Restructure solution layout by module

This commit is contained in: master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions


@@ -0,0 +1,31 @@
# Vulnerability Explorer API Guild Charter (Epic 6)
## Mission
Expose policy-aware vulnerability listing, detail, simulation, workflow, and export APIs backed by the Findings Ledger and evidence services. Provide deterministic, RBAC-enforced endpoints that power Console, CLI, and automation workflows.
## Scope
- Service under `src/VulnExplorer/StellaOps.VulnExplorer.Api` (query engine, workflow endpoints, simulation bridge, export orchestrator).
- Integration with Findings Ledger, Policy Engine, Conseiller, Excitator, SBOM Service, Scheduler, and Authority.
- Evidence bundle assembly and signing hand-off.
## Principles
1. **Policy-driven** All responses reference the requested policy version and include rationale metadata.
2. **Immutable facts** APIs read advisory/VEX/inventory evidence; they never mutate or overwrite source documents.
3. **Audit-ready** Every workflow action records ledger events and exposes provenance (IDs, timestamps, actors).
4. **Deterministic & efficient** Query results stable under fixed inputs; pagination and grouping honor budgets.
5. **Secure** RBAC/ABAC enforced server-side; exports signed; attachments served via scoped URLs.
## Collaboration
- Keep `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized.
- Coordinate schemas with Findings Ledger, Console, CLI, and Docs; publish OpenAPI + JSON schemas.
- Work with DevOps/Observability for performance dashboards and SLOs.
## Tooling
- .NET 10 preview minimal API with async streaming for exports.
- PostgreSQL/Mongo projections from Findings Ledger; Redis for query caching as needed.
- Integration with Policy Engine batch eval and simulation endpoints.
## Definition of Done
- Endpoints documented (OpenAPI), tested (unit/integration/perf), and budget-enforced.
- Telemetry/alerts configured; CI covers determinism.
- Evidence bundle signing verified; docs updated with compliance checklist.
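Review bot: Principle 5 ("Secure") says "exports signed; attachments served via scoped URLs" but does not bound the scope: nothing in the charter states that attachment URLs expire or that they are bound to the requesting tenant/actor, and nothing says how a consumer of a signed export bundle verifies the signature (which key, where it is published). Since the Definition of Done already requires "Evidence bundle signing verified", suggest tightening item 5 to something like "attachments served via short-lived, tenant-scoped URLs; export bundles signed with a documented key that consumers can verify offline" so the DoD has a concrete criterion to check against. Two smaller points in the same file: the Collaboration bullet mixes a repo-rooted path (`src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md`) with a location-relative one (`../../docs/implplan/SPRINTS.md`), so one of the two will not resolve from wherever this charter is read; pick a single convention. And Principle 4 calls results "stable under fixed inputs" without naming the ordering that makes that testable (sort key plus tie-breaker, and stable cursor paging); the determinism CI check in the DoD needs that stated.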


@@ -0,0 +1,14 @@
# Vulnerability Explorer API Task Board — Epic 6
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| VULN-API-29-001 | TODO | Vuln Explorer API Guild | LEDGER-29-001, GRAPH-INDEX-28-001 | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes. | OpenAPI + schemas committed; spectral lint passes; clients regenerated for Console/CLI; docs drafted. |
| VULN-API-29-002 | TODO | Vuln Explorer API Guild | VULN-API-29-001, LEDGER-29-003 | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets. | Endpoints return deterministic results; budgets enforced; integration tests cover filters/groupings; metrics logged. |
| VULN-API-29-003 | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary. | Detail payload matches contract; evidence references raw doc ids; tests cover missing evidence. |
| VULN-API-29-004 | TODO | Vuln Explorer API Guild, Findings Ledger Guild | LEDGER-29-005 | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation. | Workflow APIs create ledger events, return updated projection; error handling documented; tests cover business rules. |
| VULN-API-29-005 | TODO | Vuln Explorer API Guild, Policy Guild | POLICY-ENGINE-27-001, VULN-API-29-002 | Implement simulation endpoint comparing `policy_from` vs `policy_to`, returning diffs without side effects; hook into Policy Engine batch eval. | Simulation returns delta sets; runtime under SLA; tests cover large queries; no ledger writes. |
| VULN-API-29-006 | TODO | Vuln Explorer API Guild | SBOM-CONSOLE-23-001, GRAPH-API-28-003 | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose `paths` array in details. | API returns path metadata; Graph Explorer links validated via e2e tests; docs updated. |
| VULN-API-29-007 | TODO | Vuln Explorer API Guild, Security Guild | AUTH-POLICY-27-001, AUTH-VULN-29-001 | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging. | Unauthorized requests rejected; audit logs contain actor + change; security tests cover ABAC filters. |
| VULN-API-29-008 | TODO | Vuln Explorer API Guild | VULN-API-29-001..007 | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata. | Export endpoint streams bundles, attaches signature; tests validate manifest + checksum; docs updated. |
| VULN-API-29-009 | TODO | Vuln Explorer API Guild, Observability Guild | VULN-API-29-002..008 | Instrument metrics (`vuln_list_latency`, `vuln_simulation_latency`, `vuln_export_duration`, `vuln_workflow_events_total`), structured logs, and traces; publish dashboards/alerts. | Metrics registered; dashboards live; alert thresholds documented; telemetry tests in CI. |
| VULN-API-29-010 | TODO | Vuln Explorer API Guild, QA Guild | VULN-API-29-002..008 | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries. | CI suite green; perf tests documented; determinism harness passes; bug budget set. |
| VULN-API-29-011 | TODO | Vuln Explorer API Guild, DevOps Guild | VULN-API-29-002..009 | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance. | Deployment artifacts merged; smoke deploy validated; scaling/backup docs produced. |