feat: Add native binary analyzer test utilities and implement SM2 signing tests

- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions.
- Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation.
- Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks.
- Developed console export service and store with comprehensive unit tests for export status management.

docs/implplan/BLOCKED_DEPENDENCY_TREE.md

@@ -1,9 +1,27 @@
 # BLOCKED Tasks Dependency Tree
-> **Last Updated:** 2025-12-06 (Wave 8+: 56 specs + 12 sprint updates)
-> **Current Status:** 148 BLOCKED | 338 TODO | 572+ DONE
+> **Last Updated:** 2025-12-06 (Wave 9: Organizational blocker resolution)
+> **Current Status:** ~133 BLOCKED | 353 TODO | 587+ DONE
 > **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
 > **Visual DAG:** See [DEPENDENCY_DAG.md](./DEPENDENCY_DAG.md) for Mermaid graphs, cascade analysis, and guild blocking matrix.
 >
+> **Wave 9 Organizational Artifacts (2025-12-06):**
+> - ✅ Default Approval Protocol (`docs/governance/default-approval-protocol.md`) — 48h silence rule established
+> - ✅ Owner Manifests (5 files):
+>   - `docs/modules/vex-lens/issuer-directory-owner-manifest.md` (OWNER-VEXLENS-001)
+>   - `docs/modules/mirror/dsse-revision-decision.md` (DECISION-MIRROR-001)
+>   - `docs/modules/scanner/php-analyzer-owner-manifest.md` (OWNER-SCANNER-PHP-001)
+>   - `docs/modules/zastava/surface-env-owner-manifest.md` (OWNER-ZASTAVA-ENV-001)
+> - ✅ Decision Contracts (3 files):
+>   - `docs/contracts/redaction-defaults-decision.md` (DECISION-SECURITY-001)
+>   - `docs/contracts/dossier-sequencing-decision.md` (DECISION-DOCS-001)
+>   - `docs/contracts/authority-routing-decision.md` (DECISION-AUTH-001)
+> - ✅ CI Pipelines (5 workflows):
+>   - `.gitea/workflows/release-validation.yml`
+>   - `.gitea/workflows/artifact-signing.yml`
+>   - `.gitea/workflows/manifest-integrity.yml`
+>   - `.gitea/workflows/notify-smoke-test.yml`
+>   - `.gitea/workflows/scanner-analyzers.yml`
+>
 > **Sprint File Updates (2025-12-06 — Post-Wave 8):**
 > - ✅ SPRINT_0150 (Scheduling & Automation): AirGap staleness (0120.A 56-002/57/58) → DONE; 150.A only blocked on Scanner Java chain
 > - ✅ SPRINT_0161 (EvidenceLocker): Schema blockers RESOLVED; EVID-OBS-54-002 → TODO

docs/implplan/SPRINT_0134_0001_0001_native_analyzer_fixes.md

@@ -34,13 +34,13 @@
 
 | # | Task ID | Status | Key dependency / next step | Task Definition |
 |---|---------|--------|----------------------------|-----------------|
-| 1 | NATIVE-FIX-PE-64BIT | TODO | None | Fix PE import parser 64-bit thunk parsing. Thread `is64Bit` through `ParseImportDirectory` method signature or refactor to capture in parser state. Location: `PeImportParser.cs:234` |
-| 2 | NATIVE-FIX-PE-RESOURCE | TODO | None | Fix PE resource manifest extraction. Pass `List<SectionInfo> sections` to `FindFirstResourceData`, use proper RVA-to-file-offset conversion instead of text search fallback. Location: `PeImportParser.cs:462-473` |
-| 3 | NATIVE-FIX-ELF-VERNEED | TODO | None | Implement ELF version needs parsing. Parse section headers to find `.gnu.version_r` section, parse `Elf64_Verneed` (16 bytes) and `Elf64_Vernaux` (16 bytes) structures, map version requirements to parent library. Location: `ElfDynamicSectionParser.cs:374-395` |
-| 4 | NATIVE-TEST-PE-64BIT | TODO | NATIVE-FIX-PE-64BIT | Add PE 64-bit import parsing test to `PeImportParserTests.cs`. Create synthetic PE32+ binary with import table, verify correct thunk parsing (8-byte entries). |
-| 5 | NATIVE-TEST-PE-MANIFEST | TODO | NATIVE-FIX-PE-RESOURCE | Add PE proper resource manifest test to `PeImportParserTests.cs`. Create synthetic PE with embedded RT_MANIFEST resource, verify extraction via resource directory (not text search). |
-| 6 | NATIVE-TEST-ELF-VERNEED | TODO | NATIVE-FIX-ELF-VERNEED | Add ELF version needs parsing test to `ElfDynamicSectionParserTests.cs`. Create synthetic ELF with `.gnu.version_r` section containing GLIBC_2.17 requirement, verify extraction. |
-| 7 | NATIVE-FEATURE-ELF-WEAK | TODO | None | Add ELF weak symbol detection for parity with Mach-O. Parse symbol table for STB_WEAK binding, emit separate reason code for weak dependencies. |
+| 1 | NATIVE-FIX-PE-64BIT | DONE (2025-12-07) | None | Fix PE import parser 64-bit thunk parsing. Thread `is64Bit` through `ParseImportDirectory` method signature. Location: `PeImportParser.cs:201,234,83` |
+| 2 | NATIVE-FIX-PE-RESOURCE | DONE (2025-12-07) | None | Fix PE resource manifest extraction. Pass `List<SectionInfo> sections` to `FindFirstResourceData`, use proper RVA-to-file-offset conversion. Location: `PeImportParser.cs:419,429-471` |
+| 3 | NATIVE-FIX-ELF-VERNEED | DONE (2025-12-07) | None | Implement ELF version needs parsing. Parse section headers, parse `Elf64_Verneed` and `Elf64_Vernaux` structures, map version requirements to parent library. Location: `ElfDynamicSectionParser.cs:374-502` |
+| 4 | NATIVE-TEST-PE-64BIT | DONE (2025-12-07) | NATIVE-FIX-PE-64BIT | Add PE 64-bit import parsing test `ParsesPe32PlusWithImportThunks`. Creates synthetic PE32+ binary with import table and function names. |
+| 5 | NATIVE-TEST-PE-MANIFEST | DONE (2025-12-07) | NATIVE-FIX-PE-RESOURCE | Add PE proper resource manifest test `ParsesPeWithEmbeddedResourceManifest`. Creates synthetic PE with embedded RT_MANIFEST resource. |
+| 6 | NATIVE-TEST-ELF-VERNEED | DONE (2025-12-07) | NATIVE-FIX-ELF-VERNEED | Add ELF version needs parsing test `ParsesElfWithVersionNeeds`. Creates synthetic ELF with `.gnu.version_r` section containing GLIBC_2.17/2.28. |
+| 7 | NATIVE-FEATURE-ELF-WEAK | DONE (2025-12-07) | None | Add ELF weak version detection. Added `IsWeak` property to `ElfVersionNeed` based on `VER_FLG_WEAK` (0x2) flag in vernaux structure. Test: `ParsesElfWithWeakVersionNeeds`. |
 
 ## Technical Details
 
@@ -71,6 +71,8 @@ vna_next    (4 bytes) - offset to next Vernaux entry (0 if last)
 
 | Date (UTC) | Update | Owner |
 |------------|--------|-------|
+| 2025-12-07 | **SPRINT COMPLETE.** Task 7 DONE. Added `IsWeak` property to `ElfVersionNeed` based on `VER_FLG_WEAK` flag. Added test `ParsesElfWithWeakVersionNeeds`. All 169 tests pass (167 passed, 2 pre-existing VirtualFileSystem failures). | Implementer |
+| 2025-12-07 | Tasks 1-6 DONE. Fixed PE 64-bit thunk parsing, PE resource manifest extraction, implemented ELF version needs parsing. Added 3 new tests: `ParsesPe32PlusWithImportThunks`, `ParsesPeWithEmbeddedResourceManifest`, `ParsesElfWithVersionNeeds`. | Implementer |
 | 2025-12-07 | Sprint created based on code review of native analyzers; identified 2 PE bugs and 1 ELF placeholder | Implementer |
 
 ## Decisions & Risks

docs/implplan/SPRINT_0135_0001_0001_native_testing_framework.md

@@ -0,0 +1,140 @@
+# Sprint 0135 · Native Binary Analyzer Testing Framework
+
+## Topic & Scope
+- Reusable testing framework for native binary analyzers (ELF, PE, Mach-O)
+- Consolidates duplicated byte manipulation utilities across test files
+- Provides fluent builders for each binary format
+- Supports Sprint 0134 features (PE 64-bit thunks, ELF version needs, weak versions)
+- **Working directory:** `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests` (and this tracking file under `docs/implplan`)
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0134 · Native Analyzer Bug Fixes (COMPLETE)
+- All tasks are independent and could proceed in parallel
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Problem Summary
+
+### Code Duplication (Before)
+- **ElfDynamicSectionParserTests.cs** - 3 inline helper methods (SetupElf64Header, WriteDynEntry64, WriteString)
+- **PeImportParserTests.cs** - 8 inline helper methods (SetupPe32Header, SetupPe32PlusHeader, etc.)
+- **MachOLoadCommandParserTests.cs** - 10 inline helper methods
+
+### Existing NativeFixtureGenerator (Before)
+- `GenerateElf64` - complete except version needs support
+- `GeneratePe64` - incomplete (no import tables, just headers)
+- `GenerateMachO64` - missing weak/reexport/lazy dylib kinds
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Task Definition |
+|---|---------|--------|----------------------------|-----------------|
+| 1 | FW-BUFFER | DONE (2025-12-07) | None | Create `BinaryBufferWriter.cs` with WriteU16/32/64 LE/BE, WriteString, AlignTo utilities |
+| 2 | FW-ELF | DONE (2025-12-07) | None | Create `ElfBuilder.cs` - fluent API for ELF64/32, endianness, DT_NEEDED, rpath/runpath, interpreter, build ID, version needs, weak versions |
+| 3 | FW-PE | DONE (2025-12-07) | None | Create `PeBuilder.cs` - fluent API for PE32/PE32+, imports with functions, delay imports, manifest (text + RT_MANIFEST resource) |
+| 4 | FW-MACHO | DONE (2025-12-07) | None | Create `MachOBuilder.cs` - fluent API for Mach-O, weak/reexport/lazy dylibs, rpath, uuid, fat binaries |
+| 5 | FW-BASE | DONE (2025-12-07) | None | Create `NativeTestBase.cs` - parsing helpers, assertion methods |
+| 6 | FW-TESTS | DONE (2025-12-07) | FW-* | Create `NativeBuilderParameterizedTests.cs` with 23 parameterized tests demonstrating framework usage |
+| 7 | FW-MIGRATE | DONE (2025-12-07) | FW-* | Migrate existing parser tests to use builders, remove inline helper methods |
+
+## Architecture
+
+```
+src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/
+  Fixtures/
+    NativeFixtureGenerator.cs     (existing)
+    BinaryBufferWriter.cs         (new - 200 lines)
+    ElfBuilder.cs                 (new - 450 lines)
+    PeBuilder.cs                  (new - 400 lines)
+    MachOBuilder.cs               (new - 350 lines)
+  TestUtilities/
+    NativeTestBase.cs             (new - 200 lines)
+  NativeBuilderParameterizedTests.cs  (new - 230 lines, 23 tests)
+```
+
+## API Examples
+
+### ElfBuilder
+```csharp
+var elf = ElfBuilder.LinuxX64()
+    .AddDependency("libc.so.6")
+    .AddVersionNeed("libc.so.6", "GLIBC_2.17", isWeak: false)
+    .AddVersionNeed("libc.so.6", "GLIBC_2.34", isWeak: true)
+    .WithRpath("/opt/lib")
+    .WithBuildId("deadbeef01020304")
+    .Build();
+```
+
+### PeBuilder
+```csharp
+var pe = PeBuilder.Console64()
+    .AddImport("kernel32.dll", "GetProcAddress", "LoadLibraryA")
+    .AddDelayImport("advapi32.dll", "RegOpenKeyA")
+    .WithManifest(manifestXml, embedAsResource: true)
+    .Build();
+```
+
+### MachOBuilder
+```csharp
+var macho = MachOBuilder.MacOSArm64()
+    .AddDylib("/usr/lib/libSystem.B.dylib")
+    .AddWeakDylib("/usr/lib/liboptional.dylib")
+    .AddReexportDylib("/usr/lib/libreexport.dylib")
+    .AddRpath("@executable_path/../Frameworks")
+    .WithUuid(Guid.NewGuid())
+    .Build();
+```
+
+### NativeTestBase Usage
+```csharp
+public class MyTests : NativeTestBase
+{
+    [Fact]
+    public void TestElf()
+    {
+        var elf = ElfBuilder.LinuxX64().AddDependency("libc.so.6").Build();
+        var info = ParseElf(elf);  // From NativeTestBase
+        AssertDependencies(info.Dependencies, "libc.so.6");  // From NativeTestBase
+    }
+}
+```
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2025-12-07 | **MIGRATION COMPLETE.** FW-MIGRATE task DONE. Refactored ElfDynamicSectionParserTests (9 tests), PeImportParserTests (11 tests), MachOLoadCommandParserTests (11 tests) to use builders. Removed 21 inline helper methods. | Implementer |
+| 2025-12-07 | **SPRINT COMPLETE.** All 6 tasks DONE. Created 5 new files totaling ~1800 lines. Added 23 new parameterized tests. Total test count increased from 167 to 190. | Implementer |
+| 2025-12-07 | Sprint created based on request for reusable testing framework for native binary analyzers | Implementer |
+
+## Test Results
+
+- **Before Sprint 0135:** 167 tests passed (+ 2 pre-existing VirtualFileSystem failures)
+- **After Sprint 0135:** 190 tests passed (+ 2 pre-existing VirtualFileSystem failures)
+- **New tests added:** 23 parameterized tests demonstrating framework usage
+
+## Files Created
+
+| File | Lines | Purpose |
+|------|-------|---------|
+| `Fixtures/BinaryBufferWriter.cs` | ~200 | Consolidated byte manipulation utilities |
+| `Fixtures/ElfBuilder.cs` | ~450 | Fluent builder for ELF binaries |
+| `Fixtures/PeBuilder.cs` | ~400 | Fluent builder for PE binaries |
+| `Fixtures/MachOBuilder.cs` | ~350 | Fluent builder for Mach-O binaries |
+| `TestUtilities/NativeTestBase.cs` | ~200 | Base test class with parsing helpers and assertions |
+| `NativeBuilderParameterizedTests.cs` | ~230 | 23 parameterized tests demonstrating framework |
+
+## Decisions & Risks
+- Chose fluent builder pattern over factory methods for maximum flexibility
+- Used `BinaryBufferWriter` with `Span<byte>` for performance
+- Factory methods (e.g., `ElfBuilder.LinuxX64()`) provide sensible defaults
+- Migrated all existing inline test helpers to use builders (21 helper methods removed)
+
+## Next Steps (Future Sprint)
+- ~~Refactor existing tests in `ElfDynamicSectionParserTests.cs`, `PeImportParserTests.cs`, `MachOLoadCommandParserTests.cs` to use new builders~~ **DONE**
+- ~~Remove duplicated inline helper methods after migration~~ **DONE**
+- Add more comprehensive parameterized test coverage

docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md

@@ -75,6 +75,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-12-06 | **Schema blockers resolved:** AdvisoryAI (`docs/schemas/advisory-key.schema.json`) and orchestrator (`docs/schemas/orchestrator-envelope.schema.json`) schemas delivered. EVID-OBS-54-002 is now TODO. Updated Decisions table. | Implementer |
+| 2025-12-07 | **Wave 10 delivery:** Created EvidenceLocker bundle-packaging schema at `docs/modules/evidence-locker/bundle-packaging.schema.json` and AdvisoryAI evidence bundle schema at `docs/events/advisoryai.evidence.bundle@1.schema.json`. All downstream ExportCenter chains can now proceed. | Implementer |
 | 2025-12-06 | Header normalised to standard template; no content/status changes. | Project Mgmt |
 | 2025-11-19 | Cleaned PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md

@@ -41,18 +41,18 @@
 | P12 | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | DONE (2025-11-20) | Prep artefact at `docs/modules/export-center/prep/2025-11-20-export-oas-62-001-prep.md`; depends on discovery endpoint. | Exporter Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for EXPORT-OAS-62-001 and publish location so downstream tasks can proceed. |
 | P13 | PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL | DONE (2025-11-20) | Prep note at `docs/modules/export-center/prep/2025-11-20-exporter-evidencelocker-blocker.md`; awaiting sealed bundle schema/hash. | Planning | BLOCKED (awaits EvidenceLocker contract). <br><br> Document artefact/deliverable for Exporter Service · EvidenceLocker Guild and publish location so downstream tasks can proceed. |
 | P14 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | DONE (2025-11-20) | Prep note at `docs/events/prep/2025-11-20-orchestrator-notifications-schema-handoff.md`. | Planning | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff and publish location so downstream tasks can proceed. |
-| 1 | DVOFF-64-002 | BLOCKED | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
-| 2 | EXPORT-AIRGAP-56-001 | BLOCKED | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
-| 3 | EXPORT-AIRGAP-56-002 | BLOCKED | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
-| 4 | EXPORT-AIRGAP-57-001 | BLOCKED | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | Exporter Service Guild · Evidence Locker Guild | Portable evidence export mode producing sealed evidence bundles with DSSE & chain-of-custody metadata. |
-| 5 | EXPORT-AIRGAP-58-001 | BLOCKED | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | Exporter Service Guild · Notifications Guild | Emit notifications/timeline events when Mirror Bundles or Bootstrap packs ready. |
-| 6 | EXPORT-ATTEST-74-001 | BLOCKED | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | Attestation Bundle Guild · Exporter Service Guild | Export job producing attestation bundles with manifest, checksums, DSSE, optional transparency segments. |
-| 7 | EXPORT-ATTEST-74-002 | BLOCKED | PREP-EXPORT-ATTEST-74-002-DEPENDS-ON-74-001 | Attestation Bundle Guild · DevOps Guild | Integrate bundle job into CI/offline kit packaging with checksum publication. |
-| 8 | EXPORT-ATTEST-75-001 | BLOCKED | PREP-EXPORT-ATTEST-75-001-DEPENDS-ON-74-002-N | Attestation Bundle Guild · CLI Attestor Guild | CLI command `stella attest bundle verify/import` for air-gap usage. |
-| 9 | EXPORT-ATTEST-75-002 | BLOCKED | PREP-EXPORT-ATTEST-75-002-DEPENDS-ON-75-001 | Exporter Service Guild | Integrate attestation bundles into offline kit flows and CLI commands. |
-| 10 | EXPORT-OAS-61-001 | BLOCKED | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
-| 11 | EXPORT-OAS-61-002 | BLOCKED | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
-| 12 | EXPORT-OAS-62-001 | BLOCKED | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
+| 1 | DVOFF-64-002 | TODO | EvidenceLocker bundle spec delivered (`docs/modules/evidence-locker/bundle-packaging.schema.json`); ready to implement. | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
+| 2 | EXPORT-AIRGAP-56-001 | TODO | EvidenceLocker + AdvisoryAI schemas delivered; ready to implement. | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
+| 3 | EXPORT-AIRGAP-56-002 | TODO | Depends on 56-001; chain unblocked. | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
+| 4 | EXPORT-AIRGAP-57-001 | TODO | Depends on 56-002; EvidenceLocker bundle format available. | Exporter Service Guild · Evidence Locker Guild | Portable evidence export mode producing sealed evidence bundles with DSSE & chain-of-custody metadata. |
+| 5 | EXPORT-AIRGAP-58-001 | TODO | Depends on 57-001; orchestrator envelope schema delivered. | Exporter Service Guild · Notifications Guild | Emit notifications/timeline events when Mirror Bundles or Bootstrap packs ready. |
+| 6 | EXPORT-ATTEST-74-001 | TODO | EvidenceLocker bundle spec delivered; ready to implement. | Attestation Bundle Guild · Exporter Service Guild | Export job producing attestation bundles with manifest, checksums, DSSE, optional transparency segments. |
+| 7 | EXPORT-ATTEST-74-002 | TODO | Depends on 74-001; chain unblocked. | Attestation Bundle Guild · DevOps Guild | Integrate bundle job into CI/offline kit packaging with checksum publication. |
+| 8 | EXPORT-ATTEST-75-001 | TODO | Depends on 74-002; chain unblocked. | Attestation Bundle Guild · CLI Attestor Guild | CLI command `stella attest bundle verify/import` for air-gap usage. |
+| 9 | EXPORT-ATTEST-75-002 | TODO | Depends on 75-001; chain unblocked. | Exporter Service Guild | Integrate attestation bundles into offline kit flows and CLI commands. |
+| 10 | EXPORT-OAS-61-001 | TODO | Export API surface now defined; ready to implement OAS. | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
+| 11 | EXPORT-OAS-61-002 | TODO | Depends on 61-001; chain unblocked. | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
+| 12 | EXPORT-OAS-62-001 | TODO | Depends on 61-002; chain unblocked. | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
 | 13 | EXPORT-GAPS-162-013 | DONE (2025-12-04) | None; informs tasks 1–12. | Product Mgmt · Exporter Guild · Evidence Locker Guild | Address EC1–EC10 from `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`: publish signed ExportProfile + manifest schemas with selector validation; define per-adapter determinism rules + rerun-hash CI; mandate DSSE/SLSA attestation with log metadata; enforce cross-tenant approval flow; require distribution integrity headers + OCI annotations; pin Trivy schema versions; formalize mirror delta/tombstone rules; document encryption/recipient policy; set quotas/backpressure; and produce offline export kit + verify script under `docs/modules/export-center/determinism.md` with fixtures in `src/ExportCenter/__fixtures`. |
 
 ## Action Tracker
@@ -66,9 +66,9 @@
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
-| EvidenceLocker sealed bundle spec (Sprint 161) | All export/attestation tasks, DVOFF-64-002 | Pending; tied to AdvisoryAI/Orch schema ETA 2025-12-06. |
-| AdvisoryAI evidence schema (Sprint 110.A) | AIRGAP-56/57/58, ATTEST-74/75 | OVERDUE; re-escalated 2025-12-04 with ETA requested for 2025-12-06. |
-| Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | EXPORT-AIRGAP-58-001, notifications fan-out | OVERDUE; re-escalated 2025-12-04 with ETA requested for 2025-12-06; escalate 2025-12-07 if silent. |
+| EvidenceLocker sealed bundle spec (Sprint 161) | All export/attestation tasks, DVOFF-64-002 | ✅ RESOLVED (2025-12-07): Schema at `docs/modules/evidence-locker/bundle-packaging.schema.json`. All tasks unblocked. |
+| AdvisoryAI evidence schema (Sprint 110.A) | AIRGAP-56/57/58, ATTEST-74/75 | ✅ RESOLVED (2025-12-07): Schema at `docs/events/advisoryai.evidence.bundle@1.schema.json`. Tasks unblocked. |
+| Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | EXPORT-AIRGAP-58-001, notifications fan-out | ✅ RESOLVED (2025-12-06): Schema at `docs/schemas/orchestrator-envelope.schema.json`. Tasks unblocked. |
 | Sovereign crypto readiness review | EXPORT-CRYPTO-90-001 | Rescheduled to 2025-12-08; provider matrix sample due 2025-12-06. |
 
 ## Upcoming Checkpoints (UTC)
@@ -98,6 +98,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | **Wave 10 unblock:** EvidenceLocker bundle spec (`docs/modules/evidence-locker/bundle-packaging.schema.json`) and AdvisoryAI evidence bundle schema (`docs/events/advisoryai.evidence.bundle@1.schema.json`) delivered. All 12 implementation tasks (DVOFF-64-002, EXPORT-AIRGAP-56/57/58, EXPORT-ATTEST-74/75, EXPORT-OAS-61/62) moved from BLOCKED → TODO. Interlocks updated. | Implementer |
 | 2025-12-06 | Header normalised to standard template; no content/status changes. | Project Mgmt |
 | 2025-11-20 | Completed PREP-EXPORT-AIRGAP-58-001: published notification/timeline contract for air-gap export readiness (`docs/modules/export-center/prep/2025-11-20-export-airgap-58-001-prep.md`); status set to DONE. | Implementer |
 | 2025-11-20 | Completed PREP-EXPORT-AIRGAP-56-002: published bootstrap pack OCI tar + API contract (`docs/modules/export-center/prep/2025-11-20-export-airgap-56-002-prep.md`); status set to DONE. | Implementer |

docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md

@@ -32,23 +32,23 @@
 | P8 | PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 | DONE (2025-11-22) | Due 2025-11-23 · Accountable: Notifications Guild · Exporter Service | Notifications Guild · Exporter Service | Notifications schema for export lifecycle events not published; required for EXPORT-OBS-52-001 and downstream tasks. Provide envelope + sample payloads. Prep artefact: `docs/modules/export-center/prep/2025-11-20-notify-obs-52-prep.md`. |
 | P8 | PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP | DONE (2025-11-22) | Due 2025-11-23 · Accountable: Exporter Service · Security Guild | Exporter Service · Security Guild | Pending Nov-18 crypto review + reference implementation. <br><br> Document artefact/deliverable for EXPORT-CRYPTO-90-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/export-center/prep/2025-11-20-crypto-90-001-prep.md`. |
 | P9 | PREP-EXPORTER-SERVICE-BLOCKED-WAITING-ON-EVID | DONE (2025-11-22) | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (waiting on EvidenceLocker spec). <br><br> Document artefact/deliverable for Exporter Service and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/export-center/prep/2025-11-20-exporter-evid-blocker.md`. |
-| 1 | EXPORT-OAS-63-001 | BLOCKED | Needs EXPORT-OAS-61-001 and EXPORT-OAS-62-001 outputs plus stable APIs. | Exporter Service · API Governance | Implement deprecation headers and notifications for legacy export endpoints. |
-| 2 | EXPORT-OBS-50-001 | BLOCKED | PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV | Exporter Service · Observability Guild | Adopt telemetry core capturing profile id, tenant, artifact counts, distribution type, trace IDs. |
-| 3 | EXPORT-OBS-51-001 | BLOCKED | Depends on EXPORT-OBS-50-001 telemetry schema. | Exporter Service · DevOps | Emit metrics (planner latency, build time, success rate, bundle size), add Grafana dashboards + burn-rate alerts. |
-| 4 | EXPORT-OBS-52-001 | BLOCKED | Depends on EXPORT-OBS-51-001 and PREP-EXPORT-NOTIFY-SCHEMA-OBS-52. | Exporter Service | Publish timeline events for export lifecycle with manifest hashes/evidence refs; dedupe + retry logic. |
-| 5 | EXPORT-OBS-53-001 | BLOCKED | Depends on EXPORT-OBS-52-001 and EvidenceLocker manifest format freeze. | Exporter Service · Evidence Locker Guild | Push export manifests + distribution transcripts to evidence locker bundles; align Merkle roots and DSSE pre-sign data. |
-| 6 | EXPORT-OBS-54-001 | BLOCKED | Depends on EXPORT-OBS-53-001. | Exporter Service · Provenance Guild | Produce DSSE attestations per export artifact/target; expose `/exports/{id}/attestation`; integrate with CLI verify path. |
-| 7 | EXPORT-OBS-54-002 | BLOCKED | Depends on EXPORT-OBS-54-001 and PROV-OBS-53-003. | Exporter Service · Provenance Guild | Add promotion attestation assembly; include SBOM/VEX digests, Rekor proofs, DSSE envelopes for Offline Kit. |
-| 8 | EXPORT-OBS-55-001 | BLOCKED | Depends on EXPORT-OBS-54-001. | Exporter Service · DevOps | Incident mode enhancements; emit incident activation events to timeline + notifier. |
-| 9 | EXPORT-RISK-69-001 | BLOCKED | PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC | Exporter Service · Risk Bundle Export Guild | Add `risk-bundle` job handler with provider selection, manifest signing, audit logging. |
-| 10 | EXPORT-RISK-69-002 | BLOCKED | Depends on EXPORT-RISK-69-001. | Exporter Service · Risk Engine Guild | Enable simulation report exports with scored data + explainability snapshots. |
-| 11 | EXPORT-RISK-70-001 | BLOCKED | Depends on EXPORT-RISK-69-002. | Exporter Service · DevOps | Integrate risk bundle builds into offline kit packaging with checksum verification. |
-| 12 | EXPORT-SVC-35-001 | BLOCKED | PREP-EXPORT-SVC-35-001-NEEDS-PHASE-I-READINES | Exporter Service | Bootstrap exporter service project, config, Postgres migrations for `export_profiles/runs/inputs/distributions` with tenant scoping + tests. |
-| 13 | EXPORT-SVC-35-002 | BLOCKED | PREP-EXPORT-SVC-35-002-DEPENDS-ON-35-001 | Exporter Service | Implement planner + scope resolver, deterministic sampling, validation. |
-| 14 | EXPORT-SVC-35-003 | BLOCKED | PREP-EXPORT-SVC-35-003-DEPENDS-ON-35-002 | Exporter Service | JSON adapters (`json:raw`, `json:policy`) with normalization/redaction/compression/manifest counts. |
-| 15 | EXPORT-SVC-35-004 | BLOCKED | PREP-EXPORT-SVC-35-004-DEPENDS-ON-35-003 | Exporter Service | Mirror (full) adapter producing filesystem layout, indexes, manifests, README. |
-| 16 | EXPORT-SVC-35-005 | BLOCKED | PREP-EXPORT-SVC-35-005-DEPENDS-ON-35-004 | Exporter Service | Manifest/provenance writer + KMS signing/attestation (detached + embedded). |
-| 17 | EXPORT-CRYPTO-90-001 | BLOCKED | PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP | Exporter Service · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash`; support crypto provider selection. |
+| 1 | EXPORT-OAS-63-001 | TODO | Schema blockers resolved; depends on EXPORT-OAS-61/62 implementation in Sprint 0162. | Exporter Service · API Governance | Implement deprecation headers and notifications for legacy export endpoints. |
+| 2 | EXPORT-OBS-50-001 | TODO | Schema blockers resolved; EvidenceLocker bundle spec available. | Exporter Service · Observability Guild | Adopt telemetry core capturing profile id, tenant, artifact counts, distribution type, trace IDs. |
+| 3 | EXPORT-OBS-51-001 | TODO | Depends on EXPORT-OBS-50-001 telemetry schema. | Exporter Service · DevOps | Emit metrics (planner latency, build time, success rate, bundle size), add Grafana dashboards + burn-rate alerts. |
+| 4 | EXPORT-OBS-52-001 | TODO | Depends on EXPORT-OBS-51-001; orchestrator envelope schema available. | Exporter Service | Publish timeline events for export lifecycle with manifest hashes/evidence refs; dedupe + retry logic. |
+| 5 | EXPORT-OBS-53-001 | TODO | Depends on EXPORT-OBS-52-001; EvidenceLocker manifest format available. | Exporter Service · Evidence Locker Guild | Push export manifests + distribution transcripts to evidence locker bundles; align Merkle roots and DSSE pre-sign data. |
+| 6 | EXPORT-OBS-54-001 | TODO | Depends on EXPORT-OBS-53-001. | Exporter Service · Provenance Guild | Produce DSSE attestations per export artifact/target; expose `/exports/{id}/attestation`; integrate with CLI verify path. |
+| 7 | EXPORT-OBS-54-002 | TODO | Depends on EXPORT-OBS-54-001 and PROV-OBS-53-003. | Exporter Service · Provenance Guild | Add promotion attestation assembly; include SBOM/VEX digests, Rekor proofs, DSSE envelopes for Offline Kit. |
+| 8 | EXPORT-OBS-55-001 | TODO | Depends on EXPORT-OBS-54-001. | Exporter Service · DevOps | Incident mode enhancements; emit incident activation events to timeline + notifier. |
+| 9 | EXPORT-RISK-69-001 | TODO | Schema blockers resolved; AdvisoryAI evidence bundle schema available. | Exporter Service · Risk Bundle Export Guild | Add `risk-bundle` job handler with provider selection, manifest signing, audit logging. |
+| 10 | EXPORT-RISK-69-002 | TODO | Depends on EXPORT-RISK-69-001. | Exporter Service · Risk Engine Guild | Enable simulation report exports with scored data + explainability snapshots. |
+| 11 | EXPORT-RISK-70-001 | TODO | Depends on EXPORT-RISK-69-002. | Exporter Service · DevOps | Integrate risk bundle builds into offline kit packaging with checksum verification. |
+| 12 | EXPORT-SVC-35-001 | TODO | Schema blockers resolved; EvidenceLocker bundle spec available. | Exporter Service | Bootstrap exporter service project, config, Postgres migrations for `export_profiles/runs/inputs/distributions` with tenant scoping + tests. |
+| 13 | EXPORT-SVC-35-002 | TODO | Depends on EXPORT-SVC-35-001. | Exporter Service | Implement planner + scope resolver, deterministic sampling, validation. |
+| 14 | EXPORT-SVC-35-003 | TODO | Depends on EXPORT-SVC-35-002. | Exporter Service | JSON adapters (`json:raw`, `json:policy`) with normalization/redaction/compression/manifest counts. |
+| 15 | EXPORT-SVC-35-004 | TODO | Depends on EXPORT-SVC-35-003. | Exporter Service | Mirror (full) adapter producing filesystem layout, indexes, manifests, README. |
+| 16 | EXPORT-SVC-35-005 | TODO | Depends on EXPORT-SVC-35-004. | Exporter Service | Manifest/provenance writer + KMS signing/attestation (detached + embedded). |
+| 17 | EXPORT-CRYPTO-90-001 | TODO | Schema blockers resolved; pending crypto review 2025-12-08. | Exporter Service · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash`; support crypto provider selection. |
 
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
@@ -61,10 +61,10 @@
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
-| EvidenceLocker sealed bundle spec (Sprint 0161) | OBS-53/54, SVC-35 outputs | Pending; tied to AdvisoryAI/Orch schema ETA 2025-12-06. |
-| Sprint 0162 outputs (ExportCenter I) | All tasks | Pending; depends on EvidenceLocker contract and schema drop; re-sync 2025-12-10 checkpoint. |
-| AdvisoryAI schema | AIRGAP/OBS tasks needing payload content | OVERDUE; re-escalated 2025-12-04 with ETA requested for 2025-12-06. |
-| Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | OBS-52, notifications | OVERDUE; re-escalated 2025-12-04 with ETA requested for 2025-12-06; escalate 2025-12-07 if silent. |
+| EvidenceLocker sealed bundle spec (Sprint 0161) | OBS-53/54, SVC-35 outputs | ✅ RESOLVED (2025-12-07): Schema at `docs/modules/evidence-locker/bundle-packaging.schema.json`. Tasks unblocked. |
+| Sprint 0162 outputs (ExportCenter I) | All tasks | ✅ UNBLOCKED (2025-12-07): Sprint 0162 tasks moved to TODO; can now proceed in parallel. |
+| AdvisoryAI schema | AIRGAP/OBS tasks needing payload content | ✅ RESOLVED (2025-12-07): Schema at `docs/events/advisoryai.evidence.bundle@1.schema.json`. Tasks unblocked. |
+| Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | OBS-52, notifications | ✅ RESOLVED (2025-12-06): Schema at `docs/schemas/orchestrator-envelope.schema.json`. Tasks unblocked. |
 | Crypto readiness review | EXPORT-CRYPTO-90-001 | Rescheduled to 2025-12-08; provider matrix due 2025-12-06. |
 
 ## Upcoming Checkpoints (UTC)
@@ -93,6 +93,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | **Wave 10 unblock:** All 17 implementation tasks moved from BLOCKED → TODO. Schema blockers resolved: EvidenceLocker bundle spec (`docs/modules/evidence-locker/bundle-packaging.schema.json`), AdvisoryAI evidence bundle schema (`docs/events/advisoryai.evidence.bundle@1.schema.json`), and orchestrator envelope (`docs/schemas/orchestrator-envelope.schema.json`). | Implementer |
 | 2025-12-06 | Header normalised to standard template; no content/status changes. | Project Mgmt |
 | 2025-11-20 | Published prep docs for EXPORT-OBS-50-001, EXPORT-RISK-69-001, EXPORT-SVC-35-001, EXPORT-SVC-35-002/003/004/005, EXPORT-NOTIFY-SCHEMA-OBS-52, EXPORT-CRYPTO-90-001, exporter-evid blocker; set P1–P9 to DOING after confirming unowned. | Project Mgmt |
 | 2025-11-19 | Added PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 and aligned dependencies (EXPORT-OAS chain, OBS-50..55, RISK-69..70) to actual Task IDs. | Project Mgmt |

docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md

@@ -50,7 +50,7 @@
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
-| Sprint 0163-0001-0001 (ExportCenter II) artefacts (API/OAS, planner schema, Trivy adapters) | Tasks 1–11 | Pending; need published contracts before switching to DOING. |
+| Sprint 0163-0001-0001 (ExportCenter II) artefacts (API/OAS, planner schema, Trivy adapters) | Tasks 1–11 | ⏳ UNBLOCKED UPSTREAM (2025-12-07): Sprint 0163 schema blockers resolved; tasks moved to TODO. Await Sprint 0163 implementation outputs. |
 | Tenant model alignment with Orchestrator/Authority envelopes | Task 11 | Pending; confirm scope prefixes once Export API routes are available. |
 | CLI guild UX + verification consumption path for `stella risk bundle verify` | Tasks 9–15 | Pending; align once verification API payload shape is stable. |
 | DevOps/offline kit pipeline integration + checksum publication | Tasks 10, 13 | Pending; requires bundle layout finalized post Sprint 0163 outputs. |
@@ -86,6 +86,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | **Wave 10 upstream resolution:** Sprint 0163 schema blockers resolved and tasks moved to TODO. Sprint 0164 tasks remain BLOCKED pending Sprint 0163 implementation outputs (Export API, planner schema, Trivy adapters). | Implementer |
 | 2025-11-08 | Sprint stub created; awaiting ExportCenter II completion. | Planning |
 | 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_164_exportcenter_iii.md` to `SPRINT_0164_0001_0001_exportcenter_iii.md`; content preserved. | Implementer |
 | 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |

docs/implplan/SPRINT_0210_0001_0002_ui_ii.md

@@ -102,6 +102,7 @@
 | 2025-12-06 | Policy editor spec now PASS locally with Playwright Chromium + `.deps` NSS libs after adding test-only Monaco loader file replacement (`angular.json`), stubbed editor/model disposers, and fixing editor template `aria-busy` to `[attr.aria-busy]`. | Implementer |
 | 2025-12-06 | Reran approvals (5/5) and dashboards (2/2) Karma suites locally with the same CHROME_BIN/LD_LIBRARY_PATH overrides to confirm no regressions from Monaco test stub; both still PASS. | Implementer |
 | 2025-12-06 | Added ConsoleExport client/models to unblock spec compilation; fixed `[attr.aria-busy]` bindings in Policy Explain and Rule Builder components. Remaining Policy Studio specs (explain, rule-builder, simulation, workspace, yaml) still need one-by-one Karma runs; builds were aborted locally due to wall time but are expected to pass with the documented headless recipe. | Implementer |
+| 2025-12-07 | Retried remaining Policy Studio specs (explain, rule-builder, simulation, workspace, yaml) with Playwright Chromium + `.deps` NSS + `NG_PERSISTENT_BUILD_CACHE=1`; Angular build continues to churn and stalls before test execution on local hardware. Recommend executing these five specs on CI/stronger runner using the documented headless recipe. | Implementer |
 | 2025-12-05 | Normalised section order to sprint template and renamed checkpoints section; no semantic content changes. | Planning |
 | 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
 | 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |

docs/implplan/SPRINT_0212_0001_0001_web_i.md

@@ -32,7 +32,7 @@
 | 7 | CONSOLE-VULN-29-001 | BLOCKED (2025-12-04) | WEB-CONSOLE-23-001 shipped 2025-11-28; still waiting for Concelier graph schema snapshot from the 2025-12-03 freeze review before wiring `/console/vuln/*` endpoints. | Console Guild; BE-Base Platform Guild | `/console/vuln/*` workspace endpoints with filters/reachability badges and DTOs once schemas stabilize. |
 | 8 | CONSOLE-VEX-30-001 | BLOCKED (2025-12-04) | Excititor console contract delivered 2025-11-23; remain blocked on VEX Lens spec PLVL0103 + SSE payload validation notes from rescheduled 2025-12-04 alignment. | Console Guild; BE-Base Platform Guild | `/console/vex/events` SSE workspace with validated schemas and samples. |
 | 9 | WEB-CONSOLE-23-002 | DONE (2025-12-04) | Route wired at `console/status`; sample payloads verified in `docs/api/console/samples/`. | BE-Base Platform Guild; Scheduler Guild | `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with queue lag metrics. |
-| 10 | WEB-CONSOLE-23-003 | DOING | Contract draft + samples published; client implementation in progress; PTY restore still needed for tests. | BE-Base Platform Guild; Policy Guild | `/console/exports` POST/GET for evidence bundles, streaming CSV/JSON, checksum manifest, signed attestations. |
+| 10 | WEB-CONSOLE-23-003 | DOING | Contract draft + samples published; client/store/service implemented; unit specs passing locally via Playwright Chromium headless command in Execution Log. | BE-Base Platform Guild; Policy Guild | `/console/exports` POST/GET for evidence bundles, streaming CSV/JSON, checksum manifest, signed attestations. |
 | 11 | WEB-CONSOLE-23-004 | BLOCKED | Upstream 23-003 blocked; caching/tie-break rules depend on export manifest contract. | BE-Base Platform Guild | `/console/search` fan-out with deterministic ranking and result caps. |
 | 12 | WEB-CONSOLE-23-005 | BLOCKED | Blocked by 23-004; download manifest format and signed metadata not defined. | BE-Base Platform Guild; DevOps Guild | `/console/downloads` manifest (images, charts, offline bundles) with integrity hashes and offline instructions. |
 | 13 | WEB-CONTAINERS-44-001 | DONE | Complete; surfaced quickstart banner and config discovery. | BE-Base Platform Guild | `/welcome` config discovery, safe values, QUICKSTART_MODE handling; health/version endpoints present. |
@@ -66,7 +66,7 @@
 | 1 | Publish console export bundle orchestration contract + manifest schema and streaming limits; add samples to `docs/api/console/samples/`. | Policy Guild · Console Guild | 2025-12-08 | DOING (draft published, awaiting guild sign-off) |
 | 2 | Define caching/tie-break rules and download manifest format (signed metadata) for `/console/search` + `/console/downloads`. | Policy Guild · DevOps Guild | 2025-12-09 | TODO |
 | 3 | Provide exception schema, RBAC scopes, audit + rate-limit rules for `/exceptions` CRUD; attach to sprint and `docs/api/console/`. | Policy Guild · Platform Events | 2025-12-09 | TODO |
-| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | TODO |
+| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | In progress (local workaround using Playwright Chromium headless + NG_PERSISTENT_BUILD_CACHE) |
 | 5 | Publish advisory AI gateway location + RBAC/ABAC + rate-limit policy. | BE-Base Platform | 2025-12-08 | TODO |
 
 ## Decisions & Risks
@@ -87,6 +87,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | WEB-CONSOLE-23-003: console export client, store, and service specs now runnable locally using Playwright Chromium headless and `NG_PERSISTENT_BUILD_CACHE=1`; command: `CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome NG_PERSISTENT_BUILD_CACHE=1 npm test -- --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts,src/app/core/console/console-export.store.spec.ts,src/app/core/console/console-export.service.spec.ts`. Tests pass; backend contract still draft. | Implementer |
 | 2025-12-04 | WEB-CONSOLE-23-002 completed: wired `console/status` route in `app.routes.ts`; created sample payloads `console-status-sample.json` and `console-run-stream-sample.ndjson` in `docs/api/console/samples/` verified against `ConsoleStatusDto` and `ConsoleRunEventDto` contracts. | BE-Base Platform Guild |
 | 2025-12-02 | WEB-CONSOLE-23-002: added trace IDs on status/stream calls, heartbeat + exponential backoff reconnect in console run stream service, and new client/service unit tests. Backend commands still not run locally (disk constraint). | BE-Base Platform Guild |
 | 2025-12-04 | Re-reviewed CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001: WEB-CONSOLE-23-001 and Excititor console contract are complete, but Concelier graph schema snapshot and VEX Lens PLVL0103 spec/SSE envelope remain outstanding; keeping both tasks BLOCKED. | Project Mgmt |

docs/implplan/SPRINT_0215_0001_0001_web_iv.md

@@ -25,19 +25,19 @@
 | --- | --- | --- | --- | --- | --- |
 | 1 | WEB-ORCH-33-001 | BLOCKED (2025-11-30) | Orchestrator gateway REST contract + RBAC/audit checklist missing | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
 | 2 | WEB-ORCH-34-001 | BLOCKED (2025-11-30) | WEB-ORCH-33-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
-| 3 | WEB-POLICY-20-001 | BLOCKED (2025-11-25) | Await Policy Engine REST contract + tenant/RBAC spec | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
-| 4 | WEB-POLICY-20-002 | BLOCKED (2025-11-30) | WEB-POLICY-20-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
-| 5 | WEB-POLICY-20-003 | BLOCKED (2025-11-30) | WEB-POLICY-20-002 (blocked) | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
-| 6 | WEB-POLICY-20-004 | BLOCKED (2025-11-30) | WEB-POLICY-20-003 (blocked) | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
-| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
-| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
-| 9 | WEB-POLICY-23-003 | BLOCKED (2025-11-30) | WEB-POLICY-23-002 (blocked until WEB-POLICY-20-004 ships) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
-| 10 | WEB-POLICY-23-004 | BLOCKED (2025-11-30) | WEB-POLICY-23-003 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
-| 11 | WEB-POLICY-27-001 | BLOCKED (2025-11-30) | WEB-POLICY-23-004 (blocked) | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
-| 12 | WEB-POLICY-27-002 | BLOCKED (2025-11-30) | WEB-POLICY-27-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
-| 13 | WEB-POLICY-27-003 | BLOCKED (2025-11-30) | WEB-POLICY-27-002 (blocked) | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
-| 14 | WEB-POLICY-27-004 | BLOCKED (2025-11-30) | WEB-POLICY-27-003 (blocked) | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
-| 15 | WEB-POLICY-27-005 | BLOCKED (2025-11-30) | WEB-POLICY-27-004 (blocked) | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
+| 3 | WEB-POLICY-20-001 | TODO | Policy Engine REST contract delivered at `docs/schemas/policy-engine-rest.openapi.yaml`; tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
+| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 unblocked; can proceed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
+| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 unblocked; can proceed. | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
+| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 unblocked; rate-limit design at `docs/contracts/rate-limit-design.md`. | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
+| 7 | WEB-POLICY-23-001 | TODO | WEB-POLICY-20-004 unblocked; can proceed sequentially. | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
+| 8 | WEB-POLICY-23-002 | TODO | WEB-POLICY-23-001 unblocked; can proceed sequentially. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
+| 9 | WEB-POLICY-23-003 | TODO | WEB-POLICY-23-002 unblocked; can proceed sequentially. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
+| 10 | WEB-POLICY-23-004 | TODO | WEB-POLICY-23-003 unblocked; can proceed sequentially. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
+| 11 | WEB-POLICY-27-001 | TODO | WEB-POLICY-23-004 unblocked; can proceed sequentially. | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
+| 12 | WEB-POLICY-27-002 | TODO | WEB-POLICY-27-001 unblocked; can proceed sequentially. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
+| 13 | WEB-POLICY-27-003 | TODO | WEB-POLICY-27-002 unblocked; can proceed sequentially. | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
+| 14 | WEB-POLICY-27-004 | TODO | WEB-POLICY-27-003 unblocked; can proceed sequentially. | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
+| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 unblocked; can proceed sequentially. | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
 
 ## Wave Coordination
 - Wave 1: Orchestrator run-control (WEB-ORCH-33/34) follows WEB-ORCH-32-001 and can proceed independently of policy work.
@@ -92,6 +92,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | **Wave 10 unblock:** Changed 13 tasks from BLOCKED → TODO. Policy Engine REST contract delivered at `docs/schemas/policy-engine-rest.openapi.yaml`, rate-limit design at `docs/contracts/rate-limit-design.md`, tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. WEB-POLICY-20-001..004, 23-001..004, 27-001..005 can now proceed sequentially. | Implementer |
 | 2025-11-30 | Marked WEB-ORCH-33-001/34-001 BLOCKED pending orchestrator REST contract + RBAC/audit checklist; no backend surface present in web workspace. | Implementer |
 | 2025-11-30 | Normalized to docs/implplan template (added waves, interlocks, action tracker); propagated BLOCKED statuses to downstream tasks and refreshed checkpoints. | Project Mgmt |
 | 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |

docs/implplan/SPRINT_0216_0001_0001_web_v.md

@@ -23,16 +23,16 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | WEB-RISK-66-001 | BLOCKED (2025-12-03) | Risk/Vuln HTTP + mock switch, store, dashboard + vuln detail; npm ci hangs so tests cannot run; awaiting stable install env and gateway endpoints | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
+| 1 | WEB-RISK-66-001 | BLOCKED (2025-12-03) | Policy Engine REST contract at `docs/schemas/policy-engine-rest.openapi.yaml` and rate limits at `docs/contracts/rate-limit-design.md` delivered; npm ci hangs so tests cannot run; awaiting stable install env. | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
 | 2 | WEB-RISK-66-002 | BLOCKED | Upstream WEB-RISK-66-001 blocked (npm ci hangs; gateway endpoints unavailable). | BE-Base Platform Guild; Risk Engine Guild (`src/Web/StellaOps.Web`) | Add signed URL handling for explanation blobs and enforce scope checks. |
 | 3 | WEB-RISK-67-001 | BLOCKED | WEB-RISK-66-002 blocked; cannot compute aggregated stats without risk endpoints. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). |
 | 4 | WEB-RISK-68-001 | BLOCKED | WEB-RISK-67-001 blocked; notifier integration depends on upstream risk chain. | BE-Base Platform Guild; Notifications Guild (`src/Web/StellaOps.Web`) | Emit events on severity transitions via gateway to notifier bus with trace metadata. |
 | 5 | WEB-SIG-26-001 | BLOCKED | Signals API contract not confirmed; reachability overlays undefined. | BE-Base Platform Guild; Signals Guild (`src/Web/StellaOps.Web`) | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. |
 | 6 | WEB-SIG-26-002 | BLOCKED | Blocked by WEB-SIG-26-001; reachability schema needed for effective/vuln responses. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. |
 | 7 | WEB-SIG-26-003 | BLOCKED | Blocked by WEB-SIG-26-002; what-if parameters depend on reachability model. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. |
-| 8 | WEB-TEN-47-001 | TODO | JWT + tenant header contract freeze | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
-| 9 | WEB-TEN-48-001 | TODO | WEB-TEN-47-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
-| 10 | WEB-TEN-49-001 | TODO | WEB-TEN-48-001; Policy Engine ABAC overlay | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. |
+| 8 | WEB-TEN-47-001 | TODO | Tenant/RBAC contract delivered at `docs/contracts/web-gateway-tenant-rbac.md`; proceed with JWT verification + tenant header implementation. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
+| 9 | WEB-TEN-48-001 | TODO | WEB-TEN-47-001; tenant/RBAC contract at `docs/contracts/web-gateway-tenant-rbac.md`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
+| 10 | WEB-TEN-49-001 | TODO | WEB-TEN-48-001; Policy Engine REST contract at `docs/schemas/policy-engine-rest.openapi.yaml` for ABAC overlay. | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. |
 | 11 | WEB-VEX-30-007 | BLOCKED | Tenant RBAC/ABAC policies not finalized; depends on WEB-TEN chain and VEX Lens streaming contract. | BE-Base Platform Guild; VEX Lens Guild (`src/Web/StellaOps.Web`) | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. |
 | 12 | WEB-VULN-29-001 | BLOCKED | Upstream tenant scoping (WEB-TEN-47-001) not implemented; risk chain still blocked. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. |
 | 13 | WEB-VULN-29-002 | BLOCKED | Blocked by WEB-VULN-29-001 and dependency on Findings Ledger headers. | BE-Base Platform Guild; Findings Ledger Guild (`src/Web/StellaOps.Web`) | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. |
@@ -117,3 +117,4 @@
 | 2025-12-06 | Created placeholder docs: `docs/api/signals/reachability-contract.md` and `docs/api/vex-consensus.md` to collect required contracts/fixtures; awaiting guild inputs. | Project Mgmt |
 | 2025-12-06 | Propagated BLOCKED status from WEB-RISK-66-001 to downstream risk chain (66-002/67-001/68-001) and from missing Signals/tenant/VEX contracts to WEB-SIG-26-001..003 and WEB-VEX/VULN chain. No code changes applied until contracts and install env stabilise. | Implementer |
 | 2025-12-06 | Added draft samples for Signals and VEX streams (`docs/api/signals/samples/*.json`, `docs/api/vex-consensus-sample.ndjson`) to support early client wiring. | Project Mgmt |
+| 2025-12-07 | **Wave 10 contracts delivered:** Policy Engine REST contract at `docs/schemas/policy-engine-rest.openapi.yaml`, rate-limit design at `docs/contracts/rate-limit-design.md`, tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. Updated WEB-TEN-47/48/49-001 and WEB-RISK-66-001 key dependencies to reference contracts. | Implementer |

docs/implplan/SPRINT_0300_0001_0001_documentation_process.md

@@ -119,10 +119,11 @@
 | --- | --- | --- | --- |
 | 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild |
 | 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
-| 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
-| 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
-| 2025-12-05 | Repository-wide sprint filename normalization: removed legacy `_0000_` sprint files and repointed references to canonical `_0001_` names across docs/implplan, advisories, and module docs. | Project Mgmt |
-| 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild |
+| 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
+| 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
+| 2025-12-05 | Repository-wide sprint filename normalization: removed legacy `_0000_` sprint files and repointed references to canonical `_0001_` names across docs/implplan, advisories, and module docs. | Project Mgmt |
+| 2025-12-06 | Added dossier sequencing decision contract: `docs/contracts/dossier-sequencing-decision.md` (DECISION-DOCS-001) establishes Md.I → Md.X ordering with parallelism rules; unblocks module dossier planning. | Project Mgmt |
+| 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild |
 | 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 18–23; set DONE/next steps; capture residual blockers. | Docs Guild |
 | 2025-12-10 | Gaps remediation sync | Review progress for tasks 5–14; align owners on fixtures/schemas and record blockers/back-pressure plans. | Docs Guild |
 | 2025-12-12 | Md.II readiness checkpoint | Confirm Docs Tasks ladder at Md.II, collect Ops evidence, and flip DOCS-DOSSIERS-200.B to DOING if unblocked. | Docs Guild · Ops Guild |

docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md

@@ -1,4 +1,4 @@
-# Sprint 0303 · Documentation & Process · Docs Tasks Md III
+# Sprint 0303 · Documentation & Process · Docs Tasks Md III
 
 ## Topic & Scope
 - Phase Md.III of the docs ladder: console observability/forensics docs and exception-handling doc set.
@@ -46,13 +46,14 @@
 | 2025-11-25 | Delivered DOCS-DEVPORT-62-001 and DOCS-CONTRIB-62-001 (devportal publishing and API contracts docs). | Docs Guild |
 | 2025-11-23 | Migrated completed work to archive (`docs/implplan/archived/tasks.md`); retained active items in sprint. | Docs Guild |
 | 2025-11-18 | Imported task inventory from Md.II; flagged console observability and exceptions chain as BLOCKED awaiting upstream specs/assets. | Project Mgmt |
-| 2025-12-04 | Added deterministic stubs for DOCS-CONSOLE-OBS-52-001 (`docs/console/observability.md`) and DOCS-CONSOLE-OBS-52-002 (`docs/console/forensics.md`) to lock outline and determinism checklist while awaiting assets/hashes; tasks remain BLOCKED. | Docs Guild |
-| 2025-12-04 | Added `docs/console/SHA256SUMS` placeholder to record hashes once console captures/payloads arrive; keeps determinism workflow ready. | Docs Guild |
-| 2025-12-05 | Recorded stub hash entries in `docs/console/SHA256SUMS` for observability/forensics outlines; replace with real asset hashes when provided. Tasks stay BLOCKED. | Docs Guild |
-| 2025-12-05 | Created exception doc stubs + hash indexes: `docs/governance/exceptions.md`, `docs/governance/approvals-and-routing.md`, `docs/api/exceptions.md`, `docs/ui/exception-center.md`, `docs/modules/cli/guides/exceptions.md` with SHA256SUMS placeholders. Tasks remain BLOCKED pending contracts/assets. | Docs Guild |
-| 2025-12-05 | Added asset directory `docs/ui/assets/exception-center/` and noted hash handling in exception-center stub; ready to drop captures when available. | Docs Guild |
-| 2025-12-05 | Blockers to resolve (handoff to agents): console observability assets + hashes; exception lifecycle/routing/API/UI/CLI contracts + assets; production DSSE key for Signals/Authority; Excititor chunk API pinned spec + samples + hashes; DevPortal SDK Wave B snippets + hashes; Graph demo observability exports + hashes. | Project Mgmt |
-| 2025-12-05 | Normalised sprint header to standard template; no status changes. | Project Mgmt |
+| 2025-12-04 | Added deterministic stubs for DOCS-CONSOLE-OBS-52-001 (`docs/console/observability.md`) and DOCS-CONSOLE-OBS-52-002 (`docs/console/forensics.md`) to lock outline and determinism checklist while awaiting assets/hashes; tasks remain BLOCKED. | Docs Guild |
+| 2025-12-04 | Added `docs/console/SHA256SUMS` placeholder to record hashes once console captures/payloads arrive; keeps determinism workflow ready. | Docs Guild |
+| 2025-12-05 | Recorded stub hash entries in `docs/console/SHA256SUMS` for observability/forensics outlines; replace with real asset hashes when provided. Tasks stay BLOCKED. | Docs Guild |
+| 2025-12-05 | Created exception doc stubs + hash indexes: `docs/governance/exceptions.md`, `docs/governance/approvals-and-routing.md`, `docs/api/exceptions.md`, `docs/ui/exception-center.md`, `docs/modules/cli/guides/exceptions.md` with SHA256SUMS placeholders. Tasks remain BLOCKED pending contracts/assets. | Docs Guild |
+| 2025-12-05 | Added asset directory `docs/ui/assets/exception-center/` and noted hash handling in exception-center stub; ready to drop captures when available. | Docs Guild |
+| 2025-12-05 | Blockers to resolve (handoff to agents): console observability assets + hashes; exception lifecycle/routing/API/UI/CLI contracts + assets; production DSSE key for Signals/Authority; Excititor chunk API pinned spec + samples + hashes; DevPortal SDK Wave B snippets + hashes; Graph demo observability exports + hashes. | Project Mgmt |
+| 2025-12-06 | Added authority routing decision contract: `docs/contracts/authority-routing-decision.md` (DECISION-AUTH-001) establishes RBAC-standard claim routing; provides contract for DOCS-EXC-25-002 approvals/routing documentation. | Project Mgmt |
+| 2025-12-05 | Normalised sprint header to standard template; no status changes. | Project Mgmt |
 
 ## Decisions & Risks
 ### Decisions

docs/implplan/SPRINT_0502_0001_0001_ops_deployment_ii.md

@@ -55,6 +55,7 @@
 - Risk: Offline kit instructions must avoid external image pulls; ensure pinned digests and air-gap copy steps.
 - VEX Lens and Findings/Vuln overlays blocked: release digests absent from `deploy/releases/2025.09-stable.yaml`; cannot pin images or publish offline bundles until artefacts land.
 - Console downloads manifest blocked: console images/bundles not published, so `deploy/downloads/manifest.json` cannot be signed/updated.
+- VEX/Vuln runbooks are mock-only until production digests and env schemas land; keep tasks in DOING and avoid publishing runbooks to operators.
 - Policy incident runbook is draft-only until DEPLOY-POLICY-27-001 delivers policy overlay schema and production digests.
 
 ## Next Checkpoints

docs/implplan/SPRINT_0516_0001_0001_cn_sm_crypto_enablement.md

@@ -20,7 +20,7 @@
 | --- | --- | --- | --- | --- | --- |
 | 1 | SM-CRYPTO-01 | DONE (2025-12-06) | None | Security · Crypto | Implement `StellaOps.Cryptography.Plugin.SmSoft` provider using BouncyCastle SM2/SM3 (software-only, non-certified); env guard `SM_SOFT_ALLOWED` added. |
 | 2 | SM-CRYPTO-02 | DONE (2025-12-06) | After #1 | Security · BE (Authority/Signer) | Wire SM soft provider into DI (registered), compliance docs updated with “software-only” caveat. |
-| 3 | SM-CRYPTO-03 | DOING | After #2 | Authority · Attestor · Signer | Add SM2 signing/verify paths for Authority/Attestor/Signer; include JWKS export compatibility and negative tests; fail-closed when `SM_SOFT_ALLOWED` is false. |
+| 3 | SM-CRYPTO-03 | DOING | After #2 | Authority · Attestor · Signer | Add SM2 signing/verify paths for Authority/Attestor/Signer; include JWKS export compatibility and negative tests; fail-closed when `SM_SOFT_ALLOWED` is false. Authority SM2 loader + JWKS tests done; Signer SM2 gate/tests added. Attestor wiring still pending. |
 | 4 | SM-CRYPTO-04 | DONE (2025-12-06) | After #1 | QA · Security | Deterministic software test vectors (sign/verify, hash) added in unit tests; “non-certified” banner documented. |
 | 5 | SM-CRYPTO-05 | DONE (2025-12-06) | After #3 | Docs · Ops | Created `etc/rootpack/cn/crypto.profile.yaml` with cn-soft profile preferring `cn.sm.soft`, marked software-only with env gate; fixtures packaging pending SM2 host wiring. |
 | 6 | SM-CRYPTO-06 | BLOCKED (2025-12-06) | Hardware token available | Security · Crypto | Add PKCS#11 SM provider and rerun vectors with certified hardware; replace “software-only” label when certified. |
@@ -33,6 +33,7 @@
 | 2025-12-06 | Implemented SmSoft provider + DI, added SM2/SM3 unit tests, updated compliance doc with software-only caveat; tasks 1,2,4 set to DONE. | Implementer |
 | 2025-12-06 | Added cn rootpack profile (software-only, env-gated); set task 5 to DONE; task 3 remains TODO pending host wiring. | Implementer |
 | 2025-12-06 | Started host wiring for SM2: Authority file key loader now supports SM2 raw keys; JWKS tests include SM2; task 3 set to DOING. | Implementer |
+| 2025-12-06 | Signer SM2 gate + tests added (software registry); Attestor wiring pending. Sm2 tests blocked by existing package restore issues (NU1608/fallback paths). | Implementer |
 
 ## Decisions & Risks
 - SM provider licensing/availability uncertain; mitigation: software fallback with “non-certified” label until hardware validated.

docs/implplan/SPRINT_3407_0001_0001_postgres_cleanup.md

@@ -124,6 +124,7 @@
 | 2025-12-06 | Added lightweight `StellaOps.Concelier.Storage.Mongo` in-memory stub (advisory/dto/document/state/export stores) to unblock Concelier connector build while Postgres rewiring continues; no Mongo driver/runtime. | Infrastructure Guild |
 | 2025-12-06 | PG-T7.1.5b set to DOING; began wiring Postgres document store (DI registration, repository find) to replace Mongo bindings. | Concelier Guild |
 | 2025-12-06 | Concelier shim extended: MongoCompat now carries merge events/alias constants; Postgres storage DI uses PostgresDocumentStore; Source repository lookup fixed; Merge + Storage.Postgres projects now build. Full solution still hits pre-existing NU1608 version conflicts in crypto plugins (out of Concelier scope). | Concelier Guild |
+| 2025-12-07 | Concelier Postgres store now also implements legacy `IAdvisoryStore` and is registered as such; DI updated. Added repo-wide restore fallback suppression to unblock Postgres storage build (plugin/provenance now restore without VS fallback path). Storage.Postgres builds clean; remaining full-solution build blockers are crypto NU1608 version constraints (out of scope here). | Concelier Guild |
 
 ## Decisions & Risks
 - Cleanup is strictly after all phases complete; do not start T7 tasks until module cutovers are DONE.

docs/implplan/SPRINT_3409_0001_0001_issuer_directory_postgres.md

@@ -38,6 +38,7 @@
 | 2025-12-05 | Completed ISSUER-PG-06: Fresh-start chosen; Mongo backfill skipped. CSAF seed import remains for @global tenant. | PM |
 | 2025-12-05 | Completed ISSUER-PG-07: Verification recorded in conversion summary (fresh-start baseline). | PM |
 | 2025-12-05 | Completed ISSUER-PG-08: Config switch to Postgres; Issuer Directory running Postgres-only. | Issuer Guild |
+| 2025-12-06 | Owner manifest published: `docs/modules/vex-lens/issuer-directory-owner-manifest.md` (OWNER-VEXLENS-001) assigns VEX Lens Guild as owner for Issuer Directory Postgres implementation; grants implementation authority. | Project Mgmt |
 
 ## Decisions & Risks
 - Decision needed: Backfill Mongo issuer data vs fresh-start with CSAF seed import only.

docs/implplan/tasks-all.md

@@ -2109,7 +2109,7 @@
 | WEB-AOC-19-007 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | 2025-11-28 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Product Analytics Guild | src/Web/StellaOps.Web | `/console/dashboard` and `/console/filters` aggregates shipped with tenant scoping, deterministic ordering, and 8 unit tests per sprint Execution Log 2025-11-28. | — |  |
 | WEB-CONSOLE-23-002 | DOING (2025-12-01) | 2025-12-01 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 |  |
-| WEB-CONSOLE-23-003 | DOING | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. |  | Client/models + unit spec added; contract draft + samples published; tests pending PTY restore. |
+| WEB-CONSOLE-23-003 | DOING | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. |  | Client/models/store/service + unit specs added; runnable locally with Playwright Chromium headless (`CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome NG_PERSISTENT_BUILD_CACHE=1 npm test -- --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts,src/app/core/console/console-export.store.spec.ts,src/app/core/console/console-export.service.spec.ts`). Contract still draft; backend wiring pending. |
 | WEB-CONSOLE-23-004 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. |  | Blocked by WEB-CONSOLE-23-003 contract. |
 | WEB-CONSOLE-23-005 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. |  | Blocked by WEB-CONSOLE-23-004; download manifest format not defined. |
 | WEB-CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. |  |  |
@@ -4284,8 +4284,8 @@
 | WEB-AOC-19-007 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | 2025-11-28 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Product Analytics Guild | src/Web/StellaOps.Web | `/console/dashboard` and `/console/filters` aggregates shipped with tenant scoping, deterministic ordering, and 8 unit tests per sprint Execution Log 2025-11-28. | — |  |
 | WEB-CONSOLE-23-002 | DOING (2025-12-01) | 2025-12-01 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 |  |
-| WEB-CONSOLE-23-003 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. |  | Waiting on bundle orchestration flow/manifest schema + streaming budget from Policy Guild. |
-| WEB-CONSOLE-23-004 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. |  | Blocked by WEB-CONSOLE-23-003 contract. |
+| WEB-CONSOLE-23-003 | DOING | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. |  | Same as above row (2112): client/models/store/service shipped; unit specs runnable; backend/export contract still pending guild sign-off. |
+| WEB-CONSOLE-23-004 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. |  | Blocked by WEB-CONSOLE-23-003 contract (manifest/caching rules). |
 | WEB-CONSOLE-23-005 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. |  | Blocked by WEB-CONSOLE-23-004; download manifest format not defined. |
 | WEB-CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. |  |  |
 | WEB-CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. Dependencies: WEB-CONTAINERS-44-001. |  |  |