feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

- ✅ Zero direct System.Security.Cryptography usage in production code
- ✅ All crypto operations go through ICryptoProvider abstraction
- ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider
- ✅ Build successful (AirGap, Crypto plugin, DI infrastructure)
- ✅ Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs2/ui/accessibility.md

@@ -0,0 +1,31 @@
+# Console accessibility
+
+The console targets WCAG 2.2 AA and must remain usable with keyboard-only and
+screen-reader workflows in online and sealed environments.
+
+Core principles
+- Deterministic navigation and stable focus order.
+- Keyboard-first interaction with remappable shortcuts.
+- Assistive technology parity for status and progress updates.
+- Design tokens that maintain contrast targets.
+- Offline parity for banners, dialogs, and keyboard flows.
+
+Keyboard model
+- Global shortcuts for search, tenant switch, filters, and help.
+- Module shortcuts for findings, SBOM explorer, runs, and downloads.
+- Focus traps for dialogs and drawers with consistent return focus.
+
+Screen reader behavior
+- Polite live regions for background updates.
+- Assertive alerts for errors and blocking conditions.
+- Aria grid semantics for large tables.
+
+Testing
+- Automated axe checks in UI CI.
+- Playwright a11y sweeps on critical routes.
+- Manual screen reader spot checks before releases.
+
+Related references
+- docs/accessibility.md
+- docs/ui/*
+- docs/observability/ui-telemetry.md

docs2/ui/admin.md

@@ -0,0 +1,58 @@
+# Admin workspace
+
+Purpose
+- Centralize Authority-facing controls for tenants, roles, clients, tokens, integrations, and audit.
+
+Access and dependencies
+- Route: /console/admin with sub-routes for tenants, roles, users, clients, tokens, integrations, audit.
+- Scopes: ui.admin plus authority:* scopes for each tab.
+- Fresh-auth required for sensitive actions (revocations, key rotations, branding apply).
+- Depends on Authority admin APIs, revocation exports, JWKS, and licensing posture endpoints.
+
+Tenants
+- Create, edit, suspend, resume, and delete tenants (delete is gated and audited).
+- Tenant fields: slug, display name, status, isolation mode, default roles.
+- Offline snapshots show latest snapshot timestamp and checksum.
+- Export tenant bundle for air-gap distribution.
+- CLI parity: stella auth tenant create, stella auth tenant suspend.
+
+Roles and scopes
+- Table lists roles with mapped scopes and audiences.
+- Inline editor adds and removes scopes with validation and impact preview.
+- Role bundle catalog covers console, scanner, scheduler, policy, graph, observability.
+- CLI parity: stella auth role update.
+
+Users and tokens
+- User list includes roles, last login, and MFA status.
+- Token inventory lists access, refresh, and device tokens with status.
+- Token detail shows claims, sender constraint, issuance metadata, revocations.
+- Revoke and bulk revoke actions require fresh-auth and log audit events.
+- CLI parity: stella auth token revoke.
+
+Integrations
+- Client registrations list grant types, allowed scopes, DPoP or mTLS settings.
+- Bootstrap bundles provide templates for new clients and users.
+- External IdP connectors (SAML or OIDC) with metadata upload and test status.
+- Licensing posture panel is read-only.
+- Branding uploads are gated by fresh-auth.
+
+Audit
+- Timeline of admin events with filters (event type, actor, tenant, scope, correlation ID).
+- Export CSV or JSON for SOC ingestion.
+- Log pivot copies correlation ID search queries.
+
+Fresh-auth flow
+- Modal prompts for credential re-entry or hardware key touch.
+- Fresh-auth window lasts five minutes; sensitive buttons disabled outside the window.
+- Audit events recorded for fresh-auth start and success.
+
+Security guardrails
+- DPoP enforcement status and mTLS summaries for sensitive audiences.
+- Token policy checks for TTL and refresh rotation.
+- Revocation bundle export status with digest.
+- Signing key rotation panel with current kid and last rotation time.
+
+Offline behavior
+- Offline banner disables direct writes; UI generates offline apply scripts.
+- Token revocation and role changes produce bundles for offline Authority hosts.
+- Audit exports default to local paths with checksum output.

docs2/ui/advisories-vex.md

@@ -0,0 +1,75 @@
+# Advisories and VEX
+
+Purpose
+- Display Concelier advisories and Excititor VEX consensus without mutating upstream data.
+- Highlight provenance, conflicts, and verification status under Aggregation-Only rules.
+
+Access and dependencies
+- Routes: /console/advisories and /console/vex.
+- Scopes: advisory.read, vex.read; advisory.verify and vex.verify for verification actions; downloads.read for exports.
+- Depends on Concelier and Excititor aggregation APIs and Authority tenancy.
+- Feature flags: advisoryExplorer.enabled, vexExplorer.enabled, aggregation.conflictIndicators.
+
+Layout
+- Shared header with tenant badge, global filters, status ticker, and actions.
+- Tabs for Advisories and VEX; last view remembered per tenant.
+- Left rail includes saved views and provider filters.
+
+Advisory grid
+- Columns: vulnerability ID, title, source set, last merged, severity, KEV flag, affected count, merge hash.
+- Source chips list providers with precedence and timestamps.
+- Filters: ID search, provider, severity, KEV, affected count, time window.
+- Actions: open detail, compare sources, queue verify, copy CLI.
+
+Advisory detail drawer
+- Summary cards: title, timestamps, merge hash, total sources, exploited flag.
+- Sources timeline with signature status, precedence, and raw links.
+- Affected products table with semver or distro view toggle.
+- Conflict indicators for severity, fixed versions, affected sets.
+- References list and raw JSON viewer.
+- CLI parity for show, sources, and export commands.
+
+VEX explorer
+- Consensus table keyed by vulnerability and product.
+- Status badges: affected, not_affected, fixed, under_investigation.
+- Provider breakdown shows accepted or ignored claims with weights and justification.
+- Filters: product PURL, status, provider, justification code, confidence threshold.
+- Saved views for common triage scenarios.
+
+VEX detail drawer
+- Consensus summary with policy revision and confidence data.
+- Claims list grouped by provider tier with provenance and supersedes chains.
+- Conflict explainers show why claims were ignored.
+- Timeline events with correlation IDs.
+- Raw JSON viewer with CLI parity.
+
+Provenance and raw viewers
+- Provenance banner shows source URI, document digest, signature status, timestamps, collector version.
+- Raw documents are read-only and include DSSE bundle download when available.
+- Log pivot links copy correlation ID queries.
+
+Conflict indicators and AOC alignment
+- Conflicts are surfaced rather than merged in the UI.
+- Winning values and precedence are shown from Concelier metadata.
+- UI copy reminds users policy decisions happen elsewhere.
+
+Verification workflows
+- Verify actions call Concelier or Excititor endpoints scoped by tenant and filters.
+- Results summarize documents checked, signatures verified, and ERR_AOC codes.
+- Verification history is accessible from the status ticker.
+
+Exports and automation
+- Advisory exports: normalized advisory, affected products CSV, source bundle.
+- VEX exports: consensus snapshot, raw claims, provider deltas.
+- Export manifests include merge hash or consensus digest and signature state.
+- Webhook subscription snippets for export completion.
+
+Real-time updates
+- SSE refreshes advisory and VEX grids with delta badges.
+- Status ticker shows ingest lag and verification queue depth.
+
+Offline behavior
+- Snapshot banner shows staleness and disables live verification.
+- Raw downloads use local snapshot paths with checksum guidance.
+- Exports queue locally with removable media instructions.
+- Tenants missing from the snapshot are hidden.

docs2/ui/airgap.md

@@ -0,0 +1,25 @@
+# Console air-gap UI
+
+Purpose
+- Provide sealed-mode imports, staleness visibility, and guidance for offline operators.
+
+Surfaces
+- Air-gap status badge shows sealed state, mirrorGeneration, last import time, and staleness.
+- Import wizard uploads and verifies mirror bundles and records timeline events.
+- Staleness dashboard charts staleness by bundle and component.
+
+Staleness logic
+- Staleness = now minus bundle.createdAt using time anchors.
+- Color bands: green under 24h, amber 24h to 72h, red over 72h or missing anchor.
+
+Guidance banners
+- Sealed banner: egress denied, only registered bundles allowed.
+- Staleness red banner prompts import of the next bundle or time anchor refresh.
+
+Events
+- Successful import emits timeline event with bundleId, mirrorGeneration, manifest hash, actor.
+- Failed import emits error code without exposing stack traces.
+
+Security and guardrails
+- Admin scope required for imports; read-only users can view status only.
+- Hashes always include tenant and generation context.

docs2/ui/aoc-dashboard.md

@@ -0,0 +1,53 @@
+# AOC dashboard
+
+Purpose
+- Monitor Aggregation-Only Contract (AOC) ingestion guardrails across Concelier and Excititor sources.
+- Surface violations, verification results, and exportable evidence without mutating source data.
+
+Access and dependencies
+- Route: /console/sources.
+- Feature flag: aocDashboard.enabled.
+- Scopes: ui.read plus advisory.read and vex.read; aoc:verify for verify actions.
+- Depends on Concelier and Excititor guard endpoints and Authority tenant scoping.
+
+Layout
+- Source tiles for Concelier and Excititor feeds.
+- Violations and history table with filters.
+- Action bar: run verify, schedule verify, export evidence, open raw docs.
+
+Source tile fields
+- Status badge: healthy, warning, critical based on last ingest age and ERR_AOC violations.
+- Last ingest timestamp and relative age.
+- Violations in the last 24 hours grouped by ERR_AOC code.
+- Supersedes depth (average revision chain length).
+- Signature pass rate.
+- Ingestion latency P95.
+
+Violation drilldown
+- Filters by source, timeframe, ERR_AOC code, and severity.
+- Detail drawer shows provenance, signature status, supersedes chain, and redacted raw JSON.
+- Linked findings and policy overlays are shown as references only.
+- Annotations and acknowledgements are stored as structured audit notes.
+
+Verification and actions
+- Run verify posts to /aoc/verify with a since window; results include counts and top codes.
+- Schedule verify supports daily or weekly cadence with optional notifications.
+- Export evidence bundles include tile metrics, verification summaries, and annotations.
+- CLI parity: stella aoc verify --tenant <tenant> --since <window>.
+
+Observability
+- ingestion_write_total{source,tenant,result}
+- aoc_violation_total{source,tenant,code}
+- ingestion_signature_verified_total{source,result}
+- ingestion_latency_seconds{source,quantile}
+- advisory_revision_count{source}
+
+Security and tenancy
+- DPoP-bound tokens per tenant; data never crosses tenant boundaries.
+- Sensitive fields are redacted using Concelier rules.
+- Verify actions are rate limited and audited (action=aoc.verify.ui).
+
+Offline behavior
+- Offline snapshot banner shows snapshot time and bundle hash.
+- Verification requests queue for later execution and provide CLI guidance.
+- Evidence exports default to local paths for air-gap transfer.

docs2/ui/attestor.md

@@ -0,0 +1,19 @@
+# Attestor UI
+
+Purpose
+- View and verify attestations without deriving new verdicts.
+
+Surfaces
+- Attestation list and detail pages.
+- Verification status panel with raw results.
+
+Filters
+- Tenant, issuer, predicate type, verification status.
+
+Actions
+- Download DSSE bundle.
+- View transparency info when available.
+- Export verification record.
+
+Guardrails
+- UI displays raw verification state only; no derived judgments.

docs2/ui/branding.md

@@ -0,0 +1,42 @@
+# Console branding
+
+Purpose
+- Provide tenant-aware branding without rebuilding the UI.
+- Keep branding changes auditable, deterministic, and offline friendly.
+- Allow config defaults with per-tenant overrides after login.
+
+Branding record (Authority)
+- brandingId, tenantId, displayName
+- logo and favicon (data URI or asset reference)
+- themeTokens (CSS variable map for light, dark, high-contrast)
+- updatedBy, updatedAtUtc, hash (sha256 of canonical JSON)
+
+Constraints
+- Logo and favicon up to 256 KB each.
+- Allowed formats: image/svg+xml, image/png, image/jpeg.
+- Theme tokens limited to a whitelist; no arbitrary CSS.
+
+Configuration layering
+1) Static defaults from config.json.
+2) Tenant branding fetched after login.
+3) Session-only preview overrides (not persisted).
+- If Authority is unreachable, the UI uses static defaults.
+
+API surface
+- GET /console/branding (ui.read, authority:branding.read)
+- PUT /console/admin/branding (ui.admin, authority:branding.write, fresh-auth)
+- POST /console/admin/branding/preview (ui.admin, authority:branding.write)
+
+UI application
+- Branding service applies CSS variables to documentElement.
+- Updates header logo and document title.
+- Supports theme-specific tokens via data-theme selectors.
+
+Audit and offline
+- Branding updates emit authority.branding.updated events.
+- Branding bundles are exported with detached signatures for offline import.
+- Console displays the last applied branding hash for verification.
+
+Related references
+- docs/architecture/console-branding.md
+- docs/ui/branding.md

docs2/ui/console.md

@@ -0,0 +1,56 @@
+# Console overview
+
+Mission and principles
+- Single entry point for SBOMs, advisories, policies, runs, and admin controls.
+- Deterministic navigation with deep-linkable URLs.
+- Tenant isolation by default; explicit cross-tenant comparisons only.
+- Aggregation-only views for Concelier and Excititor outputs.
+- Offline parity for every view with visible staleness.
+
+Primary navigation
+- Dashboard: KPIs, feed age, queue depth, alerts.
+- Findings: policy verdicts, explain traces, and triage actions.
+- SBOM Explorer: catalog, components, overlays, exports.
+- Advisories and VEX: aggregated sources, provenance, conflicts.
+- Runs: scheduler runs, progress, evidence links.
+- Policies: editor, simulations, approvals.
+- Downloads: signed artifacts and offline kit parity.
+- Admin: tenants, roles, clients, tokens, branding.
+- Help: guides, tours, and release notes.
+
+Shared surfaces
+- Top bar: tenant picker, environment badge, offline status, user menu, notifications, command palette.
+- Global filter tray (Shift+F): tenant, time window, severity, tags, source providers, run status, policy view.
+- Context chips: active filters with one-click removal.
+- Status ticker: SSE-driven ingestion deltas and queue depth.
+
+Tenant model
+- Tenant list comes from Authority; switching issues a tenant-scoped, DPoP-bound token.
+- Cross-tenant comparisons are opt-in and render split panes with separate tokens.
+- Fresh-auth gates sensitive actions (admin changes, approvals).
+- Tenant switches emit audited events (ui.tenant.switch).
+
+Filters, presets, and deep links
+- Filters encoded in URLs (tenant, since/until, severity, view, panel, component).
+- Presets are saved per tenant and accessible via the command palette and Cmd/Ctrl+1..9.
+- Deep links map to CLI commands for deterministic offline replay.
+
+Aggregation-only alignment
+- Advisory and VEX pages read canonical aggregation endpoints.
+- Provenance badges show source lineage, precedence, and merge hashes.
+- UI does not reweight or rewrite aggregated data; actions route through guard endpoints.
+
+Performance and telemetry
+- LCP target under 2.5 seconds on a 4 vCPU offline runner with cached assets.
+- Route budget under 1.5 seconds after token resolution.
+- Telemetry signals: ui_route_render_seconds, ui_filter_apply_total, ui_tenant_switch_total, ui_offline_banner_seconds.
+
+Offline posture
+- Offline kits drive read-only views with snapshot ID and staleness banners.
+- Actions requiring Authority or verification show CLI guidance.
+- Tenants missing from the snapshot are hidden.
+
+Related references
+- ui/navigation.md
+- ui/downloads.md
+- ui/sbom-explorer.md

docs2/ui/downloads.md

@@ -0,0 +1,57 @@
+# Downloads workspace
+
+Purpose
+- Centralize signed artifacts, export bundles, and offline kit parity checks.
+- Provide CLI parity commands for reproducible artifact acquisition.
+
+Access and dependencies
+- Route: /console/downloads with /console/downloads/:artifactId detail drawer.
+- Scopes: downloads.read; downloads.manage for cancel or expire exports.
+- Depends on downloads manifest, offline kit metadata, and export orchestrator.
+- Feature flags: downloads.workspace.enabled, downloads.exportQueue, downloads.offlineParity.
+
+Workspace layout
+- Header shows manifest version, generatedAt, and signature status.
+- Cards for latest release, offline kit parity, export queue depth.
+- Tabs: artifacts, exports, offline kits, webhooks.
+- Filter bar: channel, kind, architecture, tags.
+
+Artifact catalog
+- Core containers, helm charts, compose bundles, offline kits, evidence exports, webhook configs.
+- Detail drawer shows metadata, provenance, commands, and history.
+- Digest-only pulls are the default; commands include arch hints.
+
+Manifest structure
+- version: monotonically increasing release integer.
+- generatedAt: ISO-8601 UTC timestamp.
+- signature: detached signature for manifest.json.
+- artifacts: ordered entries with id, kind, channel, version, digest, sizeBytes, downloadUrl, signatureUrl, sbomUrl, attestationUrl, docs, tags.
+- Console caches the manifest hash and highlights version changes.
+
+Download statuses
+- Ready: immutable artifacts with verified digests.
+- Pending export: queued bundles with owner and ETA.
+- Processing: stages collecting, compressing, signing.
+- Delivered: download links and resume tokens.
+- Expired: retention exceeded, regenerate via CLI.
+
+CLI parity
+- Copy buttons produce docker pull and oras copy commands with digests.
+- Helm and compose commands include values and env file hints.
+- Offline kit verification sequence includes cosign verify-blob.
+- Export entries include stella runs export or stella findings export commands.
+- Webhook tab provides curl subscription snippets.
+
+Offline and air-gap workflow
+- Offline users import offline-manifest.json with detached signature.
+- UI warns when offline manifest lags online by more than a week.
+- Mirror commands copy images to internal registries with custom trust roots.
+- Parity checks highlight diff between offline kit contents and manifest digests.
+- Audit logs record ui.download.commandCopied with artifact ID and digest.
+
+Observability and quotas
+- ui_download_manifest_refresh_seconds for manifest fetch and verify.
+- ui_download_export_queue_depth from the downloads API.
+- ui_download_command_copied_total from console logs.
+- downloads.export.duration histograms for export generation.
+- downloads.quota.remaining warns on quota saturation.

docs2/ui/exception-center.md

@@ -0,0 +1,24 @@
+# Exception center
+
+Purpose
+- Manage exception and waiver requests with explicit approval workflows.
+- Preserve Aggregation-Only and evidence-first expectations in every view.
+
+Core surfaces
+- List view with status, scope, owner, expiry, and evidence links.
+- Detail view with create, approve, reject actions and a full history timeline.
+- Badges for scope, risk level, and expiration status.
+
+Workflow expectations
+- Create requires reason, evidence references, and expiry.
+- Approve and reject actions are scope gated and audited.
+- Status changes emit timeline events with correlation IDs.
+
+Accessibility and offline
+- Keyboard shortcuts for list, filters, and detail drawer.
+- Offline mode shows snapshot ID and disables new approvals.
+- Exports default to local paths for transfer.
+
+Determinism and assets
+- Any captures or sample payloads must be stored locally with SHA256SUMS.
+- Exported views include filter and overlay metadata for replay.

docs2/ui/explainers.md

@@ -0,0 +1,34 @@
+# Policy explainers
+
+Purpose
+- Provide evidence-backed explanations for policy decisions.
+- Always show evidence hashes, signals, and rule rationale.
+
+Surfaces
+- Findings table links to the explainer drawer.
+- Explainer drawer shows rule stack, inputs, signals, and evidence hashes.
+- Timeline and runs tabs show policy events and run inputs.
+
+Drawer layout
+- Header: status, severity, policy version, shadow flag, AOC badge.
+- Evidence panel: SBOM digest, advisory snapshot, VEX IDs, reachability graph hash, runtime hit flag, attestation refs.
+- Rule hits: ordered list with because, signals snapshot, actions taken.
+- Reachability path: signed call path and edge bundle hash when available.
+- Signals: trust_score, reachability state and score, uncertainty level, runtime hits.
+
+Interactions
+- Verify evidence triggers the policy explain verify flow and shows DSSE status.
+- Toggle baseline compares against previous policy version.
+- Download exports JSON with evidence hashes for offline review.
+
+Accessibility
+- Keyboard navigation across header, evidence, rules, actions.
+- Screen reader labels include status, severity, reachability state, trust score.
+
+Offline behavior
+- Explainers work with offline bundles and embedded attestations.
+- If transparency logs are unavailable, show offline verify status with bundle digest.
+
+Error states
+- Missing evidence shows unknown chips and rerun guidance.
+- Attestation mismatch shows warning badge and governance links.

docs2/ui/findings.md

@@ -0,0 +1,72 @@
+# Findings workspace
+
+Purpose
+- Present materialized policy verdicts with explainability, filtering, and export support.
+- Preserve aggregation-only provenance while enabling triage and automation.
+
+Access and dependencies
+- Route: /console/findings with optional panel=explain.
+- Scopes: findings.read, policy:runs, policy:simulate, downloads.read.
+- Depends on Policy Engine effective findings, Concelier and Excititor provenance, SBOM service metadata.
+- Feature flags: findings.explain.enabled, findings.savedViews.enabled, findings.simulationDiff.enabled.
+
+Layout
+- Header with tenant badge, policy selector, global filters, and actions.
+- Summary cards: affected assets, critical count, KEV count.
+- Findings grid (virtualized) with right-side drawer for details.
+
+Filters and saved views
+- Status: affected, at_risk, quieted, fixed, not_applicable, mitigated.
+- Severity: critical, high, medium, low, informational, untriaged.
+- KEV toggle and exploitability hints.
+- Policy view: active, staged, simulation.
+- Component search by PURL or substring.
+- SBOM filter by image digest or SBOM ID.
+- Tags from policy outputs.
+- Run window and explain hints (rule ID, justification, VEX provider).
+- Saved views persist per tenant and policy; shared views appear in the rail.
+
+Grid columns and badges
+- Status badge with rationale and quieted expiry.
+- Severity with score tooltip.
+- Component PURL and SBOM link.
+- Policy name and revision digest.
+- Source signals (VEX, advisory, runtime overlays).
+- Age since last evaluation.
+- Row badges: KEV, override, simulation only, determinism alert.
+
+Bulk actions
+- Open explains (batch drawer).
+- Export CSV or JSON.
+- Copy CLI batch explain commands.
+- Create ticket using configured integrations.
+
+Explain drawer
+- Summary: status, severity, policy decision, rule ID, run ID, SBOM link.
+- Rule chain: ordered rule hits with actions and score contributions.
+- Evidence: advisory, VEX, runtime signals, overrides.
+- VEX impact: claims used, justification, acceptance.
+- History: state transitions with timestamps and operators.
+- Raw trace: canonical policy trace with CLI parity.
+
+Simulations and comparisons
+- Compare active vs staged or simulation snapshots with diff banners.
+- Side-by-side view highlights added, removed, and severity changes.
+- Simulation results expire after a retention window and prompt re-run.
+
+Exports and automation
+- Immediate CSV, JSON, and Markdown summary exports.
+- Scheduled exports produce full tenant reports with manifests.
+- Explain bundle export packages traces for audit.
+- Webhook subscription hints for export completion.
+
+Real-time updates
+- SSE stream updates new findings, status changes, and quieted expirations.
+- Metrics cards mirror findings_critical_total, findings_quieted_total, findings_kev_total.
+- Errors surface correlation IDs for logs.
+
+Offline behavior
+- Snapshot banner shows offline dataset and staleness.
+- Explain drawer notes cached evidence sources.
+- Exports default to local paths with transfer guidance.
+- Tenants missing in the snapshot are hidden.

docs2/ui/forensics.md

@@ -0,0 +1,20 @@
+# Forensics UI
+
+Purpose
+- Provide timeline exploration, evidence viewing, and attestation verification workflows.
+
+Core surfaces
+- Timeline explorer with filters and drilldowns.
+- Evidence viewer for attestations, signatures, and DSSE bundles.
+- Verifier steps with expected outputs and replay guidance.
+
+Determinism and assets
+- Captures and sample payloads must be stored locally with SHA256SUMS.
+- Tables and examples use UTC timestamps and stable ordering.
+
+Offline behavior
+- Evidence viewer works from offline bundles.
+- Verification steps prefer local bundles and recorded hashes.
+
+Troubleshooting
+- Error taxonomy, retry guidance, and deterministic repro steps.

docs2/ui/navigation.md

@@ -0,0 +1,61 @@
+# Console navigation
+
+Route map
+- /console/dashboard: KPIs, feed age, queue depth, alerts (min scope: ui.read).
+- /console/findings: policy verdicts, explain drawer, exports (min scope: findings.read).
+- /console/sbom: SBOM catalog, component graph, overlays (min scope: sbom.read).
+- /console/advisories: advisory aggregation with provenance (min scope: advisory.read).
+- /console/vex: VEX consensus and claims (min scope: vex.read).
+- /console/runs: scheduler runs, progress, evidence bundles (min scope: runs.read).
+- /console/policies: authoring, simulation, approvals (min scope: policy.read).
+- /console/downloads: artifacts and offline kit parity (min scope: downloads.read).
+- /console/admin: tenants, roles, clients, tokens, audit (min scope: ui.admin plus authority scopes).
+- /console/help: guides, tours, release notes (min scope: ui.read).
+
+Secondary navigation
+- Left rail: active route, quick metrics, saved views.
+- Breadcrumbs: Home / Module / Detail with shareable context.
+- Action shelf: context actions (export, verify, retry) gated by scopes.
+
+Command palette
+- Open with Cmd/Ctrl+K.
+- Jump to routes, saved views, tenants, and recent entities.
+- Actions apply stored filters without a full reload.
+- Offline mode restricts to cached routes and saved views.
+
+Global filter controls
+- Tenant picker (Cmd/Ctrl+T): requests a new Authority token and invalidates caches.
+- Filter tray (Shift+F): time window, severity, tags, source, status, policy view.
+- Component search: focus with / when tray is closed.
+- Time presets: Cmd/Ctrl+Shift+1..4 for 24h, 7d, 30d, custom.
+- Context chips: show active filters and allow one-click removal.
+
+Keyboard shortcuts
+- Cmd/Ctrl+K: command palette.
+- Cmd/Ctrl+T: tenant switcher.
+- Shift+F: filter tray.
+- Cmd/Ctrl+1..9: saved view presets.
+- ?: keyboard overlay with per-module shortcuts.
+- Module examples: Cmd/Ctrl+G (SBOM overlays), Cmd/Ctrl+R (runs refresh), Cmd/Ctrl+S (policy save).
+- Shortcuts are remappable and follow WCAG 2.2 guidance.
+
+Deep link schema
+- /console/<route>[/<id>]?tenant=<slug>&since=<iso>&until=<iso>&severity=<list>&view=<token>&panel=<drawer>&component=<purl>
+- tenant is required and matches Authority slugs.
+- panel selects drawers or tabs (panel=explain, panel=timeline).
+- Offline share links include snapshot=<hash>.
+- Share links map to CLI commands for parity and offline replay.
+
+Tenant switching lifecycle
+- User selects a tenant from the picker or palette.
+- UI requests a new tenant-scoped, DPoP-bound token from Authority.
+- Cache stores are invalidated; SSE streams reconnect with new headers.
+- Filters reapply where valid; incompatible presets prompt fallback selection.
+- Audit event ui.tenant.switch emitted with correlation ID.
+- Offline mode hides tenants missing from the snapshot.
+
+Focus and accessibility
+- Route changes move focus to the primary heading.
+- Drawers and modals trap focus until closed; Esc restores focus.
+- Tab lists are keyboard navigable and update the URL tab parameter.
+- Automated accessibility checks validate focus order and shortcut collisions.

docs2/ui/observability.md

@@ -0,0 +1,20 @@
+# Observability UI
+
+Purpose
+- Provide an Observability Hub for traces, logs, metrics, and overlay health.
+
+Core surfaces
+- Widget catalog for traces, logs, metrics, and alert status.
+- Search and filter examples for logs and traces.
+- Dashboard and alert import with local JSON artifacts.
+
+Determinism and assets
+- Widget captures and sample payloads are stored locally with SHA256SUMS.
+- Use UTC timestamps and stable ordering in examples.
+
+Offline behavior
+- Offline mode uses local dashboards and cached payloads only.
+- Import steps are explicit and verified with checksums.
+
+Accessibility
+- Keyboard navigation and focus order documented per widget.

docs2/ui/policies.md

@@ -0,0 +1,64 @@
+# Policies workspace
+
+Purpose
+- Author, simulate, review, approve, and promote stella-dsl policy packs.
+- Integrate with policy runs, findings, and audit bundles.
+
+Access and dependencies
+- Routes: /console/policies, /console/policies/:policyId, /console/policies/:policyId/:revision.
+- Scopes: policy:read, policy:author, policy:review, policy:approve, policy:operate, policy:simulate, policy:audit.
+- Depends on Policy Engine APIs, Policy Studio editor assets, Authority fresh-auth.
+- Feature flags: policy.studio.enabled, policy.simulation.diff, policy.runCharts.enabled, policy.offline.bundleUpload.
+
+List and detail views
+- Columns: policy name and ID, state, revision digest, owner, last change, pending approvals.
+- Row actions: open, duplicate, export pack, run simulation, compare revisions.
+- Filters: team, state, tags, pending approvals, simulation warnings.
+- Detail header shows active/staged revision, simulation status, last run duration and determinism hash.
+
+Editor shell
+- Context banner with tenant, policy ID, revision digest.
+- Inline lint and compile status with timestamps.
+- Checklist sidebar for lint, simulation, determinism, security review.
+- Monaco editor with schema hovers and snippets.
+- Autosave every 30 seconds with conflict warnings.
+
+Simulation workflows
+- Simulation runs async against selected SBOM sets.
+- Diff view shows added, removed, and severity changes.
+- Side-by-side compare active vs simulation.
+- Simulation results cached per draft revision and expire after the retention window.
+- CLI parity: stella policy simulate --policy <id> --sbom <sbomId>.
+
+Review and approval
+- Review requests include reviewers, due dates, and escalation contacts.
+- Threaded comments with markdown and attachments.
+- Approval checklist: lint pass, fresh simulation, determinism check, security review.
+- Fresh-auth required for approve and promote actions.
+- Approval events record correlation IDs and digests.
+
+Promotion and rollout
+- Promotion dialog summarizes staged changes, target tenants, and run plan.
+- Schedule or apply immediately; run progress shown in the UI.
+- Rollback guidance links to CLI commands.
+
+Runs and observability
+- Runs tab lists full, incremental, and simulation runs with determinism hashes.
+- Charts for findings trend, quieted trend, rule hit heatmap.
+- Run detail drawer links to evidence bundles and policy logs.
+
+RBAC and governance
+- Roles: author, reviewer, approver, operator, auditor, admin.
+- UI disables actions without required scopes and logs denied attempts.
+
+Exports and offline bundles
+- Export pack downloads zip with metadata and digests.
+- Offline bundle upload verifies signatures before apply.
+- Explain bundle export packages run traces for audit.
+- CLI parity: stella policy export, stella policy bundle import/export.
+
+Offline behavior
+- Sealed mode disables direct promotion and uses offline job manifests.
+- Simulation warns when enrichment data is stale.
+- Run charts use snapshot data and manual refresh.
+- Exports default to local paths for transfer.

docs2/ui/policy-editor.md

@@ -0,0 +1,42 @@
+# Policy editor workspace
+
+Purpose
+- Author, simulate, and approve stella-dsl policies in the Console.
+- Provide audit-ready workflows with offline parity.
+
+Access
+- Routes: /console/policy and /console/policy/:policyId/:version.
+- Scopes: policy:author, policy:review, policy:approve, policy:operate,
+  policy:simulate, policy:audit, findings:read.
+
+Workspace layout
+- Revision timeline and checklist in the sidebar.
+- Editor tabs for DSL, simulation, approvals, runs, and explain.
+- Context cards for VEX providers and CLI parity.
+
+Editing and validation
+- Monaco editor with lint and compile diagnostics.
+- Format and diff actions produce canonical ordering.
+- Schema tooltips link to DSL documentation.
+
+Simulation and diff
+- Summary cards for added or removed findings.
+- Rule hit tables and severity deltas.
+- Export simulation outputs in deterministic JSON.
+
+Review and approval
+- Line-level comments and approval checklist.
+- Fresh-auth required for approval and activation.
+- Audit log captures submit, review, approve, and archive events.
+
+Runs and observability
+- Run tab shows rule hit heatmaps and queue depth.
+- Replay bundles are downloadable for offline verification.
+
+Offline behavior
+- Sealed mode uses cached SBOM and advisory data only.
+- Bundle export enables offline reviews and approvals.
+
+Related references
+- docs/ui/policy-editor.md
+- docs/security/policy-governance.md

docs2/ui/reachability-overlays.md

@@ -0,0 +1,28 @@
+# Reachability overlays
+
+Purpose
+- Present reachability states on SBOM and vulnerability views with evidence-backed badges.
+
+Overlay states
+- Reachable, conditionally_reachable, unreachable, unknown.
+- State mapping follows the reachability lattice and evidence schemas.
+
+Evidence sources
+- Static analysis evidence (callgraph and symbol data).
+- Runtime evidence (entry traces and runtime hits).
+- Edge bundle evidence when provided by attested bundles.
+
+UI behavior
+- Badges include state, evidence source, and last evaluation timestamp.
+- Timeline view shows state transitions and evidence hashes.
+- Overlays are included in saved views and exports.
+
+Accessibility and offline
+- Keyboard shortcuts toggle overlays and open evidence drawers.
+- Offline mode shows snapshot staleness and disables live verification.
+
+Related references
+- architecture/reachability-lattice.md
+- architecture/reachability-evidence.md
+- ui/sbom-graph-explorer.md
+- ui/vulnerability-explorer.md

docs2/ui/risk-ui.md

@@ -0,0 +1,17 @@
+# Risk UI
+
+Purpose
+- Support risk authoring, simulation, and dashboards tied to policy and reachability.
+
+Core surfaces
+- Authoring and simulation views with deterministic inputs.
+- Dashboards for risk posture and trend analysis.
+- Export views include filters and overlay metadata.
+
+Determinism and assets
+- Captures and payloads stored locally with SHA256SUMS.
+- Examples use fixed seeds and stable ordering.
+
+Offline behavior
+- Offline bundles provide snapshot data for dashboards.
+- Actions that require live data are disabled with guidance.

docs2/ui/runs.md

@@ -0,0 +1,66 @@
+# Runs workspace
+
+Purpose
+- Monitor Scheduler runs, progress, deltas, and evidence bundles in real time.
+
+Access and dependencies
+- Route: /console/runs with /console/runs/:runId detail drawer.
+- Scopes: runs.read; runs.manage for cancel or retry; policy:runs; downloads.read.
+- Depends on Scheduler WebService, Policy Engine run summaries, Scanner evidence endpoints.
+- Feature flags: runs.dashboard.enabled, runs.sse.enabled, runs.retry.enabled, runs.evidenceBundles.
+
+Layout
+- Header with tenant badge, schedule selector, backlog metrics.
+- Cards for active runs, queue depth, new findings, KEV deltas.
+- Tabs: active, completed, scheduled, failures.
+- Runs table with detail drawer for summary, segments, deltas, evidence, logs.
+
+Runs table
+- Run ID: deterministic run:<tenant>:<timestamp>:<nonce>.
+- Trigger: cron, manual, concelier, excititor, policy, content-refresh.
+- State: planning, queued, running, completed, cancelled, error with ERR_RUN codes.
+- Progress: processed vs total, updated via SSE.
+- Duration: elapsed or total duration.
+- Deltas: severity deltas and KEV changes.
+- Filters: trigger, state, schedule, severity impact, policy revision, timeframe, shard, error code.
+
+Detail drawer
+- Summary: tenant, trigger, schedule, shard count, timestamps, correlation ID.
+- Progress: segmented bar (planner, queue, execution, post-processing).
+- Segments: retry failed segments with runs.manage.
+- Deltas: links back to Findings filtered by run ID.
+- Evidence: policy run summary, findings delta CSV, scanner bundle, DSSE links.
+- Logs: latest structured logs with correlation IDs and log pivot copy.
+
+Queue and schedule management
+- Side panel lists upcoming schedules with cron, timezone, enable toggles.
+- Preview impact estimates candidate counts before launch.
+- Manual run form supports analysis-only and content-refresh modes.
+- Pause and resume schedules with confirmation.
+
+Live updates
+- SSE endpoint /console/runs/{id}/stream with stateChanged, segmentProgress, deltaSummary, log.
+- UI reconnects with exponential backoff and heartbeat.
+- Offline mode disables SSE and uses polling.
+
+Retry and remediation
+- Segment-level retry with cooldown timers.
+- Full retry creates a new run ID with retryOf reference.
+- Escalation template includes run context and correlation IDs.
+- CLI parity: stella runs retry --run <id>, stella runs cancel --run <id>.
+
+Evidence downloads
+- Evidence tab aggregates run evidence bundles and manifest hashes.
+- Bundle for offline packages all evidence into a single tarball.
+- Completed bundles appear in the Downloads workspace.
+
+Observability
+- Metrics: scheduler_queue_depth, scheduler_runs_active, scheduler_runs_error_total, scheduler_runs_duration_seconds.
+- Trend charts for queue depth, runs per trigger, determinism score.
+- Alerts for planner lag, queue saturation, repeated error codes.
+
+Offline behavior
+- Snapshot banner shows staleness and disables SSE.
+- Manual run form produces CLI scripts for offline execution.
+- Evidence downloads default to local paths for transfer.
+- Tenants missing in the snapshot are hidden.

docs2/ui/sbom-explorer.md

@@ -0,0 +1,32 @@
+# SBOM Explorer
+
+Purpose
+- Browse SBOM catalogs and component inventories.
+- Apply overlays for vulnerabilities, reachability, and runtime usage.
+- Export deterministic SBOM bundles with evidence.
+
+Routes and scopes
+- /console/sbom and /console/sbom/:digest
+- sbom.read required; sbom.export for large exports; findings:read for explain.
+
+Key views
+- Catalog: searchable list of SBOMs with badges (attested, delta, snapshot).
+- Inventory: components with severity, supplier, license, and tags.
+- Usage: runtime usage overlays and entrypoint mapping.
+- Components: provenance timeline and evidence links.
+- Overlays: vulnerability, runtime, and vendor overlays with precedence metadata.
+- Explain: policy explanation and VEX references.
+- Exports: CycloneDX, SPDX, delta bundles, evidence bundles.
+
+Graph overlays
+- Dependency graph and optional runtime call graph overlays.
+- Depth controls and node limits for performance.
+- Exports to GraphML or JSON Lines when graph.export is granted.
+
+Offline posture
+- Reads from Offline Kit snapshots with staleness banners.
+- Exports queue locally and produce signed bundles.
+
+Related references
+- ui/sbom-graph-explorer.md
+- ui/reachability-overlays.md

docs2/ui/sbom-graph-explorer.md

@@ -0,0 +1,47 @@
+# SBOM graph explorer
+
+Purpose
+- Traverse components, dependencies, and overlays with deterministic filters.
+- Exports must include the overlay and filter set that produced them.
+
+Views and overlays
+- Inventory vs usage overlays for declared vs runtime-observed packages.
+- Reachability overlay highlights components reachable from entrypoints.
+- Policy overlay shows allow, deny, review verdicts with policy version.
+- VEX overlay marks components covered by claims and contested states.
+
+Filters
+- Package facets: ecosystem, name, version, license, supplier.
+- Reachability facets: entrypoint, call depth, evidence source.
+- Risk facets: severity, EPSS bucket, KEV flag, exploitability score.
+- Time facets: last-seen and last-scan timestamps.
+- Results are sorted deterministically by PURL then version.
+
+Saved views and exports
+- Saved views capture query, overlays, columns, sort, tenant, and graph_cache_epoch.
+- Exported NDJSON includes view_id, filters, overlays, results, and SHA-256 manifest.
+- Restoring a view warns when cache epochs differ.
+
+Interactions
+- Graph canvas supports zoom, pan, and node expansion with a max node cap.
+- Table panel stays in sync with canvas selection.
+- Details drawer shows PURL, provenance, and incoming or outgoing edges.
+- Search accepts PURL, package name, or CVE.
+
+Accessibility
+- Keyboard navigation across canvas, filters, table, and drawer.
+- Screen reader labels include overlay state.
+- High-contrast and reduced-motion modes are supported.
+
+Air-gap and caching
+- Offline bundles supply graph_cache_epoch for deterministic overlays.
+- Client cache invalidates on tenant switch or overlay version change.
+
+AOC visibility
+- Regulated tenants show an AOC enforced badge.
+- Exports include aoc=true flag when applicable.
+
+Related references
+- docs/api/graph.md
+- modules/graph.md
+- ui/reachability-overlays.md

docs2/ui/triage.md

@@ -0,0 +1,39 @@
+# Triage UX and state model
+
+The triage experience is narrative-first and proof-linked. It is designed to
+answer: can I ship, what blocks me, and what is the minimum safe change.
+
+Core concepts
+- Case: a finding tied to an asset and policy verdict.
+- Evidence: signed artifacts (SBOM, VEX, reachability, provenance).
+- Decision: signed, reversible action (mute, acknowledge, exception).
+- Snapshot: immutable inputs and outputs hash pair for smart diff.
+
+Layout and flow
+- Findings table for scanning and filters.
+- Case view with verdict banner, chips, and evidence rail.
+- Smart diff history for meaningful changes between snapshots.
+
+Deterministic UI model
+- State transitions are pure functions.
+- Side effects are explicit commands (HTTP, download, navigation).
+- Reducer outputs are replayable for debugging.
+
+Lanes and visibility
+- ACTIVE, BLOCKED, NEEDS_EXCEPTION.
+- MUTED_REACH, MUTED_VEX, COMPENSATED behind a toggle.
+
+Decisions
+- All decisions are signed and auditable.
+- Undo is a signed revoke, never a delete.
+- Decisions trigger new snapshots and re-evaluation.
+
+Performance and accessibility
+- Header loads first, evidence loads lazily.
+- ETag caching for case and evidence lists.
+- Keyboard-first navigation and screen reader parity.
+
+Related references
+- docs/ux/TRIAGE_UX_GUIDE.md
+- docs/ux/TRIAGE_UI_REDUCER_SPEC.md
+- docs/ui/triage.md

docs2/ui/vulnerability-explorer.md

@@ -0,0 +1,48 @@
+# Vulnerability explorer
+
+Purpose
+- Triage vulnerabilities with deterministic grouping, overlays, and exports.
+- Shared views must include data sources and overlays to prevent context loss.
+
+Table anatomy
+- Columns: CVE or alias, package PURL, version, severity, exploitability, reachability, VEX status, fix version, policy verdict, last seen.
+- Sorting: severity desc, exploitability desc, PURL, CVE.
+- Pagination is server-driven with stable cursors.
+
+Grouping and pivots
+- Group by package, CVE, image, or tenant.
+- Group summary includes severity counts and VEX disposition counts.
+- Why drawer explains grouping rules and data sources.
+
+Filters
+- Severity and exploitability (KEV, EPSS buckets, maturity).
+- Reachability states.
+- VEX status (affected, not_affected, under_investigation, disputed, contested).
+- Fix availability and policy verdict.
+- Staleness for SBOM, advisory, and VEX age.
+
+Why drawer
+- Shows data sources, overlay epochs, policy inputs, VEX claims, reachability evidence.
+- Includes correlation IDs and graph_cache_epoch.
+
+Fix suggestions
+- Fix chip shows nearest patched version and source.
+- Bulk fix export produces actions file with manifest hashes.
+- UI warns when fixes rely on contested or stale claims.
+
+Actions and triage
+- Multi-select for ticket creation, VEX waiver requests, SBOM diff exports.
+- Policy simulator opens with current overlays and can save staged views.
+
+Accessibility
+- Shortcuts: g for grouping, f for filters, w for Why drawer, / for search.
+- Screen reader labels include VEX and reachability state.
+
+Air-gap posture
+- Exports include overlays and cache epochs.
+- Offline bundles can replay triage views without network calls.
+
+Related references
+- ui/sbom-graph-explorer.md
+- docs/api/vuln.md
+- modules/graph.md