docs re-org, audit fixes, build fixes

docs/AGENTS.md

@@ -6,7 +6,7 @@
 - Only documentation and fixture assets live here; code changes belong to module repos and must be coordinated via the owning sprint.
 
 ## Required Reading (treat as read before DOING)
-- `docs/README.md` and `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
+- `docs/README.md` and `docs/ARCHITECTURE_REFERENCE.md`.
 - Module dossiers relevant to the document being edited (e.g., `docs/modules/advisory-ai/architecture.md`, `docs/modules/ui/architecture.md`, `docs/modules/airgap/architecture.md`, `docs/modules/platform/architecture-overview.md`).
 - Active sprint file: `docs/implplan/SPRINT_0301_0001_0001_docs_md_i.md` (Docs Tasks Md.I).
 

docs/ARCHITECTURE_OVERVIEW.md

@@ -1,17 +1,17 @@
-# Architecture Overview (High-Level)
-
+# Architecture Overview (High-Level)
+
 This document is the 10-minute tour for StellaOps: what components exist, how they fit together, and what "offline-first + deterministic + evidence-linked decisions" means in practice.
-
-For the full reference map (services, boundaries, detailed flows), see `docs/07_HIGH_LEVEL_ARCHITECTURE.md`.
-
-## Guiding Principles
-
-- **SBOM-first:** scan and reason over SBOMs; fall back to unpacking only when needed.
-- **Deterministic replay:** the same inputs yield the same outputs (stable ordering, canonical hashing, UTC timestamps).
-- **Evidence-linked decisions:** policy decisions link back to specific evidence artifacts (SBOM slices, advisory/VEX observations, reachability proofs, attestations).
-- **Aggregation-not-merge:** upstream advisories and VEX are stored and exposed with provenance; conflicts are visible, not silently collapsed.
-- **Offline-first:** the same workflow runs connected or air-gapped via Offline Kit snapshots and signed bundles.
-
+
+For the full reference map (services, boundaries, detailed flows), see `docs/ARCHITECTURE_REFERENCE.md`.
+
+## Guiding Principles
+
+- **SBOM-first:** scan and reason over SBOMs; fall back to unpacking only when needed.
+- **Deterministic replay:** the same inputs yield the same outputs (stable ordering, canonical hashing, UTC timestamps).
+- **Evidence-linked decisions:** policy decisions link back to specific evidence artifacts (SBOM slices, advisory/VEX observations, reachability proofs, attestations).
+- **Aggregation-not-merge:** upstream advisories and VEX are stored and exposed with provenance; conflicts are visible, not silently collapsed.
+- **Offline-first:** the same workflow runs connected or air-gapped via Offline Kit snapshots and signed bundles.
+
 ## System Map (What Runs)
 
 ```
@@ -23,9 +23,9 @@ At a high level, StellaOps is a set of services grouped by responsibility:
 - **Identity and authorization:** Authority (OIDC/OAuth2, scopes/tenancy)
 - **Scanning and SBOM:** Scanner WebService + Worker (facts generation)
 - **Advisories:** Concelier (ingest/normalize/export vulnerability sources)
-- **VEX:** Excititor + VEX Lens (VEX observations/linksets and exploration)
-- **Decisioning:** Policy Engine surfaces (lattice-style explainable policy)
-- **Signing and transparency:** Signer + Attestor (DSSE/in-toto and optional transparency)
+- **VEX:** Excititor + VEX Lens (VEX observations/linksets and exploration)
+- **Decisioning:** Policy Engine surfaces (lattice-style explainable policy)
+- **Signing and transparency:** Signer + Attestor (DSSE/in-toto and optional transparency)
 - **Orchestration and delivery:** Scheduler, Notify, Export Center
 - **Console:** Web UI for operators and auditors
 
@@ -38,18 +38,18 @@ At a high level, StellaOps is a set of services grouped by responsibility:
 | **Data plane** | PostgreSQL, Valkey, RustFS/object storage (optional NATS JetStream) | Canonical store, counters/queues, and artifact storage with deterministic layouts. |
 
 ## Infrastructure (What Is Required)
-
-**Required**
-
-- **PostgreSQL:** canonical persistent store for module schemas.
-- **Valkey:** Redis-compatible cache/streams and DPoP nonce store.
-- **RustFS (or equivalent S3-compatible store):** object storage for artifacts, bundles, and evidence.
-
-**Optional (deployment-dependent)**
-
-- **NATS JetStream:** optional messaging transport in some deployments.
-- **Transparency log services:** Rekor mirror (and CA services) when transparency is enabled.
-
+
+**Required**
+
+- **PostgreSQL:** canonical persistent store for module schemas.
+- **Valkey:** Redis-compatible cache/streams and DPoP nonce store.
+- **RustFS (or equivalent S3-compatible store):** object storage for artifacts, bundles, and evidence.
+
+**Optional (deployment-dependent)**
+
+- **NATS JetStream:** optional messaging transport in some deployments.
+- **Transparency log services:** Rekor mirror (and CA services) when transparency is enabled.
+
 ## End-to-End Flow (Typical)
 
 1. **Evidence enters** via Concelier and Excititor connectors (Aggregation-Only Contract).
@@ -58,12 +58,12 @@ At a high level, StellaOps is a set of services grouped by responsibility:
 4. **Policy Engine** merges advisories, VEX, and inventory/usage facts; emits explain traces and stable dispositions.
 5. **Signer + Attestor** wrap outputs into DSSE bundles and (optionally) anchor them in a Rekor mirror.
 6. **Console/CLI/Export** surface findings and package verifiable evidence; Notify emits digests/incidents.
-
+
 ## Extension Points (Where You Customize)
-
-- **Scanner analyzers** (restart-time plug-ins) for ecosystem-specific parsing and facts extraction.
-- **Concelier connectors** for new advisory sources (preserving aggregation-only guardrails).
-- **Policy packs** for organization-specific gating and waivers/justifications.
+
+- **Scanner analyzers** (restart-time plug-ins) for ecosystem-specific parsing and facts extraction.
+- **Concelier connectors** for new advisory sources (preserving aggregation-only guardrails).
+- **Policy packs** for organization-specific gating and waivers/justifications.
 - **Export profiles** for output formats and offline bundle shapes.
 
 ## Offline & Sovereign Notes
@@ -73,8 +73,8 @@ At a high level, StellaOps is a set of services grouped by responsibility:
 - Attestor can cache transparency proofs for offline verification.
 
 ## References
-
-- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/24_OFFLINE_KIT.md`
-- `docs/09_API_CLI_REFERENCE.md`
-- `docs/modules/platform/architecture-overview.md`
+
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `docs/OFFLINE_KIT.md`
+- `docs/API_CLI_REFERENCE.md`
+- `docs/modules/platform/architecture-overview.md`

docs/ARCHITECTURE_REFERENCE.md

@@ -3,7 +3,7 @@
 This document is the canonical index for StellaOps architecture.
 It is intentionally a map, not a full re-statement of every module dossier.
 
-If you want a short walkthrough, start with `docs/40_ARCHITECTURE_OVERVIEW.md`.
+If you want a short walkthrough, start with `docs/ARCHITECTURE_OVERVIEW.md`.
 
 ## How the docs are organized
 
@@ -90,7 +90,7 @@ Tenancy and identity context are part of the platform contract:
 ## APIs and CLI reference
 
 Canonical entry points:
-- API and CLI reference hub: `docs/09_API_CLI_REFERENCE.md`
+- API and CLI reference hub: `docs/API_CLI_REFERENCE.md`
 - API conventions (headers, errors, pagination, determinism): `docs/api/overview.md`
 - API contracts and samples: `docs/api/`
 - CLI command guides: `docs/modules/cli/guides/commands/`
@@ -98,15 +98,15 @@ Canonical entry points:
 ## Offline, verification, and operations
 
 Canonical entry points:
-- Offline Kit: `docs/24_OFFLINE_KIT.md`
-- Security hardening: `docs/17_SECURITY_HARDENING_GUIDE.md`
-- Installation guide: `docs/21_INSTALL_GUIDE.md`
+- Offline Kit: `docs/OFFLINE_KIT.md`
+- Security hardening: `docs/SECURITY_HARDENING_GUIDE.md`
+- Installation guide: `docs/INSTALL_GUIDE.md`
 - Ops and runbooks: `docs/operations/`, `docs/modules/*/operations/`
 
 ## Data and schemas
 
 Use these as the canonical map for schemas and contracts:
-- Data schemas (high-level index): `docs/11_DATA_SCHEMAS.md`
+- Data schemas (high-level index): `docs/DATA_SCHEMAS.md`
 - Database specifications: `docs/db/`
 - Events (schemas + samples): `docs/events/`
 
@@ -114,5 +114,5 @@ Use these as the canonical map for schemas and contracts:
 
 - Product overview: `docs/overview.md`
 - Key features: `docs/key-features.md`
-- Roadmap (internal): `docs/05_ROADMAP.md`
-- Glossary: `docs/14_GLOSSARY_OF_TERMS.md`
+- Roadmap (internal): `docs/ROADMAP.md`
+- Glossary: `docs/GLOSSARY.md`

docs/CONCELIER_CLI_QUICKSTART.md

@@ -8,8 +8,8 @@ This quickstart gets an operator to a working advisory ingestion loop:
 This document stays high level and defers detailed configuration and connector behavior to the Concelier module dossier.
 
 ## 1) Prerequisites
-- Deployment: follow `docs/21_INSTALL_GUIDE.md` (Compose profiles under `deploy/compose/`).
-- Offline/air-gap: follow `docs/24_OFFLINE_KIT.md` and `docs/airgap/overview.md`.
+- Deployment: follow `docs/INSTALL_GUIDE.md` (Compose profiles under `deploy/compose/`).
+- Offline/air-gap: follow `docs/OFFLINE_KIT.md` and `docs/airgap/overview.md`.
 - Local dev (optional): .NET SDK version pinned by `global.json`.
 
 ## 2) Run Concelier
@@ -18,7 +18,7 @@ This document stays high level and defers detailed configuration and connector b
 Use the deterministic Compose profiles under `deploy/compose/` and enable Concelier in the selected profile.
 
 Start here:
-- `docs/21_INSTALL_GUIDE.md`
+- `docs/INSTALL_GUIDE.md`
 - `docs/modules/concelier/operations/`
 
 ### Option B: Run the service from source (dev/debug)
@@ -99,4 +99,4 @@ For read-only inspection (list/get/export), use:
 - Concelier module dossier: `docs/modules/concelier/README.md`
 - Concelier operations: `docs/modules/concelier/operations/`
 - CLI command guides: `docs/modules/cli/guides/commands/`
-- API + CLI reference index: `docs/09_API_CLI_REFERENCE.md`
+- API + CLI reference index: `docs/API_CLI_REFERENCE.md`

docs/DEVELOPER_ONBOARDING.md

@@ -20,8 +20,8 @@
 StellaOps is a deterministic, offline-first SBOM + VEX platform built as a microservice architecture. The system is designed so every verdict can be replayed from concrete evidence (SBOM slices, advisory/VEX observations, policy decision traces, and optional attestations).
 
 ### Canonical references
-- Architecture overview (10-minute tour): `docs/40_ARCHITECTURE_OVERVIEW.md`
-- High-level reference map: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- Architecture overview (10-minute tour): `docs/ARCHITECTURE_OVERVIEW.md`
+- High-level reference map: `docs/ARCHITECTURE_REFERENCE.md`
 - Detailed architecture index: `docs/technical/architecture/README.md`
   - Topology: `docs/technical/architecture/platform-topology.md`
   - Infrastructure: `docs/technical/architecture/infrastructure-dependencies.md`
@@ -170,7 +170,7 @@ Canonical guide:
 
 Related references:
 - Compose profiles: `deploy/compose/README.md`
-- Install guide: `docs/21_INSTALL_GUIDE.md`
+- Install guide: `docs/INSTALL_GUIDE.md`
 - Service-specific runbooks: `docs/modules/<module>/operations/`
 ## Service-by-Service Debugging Guide
 
@@ -711,10 +711,10 @@ sudo docker compose -f docker-compose.dev.yaml up -d
 
 ### Key Documentation
 
-- **Architecture:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- **Architecture:** `docs/ARCHITECTURE_REFERENCE.md`
 - **Build Commands:** `CLAUDE.md`
 - **Database Spec:** `docs/db/SPECIFICATION.md`
-- **API Reference:** `docs/09_API_CLI_REFERENCE.md`
+- **API Reference:** `docs/API_CLI_REFERENCE.md`
 - **Module Architecture:** `docs/modules/<module>/architecture.md`
 
 ### Support

docs/FAQ_MATRIX.md

@@ -6,20 +6,20 @@
 | --- | --- |
 | What is StellaOps? | A sovereign, offline-first container-security platform focused on deterministic, replayable evidence: SBOMs, advisories, VEX, policy decisions, and attestations bound to image digests. |
 | What makes it "deterministic"? | The same inputs produce the same outputs (stable ordering, stable IDs, replayable artifacts). Determinism is treated as a product feature and enforced by tests and fixtures. |
-| Does it run fully offline? | Yes. Offline operation is a first-class workflow (bundles, mirrors, importer/controller). See `docs/24_OFFLINE_KIT.md` and `docs/airgap/overview.md`. |
+| Does it run fully offline? | Yes. Offline operation is a first-class workflow (bundles, mirrors, importer/controller). See `docs/OFFLINE_KIT.md` and `docs/airgap/overview.md`. |
 | Which formats are supported? | SBOMs: SPDX 3.0.1 and CycloneDX 1.7 (1.6 backward compatible). VEX: OpenVEX-first decisioning with issuer trust and consensus. Attestations: in-toto/DSSE where enabled. |
-| How do I deploy it? | Use deterministic bundles under `deploy/` (Compose/Helm) with digests sourced from `deploy/releases/`. Start with `docs/21_INSTALL_GUIDE.md`. |
+| How do I deploy it? | Use deterministic bundles under `deploy/` (Compose/Helm) with digests sourced from `deploy/releases/`. Start with `docs/INSTALL_GUIDE.md`. |
 | How do policy gates work? | Policy combines VEX-first inputs with lattice/precedence rules so outcomes are stable and explainable. See `docs/policy/vex-trust-model.md`. |
 | Is multi-tenancy supported? | Yes; tenancy boundaries and roles/scopes are documented and designed to support regulated environments. See `docs/security/tenancy-overview.md` and `docs/security/scopes-and-roles.md`. |
 | Can I extend it? | Yes: connectors, plugins, and policy packs are designed to be composable without losing determinism. Start with module dossiers under `docs/modules/`. |
-| Where is the roadmap? | `docs/05_ROADMAP.md` (priority bands + definition of "done"). |
+| Where is the roadmap? | `docs/ROADMAP.md` (priority bands + definition of "done"). |
 | Where do I find deeper docs? | `docs/technical/README.md` is the detailed index; `docs/modules/` contains per-module dossiers. |
 
 ## Further reading
-- Vision: `docs/03_VISION.md`
-- Feature matrix: `docs/04_FEATURE_MATRIX.md`
-- Architecture overview: `docs/40_ARCHITECTURE_OVERVIEW.md`
-- High-level architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- Offline kit: `docs/24_OFFLINE_KIT.md`
-- Install guide: `docs/21_INSTALL_GUIDE.md`
+- Vision: `docs/VISION.md`
+- Feature matrix: `docs/FEATURE_MATRIX.md`
+- Architecture overview: `docs/ARCHITECTURE_OVERVIEW.md`
+- High-level architecture: `docs/ARCHITECTURE_REFERENCE.md`
+- Offline kit: `docs/OFFLINE_KIT.md`
+- Install guide: `docs/INSTALL_GUIDE.md`
 - Quickstart: `docs/quickstart.md`

docs/GOVERNANCE.md

@@ -49,7 +49,7 @@ Approval is recorded via Git forge review or a signed commit trailer
 
 * Every tag is **co‑signed by at least one Security Maintainer**.  
 * CI emits a **signed SPDX SBOM** + **Cosign provenance**.  
-* Release cadence is fixed – see [Release Engineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md).  
+* Release cadence is fixed – see [Release Engineering Playbook](RELEASE_ENGINEERING_PLAYBOOK.md).  
 * Security fixes may create out‑of‑band `x.y.z‑hotfix` tags.
 
 ---
@@ -59,8 +59,8 @@ Approval is recorded via Git forge review or a signed commit trailer
 | Situation | Escalation |
 |-----------|------------|
 | Technical deadlock | **Maintainer Summit** (recorded & published) |
-| Security bug | Follow [Security Policy](13_SECURITY_POLICY.md) |
-| Code of Conduct violation | See `12_CODE_OF_CONDUCT.md` escalation ladder |
+| Security bug | Follow [Security Policy](SECURITY_POLICY.md) |
+| Code of Conduct violation | See `CODE_OF_CONDUCT.md` escalation ladder |
 
 ---
 

docs/README.md

@@ -4,7 +4,7 @@ StellaOps is a deterministic, offline-first container security platform: every v
 
 ## Two Levels of Documentation
 
-- **High-level (canonical):** the curated guides in `docs/*.md` (usually numbered).
+- **High-level (canonical):** the curated guides in `docs/*.md`.
 - **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). The entry point is `docs/technical/README.md`.
 
 This documentation set is internal and does not keep compatibility stubs for old paths. Content is consolidated to reduce duplication and outdated pages.
@@ -13,23 +13,23 @@ This documentation set is internal and does not keep compatibility stubs for old
 
 | Goal | Open this |
 | --- | --- |
-| Understand the product in 2 minutes | [overview.md](/docs/overview/) |
-| Run a first scan (CLI) | [quickstart.md](/docs/quickstart/) |
-| Browse capabilities | [key-features.md](/docs/key-features/) |
-| Roadmap (priorities + definition of "done") | [05_ROADMAP.md](/docs/05_roadmap/) |
-| Architecture: high-level overview | [40_ARCHITECTURE_OVERVIEW.md](/docs/40_architecture_overview/) |
-| Architecture: full reference map | [07_HIGH_LEVEL_ARCHITECTURE.md](/docs/07_high_level_architecture/) |
-| Architecture: user flows (UML) | [technical/architecture/user-flows.md](/docs/technical/architecture/user-flows/) |
-| Architecture: module matrix (46 modules) | [technical/architecture/module-matrix.md](/docs/technical/architecture/module-matrix/) |
-| Architecture: data flows | [technical/architecture/data-flows.md](/docs/technical/architecture/data-flows/) |
-| Architecture: schema mapping | [technical/architecture/schema-mapping.md](/docs/technical/architecture/schema-mapping/) |
-| Offline / air-gap operations | [24_OFFLINE_KIT.md](/docs/24_offline_kit/) |
-| Security deployment hardening | [17_SECURITY_HARDENING_GUIDE.md](/docs/17_security_hardening_guide/) |
-| Ingest advisories (Concelier + CLI) | [10_CONCELIER_CLI_QUICKSTART.md](/docs/10_concelier_cli_quickstart/) |
-| Develop plugins/connectors | [10_PLUGIN_SDK_GUIDE.md](/docs/10_plugin_sdk_guide/) |
-| Console (Web UI) operator guide | [15_UI_GUIDE.md](/docs/15_ui_guide/) |
-| VEX consensus and issuer trust | [16_VEX_CONSENSUS_GUIDE.md](/docs/16_vex_consensus_guide/) |
-| Vulnerability Explorer guide | [20_VULNERABILITY_EXPLORER_GUIDE.md](/docs/20_vulnerability_explorer_guide/) |
+| Understand the product in 2 minutes | [overview.md](overview.md) |
+| Run a first scan (CLI) | [quickstart.md](quickstart.md) |
+| Browse capabilities | [key-features.md](key-features.md) |
+| Roadmap (priorities + definition of "done") | [ROADMAP.md](ROADMAP.md) |
+| Architecture: high-level overview | [ARCHITECTURE_OVERVIEW.md](ARCHITECTURE_OVERVIEW.md) |
+| Architecture: full reference map | [ARCHITECTURE_REFERENCE.md](ARCHITECTURE_REFERENCE.md) |
+| Architecture: user flows (UML) | [technical/architecture/user-flows.md](technical/architecture/user-flows.md) |
+| Architecture: module matrix (46 modules) | [technical/architecture/module-matrix.md](technical/architecture/module-matrix.md) |
+| Architecture: data flows | [technical/architecture/data-flows.md](technical/architecture/data-flows.md) |
+| Architecture: schema mapping | [technical/architecture/schema-mapping.md](technical/architecture/schema-mapping.md) |
+| Offline / air-gap operations | [OFFLINE_KIT.md](OFFLINE_KIT.md) |
+| Security deployment hardening | [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md) |
+| Ingest advisories (Concelier + CLI) | [CONCELIER_CLI_QUICKSTART.md](CONCELIER_CLI_QUICKSTART.md) |
+| Develop plugins/connectors | [PLUGIN_SDK_GUIDE.md](PLUGIN_SDK_GUIDE.md) |
+| Console (Web UI) operator guide | [UI_GUIDE.md](UI_GUIDE.md) |
+| VEX consensus and issuer trust | [VEX_CONSENSUS_GUIDE.md](VEX_CONSENSUS_GUIDE.md) |
+| Vulnerability Explorer guide | [VULNERABILITY_EXPLORER_GUIDE.md](VULNERABILITY_EXPLORER_GUIDE.md) |
 
 ## Detailed Indexes
 

docs/TEST_SUITE_OVERVIEW.md

@@ -242,7 +242,7 @@ flowchart LR
 
 1. Extend `scripts/dev-test.sh` so local contributors get the layer by default.
 2. Add a dedicated workflow in `.gitea/workflows/` (or GitLab job in `.gitlab-ci.yml`).
-3. Register the job in `docs/19_TEST_SUITE_OVERVIEW.md` *and* list its metric
+3. Register the job in `docs/TEST_SUITE_OVERVIEW.md` *and* list its metric
    in `docs/metrics/README.md`.
 4. If the test requires network isolation, inherit from `NetworkIsolatedTestBase`.
 5. If the test uses golden corpus, add cases to `bench/golden-corpus/`.
@@ -251,11 +251,12 @@ flowchart LR
 
 ## Related Documentation
 
-- [Sprint Epic 5100 - Testing Strategy](implplan/SPRINT_5100_0000_0000_epic_summary.md)
 - [Testing Strategy Models](testing/testing-strategy-models.md)
 - [Test Catalog](testing/TEST_CATALOG.yml)
+- [Testing README](testing/README.md) - Complete testing documentation index
+- [CI/CD Test Strategy](cicd/test-strategy.md) - CI/CD integration details
 - [tests/AGENTS.md](../tests/AGENTS.md)
-- [Offline Operation Guide](24_OFFLINE_KIT.md)
+- [Offline Operation Guide](OFFLINE_KIT.md)
 - [Module Architecture Dossiers](modules/)
 
 ---

docs/contributing/canonicalization-determinism.md

@@ -325,7 +325,7 @@ Before submitting a PR that involves digests or attestations:
 
 - [docs/testing/schemas/determinism-manifest.schema.json](../testing/schemas/determinism-manifest.schema.json) - JSON Schema for manifests
 - [docs/modules/policy/design/policy-determinism-tests.md](../modules/policy/design/policy-determinism-tests.md) - Policy engine determinism
-- [docs/19_TEST_SUITE_OVERVIEW.md](../19_TEST_SUITE_OVERVIEW.md) - Testing strategy
+- [docs/TEST_SUITE_OVERVIEW.md](../TEST_SUITE_OVERVIEW.md) - Testing strategy
 
 ---
 

docs/full-features-list.md

@@ -3,7 +3,7 @@
 > **Comprehensive table of every capability in the platform.**
 >
 > For competitive differentiation highlights, see [`key-features.md`](key-features.md).
-> For tier-based pricing details, see [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md).
+> For tier-based pricing details, see [`FEATURE_MATRIX.md`](FEATURE_MATRIX.md).
 
 ---
 

docs/implplan/SPRINT_20260104_001_BE_determinism_timeprovider_injection.md

@@ -142,6 +142,16 @@ services.AddSingleton<IGuidProvider, SystemGuidProvider>();
 | 2026-01-04 | DET-019 complete: Scanner.WebService refactored - 12 endpoint/service files (EpssEndpoints, EvidenceEndpoints, SmartDiffEndpoints, UnknownsEndpoints, WitnessEndpoints, TriageInboxEndpoints, ProofBundleEndpoints, ReportSigner, ScoreReplayService, TestManifestRepository, SliceQueryService, UnifiedEvidenceService) plus dependency fixes in Scanner.Sources (SourceTriggerDispatcher, SourceContracts) and Scanner.WebService (EvidenceBundleExporter, GatingReasonService). All builds verified. | Agent |
 | 2026-01-04 | DET-020 in progress: Scanner.Analyzers.Native hardening extractors refactored - ElfHardeningExtractor, MachoHardeningExtractor, PeHardeningExtractor with TimeProvider injection. OfflineBuildIdIndex refactored. Build verified. RuntimeCapture adapters (LinuxEbpfCaptureAdapter, MacOsDyldCaptureAdapter, WindowsEtwCaptureAdapter) pending - require TimeProvider and IGuidProvider injection for 18+ usages across eBPF/DYLD/ETW tracing. | Agent |
 | 2026-01-04 | DET-020 complete: RuntimeCapture adapters refactored - LinuxEbpfCaptureAdapter, MacOsDyldCaptureAdapter, WindowsEtwCaptureAdapter with TimeProvider and IGuidProvider injection (SessionId, StartTime, EndTime, Timestamp fields). RuntimeEvidenceAggregator.MergeWithStaticAnalysis updated with optional TimeProvider parameter. StackTraceCapture.CollapsedStack.Parse updated with optional TimeProvider parameter. Added StellaOps.Determinism.Abstractions reference to project. All builds verified. | Agent |
+| 2026-01-06 | DET-021(d) continued: Cryptography.Kms module refactored - AwsKmsClient, GcpKmsClient, FileKmsClient (6 usages), Pkcs11KmsClient, Pkcs11Facade, GcpKmsFacade, AwsKmsFacade, Fido2KmsClient, Fido2Options with TimeProvider injection. Removed unnecessary TimeProvider.Abstractions package (built into .NET 10). All builds verified. | Agent |
+| 2026-01-06 | DET-021 continued: SbomService module refactored - Clock.cs (SystemClock delegates to TimeProvider), LineageGraphService, SbomLineageEdgeRepository, PostgresOrchestratorRepository, InMemoryOrchestratorRepository, ReplayVerificationService, LineageCompareService, LineageExportService, LineageHoverCache, RegistrySourceService, OrchestratorControlService, WatermarkService. DTOs changed from default timestamps to required fields. All builds verified. | Agent |
+| 2026-01-06 | DET-021 continued: Findings module refactored - LedgerEventMapping (TimeProvider parameter), Program.cs (TimeProvider injection), EvidenceGraphBuilder (TimeProvider constructor). Fixed pre-existing null reference issue in FindingWorkflowService.cs. All builds verified. | Agent |
+| 2026-01-06 | DET-021 continued: Notify module refactored - InMemoryRepositories.cs (15 repository adapters: Channel, Rule, Template, Delivery, Digest, Lock, EscalationPolicy, EscalationState, OnCallSchedule, QuietHours, MaintenanceWindow, Inbox with TimeProvider constructors). All builds verified. | Agent |
+| 2026-01-06 | DET-021 continued: ExportCenter module refactored - LineageEvidencePackService (12 usages), ExportRetentionService (1 usage), InMemorySchedulingStores (1 usage), ExportVerificationModels (VerifiedAt made required), ExportVerificationService (TimeProvider constructor + Failed factory calls), ExceptionReportGenerator (4 usages). All builds verified. | Agent |
+| 2026-01-07 | DET-021 continued: Orchestrator module refactored - Infrastructure/Postgres repositories (PostgresPackRunRepository, PostgresPackRegistryRepository, PostgresQuotaRepository, PostgresRunRepository, PostgresSourceRepository, PostgresThrottleRepository, PostgresWatermarkRepository with TimeProvider constructors and usage updates). WebService/Endpoints (HealthEndpoints, KpiEndpoints with TimeProvider injection via [FromServices]). Domain records (IBackfillRepository/BackfillCheckpoint.Create/Complete/Fail methods now accept timestamps). All DateTimeOffset.UtcNow usages in production Postgres/Endpoint code eliminated. Remaining: CLI module (~100 usages), Policy.Gateway module (~50 usages). | Agent |
+| 2026-01-07 | DET-021 continued: CLI module critical verifiers refactored - ForensicVerifier.cs (TimeProvider constructor, 2 usages updated), ImageAttestationVerifier.cs (TimeProvider constructor, 7 usages updated for verification timestamps and max age checks). Note: Pre-existing build errors in Policy.Tools and Scanner.Analyzers.Lang.Python unrelated to determinism changes. Further CLI refactoring deferred - large scope (~90+ remaining usages across 30+ files in short-lived CLI process). | Agent |
+| 2026-01-07 | DET-021 continued: Policy.Gateway module refactored - ExceptionEndpoints.cs (10 DateTimeOffset.UtcNow usages across 6 endpoints: POST, PUT, approve, activate, extend, revoke), GateEndpoints.cs (3 usages: evaluate endpoint + health check), GovernanceEndpoints.cs (9 usages across sealed mode + risk profile handlers, plus RecordAudit helper), RegistryWebhookEndpoints.cs (3 usages: Docker, Harbor, generic webhook handlers), ExceptionApprovalEndpoints.cs (2 usages: CreateApprovalRequestAsync), InMemoryGateEvaluationQueue.cs (constructor + 2 usages). All handlers now use TimeProvider via [FromServices] or constructor injection. Note: InitializeDefaultProfiles() static initializer retained DateTimeOffset.UtcNow for bootstrap/seed data - acceptable for one-time startup code. | Agent |
+| 2026-01-07 | DET-021 continued: Policy.Registry module refactored - InMemoryPolicyPackStore.cs (TimeProvider constructor, 4 usages: CreateAsync, UpdateAsync, UpdateStatusAsync, AddHistoryEntry), InMemorySnapshotStore.cs (TimeProvider constructor, 1 usage), InMemoryVerificationPolicyStore.cs (TimeProvider constructor, 2 usages: CreateAsync, UpdateAsync), InMemoryOverrideStore.cs (TimeProvider constructor, 2 usages: CreateAsync, ApproveAsync), InMemoryViolationStore.cs (TimeProvider constructor, 2 usages: AppendAsync, AppendBatchAsync). All builds verified. | Agent |
+| 2026-01-07 | DET-021 continued: Policy.Engine module refactored - InMemoryExceptionRepository.cs (TimeProvider constructor, 2 usages: RevokeAsync, ExpireAsync), InMemoryPolicyPackRepository.cs (TimeProvider constructor, 6 usages across CreateAsync, UpsertRevisionAsync, StoreBundleAsync). Remaining Policy.Engine usages in domain models (TenantContextModels, EvidenceBundle, ExceptionMapper), telemetry services (MigrationTelemetryService, EwsTelemetryService), and complex services (PoEValidationService, PolicyMergePreviewService, VerdictLinkService, RiskProfileConfigurationService) require additional pattern decisions - some are default property initializers requiring schema-level changes. All modified files build verified. | Agent |
 
 ## Decisions & Risks
 - **Decision:** Defer determinism refactoring from MAINT audit to dedicated sprint for focused, systematic approach.

docs/install/docker.md

@@ -3,7 +3,7 @@
 > **Audience:** Deployment Guild, Console Guild, platform operators.  
 > **Scope:** Acquire the `stellaops/web-ui` image, run it with Compose or Helm, mirror it for air‑gapped environments, and keep parity with CLI workflows.
 
-This guide focuses on the new **StellaOps Console** container. Start with the general [Installation Guide](../21_INSTALL_GUIDE.md) for shared prerequisites (Docker, registry access, TLS) and use the steps below to layer in the console.
+This guide focuses on the new **StellaOps Console** container. Start with the general [Installation Guide](../INSTALL_GUIDE.md) for shared prerequisites (Docker, registry access, TLS) and use the steps below to layer in the console.
 
 ---
 
@@ -205,7 +205,7 @@ Track progress for the CLI commands via `DOCS-CONSOLE-23-014` (CLI vs UI parity
 - `deploy/helm/stellaops/values-*.yaml` – Helm defaults per environment.  
 - `/docs/deploy/console.md` – Detailed environment variables, CSP, health checks.  
 - `/docs/security/console-security.md` – Auth flows, scopes, DPoP, monitoring.  
-- `docs/15_UI_GUIDE.md` – Console workflows and offline posture.
+- `docs/UI_GUIDE.md` – Console workflows and offline posture.
 
 ---
 

docs/key-features.md

@@ -2,7 +2,7 @@
 
 > **Core Thesis:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation.
 
-> **Looking for the complete feature catalog?** See [`full-features-list.md`](full-features-list.md) for the comprehensive list of all platform capabilities, or [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md) for tier-by-tier availability.
+> **Looking for the complete feature catalog?** See [`full-features-list.md`](full-features-list.md) for the comprehensive list of all platform capabilities, or [`FEATURE_MATRIX.md`](FEATURE_MATRIX.md) for tier-by-tier availability.
 
 ---
 
@@ -266,7 +266,7 @@ Layer 3 (Runtime): eBPF probe confirms function was actually executed
 
 **Why it matters:** Regression-proof audits. Evidence, not assumptions, drives releases.
 
-**Reference:** `docs/testing/testing-strategy-models.md`, `docs/19_TEST_SUITE_OVERVIEW.md`
+**Reference:** `docs/testing/testing-strategy-models.md`, `docs/TEST_SUITE_OVERVIEW.md`
 
 ---
 
@@ -299,6 +299,6 @@ stella scan --offline --image <digest>
 - **Competitive Landscape**: `docs/market/competitive-landscape.md`
 - **Moat Strategy**: `docs/market/moat-strategy-summary.md`
 - **Proof Architecture**: `docs/modules/platform/proof-driven-moats-architecture.md`
-- **Vision**: `docs/03_VISION.md`
-- **Architecture Overview**: `docs/40_ARCHITECTURE_OVERVIEW.md`
+- **Vision**: `docs/VISION.md`
+- **Architecture Overview**: `docs/ARCHITECTURE_OVERVIEW.md`
 - **Quickstart**: `docs/quickstart.md`

docs/market/competitive-landscape.md

@@ -132,8 +132,8 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
 - Engineering: ensure new features keep determinism + sovereign crypto front-and-center; link reachability attestations into proof graph.
 
 ## Cross-links
-- Vision: `docs/03_VISION.md` (Moats section)
-- Architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- Vision: `docs/VISION.md` (Moats section)
+- Architecture: `docs/ARCHITECTURE_REFERENCE.md`
 - Reachability moat details: `docs/reachability/lead.md`
 - Source advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
 - **Claims Citation Index**: [`docs/market/claims-citation-index.md`](claims-citation-index.md)

docs/moat.md

@@ -383,7 +383,7 @@ Produce **entrypoint‑aware differential SBOMs** and continually **re‑enrich*
 {
   "schema":"cyclonedx+stella-diff@1.0",
   "base_sbom":"sha256:...",
-  "entrypoint": ["/app/bin/Release/net8.0/app.dll"],
+  "entrypoint": ["/app/bin/Release/net10.0/app.dll"],
   "cmd": ["--urls","http://127.0.0.1:8080"], 
   "static_reachable": ["pkg:nuget/Kestrel@*", "pkg:nuget/System.Data@*"],
   "runtime_observed": ["pkg:rpm/openssl@3.0.9"],

docs/modules/_template/AGENTS.md

@@ -0,0 +1,57 @@
+# <Module Name> - AI Agent Instructions
+
+> Instructions for AI agents (Claude Code, GitHub Copilot, etc.) working on this module.
+
+## Module Context
+
+- **Primary Language**: C# (.NET 10)
+- **Project Type**: Library / WebService / Worker
+- **Test Framework**: xUnit with Testcontainers
+
+## Key Files
+
+| File | Purpose |
+|------|---------|
+| `src/<Module>/__Libraries/StellaOps.<Module>.Core/` | Core business logic |
+| `src/<Module>/StellaOps.<Module>.WebService/Program.cs` | Service entry point |
+| `src/<Module>/__Tests/` | Test projects |
+
+## Common Tasks
+
+### Adding a New Feature
+1. Start with the interface in `*.Core`
+2. Implement in the appropriate layer
+3. Add tests in the corresponding `*.Tests` project
+4. Update API contracts if WebService
+
+### Fixing a Bug
+1. Write a failing test first
+2. Fix the implementation
+3. Verify all related tests pass
+
+## Patterns to Follow
+
+- **Dependency Injection**: All dependencies via constructor injection
+- **Async/Await**: Propagate CancellationToken through all async chains
+- **Error Handling**: Use Result<T> pattern, not exceptions for expected failures
+- **Logging**: Structured logging with semantic properties
+
+## Anti-Patterns to Avoid
+
+- Direct `new HttpClient()` - use IHttpClientFactory
+- `DateTime.UtcNow` - use TimeProvider injection
+- `Guid.NewGuid()` - use IGuidGenerator injection
+- Culture-sensitive string operations - use InvariantCulture
+
+## Testing Requirements
+
+- Unit tests for all public APIs
+- Integration tests for database operations
+- Snapshot tests for serialization
+- All tests must be deterministic
+
+## Related Documentation
+
+- [Architecture](./architecture.md)
+- [CLAUDE.md](../../../CLAUDE.md) - Global coding rules
+- [src/__Tests/AGENTS.md](../../../src/__Tests/AGENTS.md) - Test infrastructure

docs/modules/_template/README.md

@@ -0,0 +1,62 @@
+# <Module Name>
+
+> One-line description of what this module does.
+
+## Purpose
+
+A brief paragraph (2-3 sentences) explaining the module's purpose, its primary responsibility, and why it exists in the StellaOps platform.
+
+## Quick Links
+
+- [Architecture](./architecture.md) - Technical design and implementation details
+- [Operations](./operations/) - Operational runbooks and dashboards
+- [API Reference](./api/) - API documentation (if applicable)
+
+## Status
+
+| Attribute | Value |
+|-----------|-------|
+| **Maturity** | Production / Beta / Alpha |
+| **Last Reviewed** | YYYY-MM-DD |
+| **Maintainer** | Guild/Team Name |
+
+## Key Features
+
+- Feature 1: Brief description
+- Feature 2: Brief description
+- Feature 3: Brief description
+
+## Dependencies
+
+### Upstream (this module depends on)
+- **Authority** - Authentication and authorization
+- **Other Module** - Why this dependency exists
+
+### Downstream (modules that depend on this)
+- **Other Module** - How they use this module
+
+## Quick Start
+
+```csharp
+// Minimal code example showing how to use this module
+var builder = Host.CreateApplicationBuilder(args);
+builder.Services.Add<ModuleName>Services();
+```
+
+## Configuration
+
+```yaml
+# Minimal configuration example
+module_name:
+  setting_1: value
+  setting_2: value
+```
+
+## Related Documentation
+
+- [Implementation Guides](../../<category>/) - If applicable
+- [Related Module](../other-module/) - Cross-references
+
+## Notes
+
+Any important caveats, migration notes, or known issues.

docs/modules/_template/architecture.md

@@ -0,0 +1,98 @@
+# <Module Name> Architecture
+
+> Technical architecture specification for <Module Name>.
+
+## Overview
+
+High-level description of the module's architecture and how it fits into the StellaOps platform.
+
+## Design Principles
+
+1. **Principle 1** - Description of how this module follows or implements this principle
+2. **Principle 2** - Description
+3. **Principle 3** - Description
+
+## Components
+
+```
+<module-name>/
+├── __Libraries/
+│   ├── StellaOps.<ModuleName>.Core/        # Core business logic
+│   ├── StellaOps.<ModuleName>.Storage/     # Data persistence (if applicable)
+│   └── StellaOps.<ModuleName>.Client/      # Client SDK (if applicable)
+├── StellaOps.<ModuleName>.WebService/      # HTTP API (if applicable)
+├── StellaOps.<ModuleName>.Worker/          # Background processing (if applicable)
+└── __Tests/
+    └── StellaOps.<ModuleName>.*.Tests/     # Test projects
+```
+
+## Data Flow
+
+```
+[Input Source] → [Processing] → [Output/Storage]
+```
+
+Describe the primary data flow through this module.
+
+## Key Abstractions
+
+### Interface 1
+```csharp
+public interface I<Something>
+{
+    Task<Result> DoSomethingAsync(Input input, CancellationToken ct);
+}
+```
+
+Purpose and usage of this interface.
+
+### Interface 2
+```csharp
+public interface I<SomethingElse>
+{
+    // ...
+}
+```
+
+Purpose and usage.
+
+## Database Schema (if applicable)
+
+| Table | Purpose |
+|-------|---------|
+| `schema.table_1` | Description |
+| `schema.table_2` | Description |
+
+## Invariants
+
+Non-negotiable design constraints that must always be maintained:
+
+1. **Invariant 1** - Description and why it matters
+2. **Invariant 2** - Description
+3. **Invariant 3** - Description
+
+## Error Handling
+
+How errors are handled, propagated, and logged in this module.
+
+## Observability
+
+- **Metrics**: Key metrics exposed by this module
+- **Traces**: OpenTelemetry trace spans
+- **Logs**: Structured logging patterns
+
+## Security Considerations
+
+Security-relevant aspects of this module's design.
+
+## Performance Characteristics
+
+- Expected throughput
+- Latency budgets
+- Resource constraints
+
+## References
+
+- [Module README](./README.md)
+- [API Documentation](./api/)
+- [Operations Guide](./operations/)

docs/modules/platform/README.md

@@ -17,7 +17,7 @@ Platform module describes cross-cutting architecture, contracts, and guardrails
 ## Key components
 - Architecture overview in `architecture-overview.md`.
 - Platform architecture summary in `architecture.md`.
-- High-level reference: `../../07_HIGH_LEVEL_ARCHITECTURE.md`.
+- High-level reference: `../../ARCHITECTURE_REFERENCE.md`.
 
 ## Integrations & dependencies
 - All StellaOps services via shared contracts (AOC, telemetry, security).

docs/modules/platform/architecture-overview.md

@@ -2,7 +2,7 @@
 
 > **Ownership:** Architecture Guild • Docs Guild  
 > **Audience:** Service owners, platform engineers, solution architects  
-> **Related:** [High-Level Architecture](../../07_HIGH_LEVEL_ARCHITECTURE.md), [Concelier Architecture](../concelier/architecture.md), [Policy Engine Architecture](../policy/architecture.md), [Aggregation-Only Contract](../../aoc/aggregation-only-contract.md)
+> **Related:** [High-Level Architecture](../../ARCHITECTURE_REFERENCE.md), [Concelier Architecture](../concelier/architecture.md), [Policy Engine Architecture](../policy/architecture.md), [Aggregation-Only Contract](../../aoc/aggregation-only-contract.md)
 
 This dossier summarises the end-to-end runtime topology after the Aggregation-Only Contract (AOC) rollout. It highlights where raw facts live, how ingest services enforce guardrails, and how downstream components consume those facts to derive policy decisions and user-facing experiences.
 

docs/modules/platform/architecture.md

@@ -3,7 +3,8 @@
 This module aggregates cross-cutting contracts and guardrails that every StellaOps service must follow.
 
 ## Anchors
-- High-level system view: `../../07_HIGH_LEVEL_ARCHITECTURE.md`
+- High-level system view: `../../ARCHITECTURE_REFERENCE.md`
+- Architecture overview: `../../ARCHITECTURE_OVERVIEW.md`
 - Platform overview: `architecture-overview.md`
 - Platform service definition: `platform-service.md`
 - Aggregation-Only Contract: `../../aoc/aggregation-only-contract.md` (referenced across ingestion/observability docs)

docs/modules/router/README.md

@@ -80,16 +80,26 @@ StellaOps.Router.slnx
 
 ## Key Documents
 
+### Module Documentation (this directory)
 | Document | Purpose |
 |----------|---------|
 | [architecture.md](architecture.md) | Canonical specification and requirements |
 | [schema-validation.md](schema-validation.md) | JSON Schema validation feature |
 | [openapi-aggregation.md](openapi-aggregation.md) | OpenAPI document generation |
 | [migration-guide.md](migration-guide.md) | WebService to Microservice migration |
-| [rate-limiting.md](rate-limiting.md) | Centralized router rate limiting |
+| [rate-limiting.md](rate-limiting.md) | Centralized router rate limiting (dossier) |
 | [aspnet-endpoint-bridge.md](aspnet-endpoint-bridge.md) | Using ASP.NET endpoint registration as Router endpoint registration |
 | [messaging-valkey-transport.md](messaging-valkey-transport.md) | Messaging transport over Valkey |
 
+### Implementation Guides (docs/router/)
+| Document | Purpose |
+|----------|---------|
+| [README.md](../../router/README.md) | Quick start and feature overview |
+| [ARCHITECTURE.md](../../router/ARCHITECTURE.md) | Detailed architecture walkthrough |
+| [GETTING_STARTED.md](../../router/GETTING_STARTED.md) | Step-by-step setup guide |
+| [rate-limiting.md](../../router/rate-limiting.md) | Rate limiting configuration guide |
+| [transports/](../../router/transports/) | Transport plugin documentation |
+
 ## Quick Start
 
 ### Gateway

docs/modules/scanner/operations/entrypoint-lang-dotnet.md

@@ -16,7 +16,7 @@
 
 ## Evidence & scoring
 - Large confidence boost when both host (`dotnet`) and DLL artefact are present.
-- Add evidence for runtimeconfig parsing (`"runtimeconfig TFM=net8.0"`), bundle markers, or ASP.NET env vars.
+- Add evidence for runtimeconfig parsing (`"runtimeconfig TFM=net10.0"`), bundle markers, or ASP.NET env vars.
 - Penalise detections lacking artefact confirmation.
 
 ## Edge cases

docs/router/README.md

@@ -277,12 +277,16 @@ dotnet run --project src/Router/examples/Examples.OrderService
 
 ## Documentation
 
+### Implementation Guides (this directory)
 - [Architecture Overview](./ARCHITECTURE.md)
 - [Getting Started Guide](./GETTING_STARTED.md)
 - [Transport Configuration](./transports/)
 - [Rate Limiting](./rate-limiting.md)
 - [Examples](./examples/README.md)
 
+### Module Dossier
+For architectural decisions, invariants, and module context, see the [Router Module Dossier](../modules/router/README.md).
+
 ## Related Modules
 
 - **Authority**: OAuth/OIDC integration for gateway authentication

docs/schemas/dotnet-il-metadata.schema.json

@@ -21,7 +21,7 @@
           "items": {
             "type": "string"
           },
-          "description": "Target framework monikers (e.g., net6.0, net8.0, netstandard2.1)"
+          "description": "Target framework monikers (e.g., net8.0, net10.0, netstandard2.1)"
         },
         "assembly_analysis": {
           "$ref": "#/definitions/AssemblyAnalysisConfig"
@@ -1483,7 +1483,7 @@
         {
           "config_id": "aspnet-core-analyzer",
           "version": "1.0.0",
-          "target_frameworks": ["net6.0", "net7.0", "net8.0"],
+          "target_frameworks": ["net8.0", "net9.0", "net10.0"],
           "assembly_analysis": {
             "enabled": true,
             "include_referenced_assemblies": true,

docs/sdks/overview.md

@@ -53,4 +53,4 @@ All SDKs and plugins must maintain determinism:
 
 - [Plugin Architecture](../plugins/ARCHITECTURE.md)
 - [Plugin Configuration](../plugins/CONFIGURATION.md)
-- [Plugin SDK Guide](../10_PLUGIN_SDK_GUIDE.md)
+- [Plugin SDK Guide](../PLUGIN_SDK_GUIDE.md)

docs/technical/architecture/README.md

@@ -3,11 +3,11 @@
 Use this index to locate platform-level architecture references and per-module dossiers.
 
 ## Core views
-- [Architecture overview (10-minute tour)](../../40_ARCHITECTURE_OVERVIEW.md)
-- [High-level architecture (reference map)](../../07_HIGH_LEVEL_ARCHITECTURE.md)
+- [Architecture overview (10-minute tour)](../../ARCHITECTURE_OVERVIEW.md)
+- [High-level architecture (reference map)](../../ARCHITECTURE_REFERENCE.md)
 - [Scanner core contracts](../../scanner-core-contracts.md)
-- [Authority (legacy overview)](../../11_AUTHORITY.md)
-- [Console operator guide](../../15_UI_GUIDE.md) and deep dives under [console](../../console/) and [ux](../../ux/)
+- [Authority (legacy overview)](../../AUTHORITY.md)
+- [Console operator guide](../../UI_GUIDE.md) and deep dives under [console](../../console/) and [ux](../../ux/)
 - [Component map](component-map.md) (quick descriptions of every module under `src/`)
 
 ## Detailed references

docs/technical/architecture/component-map.md

@@ -5,7 +5,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 ## Advisory & Evidence Services
 - **AdvisoryAI** — Experimental intelligence helpers that summarise and prioritise advisory data for humans. Ingests canonical observations from Concelier/Excititor, adds explainable insights, and feeds UI/CLI and Policy workflows. See `docs/modules/advisory-ai/architecture.md`.
 - **Concelier** — Canonical advisory ingestion engine enforcing the Aggregation-Only Contract (AOC). Produces immutable observations/linksets consumed by Policy Engine, Graph, Scheduler, and Export Center. Docs in `docs/modules/concelier/architecture.md` and `docs/aoc/aggregation-only-contract.md`.
-- **Excititor** — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference `docs/modules/excititor/architecture.md` and `docs/16_VEX_CONSENSUS_GUIDE.md`.
+- **Excititor** — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference `docs/modules/excititor/architecture.md` and `docs/VEX_CONSENSUS_GUIDE.md`.
 - **VexLens** — Provides focused exploration of VEX evidence, conflict analysis, and waiver insights for UI/CLI. Backed by Excititor and Policy Engine (`docs/modules/vex-lens/architecture.md`).
 - **EvidenceLocker** — Long-term store for signed evidence bundles (DSSE, SRM, policy waivers). Integrates with Attestor, Export Center, Policy, and replay tooling (`docs/forensics/evidence-locker.md`). 
 - **ExportCenter** — Packages reproducible evidence bundles and mirror artefacts for online/offline distribution. Pulls from Concelier, Excititor, Policy, Scanner, Attestor, and Registry (`docs/modules/export-center/architecture.md`). 
@@ -26,7 +26,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Governance components** (Authority scopes, Policy governance, Console policy UI) are covered in `docs/security/policy-governance.md` and `docs/modules/ui/policies.md`.
 
 ## Identity, Signing & Provenance
-- **Authority** — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module’s authentication story (`docs/11_AUTHORITY.md`, `docs/modules/authority/architecture.md`). 
+- **Authority** — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module's authentication story (`docs/AUTHORITY.md`, `docs/modules/authority/architecture.md`). 
 - **Signer** — DSSE signing backend supporting keyless/keyful modes with Authority-managed trust roots (`docs/modules/signer/architecture.md`). 
 - **Attestor** — Manages proof bundles, optional Rekor mirror, and distribution to consumers (`docs/modules/attestor/architecture.md`). 
 - **Provenance** — Utilities and services for DSSE/SLSA provenance verification, consumed by Export Center, EvidenceLocker, and Replay (`docs/modules/export-center/provenance-and-signing.md`). 
@@ -49,10 +49,10 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Registry** — Anonymous registry/token service hosting platform images and Offline Kit artefacts (`docs/modules/registry/architecture.md`). 
 - **Zastava** — Runtime observer/admission controller ensuring signed images, SBOM availability, and policy verdict enforcement in live clusters (`docs/modules/zastava/architecture.md`). 
 - **Signals** (shared above) plus runtime components integrate tightly with Zastava and Policy Engine. 
-- **Bench** — Performance benchmarking toolset validating platform SLAs (`docs/12_PERFORMANCE_WORKBOOK.md`). 
+- **Bench** — Performance benchmarking toolset validating platform SLAs (`docs/PERFORMANCE_WORKBOOK.md`). 
 
 ## Offline, Telemetry & Infrastructure
-- **AirGap** — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (`docs/24_OFFLINE_KIT.md`, `docs/airgap/`). 
+- **AirGap** — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (`docs/OFFLINE_KIT.md`, `docs/airgap/`). 
 - **Telemetry** — OpenTelemetry collector/storage deployment tooling, observability integrations, and offline metrics packages (`docs/modules/telemetry/architecture.md`, `docs/observability/`). 
 - **Mirror** and **ExportCenter** (above) complement AirGap by keeping offline mirrors in sync. 
 - **Tools** — Collection of utility programs (fixture generators, smoke tests, migration scripts) supporting all modules (`docs/dev/fixtures.md`, module-specific tooling sections). 
@@ -67,7 +67,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Aoc** library (mentioned above) is reused by ingestion components and verification tooling to enforce the Aggregation-Only Contract. 
 
 ## How It All Connects
-High-level flows (see `docs/40_ARCHITECTURE_OVERVIEW.md` for the 10-minute tour):
+High-level flows (see `docs/ARCHITECTURE_OVERVIEW.md` for the 10-minute tour):
 1. **Ingest** — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas. 
 2. **Scan & Evaluate** — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises. 
 3. **Store & Export** — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions. 

docs/technical/architecture/sbom-analyzer-inventory.md

@@ -88,11 +88,11 @@ This document provides a complete inventory of all analyzers used in StellaOps S
 │  2. Parse legacy packages.config XML                                    │
 │  3. Parse *.deps.json for runtime dependencies                          │
 │  4. Resolve transitive dependencies from asset files                    │
-│  5. Extract framework targeting (net6.0, net8.0, etc.)                  │
+│  5. Extract framework targeting (net8.0, net10.0, etc.)                 │
 │                                                                          │
 │  PURL Format:                                                           │
 │  pkg:nuget/Newtonsoft.Json@13.0.1                                       │
-│  pkg:nuget/Microsoft.Extensions.Logging@8.0.0?framework=net8.0          │
+│  pkg:nuget/Microsoft.Extensions.Logging@10.0.0?framework=net10.0        │
 │                                                                          │
 │  Special Handling:                                                       │
 │  • Framework-specific dependencies                                      │

docs/technical/development/README.md

@@ -3,15 +3,15 @@
 Resources for contributors building features, plug-ins, connectors, and tests.
 
 ## Engineering Standards & Quality
-- [../18_CODING_STANDARDS.md](../../18_CODING_STANDARDS.md) – language guidelines, project layout, review expectations.
-- [../19_TEST_SUITE_OVERVIEW.md](../../19_TEST_SUITE_OVERVIEW.md) – unit, integration, golden, and determinism test strategy.
-- [../12_PERFORMANCE_WORKBOOK.md](../../12_PERFORMANCE_WORKBOOK.md) – benchmark targets and reference rigs.
+- [../CODING_STANDARDS.md](../../CODING_STANDARDS.md) – language guidelines, project layout, review expectations.
+- [../TEST_SUITE_OVERVIEW.md](../../TEST_SUITE_OVERVIEW.md) – unit, integration, golden, and determinism test strategy.
+- [../PERFORMANCE_WORKBOOK.md](../../PERFORMANCE_WORKBOOK.md) – benchmark targets and reference rigs.
 - [../cli-vs-ui-parity.md](../../cli-vs-ui-parity.md) – CLI vs Console feature parity tracking.
 - [../scanner-core-contracts.md](../../scanner-core-contracts.md) – DTO fixtures consumed by tests.
 
 ## Plug-ins, Connectors & Extensions
-- [../10_PLUGIN_SDK_GUIDE.md](../../10_PLUGIN_SDK_GUIDE.md) – plug-in lifecycle, manifests, packaging.
-- [../10_CONCELIER_CLI_QUICKSTART.md](../../10_CONCELIER_CLI_QUICKSTART.md) – local Concelier + CLI workflow for advisory ingestion.
+- [../PLUGIN_SDK_GUIDE.md](../../PLUGIN_SDK_GUIDE.md) – plug-in lifecycle, manifests, packaging.
+- [../CONCELIER_CLI_QUICKSTART.md](../../CONCELIER_CLI_QUICKSTART.md) – local Concelier + CLI workflow for advisory ingestion.
 - Developer guides under [../dev/](../../dev/):
   - Connector playbooks (`30_EXCITITOR_CONNECTOR_GUIDE.md`, `kisa_connector_notes.md`).
   - Authority and DPoP guidance (`31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, `32_AUTH_CLIENT_GUIDE.md`).
@@ -20,7 +20,7 @@ Resources for contributors building features, plug-ins, connectors, and tests.
   - Operational templates and fixtures (`templates/`, `fixtures.md`).
 
 ## CLI, SDKs & Automation
-- [../09_API_CLI_REFERENCE.md](../../09_API_CLI_REFERENCE.md) – authoritative CLI commands and flags (use for scripting).
+- [../API_CLI_REFERENCE.md](../../API_CLI_REFERENCE.md) – authoritative CLI commands and flags (use for scripting).
 - [../api/sdk-openapi-program.md](../../api/sdk-openapi-program.md) – guidance for downstream SDK generation.
 - [../policy/gateway.md](../../policy/gateway.md) & [../policy/dsl.md](../../policy/dsl.md) – foundations for automating policy programs.
 

docs/technical/operations/README.md

@@ -3,22 +3,22 @@
 Deployment, runtime operations, and air-gap playbooks for running Stella Ops in production.
 
 ## Install & Upgrade
-- [../21_INSTALL_GUIDE.md](../../21_INSTALL_GUIDE.md) – canonical install guide (Docker, air-gap considerations).
+- [../INSTALL_GUIDE.md](../../INSTALL_GUIDE.md) – canonical install guide (Docker, air-gap considerations).
 - [../operations/console-docker-install.md](../../operations/console-docker-install.md) – Docker install recipes.
 - [../deploy/containers.md](../../deploy/containers.md) – container deployment guidance for AOC environments.
 - [../deploy/console.md](../../deploy/console.md) – console deployment specifics.
-- [../13_RELEASE_ENGINEERING_PLAYBOOK.md](../../13_RELEASE_ENGINEERING_PLAYBOOK.md) – release automation, signing, reproducibility.
+- [../RELEASE_ENGINEERING_PLAYBOOK.md](../../RELEASE_ENGINEERING_PLAYBOOK.md) – release automation, signing, reproducibility.
 - [../artifacts/bom-index/README.md](../../artifacts/bom-index/README.md) – BOM index artifact layout for Offline Kit exports.
 
 ## Offline & Sovereign Operations
 - [../quickstart.md](../../quickstart.md) – 5-minute path to first scan (useful for smoke testing installs).
-- [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – bundle contents, import/export workflow.
+- [../OFFLINE_KIT.md](../../OFFLINE_KIT.md) – bundle contents, import/export workflow.
 - [../airgap/airgap-mode.md](../../airgap/airgap-mode.md) – configuration for sealed environments.
 - [../license-jwt-quota.md](../../license-jwt-quota.md) – offline quota token lifecycle.
-- [../10_CONCELIER_CLI_QUICKSTART.md](../../10_CONCELIER_CLI_QUICKSTART.md) – workstation ingest/export workflow (operators).
+- [../CONCELIER_CLI_QUICKSTART.md](../../CONCELIER_CLI_QUICKSTART.md) – workstation ingest/export workflow (operators).
 
 ## Hardening & Governance
-- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – platform hardening checklist.
+- [../SECURITY_HARDENING_GUIDE.md](../../SECURITY_HARDENING_GUIDE.md) – platform hardening checklist.
 - [../accessibility.md](../../accessibility.md) – accessibility checklist for console deployments.
 - [../security/console-security.md](../../security/console-security.md) – console-specific controls.
 - [../security/authority-scopes.md](../../security/authority-scopes.md) – Authority scope model.

docs/technical/security/README.md

@@ -3,13 +3,13 @@
 Authoritative sources for threat models, governance, compliance, and security operations.
 
 ## Policies & Governance
-- [../13_SECURITY_POLICY.md](../../13_SECURITY_POLICY.md) – responsible disclosure, support windows.
-- [../11_GOVERNANCE.md](../../11_GOVERNANCE.md) – project governance charter.
-- [../12_CODE_OF_CONDUCT.md](../../12_CODE_OF_CONDUCT.md) – community expectations.
-- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
+- [../SECURITY_POLICY.md](../../SECURITY_POLICY.md) – responsible disclosure, support windows.
+- [../GOVERNANCE.md](../../GOVERNANCE.md) – project governance charter.
+- [../CODE_OF_CONDUCT.md](../../CODE_OF_CONDUCT.md) – community expectations.
+- [../SECURITY_HARDENING_GUIDE.md](../../SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
 - [../security/policy-governance.md](../../security/policy-governance.md) – policy governance specifics.
-- [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
-- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – quota policy reference.
+- [../LEGAL_FAQ_QUOTA.md](../../LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
+- [../QUOTA_OVERVIEW.md](../../QUOTA_OVERVIEW.md) – quota policy reference.
 - [../risk/risk-profiles.md](../../risk/risk-profiles.md) – organisational risk personas.
 
 ## Threat Models & Security Architecture
@@ -25,8 +25,8 @@ Authoritative sources for threat models, governance, compliance, and security op
 - [../security/audit-events.md](../../security/audit-events.md) – audit event taxonomy.
 - [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation process.
 - [../license-jwt-quota.md](../../license-jwt-quota.md) – licence/quota enforcement controls.
-- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – quota enforcement sequence.
-- [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – tamper-evident offline artefacts.
+- [../QUOTA_ENFORCEMENT_FLOW.md](../../QUOTA_ENFORCEMENT_FLOW.md) – quota enforcement sequence.
+- [../OFFLINE_KIT.md](../../OFFLINE_KIT.md) – tamper-evident offline artefacts.
 - [../security/](../../security/) – browse for additional deep dives (audit, scopes, rate limits).
 
 ## Supporting Material

docs/technical/strategy/README.md

@@ -2,19 +2,19 @@
 
 Foundational, high-level documents that define StellaOps direction, scope, and differentiators.
 
-- [Vision](../../03_VISION.md) — north-star goals, KPIs, and themes.
-- [Feature matrix](../../04_FEATURE_MATRIX.md) — capability matrix by tier.
-- [System requirements spec](../../05_SYSTEM_REQUIREMENTS_SPEC.md) — functional and non-functional requirements baseline.
-- [Roadmap](../../05_ROADMAP.md) — date-free capability roadmap and definition of “done”.
-- [Architecture overview](../../40_ARCHITECTURE_OVERVIEW.md) — platform principles and module map.
+- [Vision](../../VISION.md) — north-star goals, KPIs, and themes.
+- [Feature matrix](../../FEATURE_MATRIX.md) — capability matrix by tier.
+- [System requirements spec](../../SYSTEM_REQUIREMENTS_SPEC.md) — functional and non-functional requirements baseline.
+- [Roadmap](../../ROADMAP.md) — date-free capability roadmap and definition of "done".
+- [Architecture overview](../../ARCHITECTURE_OVERVIEW.md) — platform principles and module map.
 - [Moat](../../moat.md) — differentiating workstreams (determinism, policy lattice, sovereign crypto readiness, attestation graph).
-- [Offline Kit](../../24_OFFLINE_KIT.md) — offline story and workflows.
-- [Security policy](../../13_SECURITY_POLICY.md) — disclosure and support expectations.
-- [Glossary](../../14_GLOSSARY_OF_TERMS.md) — canonical vocabulary.
-- [UI guide](../../15_UI_GUIDE.md) — console UX overview for evaluators.
-- [FAQ matrix](../../23_FAQ_MATRIX.md) — stakeholder FAQ.
+- [Offline Kit](../../OFFLINE_KIT.md) — offline story and workflows.
+- [Security policy](../../SECURITY_POLICY.md) — disclosure and support expectations.
+- [Glossary](../../GLOSSARY.md) — canonical vocabulary.
+- [UI guide](../../UI_GUIDE.md) — console UX overview for evaluators.
+- [FAQ matrix](../../FAQ_MATRIX.md) — stakeholder FAQ.
 
 ## Related concepts
-- [Quota framing](../../33_333_QUOTA_OVERVIEW.md) and [enforcement flow](../../30_QUOTA_ENFORCEMENT_FLOW1.md) align business policy with enforcement diagrams.
-- [Legal FAQ (quota)](../../29_LEGAL_FAQ_QUOTA.md) captures the AGPL-3.0 interpretation of quota enforcement.
+- [Quota framing](../../QUOTA_OVERVIEW.md) and [enforcement flow](../../QUOTA_ENFORCEMENT_FLOW.md) align business policy with enforcement diagrams.
+- [Legal FAQ (quota)](../../LEGAL_FAQ_QUOTA.md) captures the AGPL-3.0 interpretation of quota enforcement.
 - [License/JWT quota narrative](../../license-jwt-quota.md) documents the offline licensing story for quota tokens.

docs/testing/README.md

@@ -161,7 +161,9 @@ npm run storybook:build
 
 ## Related Documentation
 
+- [Test Suite Overview](../TEST_SUITE_OVERVIEW.md) - High-level entry point for testing
 - [CI/CD Overview](../cicd/README.md)
+- [CI/CD Test Strategy](../cicd/test-strategy.md) - Detailed CI/CD test integration
 - [Workflow Triggers](../cicd/workflow-triggers.md)
 - [Path Filters](../cicd/path-filters.md)
 - [Test Infrastructure](../../src/__Tests/AGENTS.md)

docs/testing/ci-quality-gates.md

@@ -149,9 +149,9 @@ If baselines become stale:
 
 ## Related Documentation
 
-- [Test Suite Overview](../19_TEST_SUITE_OVERVIEW.md)
+- [Test Suite Overview](../TEST_SUITE_OVERVIEW.md)
 - [Testing Strategy Models](./testing-strategy-models.md)
 - [Test Catalog](./TEST_CATALOG.yml)
 - [Reachability Corpus Plan](../reachability/corpus-plan.md)
-- [Performance Workbook](../12_PERFORMANCE_WORKBOOK.md)
+- [Performance Workbook](../PERFORMANCE_WORKBOOK.md)
 - [Testing Quality Guardrails](./testing-quality-guardrails-implementation.md)

docs/testing/testing-strategy-models.md

@@ -41,12 +41,12 @@ Supersedes/extends: `docs/product-advisories/archived/2025-12-21-testing-strateg
 
 ## Documentation moments (when to update)
 - New model or required test type: update `docs/testing/TEST_CATALOG.yml`.
-- New lane or gate: update `docs/19_TEST_SUITE_OVERVIEW.md` and `docs/testing/ci-quality-gates.md`.
+- New lane or gate: update `docs/TEST_SUITE_OVERVIEW.md` and `docs/testing/ci-quality-gates.md`.
 - Module-specific test policy change: update the module dossier under `docs/modules/<module>/`.
 - New fixtures or runnable harnesses: place under `docs/benchmarks/**` or `tests/**` and link here.
 
 ## Related artifacts
 - Test catalog (source of truth): `docs/testing/TEST_CATALOG.yml`
-- Test suite overview: `docs/19_TEST_SUITE_OVERVIEW.md`
+- Test suite overview: `docs/TEST_SUITE_OVERVIEW.md`
 - Quality guardrails: `docs/testing/testing-quality-guardrails-implementation.md`
 - Code samples from the advisory: `docs/benchmarks/testing/better-testing-strategy-samples.md`