feat: Add DigestUpsertRequest and LockEntity models

- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.

docs/modules/notify/architecture.md

@@ -25,7 +25,8 @@ src/
  │    └─ *.Tests/
  ├─ StellaOps.Notify.Engine/            # rules engine, templates, idempotency, digests, throttles
  ├─ StellaOps.Notify.Models/            # DTOs (Rule, Channel, Event, Delivery, Template)
- ├─ StellaOps.Notify.Storage.Mongo/     # rules, channels, deliveries, digests, locks
+ ├─ StellaOps.Notify.Storage.Postgres/  # canonical persistence (notify schema)
+ ├─ StellaOps.Notify.Storage.Mongo/     # legacy shim kept only for data export/migrations
  ├─ StellaOps.Notify.Queue/             # bus client (Redis Streams/NATS JetStream)
  └─ StellaOps.Notify.Tests.*            # unit/integration/e2e
 ```
@@ -35,9 +36,9 @@ src/
 * **Notify.WebService** (stateless API)
 * **Notify.Worker** (horizontal scale)
 
-**Dependencies**: Authority (OpToks; DPoP/mTLS), MongoDB, Redis/NATS (bus), HTTP egress to Slack/Teams/Webhooks, SMTP relay for Email.
+**Dependencies**: Authority (OpToks; DPoP/mTLS), **PostgreSQL** (notify schema), Redis/NATS (bus), HTTP egress to Slack/Teams/Webhooks, SMTP relay for Email. MongoDB remains only for archival/export tooling until Phase 7 cleanup.
 
-> **Configuration.** Notify.WebService bootstraps from `notify.yaml` (see `etc/notify.yaml.sample`). Use `storage.driver: mongo` with a production connection string; the optional `memory` driver exists only for tests. Authority settings follow the platform defaults—when running locally without Authority, set `authority.enabled: false` and supply `developmentSigningKey` so JWTs can be validated offline.
+> **Configuration.** Notify.WebService bootstraps from `notify.yaml` (see `etc/notify.yaml.sample`). Use `storage.driver: postgres` and provide `postgres.notify` options (`connectionString`, `schemaName`, pool sizing, timeouts). Authority settings follow the platform defaults—when running locally without Authority, set `authority.enabled: false` and supply `developmentSigningKey` so JWTs can be validated offline.
 >
 > `api.rateLimits` exposes token-bucket controls for delivery history queries and test-send previews (`deliveryHistory`, `testSend`). Default values allow generous browsing while preventing accidental bursts; operators can relax/tighten the buckets per deployment.
 
@@ -408,8 +409,11 @@ notify:
       - "scheduler.events"
       - "attestor.events"
       - "zastava.events"
-  mongo:
-    uri: "mongodb://mongo/notify"
+  postgres:
+    notify:
+      connectionString: "Host=postgres;Port=5432;Database=stellaops_notify;Username=stellaops;Password=stellaops;Pooling=true"
+      schemaName: "notify"
+      commandTimeoutSeconds: 45
   limits:
     perTenantRpm: 600
     perChannel:

docs/modules/orchestrator/job-export-contract.md

@@ -0,0 +1,51 @@
+# Orchestrator → Findings Ledger Export Contract
+
+Status: Available (2025-12-03)
+Scope: defines the deterministic payload Orchestrator emits for job/run exports that Findings Ledger ingests for provenance (LEDGER-34-101).
+
+## Payload shape
+```jsonc
+{
+  "runId": "uuid",                 // job/run correlation id
+  "jobType": "string",             // e.g., mirror-build, policy-sim, scan
+  "artifactHash": "sha256:...",    // CAS digest of primary artifact
+  "policyHash": "sha256:...",      // optional; policy bundle hash
+  "startedAt": "2025-12-02T00:00:00Z",
+  "completedAt": "2025-12-02T00:05:30Z",
+  "status": "succeeded|failed|canceled",
+  "manifestPath": "cas://.../manifest.json",  // DSSE or CAS path
+  "logsPath": "cas://.../logs.ndjson",
+  "tenantId": "string",
+  "environment": "prod|stage|dev",
+  "idempotencyKey": "sha256:...",   // runId+artifactHash
+  "signatures": [ { "type": "dsse", "keyId": "...", "signature": "..." } ]
+}
+```
+
+## Determinism & ordering
+- Entries sorted by `runId` when streamed; pagination stable via `runId, startedAt` ascending.
+- `idempotencyKey = sha256(runId + artifactHash + tenantId)`; duplicate submissions are rejected with 409.
+- Timestamps UTC ISO-8601; no clock-skew correction performed by Ledger.
+
+## Transport
+- REST: `POST /internal/orchestrator/exports` (Orchestrator) → Findings Ledger ingest queue.
+- Events: `orchestrator.export.created` carries the same payload; consumers must verify DSSE before persistence.
+
+## Validation rules (Ledger side)
+- Require DSSE signature (Ed25519) when `signatures` present; fail closed if verification fails.
+- Enforce presence of `runId`, `artifactHash`, `startedAt`, `status`.
+- Hash fields must match `^sha256:[A-Fa-f0-9]{64}$`.
+- Allowed status transitions: pending→running→succeeded/failed/canceled; replays only allowed when `idempotencyKey` matches existing record.
+
+## Mapping to Findings Ledger
+- Stored in collection/table `orchestrator_exports` with index `(artifactHash, runId)` and TTL optional on logs if configured.
+- Timeline entry type `ledger_export` references `runId`, `artifactHash`, `policyHash`, `manifestPath`, `logsPath`, DSSE envelope digest, and `idempotencyKey`.
+- Cross-links: `bundleId` (if mirror build) or `scanId` (if scan job) may be added as optional fields; Ledger treats them as opaque strings.
+
+## Security / scopes
+- Required scope: `orchestrator:exports:write` for producer; Ledger ingress validates tenant headers and scope.
+- Max payload: 1 MiB; logs must be CAS/DSSE referenced, not inline.
+
+## Offline/air-gap considerations
+- CAS/DSSE paths must resolve within offline kit bundles; no external URIs permitted.
+- Deterministic ordering + idempotency allow replay without side effects; Ledger rejects writes when DSSE or hash mismatch.

docs/modules/policy/contracts/spine-versioning-plan.md

@@ -0,0 +1,64 @@
+# SBOM/VEX Spine Versioning Plan (SP1)
+
+## Purpose
+Establish versioned spine API/DTO schemas with migration rules, determinism guarantees, and DSSE-backed manifests, covering SP1–SP10 gaps from the 31-Nov-2025 findings advisory.
+
+## Scope
+- Spine APIs and DTOs shared by Scanner, Policy, Authority, and Graph.
+- Manifest/signing layers for spine bundles (online + offline).
+- Pagination/performance envelopes and Unknowns workflow.
+
+## Deliverables (SP tasks)
+- SP1: Versioned schemas + header/version negotiation rules; deprecation timetable.
+- SP2: Evidence requirements per predicate/edge (reachability proof, package identity, build metadata) with MUST/SHOULD fields.
+- SP3: Unknowns registry contract (states, SLA, surfacing rules, expiry/decay).
+- SP4: DSSE-signed spine manifest listing hashes for all artifacts; Rekor/mirror policy hooks.
+- SP5: Deterministic diff rules + fixtures (ordered deltas, canonical sorting, hash expectations).
+- SP6: Feed snapshot freshness/staleness thresholds and validation steps.
+- SP7: Stage-by-stage DSSE requirements, Rekor/mirror policy matrices (online/offline).
+- SP8: Policy lattice version field and embedding rules in spine objects.
+- SP9: Pagination/ordering/perf budgets (stable sort keys, default page size limits, deterministic cursors).
+- SP10: Crosswalk mappings SBOM ↔ VEX ↔ graph ↔ policy (table + sample payloads).
+
+## Migration & Determinism
+- Version headers and DTO version fields must be required; rejects if missing or downgraded without declared adapter.
+- Canonical JSON ordering for manifests; hashes computed over canonical form (UTF-8, no BOM).
+- Pagination uses deterministic primary/secondary sort keys; cursors are opaque, HMAC-free, reproducible from sort key + last id.
+
+### Versioning mechanics (v0.1)
+- Header: `X-Spine-Version: v1` (required). DTO field mirror: `schemaVersion` (string, semver).
+- Deprecation window: N-1 supported for 90 days; adapters required to downgrade v2→v1 (CSV in `docs/modules/policy/fixtures/spine-adapters/`).
+- Hashing: canonical JSON, sorted properties, UTF-8 no BOM, normalized decimals (4dp), timestamps UTC ISO-8601.
+
+### Evidence minima per edge (SP2, draft)
+- `reachability`: state, confidence, score, method, evidenceRef (hash or URI), runtimeEvidence flag (bool).
+- `package_identity`: purl, name, version, supplier, hashes[] (at least SHA256).
+- `build_metadata`: buildId, sourceRepo, sourceRef, buildInvokerHash, provenanceHash (DSSE).
+
+### Unknowns workflow (SP3, draft)
+- States: `unknown`, `under_review`, `resolved`, `expired`.
+- SLA: auto-review escalation after 7 days; decay to `expired` at 30 days unless refreshed.
+- Surfacing: APIs must include `unknowns.count` and list endpoint with deterministic pagination; optional policy lattice flag to penalize unknowns.
+
+### Signing (SP4/SP7)
+- Manifest structure: list of artifacts (type, id, hash, version, uri), signed using DSSE/ED25519 by default; Rekor optional online, mirrored checkpoints offline.
+- Stage policy: compile → ingest → materialize → export; each stage produces DSSE, carries prior stage hash for chain-of-custody.
+
+### Pagination/perf budgets (SP9)
+- Default page size 200; max 500; stable sort: tenant asc, subjectPurl asc, advisoryId asc, createdAt asc.
+- Cursors: base64-encoded tuple of sort keys; must round-trip deterministically.
+
+### Crosswalk (SP10)
+- Provide table mapping: SBOM component ↔ spine node ↔ graph node ↔ policy evaluation input; include sample payloads in `docs/modules/policy/fixtures/spine-crosswalk/`.
+
+## Signing & Offline
+- DSSE envelope mandatory for spine manifest; Rekor entry optional online, mirrored checkpoints for offline kits.
+- Mirror bundles carry: manifest hash list, time-anchor digest, toolkit hashes, version map for adapters.
+
+## Open Items
+- Finalize evidence minima per predicate with Signals/Reachability guild once runtime schema lands.
+- Confirm lattice versioning alignment with policy engine release cadence.
+
+## Links
+- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (SP1–SP10)
+- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`

docs/modules/policy/fixtures/spine-adapters/README.md

@@ -0,0 +1,4 @@
+# Spine Adapters (SP1/SP4)
+- Version downgrade/upgrade tables for spine DTOs (e.g., v2→v1) stored as CSV.
+- Each table must have recorded BLAKE3 and SHA256 in `hashes.txt`.
+- Use canonical field ordering; adapters must be deterministic and offline.

docs/modules/policy/fixtures/spine-adapters/hashes.txt

@@ -0,0 +1 @@
+v2-to-v1.csv: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/policy/fixtures/spine-crosswalk/README.md

@@ -0,0 +1,3 @@
+# Spine Crosswalk Fixtures (SP10)
+- Holds tables and sample payloads mapping SBOM ↔ VEX ↔ graph ↔ policy inputs.
+- Include golden examples with deterministic ordering and recorded hashes (BLAKE3, SHA256).

docs/modules/policy/fixtures/spine-crosswalk/hashes.txt

@@ -0,0 +1 @@
+crosswalk.csv: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/scanner/design/competitor-ingest-normalization.md

@@ -0,0 +1,70 @@
+# Competitor Ingest Normalization (CM1)
+
+## Purpose
+Define how external SBOM/scan outputs (Syft, Trivy, Clair) are normalized into StellaOps schemas with deterministic ordering, provenance checks, and offline-ready adapters. Covers CM1–CM10 in the 31-Nov-2025 findings advisory.
+
+## Scope
+- Import pipeline for external SBOM + vulnerability scan payloads.
+- Adapter mappings, validation, provenance/signature verification, and fallback rules.
+- Offline ingest kits (adapters + fixtures) and regression tests.
+
+## Deliverables (CM tasks)
+- CM1: Mapping tables per tool → StellaOps SBOM/scan schema; required/optional fields; deterministic sort rules.
+- CM2: Signature/provenance verification policy (acceptable algorithms, trust roots, failure modes).
+- CM3: Snapshot governance: versioning, freshness SLA, rollback plan for imported feeds.
+- CM4: Anomaly regression suite (schema drift, nullables, encoding, ordering). Golden fixtures + hashes.
+- CM5: Offline ingest kit: DSSE-signed adapters/mappings/fixtures with tool versions and hashes.
+- CM6: Fallback hierarchy when data incomplete (signed SBOM → unsigned SBOM → scan → defaults) with explicit decision trace.
+- CM7: Source transparency fields (tool name/version/hash, build metadata) persisted and surfaced.
+- CM8: Benchmark parity plan with upstream tools (pinned versions, hash-logged runs).
+- CM9: Coverage matrix by ecosystem; gap tracker.
+- CM10: Retry/backoff/error taxonomy and deterministic diagnostics.
+
+## Determinism & Validation
+- Adapters must sort components and vulnerabilities deterministically (locale-invariant, stable keys).
+- All mapping rules and fixtures carry BLAKE3/SHA256 hashes; adapters are pure functions (no network).
+- Signature verification rejects unverifiable payloads; logs reason codes; can run offline using bundled trust roots.
+
+## Adapter mapping skeleton (CM1)
+- Tool coverage v0.1: Syft 1.0.x, Trivy 0.50.x, Clair 6.x (pin exact versions in fixtures).
+- Mapping tables (CSV, checked in under `docs/modules/scanner/fixtures/competitor-adapters/`):
+  - component: external fields → `name`, `version`, `purl`, `type`, `hashes`, `licenses`, `evidenceRef`.
+  - vulnerability: `id`, `source`, `severity` (normalised), `cvss` (score/vector), `fixVersions`, `evidenceRef`.
+  - metadata: tool name/version/hash, scan timestamp (UTC), data source.
+- Sorting: components by `purl` → `name` → `version`; vulns by `id` → `source` → `severityScore` desc → `cvss.vector`.
+
+## Verification policy (CM2)
+- Acceptable signatures: DSSE/COSE/JWS with SHA256/Ed25519/ECDSA; trust roots bundled in offline kit.
+- Provenance check: require signer identity + hash match; if missing, mark provenance = `unknown` and apply fallback (CM6).
+
+## Snapshot governance (CM3)
+- Freshness budget: max age 7 days from `scanTimestamp`; reject older unless override flag set (logged).
+- Versioning: stored as `snapshot_version` (semver) and `source_tool_hash`; rollback plan requires prior snapshot hash.
+
+## Regression + fixtures (CM4/CM5)
+- Fixtures under `docs/modules/scanner/fixtures/competitor-adapters/fixtures/` with golden hashes (BLAKE3/SHA256) and expected normalized output.
+- CI step runs adapter → normalized → hash compare; offline, no network.
+
+## Fallback hierarchy (CM6)
+1) Signed SBOM w/ valid provenance → accepted.
+2) Unsigned SBOM → accepted with `provenance=unknown`, warnings emitted.
+3) Scan-only results → accepted with degraded confidence; policy lattice may penalize.
+4) If all absent: reject with reason code `no_evidence`.
+
+## Transparency & coverage (CM7–CM9)
+- Persist: `source.tool`, `source.version`, `source.hash`, `adapter.version`, `normalized_hash`.
+- Coverage matrix maintained in `docs/modules/scanner/fixtures/competitor-adapters/coverage.csv` (ecosystem yes/no, notes).
+- Bench parity (CM8): pin upstream versions; store run hashes/logs in fixtures folder.
+
+## Error taxonomy (CM10)
+- Retryable: network/unavailable (should not occur in offline mode), rate-limit, transient IO.
+- Non-retryable: signature_invalid, schema_invalid, unsupported_version, no_evidence.
+- All errors must carry deterministic reason codes and be logged in normalized output metadata.
+
+## Open Items
+- Decide minimal evidence set for accepting unsigned SBOMs (intermediate level before scan-only fallback).
+- Confirm which hash (BLAKE3/SHA256) is canonical for adapter outputs.
+
+## Links
+- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (CM1–CM10)
+- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`

docs/modules/scanner/design/standards-convergence-roadmap.md

@@ -0,0 +1,70 @@
+# Scanner Standards Convergence Roadmap (SC1)
+
+## Purpose
+Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 across Scanner surfaces while keeping outputs deterministic and downgrade-friendly.
+
+## Scope
+- Scanner WebService + Worker + Replay bundles.
+- Surface contracts, CLI outputs, and CAS artifacts.
+- Downgrade adapters to CVSS v3.1, CDX 1.6, SLSA 1.0 (see SC4).
+
+## Deliverables (tie to SC tasks)
+- SC1: Roadmap with milestones, owners, and schema bump governance.
+- SC2: Deterministic CDX 1.7 + CBOM contract (fields, ordering, evidence citations).
+- SC3: SLSA Source Track capture fields for replay bundles (build-id, repo refs, provenance hooks).
+- SC4: Mapping tables for downgrade adapters; deterministic mapping rules and hashes.
+- SC5/SC8: Fixture set + determinism CI (stable ordering, seeded RNG, golden hashes).
+- SC6: Binary ↔ source evidence alignment requirements (build-id, symbols, patch oracle) feeding policy/VEX.
+- SC7: API/UI surfacing contract (filters, columns, pagination defaults) with deterministic ordering.
+- SC9: Governance/RACI for schema bumps and adapter tables.
+- SC10: Offline-kit parity: DSSE-signed schemas/mappings/fixtures, frozen bundle.
+
+## Contracts & owners (v0.1)
+- Schema leads: Scanner Guild (CDX 1.7/CBOM), Sbomer Guild (mapping), Policy Guild (severity/vectors), Ops Guild (offline kit).
+- Canonical CDX 1.7/CBOM fields (min set):
+  - `metadata/component` (purl, hashes, evidence refs),
+  - `services` with CBOM channels (ingress/egress),
+  - `vulnerabilities[*].ratings[]` must carry CVSS v4 and v3.1 side-by-side; deterministic order: v4 first, then v3.1.
+  - Evidence citations: `properties["evidence:source"]`, `properties["evidence:proof-id"]`, `properties["evidence:hash"]`.
+- SLSA Source Track (SC3):
+  - replay bundle fields: `source.repo`, `source.ref`, `build.id`, `build.invocation.hash`, `provenance.dsse` (hash), all required.
+- Deterministic ordering rules (apply across SC2/SC5/SC8):
+  - sort components by `purl`, ties by `name`, then `version` (ordinal, case-insensitive);
+  - vulnerabilities sorted by `id`, then `source`, then severity score desc;
+  - timestamps UTC ISO-8601 without sub-ms; decimal rounding 4dp for ratios, 2dp for scores.
+- Adapter tables (SC4): mapping CSVs checked in under `docs/modules/scanner/fixtures/adapters/` with BLAKE3 + SHA256 hashes; adapters are pure, no net.
+
+## Fixtures (SC5/SC8)
+- Add to `docs/modules/scanner/fixtures/cdx17-cbom/`:
+  - `sample-cdx17-cbom.json` (golden), `sample-cdx16-downgraded.json`, `hashes.txt` (BLAKE3, SHA256).
+  - Include CBOM ingress/egress example, CVSS v4 vector, SLSA Source Track fields, evidence properties.
+- CI step: `dotnet test` hook runs deterministic serializer + hash assertion; env `DOTNET_DISABLE_BUILTIN_GRAPH=1`, fixed `TZ=UTC`, `LC_ALL=C`.
+
+## Governance (SC1/SC9)
+- Propose RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
+- Schema bump flow: draft → review → freeze → DSSE-sign schemas + fixtures → publish hash list → lock downgrade adapters.
+- Downgrade adapters cannot ship without approved mapping CSV + updated hashes.
+
+## Offline (SC10)
+- Offline kit must include: schemas, adapter CSVs, fixtures, hash list, DSSE envelope, tool versions (Syft/Trivy pinned) and their hashes.
+- Bundle path: `out/offline/scanner-standards-kit-v1/`. DSSE envelope references manifest with all hashes.
+
+## Milestones (proposed)
+1) Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due T+5d.
+2) Replay bundle field list for Source Track — owners: Scanner + Sbomer, due T+7d.
+3) Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due T+10d.
+4) Downgrade adapter tables + hash tests — owners: Scanner, due T+12d.
+5) Offline-kit bundle update & DSSE signing — owners: Ops, due T+14d.
+
+## Determinism & Offline requirements
+- Stable field ordering, culture-invariant formatting, UTC ISO-8601 timestamps.
+- No network calls during conversion/adapters; fixed seeds for any RNG.
+- All schemas/adapters/fixtures shipped in offline kit with DSSE envelope and recorded hashes.
+
+## Open Items
+- Confirm CBOM section subset required for policy engine (ingredients vs evidence-only).
+- Decide default CVSS v4 vector precision and rounding rules.
+
+## Links
+- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (tasks SC1–SC10)
+- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`

docs/modules/scanner/fixtures/adapters/README.md

@@ -0,0 +1,4 @@
+# Downgrade Adapters (SC4)
+- Location for mapping CSVs converting CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0.
+- Each CSV must include BLAKE3 and SHA256 hash recorded in accompanying `hashes.txt`.
+- Adapters are pure (no network); determinism enforced in CI.

docs/modules/scanner/fixtures/adapters/hashes.txt

@@ -0,0 +1 @@
+mapping-cdx17-to-cdx16.csv: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/scanner/fixtures/cdx17-cbom/README.md

@@ -0,0 +1,4 @@
+# CDX 1.7 + CBOM Fixtures (SC2/SC5/SC8)
+- Golden payloads: `sample-cdx17-cbom.json`, downgraded `sample-cdx16.json`, with `hashes.txt` (BLAKE3, SHA256).
+- Must include CVSS v4 + v3.1 ratings, CBOM ingress/egress, evidence properties, SLSA Source Track fields.
+- Used by determinism CI to assert stable ordering/hashes.

docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt

@@ -0,0 +1,3 @@
+# placeholder; compute BLAKE3 and SHA256 after schemas stabilize
+sample-cdx17-cbom.json: BLAKE3=<TBD> SHA256=<TBD>
+sample-cdx16.json: BLAKE3=<TBD> SHA256=<TBD>

docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json

@@ -0,0 +1,41 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-01-01T00:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "demo-app",
+      "version": "1.0.0",
+      "purl": "pkg:demo/demo-app@1.0.0",
+      "hashes": [ { "alg": "SHA-256", "content": "d" } ],
+      "evidence": { "properties": [ { "name": "evidence:source", "value": "fixture" } ] }
+    },
+    "tools": [ { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" } ]
+  },
+  "services": [
+    {
+      "name": "api",
+      "properties": [
+        { "name": "cbom:ingress", "value": "https" },
+        { "name": "cbom:egress", "value": "postgres" }
+      ]
+    }
+  ],
+  "components": [
+    { "type": "library", "name": "lib-a", "version": "1.2.3", "purl": "pkg:demo/lib-a@1.2.3" },
+    { "type": "library", "name": "lib-b", "version": "2.0.0", "purl": "pkg:demo/lib-b@2.0.0" }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-0000-0001",
+      "source": { "name": "NVD" },
+      "ratings": [
+        { "source": { "name": "NVD" }, "method": "CVSSv4", "score": 8.0, "vector": "CVSS:4.0/AV:N/AC:L" },
+        { "source": { "name": "NVD" }, "method": "CVSSv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
+      ]
+    }
+  ]
+}

docs/modules/scanner/fixtures/competitor-adapters/README.md

@@ -0,0 +1,4 @@
+# Competitor Adapters (CM1–CM10)
+- Place mapping CSVs for Syft/Trivy/Clair → StellaOps normalized schema.
+- Store golden fixtures under `fixtures/` with expected normalized output + `hashes.txt` (BLAKE3, SHA256).
+- Keep coverage matrix in `coverage.csv`; benchmark logs/hashes alongside fixtures.

docs/modules/scanner/fixtures/competitor-adapters/fixtures/hashes.txt

@@ -0,0 +1 @@
+# Golden outputs for Syft/Trivy/Clair fixtures; fill after adapter code lands

docs/modules/signals/evidence/README.md

@@ -14,10 +14,12 @@ Planned Evidence Locker paths (to fill post-signing):
 - `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)
 
 Pending steps:
+0) Provide signing key: CI/ops should supply `COSIGN_PRIVATE_KEY_B64` (base64 of private key) and optional `COSIGN_PASSWORD`. Local dev can place a key at `tools/cosign/cosign.key` (see `tools/cosign/cosign.key.example` stub) or decode the env var to `/tmp/cosign.key`. The helper script `tools/cosign/sign-signals.sh` auto-detects the key and cosign version.
 1) Sign each artifact with its predicate (cosign v3.0.2 in `/usr/local/bin`, use `--bundle`; v2.6.0 fallback in `tools/cosign` also works with `--output-signature`):
    - `stella.ops/confidenceDecayConfig@v1`
    - `stella.ops/unknownsScoringManifest@v1`
    - `stella.ops/heuristicCatalog@v1`
+   Shortcut: `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh`
    Example (v3, replace KEY):
    ```bash
    cosign sign-blob \

docs/modules/zastava/evidence/README.md

@@ -23,6 +23,11 @@ Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
 
 Local staging: all files above are present under `evidence-locker/zastava/2025-12-02/` in the repo root, ready for locker upload/mirroring.
 
+Helper script for manual push (expects `EVIDENCE_LOCKER_URL` and `CI_EVIDENCE_LOCKER_TOKEN`):
+```bash
+tools/zastava-upload-evidence.sh
+```
+
 ## CI delivery note
 - Locker upload in CI requires a write credential (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with access to the `evidence-locker/zastava/` namespace.
 - If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.