+ * `vex.normalize.claims_total{provider}`
+ * `vex.signature.failures_total{provider,method}`
+ * `vex.consensus.conflicts_total{vulnId}`
+ * `vex.exports.bytes{format}` / `vex.exports.latency_seconds`
+* **Tracing:** spans for fetch, verify, parse, map, consensus, export.
+* **Dashboards:** provider staleness, top conflicting vulns/components, signature posture, export cache hit‑rate.
+
+---
+
+## 13) Testing matrix
+
+* **Connectors:** golden raw docs → deterministic claims (fixtures per provider/format).
+* **Signature policies:** valid/invalid PGP/cosign/x509 samples; ensure rejects are recorded but not accepted.
+* **Normalization edge cases:** platform‑only claims, free‑text justifications, non‑purl products.
+* **Consensus:** conflict scenarios across tiers; check tie‑breakers; justification gates.
+* **Performance:** 1M‑row export timing; memory ceilings; stream correctness.
+* **Determinism:** same inputs + policy → identical `consensusDigest` and export bytes.
+* **API contract tests:** pagination, filters, RBAC, rate limits.
+
+---
+
+## 14) Integration points
+
+* **Backend Policy Engine** (in Scanner.WebService): calls `POST /excititor/resolve` (scope `vex.read`) with batched `(purl, vulnId)` pairs to fetch `rollupStatus + sources`.
+* **Feedser**: provides alias graph (CVE↔vendor IDs) and may supply VEX‑adjacent metadata (e.g., KEV flag) for policy escalation.
+* **UI**: VEX explorer screens use `/claims/search` and `/consensus/search`; show conflicts & provenance.
+* **CLI**: `stellaops vex export --consensus --since 7d --out vex.json` for audits.
+
+---
+
+## 15) Failure modes & fallback
+
+* **Provider unreachable:** stale thresholds trigger warnings; policy can down‑weight stale providers automatically (freshness factor).
+* **Signature outage:** continue to ingest but mark `signatureState.verified=false`; consensus will likely exclude or down‑weight per policy.
+* **Schema drift:** unknown fields are preserved as `evidence`; normalization rejects only on **invalid identity** or **status**.
+
+---
+
+## 16) Rollout plan (incremental)
+
+1. **MVP**: OpenVEX + CSAF connectors for 3 major providers (e.g., Red Hat/SUSE/Ubuntu), normalization + consensus + `/excititor/resolve`.
+2. **Signature policies**: PGP for distros; cosign for OCI.
+3. **Exports + optional attestation**.
+4. **CycloneDX VEX** connectors; platform claim expansion tables; UI explorer.
+5. **Scale hardening**: export indexes; conflict analytics.
+
+---
+
+## 17) Appendix — canonical JSON (stable ordering)
+
+All exports and consensus entries are serialized via `VexCanonicalJsonSerializer`:
+
+* UTF‑8 without BOM;
+* keys sorted (ASCII);
+* arrays sorted by `(providerId, vulnId, productKey, lastObserved)` unless semantic order mandated;
+* timestamps in `YYYY‑MM‑DDThh:mm:ssZ`;
+* no insignificant whitespace.
+
diff --git a/docs/README.md b/docs/README.md
index 523d6ceb..2491e2be 100755
--- a/docs/README.md
+++ b/docs/README.md
@@ -82,7 +82,7 @@ Everything here is open‑source and versioned — when you check out a git ta
- **70a – [Policy Gateway](policy/gateway.md)**
- **71 – [Policy Examples](examples/policies/README.md)**
- **72 – [Policy FAQ](faq/policy-faq.md)**
-- **73 – [Policy Run DTOs](../src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md)**
+- **73 – [Policy Run DTOs](../src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md)**
- **30 – [Fixture Maintenance](dev/fixtures.md)**
- **74 – [Export Center Overview](export-center/overview.md)**
- **75 – [Export Center Architecture](export-center/architecture.md)**
@@ -147,10 +147,10 @@ Everything here is open‑source and versioned — when you check out a git ta
> Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
-- **Aggregation-Only Contract (AOC).** Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review [`../AGENTS.md`](../AGENTS.md) and the AOC guardrails in [`aoc/aoc-guardrails.md`](aoc/aoc-guardrails.md).
+- **Aggregation-Only Contract (AOC).** Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review [`implplan/AGENTS.md`](implplan/AGENTS.md) and the AOC guardrails in [`aoc/aoc-guardrails.md`](aoc/aoc-guardrails.md).
- **Cartographer owns graphs.** SBOM Service emits projections/events; Cartographer (`CARTO-GRAPH-21-00x`) builds graph storage, overlays, and tiles. See `ARCHITECTURE_CONCELIER.md` (Cartographer handshake section) for handoff boundaries.
- **Notifier replaces legacy Notify.** Sprint‑15 `StellaOps.Notify.*` tasks are frozen; use the Notifications Studio/Notifier backlogs (`NOTIFY-SVC-38..40`, `WEB-NOTIFY-3x-00x`, `CLI-NOTIFY-3x-00x`).
-- **Dedicated services for Vuln & Policy.** Vuln Explorer work flows through `src/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays.
+- **Dedicated services for Vuln & Policy.** Vuln Explorer work flows through `src/VulnExplorer/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays.
- **Cleanup log.** The backlog consolidation summary lives in [`backlog/2025-10-cleanup.md`](backlog/2025-10-cleanup.md).
© 2025 Stella Ops contributors – licensed AGPL‑3.0‑or‑later
diff --git a/docs/TASKS.md b/docs/TASKS.md
index 98984bd4..2d529135 100644
--- a/docs/TASKS.md
+++ b/docs/TASKS.md
@@ -1,381 +1,381 @@
-# Docs Guild Task Board (UTC 2025-10-10)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOC7.README-INDEX | DONE (2025-10-17) | Docs Guild | — | Refresh index docs (docs/README.md + root README) after architecture dossier split and Offline Kit overhaul. | ✅ ToC reflects new component architecture docs; ✅ root README highlights updated doc set; ✅ Offline Kit guide linked correctly. |
-| DOC4.AUTH-PDG | DONE (2025-10-19) | Docs Guild, Plugin Team | PLG6.DOC | Copy-edit `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, export lifecycle diagram, add LDAP RFC cross-link. | ✅ PR merged with polish; ✅ Diagram committed; ✅ Slack handoff posted. |
-| DOC1.AUTH | DONE (2025-10-12) | Docs Guild, Authority Core | CORE5B.DOC | Draft `docs/11_AUTHORITY.md` covering architecture, configuration, bootstrap flows. | ✅ Architecture + config sections approved by Core; ✅ Samples reference latest options; ✅ Offline note added. |
-| DOC3.Concelier-Authority | DONE (2025-10-12) | Docs Guild, DevEx | FSR4 | Polish operator/runbook sections (DOC3/DOC5) to document Concelier authority rollout, bypass logging, and enforcement checklist. | ✅ DOC3/DOC5 updated with audit runbook references; ✅ enforcement deadline highlighted; ✅ Docs guild sign-off. |
-| DOC5.Concelier-Runbook | DONE (2025-10-12) | Docs Guild | DOC3.Concelier-Authority | Produce dedicated Concelier authority audit runbook covering log fields, monitoring recommendations, and troubleshooting steps. | ✅ Runbook published; ✅ linked from DOC3/DOC5; ✅ alerting guidance included. |
-| FEEDDOCS-DOCS-05-001 | DONE (2025-10-11) | Docs Guild | FEEDMERGE-ENGINE-04-001, FEEDMERGE-ENGINE-04-002 | Publish Concelier conflict resolution runbook covering precedence workflow, merge-event auditing, and Sprint 3 metrics. | ✅ `docs/ops/concelier-conflict-resolution.md` committed; ✅ metrics/log tables align with latest merge code; ✅ Ops alert guidance handed to Concelier team. |
-| FEEDDOCS-DOCS-05-002 | DONE (2025-10-16) | Docs Guild, Concelier Ops | FEEDDOCS-DOCS-05-001 | Ops sign-off captured: conflict runbook circulated, alert thresholds tuned, and rollout decisions documented in change log. | ✅ Ops review recorded; ✅ alert thresholds finalised using `docs/ops/concelier-authority-audit-runbook.md`; ✅ change-log entry linked from runbook once GHSA/NVD/OSV regression fixtures land. |
-| DOCS-ADR-09-001 | DONE (2025-10-19) | Docs Guild, DevEx | — | Establish ADR process (`docs/adr/0000-template.md`) and document usage guidelines. | Template published; README snippet linking ADR process; announcement posted (`docs/updates/2025-10-18-docs-guild.md`). |
-| DOCS-EVENTS-09-002 | DONE (2025-10-19) | Docs Guild, Platform Events | SCANNER-EVENTS-15-201 | Publish event schema catalog (`docs/events/`) for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, `attestor.logged@1`. | Schemas validated (Ajv CI hooked); docs/events/README summarises usage; Platform Events notified via `docs/updates/2025-10-18-docs-guild.md`. |
-| DOCS-EVENTS-09-003 | DONE (2025-10-19) | Docs Guild | DOCS-EVENTS-09-002 | Add human-readable envelope field references and canonical payload samples for published events, including offline validation workflow. | Tables explain common headers/payload segments; versioned sample payloads committed; README links to validation instructions and samples. |
-| DOCS-EVENTS-09-004 | DONE (2025-10-19) | Docs Guild, Scanner WebService | SCANNER-EVENTS-15-201 | Refresh scanner event docs to mirror DSSE-backed report fields, document `scanner.scan.completed`, and capture canonical sample validation. | Schemas updated for new payload shape; README references DSSE reuse and validation test; samples align with emitted events. |
-| PLATFORM-EVENTS-09-401 | DONE (2025-10-21) | Platform Events Guild | DOCS-EVENTS-09-003 | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. | Notify models tests now run schema validation against `docs/events/*.json`, event schemas allow optional `attributes`, and docs capture the new validation workflow. |
-| RUNTIME-GUILD-09-402 | DONE (2025-10-19) | Runtime Guild | SCANNER-POLICY-09-107 | Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. | Runtime verification run captures enriched payload; checklist/doc updates merged; stakeholders acknowledge availability. |
-| DOCS-CONCELIER-07-201 | DONE (2025-10-22) | Docs Guild, Concelier WebService | FEEDWEB-DOCS-01-001 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Review feedback resolved, publish PR merged, release notes updated with documentation pointer. |
-| DOCS-RUNTIME-17-004 | DONE (2025-10-26) | Docs Guild, Runtime Guild | SCANNER-EMIT-17-701, ZASTAVA-OBS-17-005, DEVOPS-REL-17-002 | Document build-id workflows: SBOM exposure, runtime event payloads (`process.buildId`), Scanner `/policy/runtime` response (`buildIds` list), debug-store layout, and operator guidance for symbol retrieval. | Architecture + operator docs updated with build-id sections (Observer, Scanner, CLI), examples show `readelf` output + debuginfod usage, references linked from Offline Kit/Release guides + CLI help. |
-| DOCS-OBS-50-001 | BLOCKED (2025-10-26) | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Publish `/docs/observability/overview.md` introducing scope, imposed rule banner, architecture diagram, and tenant guarantees. | Doc merged with imposed rule banner; diagram committed; cross-links to telemetry stack + evidence locker docs. |
-> Blocked: waiting on telemetry core deliverable (TELEMETRY-OBS-50-001) to finalise architecture details and diagrams.
-| DOCS-OBS-50-002 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-50-002 | Author `/docs/observability/telemetry-standards.md` detailing common fields, scrubbing policy, sampling defaults, and redaction override procedure. | Doc merged; imposed rule banner present; examples validated with telemetry fixtures; security review sign-off captured. |
-| DOCS-OBS-50-003 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Create `/docs/observability/logging.md` covering structured log schema, dos/don'ts, tenant isolation, and copyable examples. | Doc merged with banner; sample logs redacted; lint passes; linked from coding standards. |
-| DOCS-OBS-50-004 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-002 | Draft `/docs/observability/tracing.md` explaining context propagation, async linking, CLI header usage, and sampling strategies. | Doc merged; imposed rule banner included; diagrams updated; references to CLI/Console features added. |
-| DOCS-OBS-51-001 | TODO | Docs Guild, DevOps Guild | WEB-OBS-51-001, DEVOPS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` cataloging metrics, SLO targets, burn rate policies, and alert runbooks. | Doc merged with banner; SLO tables verified; alert workflows linked to incident runbook. |
-| DOCS-SEC-OBS-50-001 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-51-002 | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Doc merged; redaction matrix updated; banner present; security sign-off recorded. |
-| DOCS-INSTALL-50-001 | TODO | Docs Guild, DevOps Guild | DEVOPS-OBS-50-003 | Add `/docs/install/telemetry-stack.md` with collector deployment, exporter options, offline kit notes, and imposed rule banner. | Doc merged; install steps verified on air-gapped profile; banner present; screenshots attached. |
-| DOCS-FORENSICS-53-001 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-53-003 | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Doc merged; manifest examples validated; banner present; legal hold steps aligned with API. |
-| DOCS-FORENSICS-53-002 | TODO | Docs Guild, Provenance Guild | PROV-OBS-54-001 | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. | Doc merged; sample statements reference fixtures; banner included; verification steps tested. |
-| DOCS-FORENSICS-53-003 | TODO | Docs Guild, Timeline Indexer Guild | TIMELINE-OBS-52-003 | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. | Doc merged; query examples validated; banner present; linked from Console/CLI docs. |
-| DOCS-CONSOLE-OBS-52-001 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-51-001 | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Doc merged; screenshots updated; banner present; navigation steps verified. |
-| DOCS-CONSOLE-OBS-52-002 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-52-002, CONSOLE-OBS-53-001 | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. | Doc merged; banner included; workflows validated via Playwright capture; troubleshooting section populated. |
-| DOCS-CLI-OBS-52-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-OBS-52-001 | Create `/docs/cli/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Doc merged; examples tested; banner included; CLI parity matrix updated. |
-| DOCS-CLI-FORENSICS-53-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-FORENSICS-54-001 | Publish `/docs/cli/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Doc merged; sample bundles verified; banner present; offline notes cross-linked. |
-| DOCS-RUNBOOK-55-001 | TODO | Docs Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Doc merged; runbook rehearsed; banner included; linked from alerts. |
-| DOCS-AOC-19-001 | DONE (2025-10-26) | Docs Guild, Concelier Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Author `/docs/ingestion/aggregation-only-contract.md` covering philosophy, invariants, schemas, error codes, migration, observability, and security checklist. | New doc published with compliance checklist; cross-links from existing docs added. |
-| DOCS-AOC-19-002 | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-AOC-19-001 | Update `/docs/architecture/overview.md` to include AOC boundary, raw stores, and sequence diagram (fetch → guard → raw insert → policy evaluation). | Overview doc updated with diagrams/text; lint passes; stakeholders sign off. |
-| DOCS-AOC-19-003 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-AOC-19-003 | Refresh `/docs/architecture/policy-engine.md` clarifying ingestion boundary, raw inputs, and policy-only derived data. | Doc highlights raw-only ingestion contract, updated diagrams merge, compliance checklist added. |
-| DOCS-AOC-19-004 | DONE (2025-10-26) | Docs Guild, UI Guild | UI-AOC-19-001 | Extend `/docs/ui/console.md` with Sources dashboard tiles, violation drill-down workflow, and verification action. | UI doc updated with screenshots/flow descriptions, compliance checklist appended. |
-> DOCS-AOC-19-004: Architecture overview & policy-engine updates landed 2025-10-26; incorporate the new AOC boundary diagrams and metrics references.
-| DOCS-AOC-19-005 | DONE (2025-10-26) | Docs Guild, CLI Guild | CLI-AOC-19-003 | Update `/docs/cli/cli-reference.md` with `stella sources ingest --dry-run` and `stella aoc verify` usage, exit codes, and offline notes. | CLI reference + quickstart sections updated; examples validated; compliance checklist added. |
-> DOCS-AOC-19-005: New ingestion reference + architecture overview published 2025-10-26; ensure CLI docs link to both and surface AOC exit codes mapping.
-| DOCS-AOC-19-006 | DONE (2025-10-26) | Docs Guild, Observability Guild | CONCELIER-WEB-AOC-19-002, EXCITITOR-WEB-AOC-19-002 | Document new metrics/traces/log keys in `/docs/observability/observability.md`. | Observability doc lists new metrics/traces/log fields; dashboards referenced; compliance checklist appended. |
-| DOCS-AOC-19-007 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-AOC-19-001 | Update `/docs/security/authority-scopes.md` with new ingestion scopes and tenancy enforcement notes. | Doc reflects new scopes, sample policies updated, compliance checklist added. |
-| DOCS-AOC-19-008 | DONE (2025-10-26) | Docs Guild, DevOps Guild | DEVOPS-AOC-19-002 | Refresh `/docs/deploy/containers.md` to cover validator enablement, guard env flags, and read-only verify user. | Deploy doc updated; offline kit section mentions validator scripts; compliance checklist appended. |
-| DOCS-AOC-19-009 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-AOC-19-001 | Update AOC docs/samples to reflect new `advisory:*`, `vex:*`, and `aoc:verify` scopes. | Docs reference new scopes, samples aligned, compliance checklist updated. |
-
-## Air-Gapped Mode (Epic 16)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-AIRGAP-56-001 | TODO | Docs Guild, AirGap Controller Guild | AIRGAP-CTL-56-002 | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Doc merged; banner present; diagrams included. |
-| DOCS-AIRGAP-56-002 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIRGAP-56-001 | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. | Doc merged; examples validated; banner included. |
-| DOCS-AIRGAP-56-003 | TODO | Docs Guild, Exporter Guild | EXPORT-AIRGAP-56-001 | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. | Doc merged; sample commands verified; banner present. |
-| DOCS-AIRGAP-56-004 | TODO | Docs Guild, Deployment Guild | DEVOPS-AIRGAP-56-003 | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. | Doc merged; checklist appended; screenshots verified. |
-| DOCS-AIRGAP-57-001 | TODO | Docs Guild, AirGap Time Guild | AIRGAP-TIME-58-001 | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. | Doc merged; math checked; banner included. |
-| DOCS-AIRGAP-57-002 | TODO | Docs Guild, Console Guild | CONSOLE-AIRGAP-57-001 | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. | Doc merged; screenshots captured; banner present. |
-| DOCS-AIRGAP-57-003 | TODO | Docs Guild, CLI Guild | CLI-AIRGAP-57-001 | Publish `/docs/cli/airgap.md` documenting commands, examples, exit codes. | Doc merged; examples validated; banner present. |
-| DOCS-AIRGAP-57-004 | TODO | Docs Guild, Ops Guild | DEVOPS-AIRGAP-56-002 | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. | Doc merged; runbooks rehearsed; banner included. |
-| DOCS-AIRGAP-58-001 | TODO | Docs Guild, Product Guild | CONSOLE-AIRGAP-58-002 | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. | Doc merged; matrix reviewed; banner included. |
-| DOCS-AIRGAP-58-002 | TODO | Docs Guild, Security Guild | PROV-OBS-54-001 | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. | Doc merged; security sign-off recorded; banner present. |
-| DOCS-AIRGAP-58-003 | TODO | Docs Guild, DevEx Guild | AIRGAP-POL-56-001 | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. | Doc merged; sample code validated; banner included. |
-| DOCS-AIRGAP-58-004 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-55-001 | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. | Doc merged; verification steps tested; banner present. |
-
-## SDKs & OpenAPI (Epic 17)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-OAS-61-001 | TODO | Docs Guild, API Contracts Guild | OAS-61-002 | Publish `/docs/api/overview.md` covering auth, tenancy, pagination, idempotency, rate limits with banner. | Doc merged; examples validated; banner present. |
-| DOCS-OAS-61-002 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Author `/docs/api/conventions.md` capturing naming, errors, filters, sorting, examples. | Doc merged; lint passes; banner included. |
-| DOCS-OAS-61-003 | TODO | Docs Guild, API Governance Guild | APIGOV-63-001 | Publish `/docs/api/versioning.md` describing SemVer, deprecation headers, migration playbooks. | Doc merged; example headers validated; banner present. |
-| DOCS-OAS-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-002 | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. | Reference site builds; search works; banner included. |
-| DOCS-SDK-62-001 | TODO | Docs Guild, SDK Generator Guild | SDKGEN-63-001 | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs merged; code samples pulled from tested examples; banner present. |
-| DOCS-DEVPORT-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-001 | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Doc merged; cross-links validated; banner included. |
-| DOCS-CONTRIB-62-001 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Doc merged; banner present; examples validated. |
-| DOCS-TEST-62-001 | TODO | Docs Guild, Contract Testing Guild | CONTR-62-001 | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Doc merged; references to tooling validated; banner present. |
-| DOCS-SEC-62-001 | TODO | Docs Guild, Authority Core | AUTH-AIRGAP-56-001 | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Doc merged; scope tables verified; banner included. |
-| DOCS-AIRGAP-DEVPORT-64-001 | TODO | Docs Guild, DevPortal Offline Guild | DVOFF-64-001 | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Doc merged; verification steps tested; banner present. |
-
-## Risk Profiles (Epic 18)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-RISK-66-001 | TODO | Docs Guild, Risk Profile Schema Guild | POLICY-RISK-66-001 | Publish `/docs/risk/overview.md` covering concepts and glossary. | Doc merged with banner; terminology reviewed. |
-| DOCS-RISK-66-002 | TODO | Docs Guild, Policy Guild | POLICY-RISK-66-003 | Author `/docs/risk/profiles.md` (authoring, versioning, scope). | Doc merged; schema examples validated; banner present. |
-| DOCS-RISK-66-003 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. | Document merged; tables verified; banner included. |
-| DOCS-RISK-66-004 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-66-002 | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. | Doc merged; equations rendered; banner present. |
-| DOCS-RISK-67-001 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-68-001 | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. | Doc merged; CLI examples validated; banner included. |
-| DOCS-RISK-67-002 | TODO | Docs Guild, API Guild | POLICY-RISK-67-002 | Produce `/docs/risk/api.md` with endpoint reference/examples. | Doc merged; OAS examples synced; banner present. |
-| DOCS-RISK-67-003 | TODO | Docs Guild, Console Guild | CONSOLE-RISK-66-001 | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. | Doc merged; screenshots updated; banner included. |
-| DOCS-RISK-67-004 | TODO | Docs Guild, CLI Guild | CLI-RISK-66-001 | Publish `/docs/cli/risk.md` covering CLI workflows. | Doc merged; command examples validated; banner present. |
-| DOCS-RISK-68-001 | TODO | Docs Guild, Export Guild | RISK-BUNDLE-69-001 | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. | Doc merged; verification steps confirmed; banner included. |
-| DOCS-RISK-68-002 | TODO | Docs Guild, Security Guild | POLICY-RISK-66-003 | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. | Doc merged; audit references updated; banner present. |
-
-## Attestor Console (Epic 19)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-ATTEST-73-001 | TODO | Docs Guild, Attestor Service Guild | ATTEST-TYPES-73-001 | Publish `/docs/attestor/overview.md` with imposed rule banner. | Doc merged; terminology validated. |
-| DOCS-ATTEST-73-002 | TODO | Docs Guild, Attestation Payloads Guild | ATTEST-TYPES-73-002 | Write `/docs/attestor/payloads.md` with schemas/examples. | Doc merged; examples validated via tests. |
-| DOCS-ATTEST-73-003 | TODO | Docs Guild, Policy Guild | POLICY-ATTEST-73-002 | Publish `/docs/attestor/policies.md` covering verification policies. | Doc merged; policy examples validated. |
-| DOCS-ATTEST-73-004 | TODO | Docs Guild, Attestor Service Guild | ATTESTOR-73-002 | Add `/docs/attestor/workflows.md` detailing ingest, verify, bulk operations. | Doc merged; workflows tested. |
-| DOCS-ATTEST-74-001 | TODO | Docs Guild, KMS Guild | KMS-73-001 | Publish `/docs/attestor/keys-and-issuers.md`. | Doc merged; rotation guidance verified. |
-| DOCS-ATTEST-74-002 | TODO | Docs Guild, Transparency Guild | TRANSP-74-001 | Document `/docs/attestor/transparency.md` with witness usage/offline validation. | Doc merged; proofs validated. |
-| DOCS-ATTEST-74-003 | TODO | Docs Guild, Attestor Console Guild | CONSOLE-ATTEST-73-001 | Write `/docs/console/attestor-ui.md` with screenshots/workflows. | Doc merged; screenshots captured; banner present. |
-| DOCS-ATTEST-74-004 | TODO | Docs Guild, CLI Attestor Guild | CLI-ATTEST-73-001 | Publish `/docs/cli/attest.md` covering CLI usage. | Doc merged; commands validated. |
-| DOCS-ATTEST-75-001 | TODO | Docs Guild, Export Attestation Guild | EXPORT-ATTEST-75-002 | Add `/docs/attestor/airgap.md` for attestation bundles. | Doc merged; verification steps confirmed. |
-| DOCS-ATTEST-75-002 | TODO | Docs Guild, Security Guild | ATTESTOR-73-002 | Update `/docs/security/aoc-invariants.md` with attestation invariants. | Doc merged; invariants detailed. |
-## Policy Engine v2
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-POLICY-20-001 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-000 | Author `/docs/policy/overview.md` covering concepts, inputs/outputs, determinism, and compliance checklist. | Doc published with diagrams + glossary; lint passes; checklist included. |
-| DOCS-POLICY-20-002 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Write `/docs/policy/dsl.md` with grammar, built-ins, examples, anti-patterns. | DSL doc includes grammar tables, examples, compliance checklist; validated against parser tests. |
-| DOCS-POLICY-20-003 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-POLICY-20-001 | Publish `/docs/policy/lifecycle.md` describing draft→approve workflow, roles, audit, compliance list. | Lifecycle doc linked from UI/CLI help; approvals roles documented; checklist appended. |
-| DOCS-POLICY-20-004 | DONE (2025-10-26) | Docs Guild, Scheduler Guild | SCHED-MODELS-20-001 | Create `/docs/policy/runs.md` detailing run modes, incremental mechanics, cursors, replay. | Run doc includes sequence diagrams + compliance checklist; cross-links to scheduler docs. |
-| DOCS-POLICY-20-005 | DONE (2025-10-26) | Docs Guild, BE-Base Platform Guild | WEB-POLICY-20-001 | Draft `/docs/api/policy.md` describing endpoints, schemas, error codes. | API doc validated against OpenAPI; examples included; checklist appended. |
-| DOCS-POLICY-20-006 | DONE (2025-10-26) | Docs Guild, DevEx/CLI Guild | CLI-POLICY-20-002 | Produce `/docs/cli/policy.md` with command usage, exit codes, JSON output contracts. | CLI doc includes examples, exit codes, compliance checklist. |
-| DOCS-POLICY-20-007 | DONE (2025-10-26) | Docs Guild, UI Guild | UI-POLICY-20-001 | Document `/docs/ui/policy-editor.md` covering editor, simulation, diff workflows, approvals. | UI doc includes screenshots/placeholders, accessibility notes, compliance checklist. |
-| DOCS-POLICY-20-008 | DONE (2025-10-26) | Docs Guild, Architecture Guild | POLICY-ENGINE-20-003 | Write `/docs/architecture/policy-engine.md` (new epic content) with sequence diagrams, selection strategy, schema. | Architecture doc merged with diagrams; compliance checklist appended; references updated. |
-| DOCS-POLICY-20-009 | DONE (2025-10-26) | Docs Guild, Observability Guild | POLICY-ENGINE-20-007 | Add `/docs/observability/policy.md` for metrics/traces/logs, sample dashboards. | Observability doc includes metrics tables, dashboard screenshots, checklist. |
-| DOCS-POLICY-20-010 | DONE (2025-10-26) | Docs Guild, Security Guild | AUTH-POLICY-20-002 | Publish `/docs/security/policy-governance.md` covering scopes, approvals, tenancy, least privilege. | Security doc merged; compliance checklist appended; reviewed by Security Guild. |
-| DOCS-POLICY-20-011 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Populate `/docs/examples/policies/` with baseline/serverless/internal-only samples and commentary. | Example policies committed with explanations; lint passes; compliance checklist per file. |
-| DOCS-POLICY-20-012 | DONE (2025-10-26) | Docs Guild, Support Guild | WEB-POLICY-20-003 | Draft `/docs/faq/policy-faq.md` addressing common pitfalls, VEX conflicts, determinism issues. | FAQ published with Q/A entries, cross-links, compliance checklist. |
-
-## Graph Explorer v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-
-## Link-Not-Merge v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-LNM-22-001 | BLOCKED (2025-10-27) | Docs Guild, Concelier Guild | CONCELIER-LNM-21-001..003 | Author `/docs/advisories/aggregation.md` covering observation vs linkset, conflict handling, AOC requirements, and reviewer checklist. | Draft doc merged with examples + checklist; final sign-off blocked until Concelier schema/API tasks land. |
-> Blocker (2025-10-27): `CONCELIER-LNM-21-001..003` still TODO; update doc + fixtures once schema/API implementations are available.
-| DOCS-LNM-22-002 | BLOCKED (2025-10-27) | Docs Guild, Excititor Guild | EXCITITOR-LNM-21-001..003 | Publish `/docs/vex/aggregation.md` describing VEX observation/linkset model, product matching, conflicts. | Draft doc merged with fixtures; final approval blocked until Excititor observation/linkset work ships. |
-> Blocker (2025-10-27): `EXCITITOR-LNM-21-001..003` remain TODO; refresh doc, fixtures, and examples post-implementation.
-| DOCS-LNM-22-003 | BLOCKED (2025-10-27) | Docs Guild, BE-Base Platform Guild | WEB-LNM-21-001..003 | Update `/docs/api/advisories.md` and `/docs/api/vex.md` for new endpoints, parameters, errors, exports. | Draft pending gateway/API delivery; unblock once endpoints + OpenAPI specs are available. |
-> Blocker (2025-10-27): `WEB-LNM-21-001..003` all TODO—no gateway endpoints/OpenAPI to document yet.
-| DOCS-LNM-22-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-40-001 | Create `/docs/policy/effective-severity.md` detailing severity selection strategies from multiple sources. | Doc merged with policy examples; checklist included. |
-| DOCS-LNM-22-005 | BLOCKED (2025-10-27) | Docs Guild, UI Guild | UI-LNM-22-001..003 | Document `/docs/ui/evidence-panel.md` with screenshots, conflict badges, accessibility guidance. | Awaiting UI implementation to capture screenshots + flows; unblock once Evidence panel ships. |
-> Blocker (2025-10-27): `UI-LNM-22-001..003` all TODO; documentation requires final UI states and accessibility audit artifacts.
-
-## StellaOps Console (Sprint 23)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-CONSOLE-23-001 | DONE (2025-10-26) | Docs Guild, Console Guild | CONSOLE-CORE-23-004 | Publish `/docs/ui/console-overview.md` covering IA, tenant model, global filters, and AOC alignment with compliance checklist. | Doc merged with diagrams + overview tables; checklist appended; Console Guild sign-off. |
-| DOCS-CONSOLE-23-002 | DONE (2025-10-26) | Docs Guild, Console Guild | DOCS-CONSOLE-23-001 | Author `/docs/ui/navigation.md` detailing routes, breadcrumbs, keyboard shortcuts, deep links, and tenant context switching. | Navigation doc merged with shortcut tables and screenshots; accessibility checklist satisfied. |
-| DOCS-CONSOLE-23-003 | DONE (2025-10-26) | Docs Guild, SBOM Service Guild, Console Guild | SBOM-CONSOLE-23-001, CONSOLE-FEAT-23-102 | Document `/docs/ui/sbom-explorer.md` (catalog, detail, graph overlays, exports) including compliance checklist and performance tips. | Doc merged with annotated screenshots, export instructions, and overlay examples; checklist appended. |
-| DOCS-CONSOLE-23-004 | DONE (2025-10-26) | Docs Guild, Concelier Guild, Excititor Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001 | Produce `/docs/ui/advisories-and-vex.md` explaining aggregation-not-merge, conflict indicators, raw viewers, and provenance banners. | Doc merged; raw JSON examples included; compliance checklist complete. |
-| DOCS-CONSOLE-23-005 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-CONSOLE-23-001, CONSOLE-FEAT-23-104 | Write `/docs/ui/findings.md` describing filters, saved views, explain drawer, exports, and CLI parity callouts. | Doc merged with filter matrix + explain walkthrough; checklist appended. |
-| DOCS-CONSOLE-23-006 | DONE (2025-10-26) | Docs Guild, Policy Guild, Product Ops | POLICY-CONSOLE-23-002, CONSOLE-FEAT-23-105 | Publish `/docs/ui/policies.md` with editor, simulation, approvals, compliance checklist, and RBAC mapping. | Doc merged; Monaco screenshots + simulation diff examples included; approval flow described; checklist appended. |
-| DOCS-CONSOLE-23-007 | DONE (2025-10-26) | Docs Guild, Scheduler Guild | SCHED-CONSOLE-23-001, CONSOLE-FEAT-23-106 | Document `/docs/ui/runs.md` covering queues, live progress, diffs, retries, evidence downloads, and troubleshooting. | Doc merged with SSE troubleshooting, metrics references, compliance checklist. |
-| DOCS-CONSOLE-23-008 | DONE (2025-10-26) | Docs Guild, Authority Guild | AUTH-CONSOLE-23-002, CONSOLE-FEAT-23-108 | Draft `/docs/ui/admin.md` describing users/roles, tenants, tokens, integrations, fresh-auth prompts, and RBAC mapping. | Doc merged with tables for scopes vs roles, screenshots, compliance checklist. |
-| DOCS-CONSOLE-23-009 | DONE (2025-10-27) | Docs Guild, DevOps Guild | DOWNLOADS-CONSOLE-23-001, CONSOLE-FEAT-23-109 | Publish `/docs/ui/downloads.md` listing product images, commands, offline instructions, parity with CLI, and compliance checklist. | Doc merged; manifest sample included; copy-to-clipboard guidance documented; checklist complete. |
-| DOCS-CONSOLE-23-010 | DONE (2025-10-27) | Docs Guild, Deployment Guild, Console Guild | DEVOPS-CONSOLE-23-002, CONSOLE-REL-23-301 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, CSP, env vars, health checks) with compliance checklist. | Deploy doc merged; templates validated; CSP guidance included; checklist appended. |
-| DOCS-CONSOLE-23-011 | DONE (2025-10-28) | Docs Guild, Deployment Guild | DOCS-CONSOLE-23-010 | Update `/docs/install/docker.md` to cover Console image, Compose/Helm usage, offline tarballs, parity with CLI. | Doc updated with new sections; commands validated; compliance checklist appended. |
-| DOCS-CONSOLE-23-012 | DONE (2025-10-28) | Docs Guild, Security Guild | AUTH-CONSOLE-23-003, WEB-CONSOLE-23-002 | Publish `/docs/security/console-security.md` detailing OIDC flows, scopes, CSP, fresh-auth, evidence handling, and compliance checklist. | Security doc merged; threat model notes included; checklist appended. |
-| DOCS-CONSOLE-23-013 | DONE (2025-10-28) | Docs Guild, Observability Guild | TELEMETRY-CONSOLE-23-001, CONSOLE-QA-23-403 | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/traces, dashboards, alerts, and feature flags. | Doc merged with instrumentation tables, dashboard screenshots, checklist appended. |
-| DOCS-CONSOLE-23-014 | DONE (2025-10-28) | Docs Guild, Console Guild, CLI Guild | CONSOLE-DOC-23-502 | Maintain `/docs/cli-vs-ui-parity.md` matrix and integrate CI check guidance. | Matrix published with parity status, CI workflow documented, compliance checklist appended. |
-> 2025-10-28: Install Docker guide references pending CLI commands (`stella downloads manifest`, `stella downloads mirror`, `stella console status`). Update once CLI parity lands.
-| DOCS-CONSOLE-23-015 | DONE (2025-10-27) | Docs Guild, Architecture Guild | CONSOLE-CORE-23-001, WEB-CONSOLE-23-001 | Produce `/docs/architecture/console.md` describing frontend packages, data flow diagrams, SSE design, performance budgets. | Architecture doc merged with diagrams + compliance checklist; reviewers approve. |
-| DOCS-CONSOLE-23-016 | DONE (2025-10-28) | Docs Guild, Accessibility Guild | CONSOLE-QA-23-402, CONSOLE-FEAT-23-102 | Refresh `/docs/accessibility.md` with Console-specific keyboard flows, color tokens, testing tools, and compliance checklist updates. | Accessibility doc updated; audits referenced; checklist appended. |
-> 2025-10-28: Added guide covering keyboard matrix, screen reader behaviour, colour/focus tokens, testing workflow, offline guidance, and compliance checklist.
-| DOCS-CONSOLE-23-017 | DONE (2025-10-27) | Docs Guild, Console Guild | CONSOLE-FEAT-23-101..109 | Create `/docs/examples/ui-tours.md` providing triage, audit, policy rollout walkthroughs with annotated screenshots and GIFs. | UI tours doc merged; capture instructions + asset placeholders committed; compliance checklist appended. |
-| DOCS-CONSOLE-23-018 | DONE (2025-10-27) | Docs Guild, Security Guild | DOCS-CONSOLE-23-012 | Execute console security compliance checklist and capture Security Guild sign-off in Sprint 23 log. | Checklist completed; findings addressed or tickets filed; sign-off noted in updates file. |
-| DOCS-LNM-22-006 | DONE (2025-10-27) | Docs Guild, Architecture Guild | CONCELIER-LNM-21-001..005, EXCITITOR-LNM-21-001..005 | Refresh `/docs/architecture/conseiller.md` and `/docs/architecture/excitator.md` describing observation/linkset pipelines and event contracts. | Architecture docs updated with observation/linkset flow + event tables; revisit once service implementations land. |
-> Follow-up: align diagrams/examples after `CONCELIER-LNM-21` & `EXCITITOR-LNM-21` work merges (currently TODO).
-| DOCS-LNM-22-007 | TODO | Docs Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005, DEVOPS-LNM-22-002 | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. | Observability doc merged; dashboards referenced; checklist appended. |
-| DOCS-LNM-22-008 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, CONCELIER-LNM-21-102 | Write `/docs/migration/no-merge.md` describing migration plan, backfill steps, rollback, feature flags. | Migration doc approved by stakeholders; checklist appended. |
-
-## Policy Engine + Editor v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-POLICY-23-001 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001..003 | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Doc merged; lint passes; checklist appended. |
-| DOCS-POLICY-23-002 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001 | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). | Reference published with schema snippets; checklist completed. |
-| DOCS-POLICY-23-003 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-50-001..004 | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. | Runtime doc merged with diagrams; observability references included. |
-| DOCS-POLICY-23-004 | TODO | Docs Guild, UI Guild | UI-POLICY-23-001..006 | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). | Editor doc merged with screenshots; accessibility checklist satisfied. |
-| DOCS-POLICY-23-005 | TODO | Docs Guild, Security Guild | AUTH-POLICY-23-001..002 | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). | Governance doc merged; checklist appended. |
-| DOCS-POLICY-23-006 | TODO | Docs Guild, BE-Base Platform Guild | WEB-POLICY-23-001..004 | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. | API doc aligns with OpenAPI; examples validated; checklist included. |
-| DOCS-POLICY-23-007 | TODO | Docs Guild, DevEx/CLI Guild | CLI-POLICY-23-004..006 | Update `/docs/cli/policy.md` for lint/simulate/activate/history commands, exit codes. | CLI doc updated; samples verified; checklist appended. |
-| DOCS-POLICY-23-008 | TODO | Docs Guild, Architecture Guild | POLICY-ENGINE-50-005..006 | Refresh `/docs/architecture/policy-engine.md` with data model, sequence diagrams, event flows. | Architecture doc merged with diagrams; checklist appended. |
-| DOCS-POLICY-23-009 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, DEVOPS-LNM-22-001 | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. | Migration doc approved; checklist appended. |
-| DOCS-POLICY-23-010 | TODO | Docs Guild, UI Guild | UI-POLICY-23-006 | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. | Doc merged with annotated screenshots; checklist appended. |
-
-## Graph & Vuln Explorer v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-GRAPH-24-001 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-001..006 | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Doc merged; screenshots included; checklist appended. |
-| DOCS-GRAPH-24-002 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-005 | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. | Doc merged with annotated images; accessibility checklist satisfied. |
-| DOCS-GRAPH-24-003 | TODO | Docs Guild, SBOM Service Guild | SBOM-GRAPH-24-001..003 | Create `/docs/architecture/graph-index.md` describing data model, ingestion pipeline, caches, events. | Architecture doc merged with diagrams; checklist appended. |
-| DOCS-GRAPH-24-004 | TODO | Docs Guild, BE-Base Platform Guild | WEB-GRAPH-24-001..003 | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. | API docs aligned with OpenAPI; examples validated; checklist appended. |
-| DOCS-GRAPH-24-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-GRAPH-24-001..003 | Update `/docs/cli/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. | CLI doc merged; examples tested; checklist appended. |
-| DOCS-GRAPH-24-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-60-001..002 | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. | Doc merged; references cross-linked; checklist appended. |
-| DOCS-GRAPH-24-007 | TODO | Docs Guild, DevOps Guild | DEVOPS-GRAPH-24-001..003 | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. | Migration doc approved; checklist appended. |
-
-## Exceptions v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-EXC-25-001 | TODO | Docs Guild, Governance Guild | WEB-EXC-25-001 | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Doc merged; reviewers sign off; checklist included. |
-| DOCS-EXC-25-002 | TODO | Docs Guild, Authority Core | AUTH-EXC-25-001 | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. | Doc merged; routing examples validated; checklist appended. |
-| DOCS-EXC-25-003 | TODO | Docs Guild, BE-Base Platform Guild | WEB-EXC-25-001..003 | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. | API doc aligned with OpenAPI; examples tested; checklist appended. |
-| DOCS-EXC-25-004 | DONE (2025-10-27) | Docs Guild, Policy Guild | POLICY-ENGINE-70-001 | Document `/docs/policy/exception-effects.md` explaining evaluation order, conflicts, simulation. | Doc merged; tests cross-referenced; checklist appended. |
-| DOCS-EXC-25-005 | TODO | Docs Guild, UI Guild | UI-EXC-25-001..004 | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. | Doc merged with screenshots; accessibility checklist completed. |
-| DOCS-EXC-25-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-EXC-25-001..002 | Update `/docs/cli/exceptions.md` covering command usage and exit codes. | CLI doc updated; examples validated; checklist appended. |
-| DOCS-EXC-25-007 | TODO | Docs Guild, DevOps Guild | SCHED-WORKER-25-101, DEVOPS-GRAPH-24-003 | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. | Migration doc approved; checklist included. |
-
-> Update statuses (TODO/DOING/REVIEW/DONE/BLOCKED) as progress changes. Keep guides in sync with configuration samples under `etc/`.
-
-> Remark (2025-10-13, DOC4.AUTH-PDG): Rate limit guide published (`docs/security/rate-limits.md`) and handed to plugin docs team for diagram uplift once PLG6.DIAGRAM lands.
-
-## Orchestrator Dashboard (Epic 9)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-ORCH-32-001 | TODO | Docs Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, governance, with imposed rule reminder. | Doc merged with diagrams; imposed rule statement included; entry linked from docs index. |
-| DOCS-ORCH-32-002 | TODO | Docs Guild | ORCH-SVC-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, data model, message bus, storage layout, restating imposed rule. | Architecture doc merged; diagrams reviewed; imposed rule noted. |
-| DOCS-ORCH-33-001 | TODO | Docs Guild | ORCH-SVC-33-001..004, WEB-ORCH-33-001 | Publish `/docs/orchestrator/api.md` (REST/WebSocket endpoints, payloads, error codes) with imposed rule note. | API doc merged; examples validated; imposed rule appended. |
-| DOCS-ORCH-33-002 | TODO | Docs Guild | CONSOLE-ORCH-32-002, CONSOLE-ORCH-33-001..002 | Publish `/docs/orchestrator/console.md` covering screens, a11y, live updates, control actions, reiterating imposed rule. | Console doc merged with screenshots; accessibility checklist done; imposed rule statement present. |
-| DOCS-ORCH-33-003 | TODO | Docs Guild | CLI-ORCH-33-001 | Publish `/docs/orchestrator/cli.md` documenting commands, options, exit codes, streaming output, offline usage, and imposed rule. | CLI doc merged; examples tested; imposed rule appended. |
-| DOCS-ORCH-34-001 | TODO | Docs Guild | ORCH-SVC-34-002, LEDGER-34-101 | Author `/docs/orchestrator/run-ledger.md` covering ledger schema, provenance chain, audit workflows, with imposed rule reminder. | Run-ledger doc merged; payload samples validated; imposed rule included; cross-links added. |
-| DOCS-ORCH-34-002 | TODO | Docs Guild | AUTH-ORCH-32-001, AUTH-ORCH-34-001 | Update `/docs/security/secrets-handling.md` for orchestrator KMS refs, redaction badges, operator hygiene, reiterating imposed rule. | Security doc merged; checklists updated; imposed rule restated; references from Console/CLI docs added. |
-| DOCS-ORCH-34-003 | TODO | Docs Guild | ORCH-SVC-33-003, ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Publish `/docs/operations/orchestrator-runbook.md` (incident playbook, backfill guide, circuit breakers, throttling) with imposed rule statement. | Runbook merged; steps validated with DevOps; imposed rule included; runbook linked from ops index. |
-| DOCS-ORCH-34-004 | TODO | Docs Guild | ORCH-SVC-32-005, WORKER-GO-33-001, WORKER-PY-33-001 | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. | Schema doc merged; JSON schema provided; imposed rule included; sample payload validated. |
-| DOCS-ORCH-34-005 | TODO | Docs Guild | ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. | SLO doc merged; dashboard screenshots embedded; imposed rule appended; alerts documented. |
-
-## Export Center (Epic 10)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-EXPORT-35-001 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-001..006 | Author `/docs/export-center/overview.md` covering purpose, profiles, security, AOC alignment, surfaces, ending with imposed rule statement. | Doc merged with diagrams/examples; imposed rule line present; index updated. |
-| DOCS-EXPORT-35-002 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-002..005 | Publish `/docs/export-center/architecture.md` describing planner, adapters, manifests, signing, distribution flows, restating imposed rule. | Architecture doc merged; sequence diagrams included; rule statement appended. |
-| DOCS-EXPORT-35-003 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-003..004 | Publish `/docs/export-center/profiles.md` detailing schema fields, examples, compatibility, and imposed rule reminder. | Profiles doc merged; JSON schemas linked; imposed rule noted. |
-| DOCS-EXPORT-36-004 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-36-001..004, WEB-EXPORT-36-001 | Publish `/docs/export-center/api.md` covering endpoints, payloads, errors, and mention imposed rule. | API doc merged; examples validated; rule included. |
-| DOCS-EXPORT-36-005 | DONE (2025-10-29) | Docs Guild | CLI-EXPORT-35-001, CLI-EXPORT-36-001 | Publish `/docs/export-center/cli.md` with command reference, CI scripts, verification steps, restating imposed rule. | CLI doc merged; script snippets tested; rule appended. |
-| DOCS-EXPORT-36-006 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-36-001, DEVOPS-EXPORT-36-001 | Publish `/docs/export-center/trivy-adapter.md` covering field mappings, compatibility matrix, and imposed rule reminder. | Doc merged; mapping tables validated; rule included. |
-| DOCS-EXPORT-37-001 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-37-001, DEVOPS-EXPORT-37-001 | Publish `/docs/export-center/mirror-bundles.md` describing filesystem/OCI layouts, delta/encryption, import guide, ending with imposed rule. | Doc merged; diagrams provided; verification steps tested; rule stated. |
-| DOCS-EXPORT-37-002 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-005, EXPORT-SVC-37-002 | Publish `/docs/export-center/provenance-and-signing.md` detailing manifests, attestation flow, verification, reiterating imposed rule. | Doc merged; signature examples validated; rule appended. |
-| DOCS-EXPORT-37-003 | DONE (2025-10-29) | Docs Guild | DEVOPS-EXPORT-37-001 | Publish `/docs/operations/export-runbook.md` covering failures, tuning, capacity planning, with imposed rule reminder. | Runbook merged; procedures validated; rule included. |
-| DOCS-EXPORT-37-004 | TODO | Docs Guild | AUTH-EXPORT-37-001, EXPORT-SVC-37-002 | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Security doc merged; checklist updated; rule appended. |
-| DOCS-EXPORT-37-101 | TODO | Docs Guild, DevEx/CLI Guild | CLI-EXPORT-37-001 | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). | `docs/export-center/cli.md` & `docs/export-center/provenance-and-signing.md` updated with final command syntax; examples tested; rule reminder retained. |
-| DOCS-EXPORT-37-102 | TODO | Docs Guild, DevOps Guild | DEVOPS-EXPORT-37-001 | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. | Docs updated with dashboard IDs/alert notes; update logged; rule reminder present. |
-| DOCS-EXPORT-37-005 | TODO | Docs Guild, Exporter Service Guild | EXPORT-SVC-35-006, DEVOPS-EXPORT-36-001 | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. | Real bundle examples recorded; docs updated; verification steps confirmed with production artefacts. |
-> Note (2025-10-29): Blocked until exporter API (`EXPORT-SVC-35-006`) and Trivy/mirror adapters (`EXPORT-SVC-36-001`, `EXPORT-SVC-37-001`) ship. Requires access to CI smoke outputs (`DEVOPS-EXPORT-36-001`) for verification artifacts.
-
-## Reachability v1
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-SIG-26-001 | TODO | Docs Guild, Signals Guild | SIGNALS-24-004 | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Doc merged with diagrams/examples; checklist appended. |
-| DOCS-SIG-26-002 | TODO | Docs Guild, Signals Guild | SIGNALS-24-002 | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. | Doc merged; examples tested; checklist included. |
-| DOCS-SIG-26-003 | TODO | Docs Guild, Runtime Guild | SIGNALS-24-003 | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. | Doc merged; privacy review done; checklist appended. |
-| DOCS-SIG-26-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-80-001 | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. | Doc merged; sample policies validated; checklist appended. |
-| DOCS-SIG-26-005 | TODO | Docs Guild, UI Guild | UI-SIG-26-001..003 | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. | Doc merged with screenshots; accessibility checklist completed. |
-| DOCS-SIG-26-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-SIG-26-001..002 | Update `/docs/cli/reachability.md` for new commands and automation recipes. | Doc merged; examples verified; checklist appended. |
-| DOCS-SIG-26-007 | TODO | Docs Guild, BE-Base Platform Guild | WEB-SIG-26-001..003 | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. | API doc aligned with OpenAPI; examples tested; checklist appended. |
-| DOCS-SIG-26-008 | TODO | Docs Guild, DevOps Guild | DEVOPS-SIG-26-001..002 | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. | Migration doc approved; checklist appended. |
-
-## Policy Studio (Sprint 27)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | REGISTRY-API-27-001, POLICY-ENGINE-27-001 | Publish `/docs/policy/studio-overview.md` covering lifecycle, roles, glossary, and compliance checklist. | Doc merged with diagrams + lifecycle table; checklist appended; stakeholders sign off. |
-> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; need spec + compile data.
-> Blocker: Registry OpenAPI (`REGISTRY-API-27-001`) and policy compile enrichments (`POLICY-ENGINE-27-001`) are still TODO; need final interfaces before drafting overview.
-| DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Docs Guild, Console Guild | CONSOLE-STUDIO-27-001 | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. | Authoring doc includes annotated screenshots, snippet catalog, compliance checklist. |
-> Blocked by `CONSOLE-STUDIO-27-001` Studio authoring UI pending.
-> Blocker: Console Studio authoring UI (`CONSOLE-STUDIO-27-001`) not implemented; awaiting UX to capture flows/snippets.
-| DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-007 | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. | Doc merged with flow diagrams; attestation steps documented; checklist appended. |
-> Blocked by `REGISTRY-API-27-007` publish/sign pipeline outstanding.
-> Blocker: Registry publish/sign workflow (`REGISTRY-API-27-007`) pending.
-| DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Docs Guild, Scheduler Guild | REGISTRY-API-27-005, SCHED-WORKER-27-301 | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. | Simulation doc includes charts, sample manifests, checklist appended. |
-> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` batch simulation not ready.
-> Blocker: Batch simulation APIs/workers (`REGISTRY-API-27-005`, `SCHED-WORKER-27-301`) still TODO.
-| DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Docs Guild, Product Ops | REGISTRY-API-27-006 | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. | Doc merged with role matrix + webhook schema; checklist appended. |
-> Blocked by `REGISTRY-API-27-006` review workflow not implemented.
-> Blocker: Review workflow (`REGISTRY-API-27-006`) not landed.
-| DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | REGISTRY-API-27-008 | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. | Promotion doc includes examples + checklist; verified by Policy Ops. |
-> Blocked by `REGISTRY-API-27-008` promotion APIs pending.
-> Blocker: Promotion/canary APIs (`REGISTRY-API-27-008`) outstanding.
-| DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Docs Guild, DevEx/CLI Guild | CLI-POLICY-27-001..004 | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. | CLI doc merged with transcripts; schema references validated; checklist appended. |
-> Blocked by `CLI-POLICY-27-001..004` CLI commands missing.
-> Blocker: Policy CLI commands (`CLI-POLICY-27-001..004`) yet to implement.
-| DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-001..008 | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. | API doc aligned with OpenAPI; examples validated; checklist appended. |
-> Blocked by `REGISTRY-API-27-001..008` OpenAPI + endpoints incomplete.
-> Blocker: Registry OpenAPI/spec suite (`REGISTRY-API-27-001..008`) incomplete.
-| DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Docs Guild, Security Guild | AUTH-POLICY-27-002 | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. | Security doc approved by Security Guild; verifier steps documented; checklist appended. |
-> Blocked by `AUTH-POLICY-27-002` signing enforcement pending.
-> Blocker: Authority signing enforcement (`AUTH-POLICY-27-002`) pending.
-| DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Docs Guild, Architecture Guild | REGISTRY-API-27-001, SCHED-WORKER-27-301 | Author `/docs/architecture/policy-registry.md` (service design, schemas, queues, failure modes) with diagrams and checklist. | Architecture doc merged; diagrams committed; checklist appended. |
-> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` need delivery.
-> Blocker: Policy Registry schema/workers not delivered (see `REGISTRY-API-27-001`, `SCHED-WORKER-27-301`).
-| DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Docs Guild, Observability Guild | DEVOPS-POLICY-27-004 | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. | Observability doc merged; dashboards linked; checklist appended. |
-> Blocked by `DEVOPS-POLICY-27-004` observability dashboards outstanding.
-> Blocker: Observability dashboards (`DEVOPS-POLICY-27-004`) not built.
-| DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Docs Guild, Ops Guild | DEPLOY-POLICY-27-002 | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. | Runbook merged; rehearsal recorded; checklist appended. |
-> Blocked by `DEPLOY-POLICY-27-002` incident runbook inputs pending.
-> Blocker: Ops runbook inputs (`DEPLOY-POLICY-27-002`) pending.
-| DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | CONSOLE-STUDIO-27-001, REGISTRY-API-27-002 | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. | Examples committed with commentary; lint passes; checklist appended. |
-> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing.
-> Blocker: Studio templates and registry storage (`CONSOLE-STUDIO-27-001`, `REGISTRY-API-27-002`) not available.
-| DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-003, WEB-POLICY-27-001 | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. | Doc updated with Studio guardrails; compliance checklist appended. |
-> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented.
-> Blocker: Registry compile pipeline/web proxy (`REGISTRY-API-27-003`, `WEB-POLICY-27-001`) outstanding.
-
-## Vulnerability Explorer (Sprint 29)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-VULN-29-001 | TODO | Docs Guild, Vuln Explorer Guild | VULN-API-29-001 | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Doc merged with diagrams/table; compliance checklist appended. |
-| DOCS-VULN-29-002 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001..006 | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. | Doc merged; images stored; WCAG notes included; checklist appended. |
-| DOCS-VULN-29-003 | TODO | Docs Guild, Vuln Explorer API Guild | VULN-API-29-001..009 | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). | Doc aligned with OpenAPI; examples validated; checklist appended. |
-| DOCS-VULN-29-004 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001..005 | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. | CLI doc merged; transcripts/JSON outputs validated; checklist appended. |
-| DOCS-VULN-29-005 | TODO | Docs Guild, Findings Ledger Guild | LEDGER-29-001..009 | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. | Doc merged; compliance checklist appended; audit team sign-off. |
-| DOCS-VULN-29-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001..003 | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. | Doc updated; examples validated; checklist appended. |
-| DOCS-VULN-29-007 | TODO | Docs Guild, Excititor Guild | EXCITITOR-VULN-29-001..004 | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. | Doc merged; compliance checklist appended. |
-| DOCS-VULN-29-008 | TODO | Docs Guild, Concelier Guild | CONCELIER-VULN-29-001..004 | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. | Doc merged; checklist appended. |
-| DOCS-VULN-29-009 | TODO | Docs Guild, SBOM Service Guild | SBOM-VULN-29-001..002 | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. | Doc merged; ecosystem tables validated; checklist appended. |
-| DOCS-VULN-29-010 | TODO | Docs Guild, Observability Guild | VULN-API-29-009, DEVOPS-VULN-29-002 | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). | Doc merged; dashboards linked; checklist appended. |
-| DOCS-VULN-29-011 | TODO | Docs Guild, Security Guild | AUTH-VULN-29-001..003 | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. | Security doc approved; checklist appended. |
-| DOCS-VULN-29-012 | TODO | Docs Guild, Ops Guild | DEVOPS-VULN-29-002, SCHED-WORKER-29-003 | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). | Runbook merged; rehearsal recorded; checklist appended. |
-| DOCS-VULN-29-013 | TODO | Docs Guild, Deployment Guild | DEPLOY-VULN-29-001..002 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. | Install doc updated; validation commands included; checklist appended. |
-
-## VEX Lens (Sprint 30)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-VEX-30-001 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Doc merged with diagrams/terminology tables; compliance checklist appended. |
-| DOCS-VEX-30-002 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. | Doc merged; math reviewed by Policy; checklist appended. |
-| DOCS-VEX-30-003 | TODO | Docs Guild, Issuer Directory Guild | ISSUER-30-001..003 | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). | Doc merged; security review done; checklist appended. |
-| DOCS-VEX-30-004 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-007 | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. |
-| DOCS-VEX-30-005 | TODO | Docs Guild, Console Guild | CONSOLE-VEX-30-001 | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. | Doc merged; screenshots added; checklist appended. |
-| DOCS-VEX-30-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001, VEXLENS-30-004 | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. | Doc merged; policy review completed; checklist appended. |
-| DOCS-VEX-30-007 | TODO | Docs Guild, SBOM Service Guild | VEXLENS-30-002 | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). | Doc merged; mapping tables validated; checklist appended. |
-| DOCS-VEX-30-008 | TODO | Docs Guild, Security Guild | ISSUER-30-002, VEXLENS-30-003 | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). | Doc approved by Security; checklist appended. |
-| DOCS-VEX-30-009 | TODO | Docs Guild, DevOps Guild | VEXLENS-30-009, DEVOPS-VEX-30-001 | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. | Runbook merged; rehearsal logged; checklist appended. |
-
-## Advisory AI (Sprint 31)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-AIAI-31-001 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC. | Doc merged with diagrams; compliance checklist appended. |
-| DOCS-AIAI-31-002 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-004 | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministics, caching, model options. | Doc merged; architecture review done; checklist appended. |
-| DOCS-AIAI-31-003 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Write `/docs/advisory-ai/api.md` describing endpoints, schemas, errors, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. |
-| DOCS-AIAI-31-004 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001, CONSOLE-VEX-30-001 | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. | Doc merged; images stored; checklist appended. |
-| DOCS-AIAI-31-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001, CLI-VEX-30-001 | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. | Doc merged; examples tested; checklist appended. |
-| DOCS-AIAI-31-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-31-001 | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. | Doc merged; policy review done; checklist appended. |
-| DOCS-AIAI-31-007 | TODO | Docs Guild, Security Guild | AIAI-31-005 | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. | Doc approved by Security; checklist appended. |
-| DOCS-AIAI-31-008 | TODO | Docs Guild, SBOM Service Guild | SBOM-AIAI-31-001 | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | Doc merged; heuristics reviewed; checklist appended. |
-| DOCS-AIAI-31-009 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIAI-31-001 | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. | Runbook merged; rehearsal logged; checklist appended. |
-
-## Notifications Studio
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-NOTIFY-38-001 | DONE (2025-10-29) | Docs Guild, Notifications Service Guild | NOTIFY-SVC-38-001..004 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md`, each ending with imposed rule reminder. | Docs merged; diagrams verified; imposed rule appended. |
-| DOCS-NOTIFY-39-002 | DONE (2025-10-29) | Docs Guild, Notifications Service Guild | NOTIFY-SVC-39-001..004 | Publish `/docs/notifications/rules.md`, `/docs/notifications/templates.md`, `/docs/notifications/digests.md` with examples and imposed rule line. | Docs merged; examples validated; imposed rule appended. |
-| DOCS-NOTIFY-40-001 | TODO | Docs Guild, Security Guild | AUTH-NOTIFY-38-001, NOTIFY-SVC-40-001..004 | Publish `/docs/notifications/channels.md`, `/docs/notifications/escalations.md`, `/docs/notifications/api.md`, `/docs/operations/notifier-runbook.md`, `/docs/security/notifications-hardening.md`; each ends with imposed rule line. | Docs merged; accessibility checks passed; imposed rule appended. |
-
-## CLI Parity & Task Packs
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-CLI-41-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Publish `/docs/cli/overview.md`, `/docs/cli/configuration.md`, `/docs/cli/output-and-exit-codes.md` with imposed rule statements. | Docs merged; examples verified; imposed rule appended. |
-| DOCS-CLI-42-001 | TODO | Docs Guild | DOCS-CLI-41-001, CLI-PARITY-41-001 | Publish `/docs/cli/parity-matrix.md` and command guides under `/docs/cli/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). | Guides merged; parity automation documented; imposed rule appended. |
-| DOCS-PACKS-43-001 | DONE (2025-10-27) | Docs Guild, Task Runner Guild | PACKS-REG-42-001, TASKRUN-42-001 | Publish `/docs/task-packs/spec.md`, `/docs/task-packs/authoring-guide.md`, `/docs/task-packs/registry.md`, `/docs/task-packs/runbook.md`, `/docs/security/pack-signing-and-rbac.md`, `/docs/operations/cli-release-and-packaging.md` with imposed rule statements. | Docs merged; tutorials validated; imposed rule appended; cross-links added. |
-
-## Containerized Distribution (Epic 13)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-INSTALL-44-001 | TODO | Docs Guild, Deployment Guild | COMPOSE-44-001 | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Docs merged; screenshots/commands verified; imposed rule appended. |
-| DOCS-INSTALL-45-001 | TODO | Docs Guild, Deployment Guild | HELM-45-001 | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. | Docs merged; configuration matrix verified; imposed rule appended. |
-| DOCS-INSTALL-46-001 | TODO | Docs Guild, Security Guild | DEPLOY-PACKS-43-001, CLI-PACKS-43-001 | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). | Docs merged; checksum/signature sections validated; imposed rule appended. |
-
-## Authority-Backed Scopes & Tenancy (Epic 14)
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DOCS-TEN-47-001 | TODO | Docs Guild, Authority Core | AUTH-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs merged; diagrams included; imposed rule appended. |
-| DOCS-TEN-48-001 | TODO | Docs Guild, Platform Ops | WEB-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. | Docs merged; examples validated; imposed rule appended. |
-| DOCS-TEN-49-001 | TODO | Docs & DevEx Guilds | CLI-TEN-47-001, AUTH-TEN-49-001 | Publish `/docs/cli/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. | Docs merged; command examples verified; imposed rule appended. |
+# Docs Guild Task Board (UTC 2025-10-10)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOC7.README-INDEX | DONE (2025-10-17) | Docs Guild | — | Refresh index docs (docs/README.md + root README) after architecture dossier split and Offline Kit overhaul. | ✅ ToC reflects new component architecture docs; ✅ root README highlights updated doc set; ✅ Offline Kit guide linked correctly. |
+| DOC4.AUTH-PDG | DONE (2025-10-19) | Docs Guild, Plugin Team | PLG6.DOC | Copy-edit `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, export lifecycle diagram, add LDAP RFC cross-link. | ✅ PR merged with polish; ✅ Diagram committed; ✅ Slack handoff posted. |
+| DOC1.AUTH | DONE (2025-10-12) | Docs Guild, Authority Core | CORE5B.DOC | Draft `docs/11_AUTHORITY.md` covering architecture, configuration, bootstrap flows. | ✅ Architecture + config sections approved by Core; ✅ Samples reference latest options; ✅ Offline note added. |
+| DOC3.Concelier-Authority | DONE (2025-10-12) | Docs Guild, DevEx | FSR4 | Polish operator/runbook sections (DOC3/DOC5) to document Concelier authority rollout, bypass logging, and enforcement checklist. | ✅ DOC3/DOC5 updated with audit runbook references; ✅ enforcement deadline highlighted; ✅ Docs guild sign-off. |
+| DOC5.Concelier-Runbook | DONE (2025-10-12) | Docs Guild | DOC3.Concelier-Authority | Produce dedicated Concelier authority audit runbook covering log fields, monitoring recommendations, and troubleshooting steps. | ✅ Runbook published; ✅ linked from DOC3/DOC5; ✅ alerting guidance included. |
+| FEEDDOCS-DOCS-05-001 | DONE (2025-10-11) | Docs Guild | FEEDMERGE-ENGINE-04-001, FEEDMERGE-ENGINE-04-002 | Publish Concelier conflict resolution runbook covering precedence workflow, merge-event auditing, and Sprint 3 metrics. | ✅ `docs/ops/concelier-conflict-resolution.md` committed; ✅ metrics/log tables align with latest merge code; ✅ Ops alert guidance handed to Concelier team. |
+| FEEDDOCS-DOCS-05-002 | DONE (2025-10-16) | Docs Guild, Concelier Ops | FEEDDOCS-DOCS-05-001 | Ops sign-off captured: conflict runbook circulated, alert thresholds tuned, and rollout decisions documented in change log. | ✅ Ops review recorded; ✅ alert thresholds finalised using `docs/ops/concelier-authority-audit-runbook.md`; ✅ change-log entry linked from runbook once GHSA/NVD/OSV regression fixtures land. |
+| DOCS-ADR-09-001 | DONE (2025-10-19) | Docs Guild, DevEx | — | Establish ADR process (`docs/adr/0000-template.md`) and document usage guidelines. | Template published; README snippet linking ADR process; announcement posted (`docs/updates/2025-10-18-docs-guild.md`). |
+| DOCS-EVENTS-09-002 | DONE (2025-10-19) | Docs Guild, Platform Events | SCANNER-EVENTS-15-201 | Publish event schema catalog (`docs/events/`) for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, `attestor.logged@1`. | Schemas validated (Ajv CI hooked); docs/events/README summarises usage; Platform Events notified via `docs/updates/2025-10-18-docs-guild.md`. |
+| DOCS-EVENTS-09-003 | DONE (2025-10-19) | Docs Guild | DOCS-EVENTS-09-002 | Add human-readable envelope field references and canonical payload samples for published events, including offline validation workflow. | Tables explain common headers/payload segments; versioned sample payloads committed; README links to validation instructions and samples. |
+| DOCS-EVENTS-09-004 | DONE (2025-10-19) | Docs Guild, Scanner WebService | SCANNER-EVENTS-15-201 | Refresh scanner event docs to mirror DSSE-backed report fields, document `scanner.scan.completed`, and capture canonical sample validation. | Schemas updated for new payload shape; README references DSSE reuse and validation test; samples align with emitted events. |
+| PLATFORM-EVENTS-09-401 | DONE (2025-10-21) | Platform Events Guild | DOCS-EVENTS-09-003 | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. | Notify models tests now run schema validation against `docs/events/*.json`, event schemas allow optional `attributes`, and docs capture the new validation workflow. |
+| RUNTIME-GUILD-09-402 | DONE (2025-10-19) | Runtime Guild | SCANNER-POLICY-09-107 | Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. | Runtime verification run captures enriched payload; checklist/doc updates merged; stakeholders acknowledge availability. |
+| DOCS-CONCELIER-07-201 | DONE (2025-10-22) | Docs Guild, Concelier WebService | FEEDWEB-DOCS-01-001 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Review feedback resolved, publish PR merged, release notes updated with documentation pointer. |
+| DOCS-RUNTIME-17-004 | DONE (2025-10-26) | Docs Guild, Runtime Guild | SCANNER-EMIT-17-701, ZASTAVA-OBS-17-005, DEVOPS-REL-17-002 | Document build-id workflows: SBOM exposure, runtime event payloads (`process.buildId`), Scanner `/policy/runtime` response (`buildIds` list), debug-store layout, and operator guidance for symbol retrieval. | Architecture + operator docs updated with build-id sections (Observer, Scanner, CLI), examples show `readelf` output + debuginfod usage, references linked from Offline Kit/Release guides + CLI help. |
+| DOCS-OBS-50-001 | BLOCKED (2025-10-26) | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Publish `/docs/observability/overview.md` introducing scope, imposed rule banner, architecture diagram, and tenant guarantees. | Doc merged with imposed rule banner; diagram committed; cross-links to telemetry stack + evidence locker docs. |
+> Blocked: waiting on telemetry core deliverable (TELEMETRY-OBS-50-001) to finalise architecture details and diagrams.
+| DOCS-OBS-50-002 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-50-002 | Author `/docs/observability/telemetry-standards.md` detailing common fields, scrubbing policy, sampling defaults, and redaction override procedure. | Doc merged; imposed rule banner present; examples validated with telemetry fixtures; security review sign-off captured. |
+| DOCS-OBS-50-003 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Create `/docs/observability/logging.md` covering structured log schema, dos/don'ts, tenant isolation, and copyable examples. | Doc merged with banner; sample logs redacted; lint passes; linked from coding standards. |
+| DOCS-OBS-50-004 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-002 | Draft `/docs/observability/tracing.md` explaining context propagation, async linking, CLI header usage, and sampling strategies. | Doc merged; imposed rule banner included; diagrams updated; references to CLI/Console features added. |
+| DOCS-OBS-51-001 | TODO | Docs Guild, DevOps Guild | WEB-OBS-51-001, DEVOPS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` cataloging metrics, SLO targets, burn rate policies, and alert runbooks. | Doc merged with banner; SLO tables verified; alert workflows linked to incident runbook. |
+| DOCS-SEC-OBS-50-001 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-51-002 | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Doc merged; redaction matrix updated; banner present; security sign-off recorded. |
+| DOCS-INSTALL-50-001 | TODO | Docs Guild, DevOps Guild | DEVOPS-OBS-50-003 | Add `/docs/install/telemetry-stack.md` with collector deployment, exporter options, offline kit notes, and imposed rule banner. | Doc merged; install steps verified on air-gapped profile; banner present; screenshots attached. |
+| DOCS-FORENSICS-53-001 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-53-003 | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Doc merged; manifest examples validated; banner present; legal hold steps aligned with API. |
+| DOCS-FORENSICS-53-002 | TODO | Docs Guild, Provenance Guild | PROV-OBS-54-001 | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. | Doc merged; sample statements reference fixtures; banner included; verification steps tested. |
+| DOCS-FORENSICS-53-003 | TODO | Docs Guild, Timeline Indexer Guild | TIMELINE-OBS-52-003 | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. | Doc merged; query examples validated; banner present; linked from Console/CLI docs. |
+| DOCS-CONSOLE-OBS-52-001 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-51-001 | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Doc merged; screenshots updated; banner present; navigation steps verified. |
+| DOCS-CONSOLE-OBS-52-002 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-52-002, CONSOLE-OBS-53-001 | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. | Doc merged; banner included; workflows validated via Playwright capture; troubleshooting section populated. |
+| DOCS-CLI-OBS-52-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-OBS-52-001 | Create `/docs/cli/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Doc merged; examples tested; banner included; CLI parity matrix updated. |
+| DOCS-CLI-FORENSICS-53-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-FORENSICS-54-001 | Publish `/docs/cli/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Doc merged; sample bundles verified; banner present; offline notes cross-linked. |
+| DOCS-RUNBOOK-55-001 | TODO | Docs Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Doc merged; runbook rehearsed; banner included; linked from alerts. |
+| DOCS-AOC-19-001 | DONE (2025-10-26) | Docs Guild, Concelier Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Author `/docs/ingestion/aggregation-only-contract.md` covering philosophy, invariants, schemas, error codes, migration, observability, and security checklist. | New doc published with compliance checklist; cross-links from existing docs added. |
+| DOCS-AOC-19-002 | DONE (2025-10-26) | Docs Guild, Architecture Guild | DOCS-AOC-19-001 | Update `/docs/architecture/overview.md` to include AOC boundary, raw stores, and sequence diagram (fetch → guard → raw insert → policy evaluation). | Overview doc updated with diagrams/text; lint passes; stakeholders sign off. |
+| DOCS-AOC-19-003 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-AOC-19-003 | Refresh `/docs/architecture/policy-engine.md` clarifying ingestion boundary, raw inputs, and policy-only derived data. | Doc highlights raw-only ingestion contract, updated diagrams merge, compliance checklist added. |
+| DOCS-AOC-19-004 | DONE (2025-10-26) | Docs Guild, UI Guild | UI-AOC-19-001 | Extend `/docs/ui/console.md` with Sources dashboard tiles, violation drill-down workflow, and verification action. | UI doc updated with screenshots/flow descriptions, compliance checklist appended. |
+> DOCS-AOC-19-004: Architecture overview & policy-engine updates landed 2025-10-26; incorporate the new AOC boundary diagrams and metrics references.
+| DOCS-AOC-19-005 | DONE (2025-10-26) | Docs Guild, CLI Guild | CLI-AOC-19-003 | Update `/docs/cli/cli-reference.md` with `stella sources ingest --dry-run` and `stella aoc verify` usage, exit codes, and offline notes. | CLI reference + quickstart sections updated; examples validated; compliance checklist added. |
+> DOCS-AOC-19-005: New ingestion reference + architecture overview published 2025-10-26; ensure CLI docs link to both and surface AOC exit codes mapping.
+| DOCS-AOC-19-006 | DONE (2025-10-26) | Docs Guild, Observability Guild | CONCELIER-WEB-AOC-19-002, EXCITITOR-WEB-AOC-19-002 | Document new metrics/traces/log keys in `/docs/observability/observability.md`. | Observability doc lists new metrics/traces/log fields; dashboards referenced; compliance checklist appended. |
+| DOCS-AOC-19-007 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-AOC-19-001 | Update `/docs/security/authority-scopes.md` with new ingestion scopes and tenancy enforcement notes. | Doc reflects new scopes, sample policies updated, compliance checklist added. |
+| DOCS-AOC-19-008 | DONE (2025-10-26) | Docs Guild, DevOps Guild | DEVOPS-AOC-19-002 | Refresh `/docs/deploy/containers.md` to cover validator enablement, guard env flags, and read-only verify user. | Deploy doc updated; offline kit section mentions validator scripts; compliance checklist appended. |
+| DOCS-AOC-19-009 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-AOC-19-001 | Update AOC docs/samples to reflect new `advisory:*`, `vex:*`, and `aoc:verify` scopes. | Docs reference new scopes, samples aligned, compliance checklist updated. |
+
+## Air-Gapped Mode (Epic 16)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-AIRGAP-56-001 | TODO | Docs Guild, AirGap Controller Guild | AIRGAP-CTL-56-002 | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Doc merged; banner present; diagrams included. |
+| DOCS-AIRGAP-56-002 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIRGAP-56-001 | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. | Doc merged; examples validated; banner included. |
+| DOCS-AIRGAP-56-003 | TODO | Docs Guild, Exporter Guild | EXPORT-AIRGAP-56-001 | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. | Doc merged; sample commands verified; banner present. |
+| DOCS-AIRGAP-56-004 | TODO | Docs Guild, Deployment Guild | DEVOPS-AIRGAP-56-003 | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. | Doc merged; checklist appended; screenshots verified. |
+| DOCS-AIRGAP-57-001 | TODO | Docs Guild, AirGap Time Guild | AIRGAP-TIME-58-001 | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. | Doc merged; math checked; banner included. |
+| DOCS-AIRGAP-57-002 | TODO | Docs Guild, Console Guild | CONSOLE-AIRGAP-57-001 | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. | Doc merged; screenshots captured; banner present. |
+| DOCS-AIRGAP-57-003 | TODO | Docs Guild, CLI Guild | CLI-AIRGAP-57-001 | Publish `/docs/cli/airgap.md` documenting commands, examples, exit codes. | Doc merged; examples validated; banner present. |
+| DOCS-AIRGAP-57-004 | TODO | Docs Guild, Ops Guild | DEVOPS-AIRGAP-56-002 | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. | Doc merged; runbooks rehearsed; banner included. |
+| DOCS-AIRGAP-58-001 | TODO | Docs Guild, Product Guild | CONSOLE-AIRGAP-58-002 | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. | Doc merged; matrix reviewed; banner included. |
+| DOCS-AIRGAP-58-002 | TODO | Docs Guild, Security Guild | PROV-OBS-54-001 | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. | Doc merged; security sign-off recorded; banner present. |
+| DOCS-AIRGAP-58-003 | TODO | Docs Guild, DevEx Guild | AIRGAP-POL-56-001 | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. | Doc merged; sample code validated; banner included. |
+| DOCS-AIRGAP-58-004 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-55-001 | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. | Doc merged; verification steps tested; banner present. |
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-OAS-61-001 | TODO | Docs Guild, API Contracts Guild | OAS-61-002 | Publish `/docs/api/overview.md` covering auth, tenancy, pagination, idempotency, rate limits with banner. | Doc merged; examples validated; banner present. |
+| DOCS-OAS-61-002 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Author `/docs/api/conventions.md` capturing naming, errors, filters, sorting, examples. | Doc merged; lint passes; banner included. |
+| DOCS-OAS-61-003 | TODO | Docs Guild, API Governance Guild | APIGOV-63-001 | Publish `/docs/api/versioning.md` describing SemVer, deprecation headers, migration playbooks. | Doc merged; example headers validated; banner present. |
+| DOCS-OAS-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-002 | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. | Reference site builds; search works; banner included. |
+| DOCS-SDK-62-001 | TODO | Docs Guild, SDK Generator Guild | SDKGEN-63-001 | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs merged; code samples pulled from tested examples; banner present. |
+| DOCS-DEVPORT-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-001 | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Doc merged; cross-links validated; banner included. |
+| DOCS-CONTRIB-62-001 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Doc merged; banner present; examples validated. |
+| DOCS-TEST-62-001 | TODO | Docs Guild, Contract Testing Guild | CONTR-62-001 | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Doc merged; references to tooling validated; banner present. |
+| DOCS-SEC-62-001 | TODO | Docs Guild, Authority Core | AUTH-AIRGAP-56-001 | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Doc merged; scope tables verified; banner included. |
+| DOCS-AIRGAP-DEVPORT-64-001 | TODO | Docs Guild, DevPortal Offline Guild | DVOFF-64-001 | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Doc merged; verification steps tested; banner present. |
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-RISK-66-001 | TODO | Docs Guild, Risk Profile Schema Guild | POLICY-RISK-66-001 | Publish `/docs/risk/overview.md` covering concepts and glossary. | Doc merged with banner; terminology reviewed. |
+| DOCS-RISK-66-002 | TODO | Docs Guild, Policy Guild | POLICY-RISK-66-003 | Author `/docs/risk/profiles.md` (authoring, versioning, scope). | Doc merged; schema examples validated; banner present. |
+| DOCS-RISK-66-003 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. | Document merged; tables verified; banner included. |
+| DOCS-RISK-66-004 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-66-002 | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. | Doc merged; equations rendered; banner present. |
+| DOCS-RISK-67-001 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-68-001 | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. | Doc merged; CLI examples validated; banner included. |
+| DOCS-RISK-67-002 | TODO | Docs Guild, API Guild | POLICY-RISK-67-002 | Produce `/docs/risk/api.md` with endpoint reference/examples. | Doc merged; OAS examples synced; banner present. |
+| DOCS-RISK-67-003 | TODO | Docs Guild, Console Guild | CONSOLE-RISK-66-001 | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. | Doc merged; screenshots updated; banner included. |
+| DOCS-RISK-67-004 | TODO | Docs Guild, CLI Guild | CLI-RISK-66-001 | Publish `/docs/cli/risk.md` covering CLI workflows. | Doc merged; command examples validated; banner present. |
+| DOCS-RISK-68-001 | TODO | Docs Guild, Export Guild | RISK-BUNDLE-69-001 | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. | Doc merged; verification steps confirmed; banner included. |
+| DOCS-RISK-68-002 | TODO | Docs Guild, Security Guild | POLICY-RISK-66-003 | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. | Doc merged; audit references updated; banner present. |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-ATTEST-73-001 | TODO | Docs Guild, Attestor Service Guild | ATTEST-TYPES-73-001 | Publish `/docs/attestor/overview.md` with imposed rule banner. | Doc merged; terminology validated. |
+| DOCS-ATTEST-73-002 | TODO | Docs Guild, Attestation Payloads Guild | ATTEST-TYPES-73-002 | Write `/docs/attestor/payloads.md` with schemas/examples. | Doc merged; examples validated via tests. |
+| DOCS-ATTEST-73-003 | TODO | Docs Guild, Policy Guild | POLICY-ATTEST-73-002 | Publish `/docs/attestor/policies.md` covering verification policies. | Doc merged; policy examples validated. |
+| DOCS-ATTEST-73-004 | TODO | Docs Guild, Attestor Service Guild | ATTESTOR-73-002 | Add `/docs/attestor/workflows.md` detailing ingest, verify, bulk operations. | Doc merged; workflows tested. |
+| DOCS-ATTEST-74-001 | TODO | Docs Guild, KMS Guild | KMS-73-001 | Publish `/docs/attestor/keys-and-issuers.md`. | Doc merged; rotation guidance verified. |
+| DOCS-ATTEST-74-002 | TODO | Docs Guild, Transparency Guild | TRANSP-74-001 | Document `/docs/attestor/transparency.md` with witness usage/offline validation. | Doc merged; proofs validated. |
+| DOCS-ATTEST-74-003 | TODO | Docs Guild, Attestor Console Guild | CONSOLE-ATTEST-73-001 | Write `/docs/console/attestor-ui.md` with screenshots/workflows. | Doc merged; screenshots captured; banner present. |
+| DOCS-ATTEST-74-004 | TODO | Docs Guild, CLI Attestor Guild | CLI-ATTEST-73-001 | Publish `/docs/cli/attest.md` covering CLI usage. | Doc merged; commands validated. |
+| DOCS-ATTEST-75-001 | TODO | Docs Guild, Export Attestation Guild | EXPORT-ATTEST-75-002 | Add `/docs/attestor/airgap.md` for attestation bundles. | Doc merged; verification steps confirmed. |
+| DOCS-ATTEST-75-002 | TODO | Docs Guild, Security Guild | ATTESTOR-73-002 | Update `/docs/security/aoc-invariants.md` with attestation invariants. | Doc merged; invariants detailed. |
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-POLICY-20-001 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-000 | Author `/docs/policy/overview.md` covering concepts, inputs/outputs, determinism, and compliance checklist. | Doc published with diagrams + glossary; lint passes; checklist included. |
+| DOCS-POLICY-20-002 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Write `/docs/policy/dsl.md` with grammar, built-ins, examples, anti-patterns. | DSL doc includes grammar tables, examples, compliance checklist; validated against parser tests. |
+| DOCS-POLICY-20-003 | DONE (2025-10-26) | Docs Guild, Authority Core | AUTH-POLICY-20-001 | Publish `/docs/policy/lifecycle.md` describing draft→approve workflow, roles, audit, compliance list. | Lifecycle doc linked from UI/CLI help; approvals roles documented; checklist appended. |
+| DOCS-POLICY-20-004 | DONE (2025-10-26) | Docs Guild, Scheduler Guild | SCHED-MODELS-20-001 | Create `/docs/policy/runs.md` detailing run modes, incremental mechanics, cursors, replay. | Run doc includes sequence diagrams + compliance checklist; cross-links to scheduler docs. |
+| DOCS-POLICY-20-005 | DONE (2025-10-26) | Docs Guild, BE-Base Platform Guild | WEB-POLICY-20-001 | Draft `/docs/api/policy.md` describing endpoints, schemas, error codes. | API doc validated against OpenAPI; examples included; checklist appended. |
+| DOCS-POLICY-20-006 | DONE (2025-10-26) | Docs Guild, DevEx/CLI Guild | CLI-POLICY-20-002 | Produce `/docs/cli/policy.md` with command usage, exit codes, JSON output contracts. | CLI doc includes examples, exit codes, compliance checklist. |
+| DOCS-POLICY-20-007 | DONE (2025-10-26) | Docs Guild, UI Guild | UI-POLICY-20-001 | Document `/docs/ui/policy-editor.md` covering editor, simulation, diff workflows, approvals. | UI doc includes screenshots/placeholders, accessibility notes, compliance checklist. |
+| DOCS-POLICY-20-008 | DONE (2025-10-26) | Docs Guild, Architecture Guild | POLICY-ENGINE-20-003 | Write `/docs/architecture/policy-engine.md` (new epic content) with sequence diagrams, selection strategy, schema. | Architecture doc merged with diagrams; compliance checklist appended; references updated. |
+| DOCS-POLICY-20-009 | DONE (2025-10-26) | Docs Guild, Observability Guild | POLICY-ENGINE-20-007 | Add `/docs/observability/policy.md` for metrics/traces/logs, sample dashboards. | Observability doc includes metrics tables, dashboard screenshots, checklist. |
+| DOCS-POLICY-20-010 | DONE (2025-10-26) | Docs Guild, Security Guild | AUTH-POLICY-20-002 | Publish `/docs/security/policy-governance.md` covering scopes, approvals, tenancy, least privilege. | Security doc merged; compliance checklist appended; reviewed by Security Guild. |
+| DOCS-POLICY-20-011 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Populate `/docs/examples/policies/` with baseline/serverless/internal-only samples and commentary. | Example policies committed with explanations; lint passes; compliance checklist per file. |
+| DOCS-POLICY-20-012 | DONE (2025-10-26) | Docs Guild, Support Guild | WEB-POLICY-20-003 | Draft `/docs/faq/policy-faq.md` addressing common pitfalls, VEX conflicts, determinism issues. | FAQ published with Q/A entries, cross-links, compliance checklist. |
+
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-LNM-22-001 | BLOCKED (2025-10-27) | Docs Guild, Concelier Guild | CONCELIER-LNM-21-001..003 | Author `/docs/advisories/aggregation.md` covering observation vs linkset, conflict handling, AOC requirements, and reviewer checklist. | Draft doc merged with examples + checklist; final sign-off blocked until Concelier schema/API tasks land. |
+> Blocker (2025-10-27): `CONCELIER-LNM-21-001..003` still TODO; update doc + fixtures once schema/API implementations are available.
+| DOCS-LNM-22-002 | BLOCKED (2025-10-27) | Docs Guild, Excititor Guild | EXCITITOR-LNM-21-001..003 | Publish `/docs/vex/aggregation.md` describing VEX observation/linkset model, product matching, conflicts. | Draft doc merged with fixtures; final approval blocked until Excititor observation/linkset work ships. |
+> Blocker (2025-10-27): `EXCITITOR-LNM-21-001..003` remain TODO; refresh doc, fixtures, and examples post-implementation.
+| DOCS-LNM-22-003 | BLOCKED (2025-10-27) | Docs Guild, BE-Base Platform Guild | WEB-LNM-21-001..003 | Update `/docs/api/advisories.md` and `/docs/api/vex.md` for new endpoints, parameters, errors, exports. | Draft pending gateway/API delivery; unblock once endpoints + OpenAPI specs are available. |
+> Blocker (2025-10-27): `WEB-LNM-21-001..003` all TODO—no gateway endpoints/OpenAPI to document yet.
+| DOCS-LNM-22-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-40-001 | Create `/docs/policy/effective-severity.md` detailing severity selection strategies from multiple sources. | Doc merged with policy examples; checklist included. |
+| DOCS-LNM-22-005 | BLOCKED (2025-10-27) | Docs Guild, UI Guild | UI-LNM-22-001..003 | Document `/docs/ui/evidence-panel.md` with screenshots, conflict badges, accessibility guidance. | Awaiting UI implementation to capture screenshots + flows; unblock once Evidence panel ships. |
+> Blocker (2025-10-27): `UI-LNM-22-001..003` all TODO; documentation requires final UI states and accessibility audit artifacts.
+
+## StellaOps Console (Sprint 23)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-CONSOLE-23-001 | DONE (2025-10-26) | Docs Guild, Console Guild | CONSOLE-CORE-23-004 | Publish `/docs/ui/console-overview.md` covering IA, tenant model, global filters, and AOC alignment with compliance checklist. | Doc merged with diagrams + overview tables; checklist appended; Console Guild sign-off. |
+| DOCS-CONSOLE-23-002 | DONE (2025-10-26) | Docs Guild, Console Guild | DOCS-CONSOLE-23-001 | Author `/docs/ui/navigation.md` detailing routes, breadcrumbs, keyboard shortcuts, deep links, and tenant context switching. | Navigation doc merged with shortcut tables and screenshots; accessibility checklist satisfied. |
+| DOCS-CONSOLE-23-003 | DONE (2025-10-26) | Docs Guild, SBOM Service Guild, Console Guild | SBOM-CONSOLE-23-001, CONSOLE-FEAT-23-102 | Document `/docs/ui/sbom-explorer.md` (catalog, detail, graph overlays, exports) including compliance checklist and performance tips. | Doc merged with annotated screenshots, export instructions, and overlay examples; checklist appended. |
+| DOCS-CONSOLE-23-004 | DONE (2025-10-26) | Docs Guild, Concelier Guild, Excititor Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001 | Produce `/docs/ui/advisories-and-vex.md` explaining aggregation-not-merge, conflict indicators, raw viewers, and provenance banners. | Doc merged; raw JSON examples included; compliance checklist complete. |
+| DOCS-CONSOLE-23-005 | DONE (2025-10-26) | Docs Guild, Policy Guild | POLICY-CONSOLE-23-001, CONSOLE-FEAT-23-104 | Write `/docs/ui/findings.md` describing filters, saved views, explain drawer, exports, and CLI parity callouts. | Doc merged with filter matrix + explain walkthrough; checklist appended. |
+| DOCS-CONSOLE-23-006 | DONE (2025-10-26) | Docs Guild, Policy Guild, Product Ops | POLICY-CONSOLE-23-002, CONSOLE-FEAT-23-105 | Publish `/docs/ui/policies.md` with editor, simulation, approvals, compliance checklist, and RBAC mapping. | Doc merged; Monaco screenshots + simulation diff examples included; approval flow described; checklist appended. |
+| DOCS-CONSOLE-23-007 | DONE (2025-10-26) | Docs Guild, Scheduler Guild | SCHED-CONSOLE-23-001, CONSOLE-FEAT-23-106 | Document `/docs/ui/runs.md` covering queues, live progress, diffs, retries, evidence downloads, and troubleshooting. | Doc merged with SSE troubleshooting, metrics references, compliance checklist. |
+| DOCS-CONSOLE-23-008 | DONE (2025-10-26) | Docs Guild, Authority Guild | AUTH-CONSOLE-23-002, CONSOLE-FEAT-23-108 | Draft `/docs/ui/admin.md` describing users/roles, tenants, tokens, integrations, fresh-auth prompts, and RBAC mapping. | Doc merged with tables for scopes vs roles, screenshots, compliance checklist. |
+| DOCS-CONSOLE-23-009 | DONE (2025-10-27) | Docs Guild, DevOps Guild | DOWNLOADS-CONSOLE-23-001, CONSOLE-FEAT-23-109 | Publish `/docs/ui/downloads.md` listing product images, commands, offline instructions, parity with CLI, and compliance checklist. | Doc merged; manifest sample included; copy-to-clipboard guidance documented; checklist complete. |
+| DOCS-CONSOLE-23-010 | DONE (2025-10-27) | Docs Guild, Deployment Guild, Console Guild | DEVOPS-CONSOLE-23-002, CONSOLE-REL-23-301 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, CSP, env vars, health checks) with compliance checklist. | Deploy doc merged; templates validated; CSP guidance included; checklist appended. |
+| DOCS-CONSOLE-23-011 | DONE (2025-10-28) | Docs Guild, Deployment Guild | DOCS-CONSOLE-23-010 | Update `/docs/install/docker.md` to cover Console image, Compose/Helm usage, offline tarballs, parity with CLI. | Doc updated with new sections; commands validated; compliance checklist appended. |
+| DOCS-CONSOLE-23-012 | DONE (2025-10-28) | Docs Guild, Security Guild | AUTH-CONSOLE-23-003, WEB-CONSOLE-23-002 | Publish `/docs/security/console-security.md` detailing OIDC flows, scopes, CSP, fresh-auth, evidence handling, and compliance checklist. | Security doc merged; threat model notes included; checklist appended. |
+| DOCS-CONSOLE-23-013 | DONE (2025-10-28) | Docs Guild, Observability Guild | TELEMETRY-CONSOLE-23-001, CONSOLE-QA-23-403 | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/traces, dashboards, alerts, and feature flags. | Doc merged with instrumentation tables, dashboard screenshots, checklist appended. |
+| DOCS-CONSOLE-23-014 | DONE (2025-10-28) | Docs Guild, Console Guild, CLI Guild | CONSOLE-DOC-23-502 | Maintain `/docs/cli-vs-ui-parity.md` matrix and integrate CI check guidance. | Matrix published with parity status, CI workflow documented, compliance checklist appended. |
+> 2025-10-28: Install Docker guide references pending CLI commands (`stella downloads manifest`, `stella downloads mirror`, `stella console status`). Update once CLI parity lands.
+| DOCS-CONSOLE-23-015 | DONE (2025-10-27) | Docs Guild, Architecture Guild | CONSOLE-CORE-23-001, WEB-CONSOLE-23-001 | Produce `/docs/architecture/console.md` describing frontend packages, data flow diagrams, SSE design, performance budgets. | Architecture doc merged with diagrams + compliance checklist; reviewers approve. |
+| DOCS-CONSOLE-23-016 | DONE (2025-10-28) | Docs Guild, Accessibility Guild | CONSOLE-QA-23-402, CONSOLE-FEAT-23-102 | Refresh `/docs/accessibility.md` with Console-specific keyboard flows, color tokens, testing tools, and compliance checklist updates. | Accessibility doc updated; audits referenced; checklist appended. |
+> 2025-10-28: Added guide covering keyboard matrix, screen reader behaviour, colour/focus tokens, testing workflow, offline guidance, and compliance checklist.
+| DOCS-CONSOLE-23-017 | DONE (2025-10-27) | Docs Guild, Console Guild | CONSOLE-FEAT-23-101..109 | Create `/docs/examples/ui-tours.md` providing triage, audit, policy rollout walkthroughs with annotated screenshots and GIFs. | UI tours doc merged; capture instructions + asset placeholders committed; compliance checklist appended. |
+| DOCS-CONSOLE-23-018 | DONE (2025-10-27) | Docs Guild, Security Guild | DOCS-CONSOLE-23-012 | Execute console security compliance checklist and capture Security Guild sign-off in Sprint 23 log. | Checklist completed; findings addressed or tickets filed; sign-off noted in updates file. |
+| DOCS-LNM-22-006 | DONE (2025-10-27) | Docs Guild, Architecture Guild | CONCELIER-LNM-21-001..005, EXCITITOR-LNM-21-001..005 | Refresh `/docs/architecture/conseiller.md` and `/docs/architecture/excitator.md` describing observation/linkset pipelines and event contracts. | Architecture docs updated with observation/linkset flow + event tables; revisit once service implementations land. |
+> Follow-up: align diagrams/examples after `CONCELIER-LNM-21` & `EXCITITOR-LNM-21` work merges (currently TODO).
+| DOCS-LNM-22-007 | TODO | Docs Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005, DEVOPS-LNM-22-002 | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. | Observability doc merged; dashboards referenced; checklist appended. |
+| DOCS-LNM-22-008 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, CONCELIER-LNM-21-102 | Write `/docs/migration/no-merge.md` describing migration plan, backfill steps, rollback, feature flags. | Migration doc approved by stakeholders; checklist appended. |
+
+## Policy Engine + Editor v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-POLICY-23-001 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001..003 | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Doc merged; lint passes; checklist appended. |
+| DOCS-POLICY-23-002 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001 | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). | Reference published with schema snippets; checklist completed. |
+| DOCS-POLICY-23-003 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-50-001..004 | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. | Runtime doc merged with diagrams; observability references included. |
+| DOCS-POLICY-23-004 | TODO | Docs Guild, UI Guild | UI-POLICY-23-001..006 | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). | Editor doc merged with screenshots; accessibility checklist satisfied. |
+| DOCS-POLICY-23-005 | TODO | Docs Guild, Security Guild | AUTH-POLICY-23-001..002 | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). | Governance doc merged; checklist appended. |
+| DOCS-POLICY-23-006 | TODO | Docs Guild, BE-Base Platform Guild | WEB-POLICY-23-001..004 | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. | API doc aligns with OpenAPI; examples validated; checklist included. |
+| DOCS-POLICY-23-007 | TODO | Docs Guild, DevEx/CLI Guild | CLI-POLICY-23-004..006 | Update `/docs/cli/policy.md` for lint/simulate/activate/history commands, exit codes. | CLI doc updated; samples verified; checklist appended. |
+| DOCS-POLICY-23-008 | TODO | Docs Guild, Architecture Guild | POLICY-ENGINE-50-005..006 | Refresh `/docs/architecture/policy-engine.md` with data model, sequence diagrams, event flows. | Architecture doc merged with diagrams; checklist appended. |
+| DOCS-POLICY-23-009 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, DEVOPS-LNM-22-001 | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. | Migration doc approved; checklist appended. |
+| DOCS-POLICY-23-010 | TODO | Docs Guild, UI Guild | UI-POLICY-23-006 | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. | Doc merged with annotated screenshots; checklist appended. |
+
+## Graph & Vuln Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-GRAPH-24-001 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-001..006 | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Doc merged; screenshots included; checklist appended. |
+| DOCS-GRAPH-24-002 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-005 | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. | Doc merged with annotated images; accessibility checklist satisfied. |
+| DOCS-GRAPH-24-003 | TODO | Docs Guild, SBOM Service Guild | SBOM-GRAPH-24-001..003 | Create `/docs/architecture/graph-index.md` describing data model, ingestion pipeline, caches, events. | Architecture doc merged with diagrams; checklist appended. |
+| DOCS-GRAPH-24-004 | TODO | Docs Guild, BE-Base Platform Guild | WEB-GRAPH-24-001..003 | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. | API docs aligned with OpenAPI; examples validated; checklist appended. |
+| DOCS-GRAPH-24-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-GRAPH-24-001..003 | Update `/docs/cli/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. | CLI doc merged; examples tested; checklist appended. |
+| DOCS-GRAPH-24-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-60-001..002 | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. | Doc merged; references cross-linked; checklist appended. |
+| DOCS-GRAPH-24-007 | TODO | Docs Guild, DevOps Guild | DEVOPS-GRAPH-24-001..003 | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. | Migration doc approved; checklist appended. |
+
+## Exceptions v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-EXC-25-001 | TODO | Docs Guild, Governance Guild | WEB-EXC-25-001 | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Doc merged; reviewers sign off; checklist included. |
+| DOCS-EXC-25-002 | TODO | Docs Guild, Authority Core | AUTH-EXC-25-001 | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. | Doc merged; routing examples validated; checklist appended. |
+| DOCS-EXC-25-003 | TODO | Docs Guild, BE-Base Platform Guild | WEB-EXC-25-001..003 | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. | API doc aligned with OpenAPI; examples tested; checklist appended. |
+| DOCS-EXC-25-004 | DONE (2025-10-27) | Docs Guild, Policy Guild | POLICY-ENGINE-70-001 | Document `/docs/policy/exception-effects.md` explaining evaluation order, conflicts, simulation. | Doc merged; tests cross-referenced; checklist appended. |
+| DOCS-EXC-25-005 | TODO | Docs Guild, UI Guild | UI-EXC-25-001..004 | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. | Doc merged with screenshots; accessibility checklist completed. |
+| DOCS-EXC-25-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-EXC-25-001..002 | Update `/docs/cli/exceptions.md` covering command usage and exit codes. | CLI doc updated; examples validated; checklist appended. |
+| DOCS-EXC-25-007 | TODO | Docs Guild, DevOps Guild | SCHED-WORKER-25-101, DEVOPS-GRAPH-24-003 | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. | Migration doc approved; checklist included. |
+
+> Update statuses (TODO/DOING/REVIEW/DONE/BLOCKED) as progress changes. Keep guides in sync with configuration samples under `etc/`.
+
+> Remark (2025-10-13, DOC4.AUTH-PDG): Rate limit guide published (`docs/security/rate-limits.md`) and handed to plugin docs team for diagram uplift once PLG6.DIAGRAM lands.
+
+## Orchestrator Dashboard (Epic 9)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-ORCH-32-001 | TODO | Docs Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, governance, with imposed rule reminder. | Doc merged with diagrams; imposed rule statement included; entry linked from docs index. |
+| DOCS-ORCH-32-002 | TODO | Docs Guild | ORCH-SVC-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, data model, message bus, storage layout, restating imposed rule. | Architecture doc merged; diagrams reviewed; imposed rule noted. |
+| DOCS-ORCH-33-001 | TODO | Docs Guild | ORCH-SVC-33-001..004, WEB-ORCH-33-001 | Publish `/docs/orchestrator/api.md` (REST/WebSocket endpoints, payloads, error codes) with imposed rule note. | API doc merged; examples validated; imposed rule appended. |
+| DOCS-ORCH-33-002 | TODO | Docs Guild | CONSOLE-ORCH-32-002, CONSOLE-ORCH-33-001..002 | Publish `/docs/orchestrator/console.md` covering screens, a11y, live updates, control actions, reiterating imposed rule. | Console doc merged with screenshots; accessibility checklist done; imposed rule statement present. |
+| DOCS-ORCH-33-003 | TODO | Docs Guild | CLI-ORCH-33-001 | Publish `/docs/orchestrator/cli.md` documenting commands, options, exit codes, streaming output, offline usage, and imposed rule. | CLI doc merged; examples tested; imposed rule appended. |
+| DOCS-ORCH-34-001 | TODO | Docs Guild | ORCH-SVC-34-002, LEDGER-34-101 | Author `/docs/orchestrator/run-ledger.md` covering ledger schema, provenance chain, audit workflows, with imposed rule reminder. | Run-ledger doc merged; payload samples validated; imposed rule included; cross-links added. |
+| DOCS-ORCH-34-002 | TODO | Docs Guild | AUTH-ORCH-32-001, AUTH-ORCH-34-001 | Update `/docs/security/secrets-handling.md` for orchestrator KMS refs, redaction badges, operator hygiene, reiterating imposed rule. | Security doc merged; checklists updated; imposed rule restated; references from Console/CLI docs added. |
+| DOCS-ORCH-34-003 | TODO | Docs Guild | ORCH-SVC-33-003, ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Publish `/docs/operations/orchestrator-runbook.md` (incident playbook, backfill guide, circuit breakers, throttling) with imposed rule statement. | Runbook merged; steps validated with DevOps; imposed rule included; runbook linked from ops index. |
+| DOCS-ORCH-34-004 | TODO | Docs Guild | ORCH-SVC-32-005, WORKER-GO-33-001, WORKER-PY-33-001 | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. | Schema doc merged; JSON schema provided; imposed rule included; sample payload validated. |
+| DOCS-ORCH-34-005 | TODO | Docs Guild | ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. | SLO doc merged; dashboard screenshots embedded; imposed rule appended; alerts documented. |
+
+## Export Center (Epic 10)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-EXPORT-35-001 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-001..006 | Author `/docs/export-center/overview.md` covering purpose, profiles, security, AOC alignment, surfaces, ending with imposed rule statement. | Doc merged with diagrams/examples; imposed rule line present; index updated. |
+| DOCS-EXPORT-35-002 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-002..005 | Publish `/docs/export-center/architecture.md` describing planner, adapters, manifests, signing, distribution flows, restating imposed rule. | Architecture doc merged; sequence diagrams included; rule statement appended. |
+| DOCS-EXPORT-35-003 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-003..004 | Publish `/docs/export-center/profiles.md` detailing schema fields, examples, compatibility, and imposed rule reminder. | Profiles doc merged; JSON schemas linked; imposed rule noted. |
+| DOCS-EXPORT-36-004 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-36-001..004, WEB-EXPORT-36-001 | Publish `/docs/export-center/api.md` covering endpoints, payloads, errors, and mention imposed rule. | API doc merged; examples validated; rule included. |
+| DOCS-EXPORT-36-005 | DONE (2025-10-29) | Docs Guild | CLI-EXPORT-35-001, CLI-EXPORT-36-001 | Publish `/docs/export-center/cli.md` with command reference, CI scripts, verification steps, restating imposed rule. | CLI doc merged; script snippets tested; rule appended. |
+| DOCS-EXPORT-36-006 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-36-001, DEVOPS-EXPORT-36-001 | Publish `/docs/export-center/trivy-adapter.md` covering field mappings, compatibility matrix, and imposed rule reminder. | Doc merged; mapping tables validated; rule included. |
+| DOCS-EXPORT-37-001 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-37-001, DEVOPS-EXPORT-37-001 | Publish `/docs/export-center/mirror-bundles.md` describing filesystem/OCI layouts, delta/encryption, import guide, ending with imposed rule. | Doc merged; diagrams provided; verification steps tested; rule stated. |
+| DOCS-EXPORT-37-002 | DONE (2025-10-29) | Docs Guild | EXPORT-SVC-35-005, EXPORT-SVC-37-002 | Publish `/docs/export-center/provenance-and-signing.md` detailing manifests, attestation flow, verification, reiterating imposed rule. | Doc merged; signature examples validated; rule appended. |
+| DOCS-EXPORT-37-003 | DONE (2025-10-29) | Docs Guild | DEVOPS-EXPORT-37-001 | Publish `/docs/operations/export-runbook.md` covering failures, tuning, capacity planning, with imposed rule reminder. | Runbook merged; procedures validated; rule included. |
+| DOCS-EXPORT-37-004 | TODO | Docs Guild | AUTH-EXPORT-37-001, EXPORT-SVC-37-002 | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Security doc merged; checklist updated; rule appended. |
+| DOCS-EXPORT-37-101 | TODO | Docs Guild, DevEx/CLI Guild | CLI-EXPORT-37-001 | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). | `docs/export-center/cli.md` & `docs/export-center/provenance-and-signing.md` updated with final command syntax; examples tested; rule reminder retained. |
+| DOCS-EXPORT-37-102 | TODO | Docs Guild, DevOps Guild | DEVOPS-EXPORT-37-001 | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. | Docs updated with dashboard IDs/alert notes; update logged; rule reminder present. |
+| DOCS-EXPORT-37-005 | TODO | Docs Guild, Exporter Service Guild | EXPORT-SVC-35-006, DEVOPS-EXPORT-36-001 | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. | Real bundle examples recorded; docs updated; verification steps confirmed with production artefacts. |
+> Note (2025-10-29): Blocked until exporter API (`EXPORT-SVC-35-006`) and Trivy/mirror adapters (`EXPORT-SVC-36-001`, `EXPORT-SVC-37-001`) ship. Requires access to CI smoke outputs (`DEVOPS-EXPORT-36-001`) for verification artifacts.
+
+## Reachability v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-SIG-26-001 | TODO | Docs Guild, Signals Guild | SIGNALS-24-004 | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Doc merged with diagrams/examples; checklist appended. |
+| DOCS-SIG-26-002 | TODO | Docs Guild, Signals Guild | SIGNALS-24-002 | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. | Doc merged; examples tested; checklist included. |
+| DOCS-SIG-26-003 | TODO | Docs Guild, Runtime Guild | SIGNALS-24-003 | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. | Doc merged; privacy review done; checklist appended. |
+| DOCS-SIG-26-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-80-001 | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. | Doc merged; sample policies validated; checklist appended. |
+| DOCS-SIG-26-005 | TODO | Docs Guild, UI Guild | UI-SIG-26-001..003 | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. | Doc merged with screenshots; accessibility checklist completed. |
+| DOCS-SIG-26-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-SIG-26-001..002 | Update `/docs/cli/reachability.md` for new commands and automation recipes. | Doc merged; examples verified; checklist appended. |
+| DOCS-SIG-26-007 | TODO | Docs Guild, BE-Base Platform Guild | WEB-SIG-26-001..003 | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. | API doc aligned with OpenAPI; examples tested; checklist appended. |
+| DOCS-SIG-26-008 | TODO | Docs Guild, DevOps Guild | DEVOPS-SIG-26-001..002 | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. | Migration doc approved; checklist appended. |
+
+## Policy Studio (Sprint 27)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | REGISTRY-API-27-001, POLICY-ENGINE-27-001 | Publish `/docs/policy/studio-overview.md` covering lifecycle, roles, glossary, and compliance checklist. | Doc merged with diagrams + lifecycle table; checklist appended; stakeholders sign off. |
+> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; need spec + compile data.
+> Blocker: Registry OpenAPI (`REGISTRY-API-27-001`) and policy compile enrichments (`POLICY-ENGINE-27-001`) are still TODO; need final interfaces before drafting overview.
+| DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Docs Guild, Console Guild | CONSOLE-STUDIO-27-001 | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. | Authoring doc includes annotated screenshots, snippet catalog, compliance checklist. |
+> Blocked by `CONSOLE-STUDIO-27-001` Studio authoring UI pending.
+> Blocker: Console Studio authoring UI (`CONSOLE-STUDIO-27-001`) not implemented; awaiting UX to capture flows/snippets.
+| DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-007 | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. | Doc merged with flow diagrams; attestation steps documented; checklist appended. |
+> Blocked by `REGISTRY-API-27-007` publish/sign pipeline outstanding.
+> Blocker: Registry publish/sign workflow (`REGISTRY-API-27-007`) pending.
+| DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Docs Guild, Scheduler Guild | REGISTRY-API-27-005, SCHED-WORKER-27-301 | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. | Simulation doc includes charts, sample manifests, checklist appended. |
+> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` batch simulation not ready.
+> Blocker: Batch simulation APIs/workers (`REGISTRY-API-27-005`, `SCHED-WORKER-27-301`) still TODO.
+| DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Docs Guild, Product Ops | REGISTRY-API-27-006 | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. | Doc merged with role matrix + webhook schema; checklist appended. |
+> Blocked by `REGISTRY-API-27-006` review workflow not implemented.
+> Blocker: Review workflow (`REGISTRY-API-27-006`) not landed.
+| DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | REGISTRY-API-27-008 | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. | Promotion doc includes examples + checklist; verified by Policy Ops. |
+> Blocked by `REGISTRY-API-27-008` promotion APIs pending.
+> Blocker: Promotion/canary APIs (`REGISTRY-API-27-008`) outstanding.
+| DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Docs Guild, DevEx/CLI Guild | CLI-POLICY-27-001..004 | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. | CLI doc merged with transcripts; schema references validated; checklist appended. |
+> Blocked by `CLI-POLICY-27-001..004` CLI commands missing.
+> Blocker: Policy CLI commands (`CLI-POLICY-27-001..004`) yet to implement.
+| DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-001..008 | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. | API doc aligned with OpenAPI; examples validated; checklist appended. |
+> Blocked by `REGISTRY-API-27-001..008` OpenAPI + endpoints incomplete.
+> Blocker: Registry OpenAPI/spec suite (`REGISTRY-API-27-001..008`) incomplete.
+| DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Docs Guild, Security Guild | AUTH-POLICY-27-002 | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. | Security doc approved by Security Guild; verifier steps documented; checklist appended. |
+> Blocked by `AUTH-POLICY-27-002` signing enforcement pending.
+> Blocker: Authority signing enforcement (`AUTH-POLICY-27-002`) pending.
+| DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Docs Guild, Architecture Guild | REGISTRY-API-27-001, SCHED-WORKER-27-301 | Author `/docs/architecture/policy-registry.md` (service design, schemas, queues, failure modes) with diagrams and checklist. | Architecture doc merged; diagrams committed; checklist appended. |
+> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` need delivery.
+> Blocker: Policy Registry schema/workers not delivered (see `REGISTRY-API-27-001`, `SCHED-WORKER-27-301`).
+| DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Docs Guild, Observability Guild | DEVOPS-POLICY-27-004 | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. | Observability doc merged; dashboards linked; checklist appended. |
+> Blocked by `DEVOPS-POLICY-27-004` observability dashboards outstanding.
+> Blocker: Observability dashboards (`DEVOPS-POLICY-27-004`) not built.
+| DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Docs Guild, Ops Guild | DEPLOY-POLICY-27-002 | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. | Runbook merged; rehearsal recorded; checklist appended. |
+> Blocked by `DEPLOY-POLICY-27-002` incident runbook inputs pending.
+> Blocker: Ops runbook inputs (`DEPLOY-POLICY-27-002`) pending.
+| DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Docs Guild, Policy Guild | CONSOLE-STUDIO-27-001, REGISTRY-API-27-002 | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. | Examples committed with commentary; lint passes; checklist appended. |
+> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing.
+> Blocker: Studio templates and registry storage (`CONSOLE-STUDIO-27-001`, `REGISTRY-API-27-002`) not available.
+| DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Docs Guild, Policy Registry Guild | REGISTRY-API-27-003, WEB-POLICY-27-001 | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. | Doc updated with Studio guardrails; compliance checklist appended. |
+> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented.
+> Blocker: Registry compile pipeline/web proxy (`REGISTRY-API-27-003`, `WEB-POLICY-27-001`) outstanding.
+
+## Vulnerability Explorer (Sprint 29)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-VULN-29-001 | TODO | Docs Guild, Vuln Explorer Guild | VULN-API-29-001 | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Doc merged with diagrams/table; compliance checklist appended. |
+| DOCS-VULN-29-002 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001..006 | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. | Doc merged; images stored; WCAG notes included; checklist appended. |
+| DOCS-VULN-29-003 | TODO | Docs Guild, Vuln Explorer API Guild | VULN-API-29-001..009 | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). | Doc aligned with OpenAPI; examples validated; checklist appended. |
+| DOCS-VULN-29-004 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001..005 | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. | CLI doc merged; transcripts/JSON outputs validated; checklist appended. |
+| DOCS-VULN-29-005 | TODO | Docs Guild, Findings Ledger Guild | LEDGER-29-001..009 | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. | Doc merged; compliance checklist appended; audit team sign-off. |
+| DOCS-VULN-29-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001..003 | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. | Doc updated; examples validated; checklist appended. |
+| DOCS-VULN-29-007 | TODO | Docs Guild, Excititor Guild | EXCITITOR-VULN-29-001..004 | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. | Doc merged; compliance checklist appended. |
+| DOCS-VULN-29-008 | TODO | Docs Guild, Concelier Guild | CONCELIER-VULN-29-001..004 | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. | Doc merged; checklist appended. |
+| DOCS-VULN-29-009 | TODO | Docs Guild, SBOM Service Guild | SBOM-VULN-29-001..002 | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. | Doc merged; ecosystem tables validated; checklist appended. |
+| DOCS-VULN-29-010 | TODO | Docs Guild, Observability Guild | VULN-API-29-009, DEVOPS-VULN-29-002 | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). | Doc merged; dashboards linked; checklist appended. |
+| DOCS-VULN-29-011 | TODO | Docs Guild, Security Guild | AUTH-VULN-29-001..003 | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. | Security doc approved; checklist appended. |
+| DOCS-VULN-29-012 | TODO | Docs Guild, Ops Guild | DEVOPS-VULN-29-002, SCHED-WORKER-29-003 | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). | Runbook merged; rehearsal recorded; checklist appended. |
+| DOCS-VULN-29-013 | TODO | Docs Guild, Deployment Guild | DEPLOY-VULN-29-001..002 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. | Install doc updated; validation commands included; checklist appended. |
+
+## VEX Lens (Sprint 30)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-VEX-30-001 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Doc merged with diagrams/terminology tables; compliance checklist appended. |
+| DOCS-VEX-30-002 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. | Doc merged; math reviewed by Policy; checklist appended. |
+| DOCS-VEX-30-003 | TODO | Docs Guild, Issuer Directory Guild | ISSUER-30-001..003 | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). | Doc merged; security review done; checklist appended. |
+| DOCS-VEX-30-004 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-007 | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. |
+| DOCS-VEX-30-005 | TODO | Docs Guild, Console Guild | CONSOLE-VEX-30-001 | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. | Doc merged; screenshots added; checklist appended. |
+| DOCS-VEX-30-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001, VEXLENS-30-004 | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. | Doc merged; policy review completed; checklist appended. |
+| DOCS-VEX-30-007 | TODO | Docs Guild, SBOM Service Guild | VEXLENS-30-002 | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). | Doc merged; mapping tables validated; checklist appended. |
+| DOCS-VEX-30-008 | TODO | Docs Guild, Security Guild | ISSUER-30-002, VEXLENS-30-003 | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). | Doc approved by Security; checklist appended. |
+| DOCS-VEX-30-009 | TODO | Docs Guild, DevOps Guild | VEXLENS-30-009, DEVOPS-VEX-30-001 | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. | Runbook merged; rehearsal logged; checklist appended. |
+
+## Advisory AI (Sprint 31)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-AIAI-31-001 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC. | Doc merged with diagrams; compliance checklist appended. |
+| DOCS-AIAI-31-002 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-004 | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministics, caching, model options. | Doc merged; architecture review done; checklist appended. |
+| DOCS-AIAI-31-003 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Write `/docs/advisory-ai/api.md` describing endpoints, schemas, errors, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. |
+| DOCS-AIAI-31-004 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001, CONSOLE-VEX-30-001 | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. | Doc merged; images stored; checklist appended. |
+| DOCS-AIAI-31-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001, CLI-VEX-30-001 | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. | Doc merged; examples tested; checklist appended. |
+| DOCS-AIAI-31-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-31-001 | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. | Doc merged; policy review done; checklist appended. |
+| DOCS-AIAI-31-007 | TODO | Docs Guild, Security Guild | AIAI-31-005 | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. | Doc approved by Security; checklist appended. |
+| DOCS-AIAI-31-008 | TODO | Docs Guild, SBOM Service Guild | SBOM-AIAI-31-001 | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | Doc merged; heuristics reviewed; checklist appended. |
+| DOCS-AIAI-31-009 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIAI-31-001 | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. | Runbook merged; rehearsal logged; checklist appended. |
+
+## Notifications Studio
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-NOTIFY-38-001 | DONE (2025-10-29) | Docs Guild, Notifications Service Guild | NOTIFY-SVC-38-001..004 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md`, each ending with imposed rule reminder. | Docs merged; diagrams verified; imposed rule appended. |
+| DOCS-NOTIFY-39-002 | DONE (2025-10-29) | Docs Guild, Notifications Service Guild | NOTIFY-SVC-39-001..004 | Publish `/docs/notifications/rules.md`, `/docs/notifications/templates.md`, `/docs/notifications/digests.md` with examples and imposed rule line. | Docs merged; examples validated; imposed rule appended. |
+| DOCS-NOTIFY-40-001 | TODO | Docs Guild, Security Guild | AUTH-NOTIFY-38-001, NOTIFY-SVC-40-001..004 | Publish `/docs/notifications/channels.md`, `/docs/notifications/escalations.md`, `/docs/notifications/api.md`, `/docs/operations/notifier-runbook.md`, `/docs/security/notifications-hardening.md`; each ends with imposed rule line. | Docs merged; accessibility checks passed; imposed rule appended. |
+
+## CLI Parity & Task Packs
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-CLI-41-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Publish `/docs/cli/overview.md`, `/docs/cli/configuration.md`, `/docs/cli/output-and-exit-codes.md` with imposed rule statements. | Docs merged; examples verified; imposed rule appended. |
+| DOCS-CLI-42-001 | TODO | Docs Guild | DOCS-CLI-41-001, CLI-PARITY-41-001 | Publish `/docs/cli/parity-matrix.md` and command guides under `/docs/cli/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). | Guides merged; parity automation documented; imposed rule appended. |
+| DOCS-PACKS-43-001 | DONE (2025-10-27) | Docs Guild, Task Runner Guild | PACKS-REG-42-001, TASKRUN-42-001 | Publish `/docs/task-packs/spec.md`, `/docs/task-packs/authoring-guide.md`, `/docs/task-packs/registry.md`, `/docs/task-packs/runbook.md`, `/docs/security/pack-signing-and-rbac.md`, `/docs/operations/cli-release-and-packaging.md` with imposed rule statements. | Docs merged; tutorials validated; imposed rule appended; cross-links added. |
+
+## Containerized Distribution (Epic 13)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-INSTALL-44-001 | TODO | Docs Guild, Deployment Guild | COMPOSE-44-001 | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Docs merged; screenshots/commands verified; imposed rule appended. |
+| DOCS-INSTALL-45-001 | TODO | Docs Guild, Deployment Guild | HELM-45-001 | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. | Docs merged; configuration matrix verified; imposed rule appended. |
+| DOCS-INSTALL-46-001 | TODO | Docs Guild, Security Guild | DEPLOY-PACKS-43-001, CLI-PACKS-43-001 | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). | Docs merged; checksum/signature sections validated; imposed rule appended. |
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-TEN-47-001 | TODO | Docs Guild, Authority Core | AUTH-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs merged; diagrams included; imposed rule appended. |
+| DOCS-TEN-48-001 | TODO | Docs Guild, Platform Ops | WEB-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. | Docs merged; examples validated; imposed rule appended. |
+| DOCS-TEN-49-001 | TODO | Docs & DevEx Guilds | CLI-TEN-47-001, AUTH-TEN-49-001 | Publish `/docs/cli/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. | Docs merged; command examples verified; imposed rule appended. |
diff --git a/docs/accessibility.md b/docs/accessibility.md
index 119b2603..09be0df3 100644
--- a/docs/accessibility.md
+++ b/docs/accessibility.md
@@ -1,131 +1,131 @@
-# StellaOps Console Accessibility Guide
-
-> **Audience:** Accessibility Guild, Console Guild, Docs Guild, QA.
-> **Scope:** Keyboard interaction model, screen-reader behaviour, colour & focus tokens, testing workflows, offline considerations, and compliance checklist for the StellaOps Console (Sprint 23).
-
-The console targets **WCAG 2.2 AA** across all supported browsers (Chromium, Firefox ESR) and honours StellaOps’ sovereign/offline constraints. Every build must keep keyboard-only users, screen-reader users, and high-contrast operators productive without relying on third-party services.
-
----
-
-## 1 · Accessibility Principles
-
-1. **Deterministic navigation** – Focus order, shortcuts, and announcements remain stable across releases; URLs encode state for deep links.
-2. **Keyboard-first design** – Every actionable element is reachable via keyboard; shortcuts provide accelerators, and remapping is available via *Settings → Accessibility → Keyboard shortcuts*.
-3. **Assistive technology parity** – ARIA roles and live regions mirror visual affordances (status banners, SSE tickers, progress drawers). Screen readers receive polite/atomic updates to avoid chatter.
-4. **Colour & contrast tokens** – All palettes derive from design tokens that achieve ≥ 4.5:1 contrast (text) and ≥ 3:1 for graphical indicators; tokens pass automated contrast linting.
-5. **Offline equivalence** – Accessibility features (shortcuts, offline banners, focus restoration) behave the same in sealed environments, with guidance when actions require online authority.
-
----
-
-## 2 · Keyboard Interaction Map
-
-### 2.1 Global shortcuts
-
-| Action | Macs | Windows/Linux | Notes |
-|--------|------|---------------|-------|
-| Command palette | `⌘ K` | `Ctrl K` | Focuses palette search; respects tenant scope. |
-| Tenant picker | `⌘ T` | `Ctrl T` | Opens modal; `Enter` confirms, `Esc` cancels. |
-| Filter tray toggle | `⇧ F` | `Shift F` | Focus lands on first filter; `Tab` cycles filters before returning to page. |
-| Saved view presets | `⌘ 1-9` | `Ctrl 1-9` | Bound per tenant; missing preset triggers tooltip. |
-| Keyboard reference | `?` | `?` | Opens overlay listing context-specific shortcuts; `Esc` closes. |
-| Global search (context) | `/` | `/` | When the filter tray is closed, focuses inline search field. |
-
-### 2.2 Module-specific shortcuts
-
-| Module | Action | Macs | Windows/Linux | Notes |
-|--------|--------|------|---------------|-------|
-| Findings | Explain search | `⌘ /` | `Ctrl /` | Only when Explain drawer open; announces results via live region. |
-| SBOM Explorer | Toggle overlays | `⌘ G` | `Ctrl G` | Persists per session (see `/docs/ui/sbom-explorer.md`). |
-| Advisories & VEX | Provider filter | `⌘ ⌥ F` | `Ctrl Alt F` | Moves focus to provider chip row. |
-| Runs | Refresh snapshot | `⌘ R` | `Ctrl R` | Soft refresh of SSE state; no full page reload. |
-| Policies | Save draft | `⌘ S` | `Ctrl S` | Requires edit scope; exposes toast + status live update. |
-| Downloads | Copy CLI command | `⇧ D` | `Shift D` | Copies manifest or export command; toast announces scope hints. |
-
-All shortcuts are remappable. Remaps persist in IndexedDB (per tenant) and export as part of profile bundles so operators can restore preferences offline.
-
----
-
-## 3 · Screen Reader & Focus Behaviour
-
-- **Skip navigation** – Each route exposes a “Skip to content” link revealed on keyboard focus. Focus order: global header → page breadcrumb → action shelf → data grid/list → drawers/dialogs.
-- **Live regions** – Status ticker and SSE progress bars use `aria-live="polite"` with throttling to avoid flooding AT. Error toasts use `aria-live="assertive"` and auto-focus dismiss buttons.
-- **Drawers & modals** – Dialog components trap focus, support `Esc` to close, and restore focus to the launching control. Screen readers announce title + purpose.
-- **Tables & grids** – Large tables (Findings, SBOM inventory) switch to virtualised rows but retain ARIA grid semantics (`aria-rowcount`, `aria-colindex`). Column headers include sorting state via `aria-sort`.
-- **Tenancy context** – Tenant badge exposes `aria-describedby` linking to context summary (environment, offline snapshot). Switching tenant queues a polite announcement summarising new scope.
-- **Command palette** – Uses `role="dialog"` with search input labelled. Keyboard navigation within results uses `Up/Down`; screen readers announce result category + command.
-- **Offline banner** – When offline, a dismissible banner announces reason and includes instructions for CLI fallback. The banner has `role="status"` so it announces once without stealing focus.
-
----
-
-## 4 · Colour & Focus Tokens
-
-Console consumes design tokens published by the Console Guild (tracked via CONSOLE-FEAT-23-102). Tokens live in the design system bundle (`ui/design/tokens/colors.json`, mirrored at build time). Key tokens:
-
-| Token | Purpose | Contrast target |
-|-------|---------|-----------------|
-| `so-color-surface-base` | Primary surface/background | ≥ 4.5:1 against `so-color-text-primary`. |
-| `so-color-surface-raised` | Cards, drawers, modals | ≥ 3:1 against surrounding surfaces. |
-| `so-color-text-primary` | Default text colour | ≥ 4.5:1 against base surfaces. |
-| `so-color-text-inverted` | Text on accent buttons | ≥ 4.5:1 against accent fills. |
-| `so-color-accent-primary` | Action buttons, focus headings | ≥ 3:1 against surface. |
-| `so-color-status-critical` | Error toasts, violation chips | ≥ 4.5:1 for text; `critical-bg` provides >3:1 on neutral surface. |
-| `so-color-status-warning` | Warning banners | Meets 3:1 on surface and 4.5:1 for text overlays. |
-| `so-color-status-success` | Success toasts, pass badges | ≥ 3:1 for iconography; text uses `text-primary`. |
-| `so-focus-ring` | 2 px outline used across focusable elements | 3:1 against both light/dark surfaces. |
-
-Colour tokens undergo automated linting (**axe-core contrast checks** + custom luminance script) during build. Any new token must include dark/light variants and pass the token contract tests.
-
----
-
-## 5 · Testing Workflow
-
-| Layer | Tooling | Frequency | Notes |
-|-------|---------|-----------|-------|
-| Component a11y | Storybook + axe-core addon | On PR (story CI) | Fails when axe detects violations. |
-| Route regression | Playwright a11y sweep (`pnpm test:a11y`) | Nightly & release pipeline | Executes keyboard navigation, checks focus trap, runs Axe on key routes (Dashboard, Findings, SBOM, Admin). |
-| Colour contrast lint | Token validator (`tools/a11y/check-contrast.ts`) | On token change | Guards design token updates. |
-| CI parity | Pending `scripts/check-console-cli-parity.sh` (CONSOLE-DOC-23-502) | Release CI | Ensures CLI commands documented for parity features. |
-| Screen-reader spot checks | Manual NVDA + VoiceOver scripts | Pre-release checklist | Scenarios: tenant switch, explain drawer, downloads parity copy. |
-| Offline smoke | `stella offline kit import` + Playwright sealed-mode run | Prior to Offline Kit cut | Validates offline banners, disabled actions, keyboard flows without Authority. |
-
-Accessibility QA (CONSOLE-QA-23-402) tracks failing scenarios via Playwright snapshots and publishes reports in the Downloads parity channel (`kind = "parity.report"` placeholder until CLI parity CI lands).
-
----
-
-## 6 · Offline & Internationalisation Considerations
-
-- Offline mode surfaces staleness badges and disables remote-only palette entries; keyboard focus skips disabled controls.
-- Saved shortcuts, presets, and remaps serialise into Offline Kit bundles so operators can restore preferences post-import.
-- Locale switching (future feature flag) will load translations at runtime; ensure ARIA labels use i18n tokens rather than hard-coded strings.
-- For sealed installs, guidance panels include CLI equivalents (`stella auth fresh-auth`, `stella runs export`) to unblock tasks when Authority is unavailable.
-
----
-
-## 7 · Compliance Checklist
-
-- [ ] Keyboard shortcut matrix validated (default + remapped) and documented.
-- [ ] Screen-reader pass recorded for tenant switch, Explain drawer, Downloads copy-to-clipboard.
-- [ ] Colour tokens audited; contrast reports stored with release artifacts.
-- [ ] Automated a11y pipelines (Storybook axe, Playwright a11y) green; failures feed the `#console-qa` channel.
-- [ ] Offline kit a11y smoke executed before publishing each bundle.
-- [ ] CLI parity gaps logged in `/docs/cli-vs-ui-parity.md`; UI callouts reference fallback commands until parity closes.
-- [ ] Accessibility Guild sign-off captured in sprint log and release notes reference this guide.
-- [ ] References cross-checked (`/docs/ui/navigation.md`, `/docs/ui/downloads.md`, `/docs/security/console-security.md`, `/docs/observability/ui-telemetry.md`).
-
----
-
-## 8 · References
-
-- `/docs/ui/navigation.md` – shortcut definitions, URL schema.
-- `/docs/ui/downloads.md` – CLI parity and offline copy workflows.
-- `/docs/ui/console-overview.md` – tenant model, filter behaviours.
-- `/docs/security/console-security.md` – security metrics and DPoP/fresh-auth requirements.
-- `/docs/observability/ui-telemetry.md` – telemetry metrics mapped to accessibility features.
-- `/docs/cli-vs-ui-parity.md` – parity status per console feature.
-- `CONSOLE-QA-23-402` – Accessibility QA backlog (Playwright + manual checks).
-- `CONSOLE-FEAT-23-102` – Design tokens & theming delivery.
-
----
-
-*Last updated: 2025-10-28 (Sprint 23).*
-
+# StellaOps Console Accessibility Guide
+
+> **Audience:** Accessibility Guild, Console Guild, Docs Guild, QA.
+> **Scope:** Keyboard interaction model, screen-reader behaviour, colour & focus tokens, testing workflows, offline considerations, and compliance checklist for the StellaOps Console (Sprint 23).
+
+The console targets **WCAG 2.2 AA** across all supported browsers (Chromium, Firefox ESR) and honours StellaOps’ sovereign/offline constraints. Every build must keep keyboard-only users, screen-reader users, and high-contrast operators productive without relying on third-party services.
+
+---
+
+## 1 · Accessibility Principles
+
+1. **Deterministic navigation** – Focus order, shortcuts, and announcements remain stable across releases; URLs encode state for deep links.
+2. **Keyboard-first design** – Every actionable element is reachable via keyboard; shortcuts provide accelerators, and remapping is available via *Settings → Accessibility → Keyboard shortcuts*.
+3. **Assistive technology parity** – ARIA roles and live regions mirror visual affordances (status banners, SSE tickers, progress drawers). Screen readers receive polite/atomic updates to avoid chatter.
+4. **Colour & contrast tokens** – All palettes derive from design tokens that achieve ≥ 4.5:1 contrast (text) and ≥ 3:1 for graphical indicators; tokens pass automated contrast linting.
+5. **Offline equivalence** – Accessibility features (shortcuts, offline banners, focus restoration) behave the same in sealed environments, with guidance when actions require online authority.
+
+---
+
+## 2 · Keyboard Interaction Map
+
+### 2.1 Global shortcuts
+
+| Action | Macs | Windows/Linux | Notes |
+|--------|------|---------------|-------|
+| Command palette | `⌘ K` | `Ctrl K` | Focuses palette search; respects tenant scope. |
+| Tenant picker | `⌘ T` | `Ctrl T` | Opens modal; `Enter` confirms, `Esc` cancels. |
+| Filter tray toggle | `⇧ F` | `Shift F` | Focus lands on first filter; `Tab` cycles filters before returning to page. |
+| Saved view presets | `⌘ 1-9` | `Ctrl 1-9` | Bound per tenant; missing preset triggers tooltip. |
+| Keyboard reference | `?` | `?` | Opens overlay listing context-specific shortcuts; `Esc` closes. |
+| Global search (context) | `/` | `/` | When the filter tray is closed, focuses inline search field. |
+
+### 2.2 Module-specific shortcuts
+
+| Module | Action | Macs | Windows/Linux | Notes |
+|--------|--------|------|---------------|-------|
+| Findings | Explain search | `⌘ /` | `Ctrl /` | Only when Explain drawer open; announces results via live region. |
+| SBOM Explorer | Toggle overlays | `⌘ G` | `Ctrl G` | Persists per session (see `/docs/ui/sbom-explorer.md`). |
+| Advisories & VEX | Provider filter | `⌘ ⌥ F` | `Ctrl Alt F` | Moves focus to provider chip row. |
+| Runs | Refresh snapshot | `⌘ R` | `Ctrl R` | Soft refresh of SSE state; no full page reload. |
+| Policies | Save draft | `⌘ S` | `Ctrl S` | Requires edit scope; exposes toast + status live update. |
+| Downloads | Copy CLI command | `⇧ D` | `Shift D` | Copies manifest or export command; toast announces scope hints. |
+
+All shortcuts are remappable. Remaps persist in IndexedDB (per tenant) and export as part of profile bundles so operators can restore preferences offline.
+
+---
+
+## 3 · Screen Reader & Focus Behaviour
+
+- **Skip navigation** – Each route exposes a “Skip to content” link revealed on keyboard focus. Focus order: global header → page breadcrumb → action shelf → data grid/list → drawers/dialogs.
+- **Live regions** – Status ticker and SSE progress bars use `aria-live="polite"` with throttling to avoid flooding AT. Error toasts use `aria-live="assertive"` and auto-focus dismiss buttons.
+- **Drawers & modals** – Dialog components trap focus, support `Esc` to close, and restore focus to the launching control. Screen readers announce title + purpose.
+- **Tables & grids** – Large tables (Findings, SBOM inventory) switch to virtualised rows but retain ARIA grid semantics (`aria-rowcount`, `aria-colindex`). Column headers include sorting state via `aria-sort`.
+- **Tenancy context** – Tenant badge exposes `aria-describedby` linking to context summary (environment, offline snapshot). Switching tenant queues a polite announcement summarising new scope.
+- **Command palette** – Uses `role="dialog"` with search input labelled. Keyboard navigation within results uses `Up/Down`; screen readers announce result category + command.
+- **Offline banner** – When offline, a dismissible banner announces reason and includes instructions for CLI fallback. The banner has `role="status"` so it announces once without stealing focus.
+
+---
+
+## 4 · Colour & Focus Tokens
+
+Console consumes design tokens published by the Console Guild (tracked via CONSOLE-FEAT-23-102). Tokens live in the design system bundle (`ui/design/tokens/colors.json`, mirrored at build time). Key tokens:
+
+| Token | Purpose | Contrast target |
+|-------|---------|-----------------|
+| `so-color-surface-base` | Primary surface/background | ≥ 4.5:1 against `so-color-text-primary`. |
+| `so-color-surface-raised` | Cards, drawers, modals | ≥ 3:1 against surrounding surfaces. |
+| `so-color-text-primary` | Default text colour | ≥ 4.5:1 against base surfaces. |
+| `so-color-text-inverted` | Text on accent buttons | ≥ 4.5:1 against accent fills. |
+| `so-color-accent-primary` | Action buttons, focus headings | ≥ 3:1 against surface. |
+| `so-color-status-critical` | Error toasts, violation chips | ≥ 4.5:1 for text; `critical-bg` provides >3:1 on neutral surface. |
+| `so-color-status-warning` | Warning banners | Meets 3:1 on surface and 4.5:1 for text overlays. |
+| `so-color-status-success` | Success toasts, pass badges | ≥ 3:1 for iconography; text uses `text-primary`. |
+| `so-focus-ring` | 2 px outline used across focusable elements | 3:1 against both light/dark surfaces. |
+
+Colour tokens undergo automated linting (**axe-core contrast checks** + custom luminance script) during build. Any new token must include dark/light variants and pass the token contract tests.
+
+---
+
+## 5 · Testing Workflow
+
+| Layer | Tooling | Frequency | Notes |
+|-------|---------|-----------|-------|
+| Component a11y | Storybook + axe-core addon | On PR (story CI) | Fails when axe detects violations. |
+| Route regression | Playwright a11y sweep (`pnpm test:a11y`) | Nightly & release pipeline | Executes keyboard navigation, checks focus trap, runs Axe on key routes (Dashboard, Findings, SBOM, Admin). |
+| Colour contrast lint | Token validator (`tools/a11y/check-contrast.ts`) | On token change | Guards design token updates. |
+| CI parity | Pending `scripts/check-console-cli-parity.sh` (CONSOLE-DOC-23-502) | Release CI | Ensures CLI commands documented for parity features. |
+| Screen-reader spot checks | Manual NVDA + VoiceOver scripts | Pre-release checklist | Scenarios: tenant switch, explain drawer, downloads parity copy. |
+| Offline smoke | `stella offline kit import` + Playwright sealed-mode run | Prior to Offline Kit cut | Validates offline banners, disabled actions, keyboard flows without Authority. |
+
+Accessibility QA (CONSOLE-QA-23-402) tracks failing scenarios via Playwright snapshots and publishes reports in the Downloads parity channel (`kind = "parity.report"` placeholder until CLI parity CI lands).
+
+---
+
+## 6 · Offline & Internationalisation Considerations
+
+- Offline mode surfaces staleness badges and disables remote-only palette entries; keyboard focus skips disabled controls.
+- Saved shortcuts, presets, and remaps serialise into Offline Kit bundles so operators can restore preferences post-import.
+- Locale switching (future feature flag) will load translations at runtime; ensure ARIA labels use i18n tokens rather than hard-coded strings.
+- For sealed installs, guidance panels include CLI equivalents (`stella auth fresh-auth`, `stella runs export`) to unblock tasks when Authority is unavailable.
+
+---
+
+## 7 · Compliance Checklist
+
+- [ ] Keyboard shortcut matrix validated (default + remapped) and documented.
+- [ ] Screen-reader pass recorded for tenant switch, Explain drawer, Downloads copy-to-clipboard.
+- [ ] Colour tokens audited; contrast reports stored with release artifacts.
+- [ ] Automated a11y pipelines (Storybook axe, Playwright a11y) green; failures feed the `#console-qa` channel.
+- [ ] Offline kit a11y smoke executed before publishing each bundle.
+- [ ] CLI parity gaps logged in `/docs/cli-vs-ui-parity.md`; UI callouts reference fallback commands until parity closes.
+- [ ] Accessibility Guild sign-off captured in sprint log and release notes reference this guide.
+- [ ] References cross-checked (`/docs/ui/navigation.md`, `/docs/ui/downloads.md`, `/docs/security/console-security.md`, `/docs/observability/ui-telemetry.md`).
+
+---
+
+## 8 · References
+
+- `/docs/ui/navigation.md` – shortcut definitions, URL schema.
+- `/docs/ui/downloads.md` – CLI parity and offline copy workflows.
+- `/docs/ui/console-overview.md` – tenant model, filter behaviours.
+- `/docs/security/console-security.md` – security metrics and DPoP/fresh-auth requirements.
+- `/docs/observability/ui-telemetry.md` – telemetry metrics mapped to accessibility features.
+- `/docs/cli-vs-ui-parity.md` – parity status per console feature.
+- `CONSOLE-QA-23-402` – Accessibility QA backlog (Playwright + manual checks).
+- `CONSOLE-FEAT-23-102` – Design tokens & theming delivery.
+
+---
+
+*Last updated: 2025-10-28 (Sprint 23).*
+
diff --git a/docs/advisories/aggregation.md b/docs/advisories/aggregation.md
index c1c0038c..cff7b79e 100644
--- a/docs/advisories/aggregation.md
+++ b/docs/advisories/aggregation.md
@@ -1,218 +1,218 @@
-# Advisory Observations & Linksets
-
-> Imposed rule: Work of this type or tasks of this type on this component must also
-> be applied everywhere else it should be applied.
-
-The Link-Not-Merge (LNM) initiative replaces the legacy "merge" pipeline with
-immutable observations and correlation linksets. This guide explains how
-Concelier ingests advisory statements, preserves upstream truth, and produces
-linksets that downstream services (Policy Engine, Vuln Explorer, Console) can
-use without collapsing sources together.
-
----
-
-## 1. Model overview
-
-### 1.1 Observation lifecycle
-
-1. **Ingest** – Connectors fetch upstream payloads (CSAF, OSV, vendor feeds),
- validate signatures, and drop any derived fields prohibited by the
- Aggregation-Only Contract (AOC).
-2. **Persist** – Concelier writes immutable `advisory_observations` scoped by
- `tenant`, `(source.vendor, upstreamId)`, and `contentHash`. Supersedes chains
- capture revisions without mutating history.
-3. **Expose** – WebService surfaces paged/read APIs; Offline Kit snapshots
- include the same documents for air-gapped installs.
-
-Observation schema highlights:
-
-```text
-observationId = {tenant}:{source.vendor}:{upstreamId}:{revision}
-tenant, source{vendor, stream, api, collectorVersion}
-upstream{upstreamId, documentVersion, fetchedAt, receivedAt,
- contentHash, signature{present, format, keyId, signature}}
-content{format, specVersion, raw}
-identifiers{cve?, ghsa?, aliases[], osvIds[]}
-linkset{purls[], cpes[], aliases[], references[], conflicts[]?}
-createdAt, attributes{batchId?, replayCursor?}
-```
-
-- **Immutable raw** (`content.raw`) mirrors upstream payloads exactly.
-- **Provenance** (`source.*`, `upstream.*`) satisfies AOC guardrails and enables
- cryptographic attestations.
-- **Identifiers** retain lossless extracts (CVE, GHSA, vendor aliases) that seed
- linksets.
-- **Linkset** captures join hints but never merges or adds derived severity.
-
-### 1.2 Linkset lifecycle
-
-Linksets correlate observations that describe the same vulnerable product while
-keeping each source intact.
-
-1. **Seed** – Observations emit normalized identifiers (`purl`, `cpe`,
- `alias`) during ingestion.
-2. **Correlate** – Linkset builder groups observations by tenant, product
- coordinates, and equivalence signals (PURL alias graph, CVE overlap, CVSS
- vector equality, fuzzy titles).
-3. **Annotate** – Detected conflicts (severity disagreements, affected-range
- mismatch, incompatible references) are recorded with structured payloads and
- preserved for UI/API export.
-4. **Persist** – Results land in `advisory_linksets` with deterministic IDs
- (`linksetId = {tenant}:{hash(aliases+purls+seedIds)}`) and append-only history
- for reproducibility.
-
-Linksets never suppress or prefer one source; they provide aligned evidence so
-other services can apply policy.
-
----
-
-## 2. Observation vs. linkset
-
-- **Purpose**
- - Observation: Immutable record per vendor and revision.
- - Linkset: Correlates observations that share product identity.
-- **Mutation**
- - Observation: Append-only via supersedes chain.
- - Linkset: Rebuilt deterministically from canonical signals.
-- **Allowed fields**
- - Observation: Raw payload, provenance, identifiers, join hints.
- - Linkset: Observation references, normalized product metadata, conflicts.
-- **Forbidden fields**
- - Observation: Derived severity, policy status, opinionated dedupe.
- - Linkset: Derived severity (conflicts recorded but unresolved).
-- **Consumers**
- - Observation: Evidence API, Offline Kit, CLI exports.
- - Linkset: Policy Engine overlay, UI evidence panel, Vuln Explorer.
-
-### 2.1 Example sequence
-
-1. Red Hat PSIRT publishes RHSA-2025:1234 for OpenSSL; Concelier inserts an
- observation for vendor `redhat` with `pkg:rpm/redhat/openssl@1.1.1w-12`.
-2. NVD issues CVE-2025-0001; a second observation is inserted for vendor `nvd`.
-3. Linkset builder runs, groups the two observations, records alias and PURL
- overlap, and flags a CVSS disagreement (`7.5` vs `7.2`).
-4. Policy Engine reads the linkset, recognises the severity variance, and relies
- on configured rules to decide the effective output.
-
----
-
-## 3. Conflict handling
-
-Conflicts record disagreements without altering source payloads. The builder
-emits structured entries:
-
-```json
-{
- "type": "severity-mismatch",
- "field": "cvss.baseScore",
- "observations": [
- {
- "source": "redhat",
- "value": "7.5",
- "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
- },
- {
- "source": "nvd",
- "value": "7.2",
- "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
- }
- ],
- "confidence": "medium",
- "detectedAt": "2025-10-27T14:00:00Z"
-}
-```
-
-Supported conflict classes:
-
-- `severity-mismatch` – CVSS or qualitative severities differ.
-- `affected-range-divergence` – Product ranges, fixed versions, or platforms
- disagree.
-- `statement-disagreement` – One observation declares `not_affected` while
- another states `affected`.
-- `reference-clash` – URL or classifier collisions (for example, exploit URL vs
- conflicting advisory).
-- `alias-inconsistency` – Aliases map to different canonical IDs (GHSA vs CVE).
-- `metadata-gap` – Required provenance missing on one source; logged as a
- warning.
-
-Conflict surfaces:
-
-- WebService endpoints (`GET /advisories/linksets/{id}` → `conflicts[]`).
-- UI evidence panel chips and conflict badges.
-- CLI exports (JSON/OSV) exposed through LNM commands.
-- Observability metrics (`advisory_linkset_conflicts_total{type}`).
-
----
-
-## 4. AOC alignment
-
-Observations and linksets must satisfy Aggregation-Only Contract invariants:
-
-- **No derived severity** – `content.raw` may include upstream severity, but the
- observation body never injects or edits severity.
-- **No merges** – Each upstream document stays separate; linksets reference
- observations via deterministic IDs.
-- **Provenance mandatory** – Missing `signature` or `source` metadata is an AOC
- violation (`ERR_AOC_004`).
-- **Idempotent writes** – Duplicate `contentHash` yields a no-op; supersedes
- pointer captures new revisions.
-- **Deterministic output** – Linkset builder sorts keys, normalizes timestamps
- (UTC ISO-8601), and uses canonical JSON hashing.
-
-Violations trigger guard errors (`ERR_AOC_00x`), emit `aoc_violation_total`
-metrics, and block persistence until corrected.
-
----
-
-## 5. Downstream consumption
-
-- **Policy Engine** – Computes effective severity and risk overlays from linkset
- evidence and conflicts.
-- **Console UI** – Renders per-source statements, signed hashes, and conflict
- banners inside the evidence panel.
-- **CLI (`stella advisories linkset …`)** – Exports observations and linksets as
- JSON or OSV for offline triage.
-- **Offline Kit** – Shipping snapshots include observation and linkset
- collections for air-gap parity.
-- **Observability** – Dashboards track ingestion latency, conflict counts, and
- supersedes depth.
-
-When adding new consumers, ensure they honour append-only semantics and do not
-mutate observation or linkset collections.
-
----
-
-## 6. Validation & testing
-
-- **Unit tests** (`StellaOps.Concelier.Core.Tests`) validate schema guards,
- deterministic linkset hashing, conflict detection fixtures, and supersedes
- chains.
-- **Mongo integration tests** (`StellaOps.Concelier.Storage.Mongo.Tests`) verify
- indexes and idempotent writes under concurrency.
-- **CLI smoke suites** confirm `stella advisories observations` and `stella
- advisories linksets` export stable JSON.
-- **Determinism checks** replay identical upstream payloads and assert that the
- resulting observation and linkset documents match byte for byte.
-- **Offline kit verification** simulates air-gapped bootstrap to confirm that
- snapshots align with live data.
-
-Add fixtures whenever a new conflict type or correlation signal is introduced.
-Ensure canonical JSON serialization remains stable across .NET runtime updates.
-
----
-
-## 7. Reviewer checklist
-
-- Observation schema segment matches the latest `StellaOps.Concelier.Models`
- contract.
-- Linkset lifecycle covers correlation signals, conflict classes, and
- deterministic IDs.
-- AOC invariants are explicitly called out with violation codes.
-- Examples include multi-source correlation plus conflict annotation.
-- Downstream consumer guidance reflects active APIs and CLI features.
-- Testing section lists required suites (Core, Storage, CLI, Offline).
-- Imposed rule reminder is present at the top of the document.
-
-Confirmed against Concelier Link-Not-Merge tasks:
-`CONCELIER-LNM-21-001..005`, `CONCELIER-LNM-21-101..103`,
-`CONCELIER-LNM-21-201..203`.
+# Advisory Observations & Linksets
+
+> Imposed rule: Work of this type or tasks of this type on this component must also
+> be applied everywhere else it should be applied.
+
+The Link-Not-Merge (LNM) initiative replaces the legacy "merge" pipeline with
+immutable observations and correlation linksets. This guide explains how
+Concelier ingests advisory statements, preserves upstream truth, and produces
+linksets that downstream services (Policy Engine, Vuln Explorer, Console) can
+use without collapsing sources together.
+
+---
+
+## 1. Model overview
+
+### 1.1 Observation lifecycle
+
+1. **Ingest** – Connectors fetch upstream payloads (CSAF, OSV, vendor feeds),
+ validate signatures, and drop any derived fields prohibited by the
+ Aggregation-Only Contract (AOC).
+2. **Persist** – Concelier writes immutable `advisory_observations` scoped by
+ `tenant`, `(source.vendor, upstreamId)`, and `contentHash`. Supersedes chains
+ capture revisions without mutating history.
+3. **Expose** – WebService surfaces paged/read APIs; Offline Kit snapshots
+ include the same documents for air-gapped installs.
+
+Observation schema highlights:
+
+```text
+observationId = {tenant}:{source.vendor}:{upstreamId}:{revision}
+tenant, source{vendor, stream, api, collectorVersion}
+upstream{upstreamId, documentVersion, fetchedAt, receivedAt,
+ contentHash, signature{present, format, keyId, signature}}
+content{format, specVersion, raw}
+identifiers{cve?, ghsa?, aliases[], osvIds[]}
+linkset{purls[], cpes[], aliases[], references[], conflicts[]?}
+createdAt, attributes{batchId?, replayCursor?}
+```
+
+- **Immutable raw** (`content.raw`) mirrors upstream payloads exactly.
+- **Provenance** (`source.*`, `upstream.*`) satisfies AOC guardrails and enables
+ cryptographic attestations.
+- **Identifiers** retain lossless extracts (CVE, GHSA, vendor aliases) that seed
+ linksets.
+- **Linkset** captures join hints but never merges or adds derived severity.
+
+### 1.2 Linkset lifecycle
+
+Linksets correlate observations that describe the same vulnerable product while
+keeping each source intact.
+
+1. **Seed** – Observations emit normalized identifiers (`purl`, `cpe`,
+ `alias`) during ingestion.
+2. **Correlate** – Linkset builder groups observations by tenant, product
+ coordinates, and equivalence signals (PURL alias graph, CVE overlap, CVSS
+ vector equality, fuzzy titles).
+3. **Annotate** – Detected conflicts (severity disagreements, affected-range
+ mismatch, incompatible references) are recorded with structured payloads and
+ preserved for UI/API export.
+4. **Persist** – Results land in `advisory_linksets` with deterministic IDs
+ (`linksetId = {tenant}:{hash(aliases+purls+seedIds)}`) and append-only history
+ for reproducibility.
+
+Linksets never suppress or prefer one source; they provide aligned evidence so
+other services can apply policy.
+
+---
+
+## 2. Observation vs. linkset
+
+- **Purpose**
+ - Observation: Immutable record per vendor and revision.
+ - Linkset: Correlates observations that share product identity.
+- **Mutation**
+ - Observation: Append-only via supersedes chain.
+ - Linkset: Rebuilt deterministically from canonical signals.
+- **Allowed fields**
+ - Observation: Raw payload, provenance, identifiers, join hints.
+ - Linkset: Observation references, normalized product metadata, conflicts.
+- **Forbidden fields**
+ - Observation: Derived severity, policy status, opinionated dedupe.
+ - Linkset: Derived severity (conflicts recorded but unresolved).
+- **Consumers**
+ - Observation: Evidence API, Offline Kit, CLI exports.
+ - Linkset: Policy Engine overlay, UI evidence panel, Vuln Explorer.
+
+### 2.1 Example sequence
+
+1. Red Hat PSIRT publishes RHSA-2025:1234 for OpenSSL; Concelier inserts an
+ observation for vendor `redhat` with `pkg:rpm/redhat/openssl@1.1.1w-12`.
+2. NVD issues CVE-2025-0001; a second observation is inserted for vendor `nvd`.
+3. Linkset builder runs, groups the two observations, records alias and PURL
+ overlap, and flags a CVSS disagreement (`7.5` vs `7.2`).
+4. Policy Engine reads the linkset, recognises the severity variance, and relies
+ on configured rules to decide the effective output.
+
+---
+
+## 3. Conflict handling
+
+Conflicts record disagreements without altering source payloads. The builder
+emits structured entries:
+
+```json
+{
+ "type": "severity-mismatch",
+ "field": "cvss.baseScore",
+ "observations": [
+ {
+ "source": "redhat",
+ "value": "7.5",
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "source": "nvd",
+ "value": "7.2",
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "confidence": "medium",
+ "detectedAt": "2025-10-27T14:00:00Z"
+}
+```
+
+Supported conflict classes:
+
+- `severity-mismatch` – CVSS or qualitative severities differ.
+- `affected-range-divergence` – Product ranges, fixed versions, or platforms
+ disagree.
+- `statement-disagreement` – One observation declares `not_affected` while
+ another states `affected`.
+- `reference-clash` – URL or classifier collisions (for example, exploit URL vs
+ conflicting advisory).
+- `alias-inconsistency` – Aliases map to different canonical IDs (GHSA vs CVE).
+- `metadata-gap` – Required provenance missing on one source; logged as a
+ warning.
+
+Conflict surfaces:
+
+- WebService endpoints (`GET /advisories/linksets/{id}` → `conflicts[]`).
+- UI evidence panel chips and conflict badges.
+- CLI exports (JSON/OSV) exposed through LNM commands.
+- Observability metrics (`advisory_linkset_conflicts_total{type}`).
+
+---
+
+## 4. AOC alignment
+
+Observations and linksets must satisfy Aggregation-Only Contract invariants:
+
+- **No derived severity** – `content.raw` may include upstream severity, but the
+ observation body never injects or edits severity.
+- **No merges** – Each upstream document stays separate; linksets reference
+ observations via deterministic IDs.
+- **Provenance mandatory** – Missing `signature` or `source` metadata is an AOC
+ violation (`ERR_AOC_004`).
+- **Idempotent writes** – Duplicate `contentHash` yields a no-op; supersedes
+ pointer captures new revisions.
+- **Deterministic output** – Linkset builder sorts keys, normalizes timestamps
+ (UTC ISO-8601), and uses canonical JSON hashing.
+
+Violations trigger guard errors (`ERR_AOC_00x`), emit `aoc_violation_total`
+metrics, and block persistence until corrected.
+
+---
+
+## 5. Downstream consumption
+
+- **Policy Engine** – Computes effective severity and risk overlays from linkset
+ evidence and conflicts.
+- **Console UI** – Renders per-source statements, signed hashes, and conflict
+ banners inside the evidence panel.
+- **CLI (`stella advisories linkset …`)** – Exports observations and linksets as
+ JSON or OSV for offline triage.
+- **Offline Kit** – Shipping snapshots include observation and linkset
+ collections for air-gap parity.
+- **Observability** – Dashboards track ingestion latency, conflict counts, and
+ supersedes depth.
+
+When adding new consumers, ensure they honour append-only semantics and do not
+mutate observation or linkset collections.
+
+---
+
+## 6. Validation & testing
+
+- **Unit tests** (`StellaOps.Concelier.Core.Tests`) validate schema guards,
+ deterministic linkset hashing, conflict detection fixtures, and supersedes
+ chains.
+- **Mongo integration tests** (`StellaOps.Concelier.Storage.Mongo.Tests`) verify
+ indexes and idempotent writes under concurrency.
+- **CLI smoke suites** confirm `stella advisories observations` and `stella
+ advisories linksets` export stable JSON.
+- **Determinism checks** replay identical upstream payloads and assert that the
+ resulting observation and linkset documents match byte for byte.
+- **Offline kit verification** simulates air-gapped bootstrap to confirm that
+ snapshots align with live data.
+
+Add fixtures whenever a new conflict type or correlation signal is introduced.
+Ensure canonical JSON serialization remains stable across .NET runtime updates.
+
+---
+
+## 7. Reviewer checklist
+
+- Observation schema segment matches the latest `StellaOps.Concelier.Models`
+ contract.
+- Linkset lifecycle covers correlation signals, conflict classes, and
+ deterministic IDs.
+- AOC invariants are explicitly called out with violation codes.
+- Examples include multi-source correlation plus conflict annotation.
+- Downstream consumer guidance reflects active APIs and CLI features.
+- Testing section lists required suites (Core, Storage, CLI, Offline).
+- Imposed rule reminder is present at the top of the document.
+
+Confirmed against Concelier Link-Not-Merge tasks:
+`CONCELIER-LNM-21-001..005`, `CONCELIER-LNM-21-101..103`,
+`CONCELIER-LNM-21-201..203`.
diff --git a/docs/airgap/EPIC_16_AIRGAP_MODE.md b/docs/airgap/EPIC_16_AIRGAP_MODE.md
index 9a11679c..3581e835 100644
--- a/docs/airgap/EPIC_16_AIRGAP_MODE.md
+++ b/docs/airgap/EPIC_16_AIRGAP_MODE.md
@@ -1,429 +1,429 @@
-> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
-
----
-
-# Epic 16: Air‑Gapped Mode
-
-**Short name:** Air‑Gapped Mode
-**Primary components:** Web Services API, Console, CLI, Orchestrator, Task Runner, Conseiller (Feedser), Excitator (VEXer), Policy Engine, Findings Ledger, Export Center, Authority & Tenancy, Notifications, Observability & Forensics
-**Surfaces:** offline bootstrap, update ingestion via mirror bundles, sealed egress, deterministic jobs, offline advisories/VEX, offline policy packs, offline notifications, evidence exports
-**Dependencies:** Export Center, Containerized Distribution, Authority‑Backed Scopes & Tenancy, Observability & Forensics, Policy Studio
-
-**AOC ground rule reminder:** Conseiller and Excitator aggregate and link advisories/VEX. They never merge or mutate source records. Air‑Gapped Mode must preserve this invariant even when mirroring and importing updates.
-
----
-
-## 1) What it is
-
-A fully supported operating profile where StellaOps runs in a disconnected environment with:
-
-* **Zero external egress** from platform services and jobs.
-* **Deterministic inputs** provided via signed, offline **Mirror Bundles** (advisories, VEX, policy packs, vendor feeds, Stella metadata, container images, dashboards).
-* **Offline bootstrap** for images and charts, plus reproducible configuration and cryptographically verifiable updates.
-* **Graceful feature degradation** with explicit UX: features that require external connectivity are either backed by local artifacts or clearly disabled with an explanation.
-* **Auditable import/export** including provenance attestations, evidence bundles, and chain‑of‑custody for all offline exchanges.
-
-Air‑Gapped Mode is selectable at install time and enforceable at runtime. When enabled, all components operate under an “egress sealed” policy and only consume data from local stores.
-
----
-
-## 2) Why
-
-Many users operate in classified, regulated, or high‑sensitivity networks where egress is prohibited. They still need SBOM analysis, policy evaluation, advisory/VEX mapping, and reporting. Air‑Gapped Mode provides the same core outcomes with verifiable offline inputs and explicit operational guardrails.
-
----
-
-## 3) How it should work
-
-### 3.1 Modes and lifecycle
-
-* **Connected Mode:** normal operation; can create Mirror Bundles on a staging host.
-* **Sealed Air‑Gapped Mode:** platform enforces no egress. Only local resources are allowed.
-* **Transition flow:**
-
- 1. Prepare an offline **Bootstrap Pack** with all container images, Helm/compose charts, seed database, and initial Mirror Bundle.
- 2. Install in the air‑gapped enclave and **seal** egress.
- 3. Periodically import new **Mirror Bundles** via removable media.
- 4. Export evidence/reports as needed.
-
-### 3.2 Egress sealing
-
-* **Static guardrails:**
-
- * Platform flag `STELLA_AIRGAP=sealed` and database feature flag `env.mode='sealed'`.
- * NetworkPolicy/iptables/eBPF deny‑all egress for namespaces/pods except loopback and the internal object store.
- * Outbound DNS blocked.
- * HTTP clients in code use a single `EgressPolicy` facade. When sealed, it panics on direct network calls and returns a typed error with remediation (“import a Mirror Bundle”).
-* **Verification:** `GET /system/airgap/status` returns `sealed: true|false`, current policy hash, and last import timestamp. CLI prints warning if not sealed in declared air‑gapped install.
-
-### 3.3 Trusted time
-
-* Air‑gapped systems cannot NTP. Each Mirror Bundle includes a **signed time token** (Roughtime‑style or RFC 3161) from a trusted authority. On import, platform stores `time_anchor` for drift calculations and staleness checks.
-* If time drift exceeds policy threshold, UI shows “stale view” badges and some jobs are blocked until a new bundle provides a fresh anchor.
-
-### 3.4 Mirror Bundles (offline updates)
-
-* **Content types:**
-
- * Public advisories (OSV, GHSA, vendor advisories), NVD mappings, CPE/Package metadata.
- * VEX statements from vendors/communities.
- * Policy packs (templates, baselines, versioned rule sets).
- * StellaOps engine metadata and schema migrations.
- * Optional: **OCI image set** for platform and recommended runners.
- * Optional: dashboards and alert rule packs.
-* **Format:** a TUF‑like layout:
-
- ```
- root.json, snapshot.json, timestamp.json, targets/
- advisories/*.jsonl.zst
- vex/*.jsonl.zst
- policy/*.tar.zst
- images/* (OCI layout or oci-archive)
- meta/engine/*.tgz
- meta/time-anchor.json (signed)
- ```
-* **Integrity & trust:**
-
- * DSSE‑signed target manifests.
- * Root of trust rotated via `root.json` within strict policy; rotation requires manual dual approval in sealed mode.
- * Each content artifact has a content digest and a **Merkle root** for the overall bundle.
-* **Creation:** in connected networks, `stella mirror create --content advisories,vex,policy,images --since 2025-01-01 --out bundle.tgz`.
-* **Import:** in air‑gap, `stella airgap import bundle.tgz`. The importer verifies DSSE, TUF metadata, Merkle root, then writes to local object store and updates catalog tables.
-* **Idempotence:** imports are content‑addressed; re‑imports deduplicate.
-
-### 3.5 Deterministic jobs and sources
-
-* **Allowed sources:** filesystem, internal object store, tenant private registry, and pre‑approved connectors that don’t require external egress.
-* **Disallowed in sealed mode:** remote package registries, web scrapers, outbound webhooks, cloud KMS unless on the enclave network.
-* **Runner policy:** the Task Runner verifies job descriptors contain no network calls unless marked `internal:` with allow‑listed destinations. Violations fail at plan time with an explainable error.
-
-### 3.6 Conseiller and Excitator in air‑gap
-
-* **Conseiller (Feedser):** ingests advisories only from imported bundles or tenant local feeds. It preserves source identities and never merges. Linkage uses bundle‑provided cross‑refs and local heuristics.
-* **Excitator (VEXer):** imports VEX records as‑is, links them to components and advisories, and records the origin bundle and statement digests. Consensus Lens (Epic 7) operates offline across the imported sources.
-
-### 3.7 Policy Engine and Studio
-
-* Policy packs are versioned and imported via bundles.
-* Simulation and authoring work locally. Exports of new or updated policies can be packaged as **Policy Sub‑Bundles** for transfer back to connected environments if needed.
-* Engine shows which rules depend on external evidence and how they degrade in sealed mode (e.g., “No external EPSS; using cached percentile from last bundle.”).
-
-### 3.8 Notifications in sealed mode
-
-* Default to **local delivery** only: SMTP relay inside enclave, syslog, file sink.
-* External webhooks are disabled.
-* Notification templates show “air‑gap compliant channel” tags to avoid misconfiguration.
-
-### 3.9 Observability & Forensics
-
-* Traces, logs, metrics remain local.
-* Evidence Locker supports **portable evidence packages** for cross‑domain transfer: `stella forensic snapshot create --portable`.
-* Importing an evidence bundle in another enclave verifies signatures and maintains chain‑of‑custody.
-
-### 3.10 Console and CLI behavior
-
-* Console shows a prominent **Air‑Gapped: Sealed** badge with last import time and staleness indicators for advisories, VEX, and policy packs.
-* CLI commands gain `--sealed` awareness: any operation that would egress prints a refusal with remediation suggesting the appropriate import.
-
-### 3.11 Multi‑tenant and scope
-
-* Tenancy works unchanged. Bundle imports can target:
-
- * `--tenant-global`: shared catalogs (advisories, VEX, policy baselines).
- * `--tenant=`: tenant‑specific content (e.g., private advisories).
-* Authority scopes gain `airgap:import`, `airgap:status:read`, `airgap:seal` (admin‑only).
-
-### 3.12 Feature degradation matrix
-
-* **AI Assistant:** offline variants use local models if installed; otherwise feature is disabled with a message.
-* **External reputation feeds (e.g., EPSS‑like):** replaced by cached values from the bundle.
-* **Container base image lookups:** rely on imported metadata or tenant private registry.
-
----
-
-## 4) Architecture
-
-### 4.1 New modules
-
-* `airgap/controller`
-
- * Sealing state machine; status API; guardrails wiring into HTTP clients and runner.
-* `airgap/importer`
-
- * TUF/DSSE verification, Merkle validation, object store loader, catalog updater.
-* `mirror/creator`
-
- * Connected‑side builder for bundles; content plug‑ins for advisories/VEX/policy/images.
-* `airgap/policy`
-
- * Enforcement library exposing `EgressPolicy` facade and job plan validators.
-* `airgap/time`
-
- * Time anchor parser, drift checks, staleness annotations.
-* `console/airgap`
-
- * Sealed badge, import UI, staleness dashboards, degradation notices.
-* `cli/airgap`
-
- * `stella airgap seal|status|import|verify` commands; `stella mirror create|verify`.
-
-### 4.2 Data model additions
-
-* `airgap_state(id, sealed BOOLEAN, policy_hash TEXT, last_import_at TIMESTAMP, time_anchor JSONB)`
-* `bundle_catalog(id, kind ENUM, merkle_root TEXT, dsse_signer TEXT, created_at TIMESTAMP, imported_at TIMESTAMP, scope ENUM('global','tenant'), tenant_id NULLABLE, labels JSONB)`
-* `bundle_items(bundle_id, path TEXT, sha256 TEXT, size BIGINT, type TEXT, meta JSONB)`
-* `import_audit(id, bundle_id, actor, tenant_scope, verify_result, trace_id, created_at)`
-
-RLS: tenant‑scoped rows when `scope='tenant'`; global rows readable only with `stella:airgap:status:read`.
-
-### 4.3 Storage layout
-
-Object store paths:
-
-```
-tenants/_global/mirror//targets/...
-tenants//mirror//targets/...
-tenants/_global/images/]