docs re-org, audit fixes, build fixes

2026-01-05 09:35:33 +02:00
parent eca4e964d3
commit dfab8a29c3
173 changed files with 1276 additions and 560 deletions
--- a/docs/technical/architecture/README.md
+++ b/docs/technical/architecture/README.md
@@ -3,11 +3,11 @@
 Use this index to locate platform-level architecture references and per-module dossiers.

 ## Core views
- [Architecture overview (10-minute tour)](../../40_ARCHITECTURE_OVERVIEW.md)
- [High-level architecture (reference map)](../../07_HIGH_LEVEL_ARCHITECTURE.md)
+- [Architecture overview (10-minute tour)](../../ARCHITECTURE_OVERVIEW.md)
+- [High-level architecture (reference map)](../../ARCHITECTURE_REFERENCE.md)
 - [Scanner core contracts](../../scanner-core-contracts.md)
- [Authority (legacy overview)](../../11_AUTHORITY.md)
- [Console operator guide](../../15_UI_GUIDE.md) and deep dives under [console](../../console/) and [ux](../../ux/)
+- [Authority (legacy overview)](../../AUTHORITY.md)
+- [Console operator guide](../../UI_GUIDE.md) and deep dives under [console](../../console/) and [ux](../../ux/)
 - [Component map](component-map.md) (quick descriptions of every module under `src/`)

 ## Detailed references
--- a/docs/technical/architecture/component-map.md
+++ b/docs/technical/architecture/component-map.md
@@ -5,7 +5,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 ## Advisory & Evidence Services
 - **AdvisoryAI** — Experimental intelligence helpers that summarise and prioritise advisory data for humans. Ingests canonical observations from Concelier/Excititor, adds explainable insights, and feeds UI/CLI and Policy workflows. See `docs/modules/advisory-ai/architecture.md`.
 - **Concelier** — Canonical advisory ingestion engine enforcing the Aggregation-Only Contract (AOC). Produces immutable observations/linksets consumed by Policy Engine, Graph, Scheduler, and Export Center. Docs in `docs/modules/concelier/architecture.md` and `docs/aoc/aggregation-only-contract.md`.
- **Excititor** — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference `docs/modules/excititor/architecture.md` and `docs/16_VEX_CONSENSUS_GUIDE.md`.
+- **Excititor** — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference `docs/modules/excititor/architecture.md` and `docs/VEX_CONSENSUS_GUIDE.md`.
 - **VexLens** — Provides focused exploration of VEX evidence, conflict analysis, and waiver insights for UI/CLI. Backed by Excititor and Policy Engine (`docs/modules/vex-lens/architecture.md`).
 - **EvidenceLocker** — Long-term store for signed evidence bundles (DSSE, SRM, policy waivers). Integrates with Attestor, Export Center, Policy, and replay tooling (`docs/forensics/evidence-locker.md`). 
 - **ExportCenter** — Packages reproducible evidence bundles and mirror artefacts for online/offline distribution. Pulls from Concelier, Excititor, Policy, Scanner, Attestor, and Registry (`docs/modules/export-center/architecture.md`). 
@@ -26,7 +26,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Governance components** (Authority scopes, Policy governance, Console policy UI) are covered in `docs/security/policy-governance.md` and `docs/modules/ui/policies.md`.

 ## Identity, Signing & Provenance
- **Authority** — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module’s authentication story (`docs/11_AUTHORITY.md`, `docs/modules/authority/architecture.md`). 
+- **Authority** — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module's authentication story (`docs/AUTHORITY.md`, `docs/modules/authority/architecture.md`). 
 - **Signer** — DSSE signing backend supporting keyless/keyful modes with Authority-managed trust roots (`docs/modules/signer/architecture.md`). 
 - **Attestor** — Manages proof bundles, optional Rekor mirror, and distribution to consumers (`docs/modules/attestor/architecture.md`). 
 - **Provenance** — Utilities and services for DSSE/SLSA provenance verification, consumed by Export Center, EvidenceLocker, and Replay (`docs/modules/export-center/provenance-and-signing.md`). 
@@ -49,10 +49,10 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Registry** — Anonymous registry/token service hosting platform images and Offline Kit artefacts (`docs/modules/registry/architecture.md`). 
 - **Zastava** — Runtime observer/admission controller ensuring signed images, SBOM availability, and policy verdict enforcement in live clusters (`docs/modules/zastava/architecture.md`). 
 - **Signals** (shared above) plus runtime components integrate tightly with Zastava and Policy Engine. 
- **Bench** — Performance benchmarking toolset validating platform SLAs (`docs/12_PERFORMANCE_WORKBOOK.md`). 
+- **Bench** — Performance benchmarking toolset validating platform SLAs (`docs/PERFORMANCE_WORKBOOK.md`). 

 ## Offline, Telemetry & Infrastructure
- **AirGap** — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (`docs/24_OFFLINE_KIT.md`, `docs/airgap/`). 
+- **AirGap** — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (`docs/OFFLINE_KIT.md`, `docs/airgap/`). 
 - **Telemetry** — OpenTelemetry collector/storage deployment tooling, observability integrations, and offline metrics packages (`docs/modules/telemetry/architecture.md`, `docs/observability/`). 
 - **Mirror** and **ExportCenter** (above) complement AirGap by keeping offline mirrors in sync. 
 - **Tools** — Collection of utility programs (fixture generators, smoke tests, migration scripts) supporting all modules (`docs/dev/fixtures.md`, module-specific tooling sections). 
@@ -67,7 +67,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Aoc** library (mentioned above) is reused by ingestion components and verification tooling to enforce the Aggregation-Only Contract. 

 ## How It All Connects
-High-level flows (see `docs/40_ARCHITECTURE_OVERVIEW.md` for the 10-minute tour):
+High-level flows (see `docs/ARCHITECTURE_OVERVIEW.md` for the 10-minute tour):
 1. **Ingest** — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas. 
 2. **Scan & Evaluate** — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises. 
 3. **Store & Export** — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions. 
--- a/docs/technical/architecture/sbom-analyzer-inventory.md
+++ b/docs/technical/architecture/sbom-analyzer-inventory.md
@@ -88,11 +88,11 @@ This document provides a complete inventory of all analyzers used in StellaOps S
 │  2. Parse legacy packages.config XML                                    │
 │  3. Parse *.deps.json for runtime dependencies                          │
 │  4. Resolve transitive dependencies from asset files                    │
-│  5. Extract framework targeting (net6.0, net8.0, etc.)                  │
+│  5. Extract framework targeting (net8.0, net10.0, etc.)                 │
 │                                                                          │
 │  PURL Format:                                                           │
 │  pkg:nuget/Newtonsoft.Json@13.0.1                                       │
-│  pkg:nuget/Microsoft.Extensions.Logging@8.0.0?framework=net8.0          │
+│  pkg:nuget/Microsoft.Extensions.Logging@10.0.0?framework=net10.0        │
 │                                                                          │
 │  Special Handling:                                                       │
 │  • Framework-specific dependencies                                      │