Some checks failed
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled

StellaOps Bot
2025-12-12 09:35:37 +02:00
parent ce5ec9c158
commit efaf3cb789
238 changed files with 146274 additions and 5767 deletions

View File

@@ -1,16 +1,16 @@
# Bench Prep — PREP-BENCH-IMPACT-16-001 (ImpactIndex dataset/replay)
Status: **Ready for implementation** (2025-11-20)
Status: **Ready for execution** (2025-12-11)
Owners: Bench Guild · Scheduler Team
Scope: Provide deterministic dataset + replay plan for ImpactIndex throughput benchmark (resolve 10k productKeys; measure latency/throughput/memory).
## Inputs/dataset
- Snapshot file: `bench/impactindex/products-10k.ndjson` (10,000 productKeys, shuffled once with seed `2025-01-01T00:00:00Z`).
- Snapshot file: `docs/samples/impactindex/products-10k.ndjson` (10,000 productKeys, shuffled once with seed `2025-01-01T00:00:00Z`).
- SHA256: `caa79c83b5a9affc3b9cc4e54a516281ddceff4804ce853fee3b62d7afb7ab69` (`products-10k.ndjson.sha256` included).
- Each line: `{ "productKey": "pkg:<ecosystem>/<name>@<version>", "tenant": "bench" }`.
- Include checksum file `products-10k.ndjson.sha256` and drop into repo under `docs/samples/impactindex/`.
## Benchmark procedure
- Harness location: `src/Bench/StellaOps.Bench.ImpactIndex`.
- Harness location: `src/Bench/StellaOps.Bench/ImpactIndex/impact_index_bench.py`.
- Warmup: 1k lookups (excluded from metrics) to trigger caches.
- Run: process all 10k productKeys twice (cold, warm). Record per-pass statistics.
- Metrics to capture (per pass):
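Review bot: the third bullet under Inputs/dataset still reads as a pending action ("Include checksum file `products-10k.ndjson.sha256` and drop into repo under `docs/samples/impactindex/`") although the bullet above it now records the published SHA256 and states that the `.sha256` file is included; reword it to describe the committed state (for example "Checksum file `products-10k.ndjson.sha256` sits alongside the snapshot under `docs/samples/impactindex/`") or drop it, so two adjacent bullets do not disagree about whether the checksum exists.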
@@ -21,11 +21,10 @@ Scope: Provide deterministic dataset + replay plan for ImpactIndex throughput be
- Determinism: fixed seed, single-threaded option flag `--threads 1` for reproducibility; timestamps in UTC ISO-8601.
## Acceptance criteria
- Dataset and checksum published; harness reads from local sample path (no network).
- Benchmark run produces deterministic NDJSON for given seed and hardware profile; differences limited to RSS variability but within ±5%.
- Cold vs warm pass metrics logged; throughput target 2k items/sec on reference hardware, p95 25 ms.
- Dataset and checksum published; harness reads from local sample path (no network). ?
- Benchmark run produces deterministic NDJSON for given seed and hardware profile; differences limited to ?5%.
- Cold vs warm pass metrics logged; throughput target ? 2k items/sec on reference hardware, p95 ? 25 ms.
## Next steps
- Commit dataset + checksum under `docs/samples/impactindex/`.
- Wire harness CLI (`dotnet run -- impactindex --input docs/samples/impactindex/products-10k.ndjson --threads 1 --seed 20250101`).
- Surface metrics to perf dashboard once harness lands; otherwise store under `out/bench/impactindex/` with hashes.
- Harness command: `python src/Bench/StellaOps.Bench/ImpactIndex/impact_index_bench.py --input docs/samples/impactindex/products-10k.ndjson --output src/Bench/StellaOps.Bench/ImpactIndex/results/impactindex.ndjson --threads 1 --seed 20250101`.
- Surface metrics to perf dashboard once harness lands; otherwise store under `out/bench/impactindex/` with hashes (`results/impactindex.ndjson.sha256` present).
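Review bot: the rewritten acceptance criteria lost their non-ASCII characters: "±5%" became "?5%", the comparison operators before "2k items/sec" and "25 ms" are now a bare "?", and the trailing mark after "(no network)" is also "?". That looks like the file was re-saved with a lossy encoding, and it changes the meaning of the thresholds (a bare "2k items/sec" no longer says whether it is a floor or a ceiling). Restore the characters as UTF-8 or spell them out ("within plus or minus 5%", "at least 2k items/sec", "p95 at most 25 ms"); the replaced line in this hunk shows "±5%" as the intended tolerance.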

View File

@@ -1,6 +1,6 @@
# Bench Prep — PREP-BENCH-POLICY-20-002 (Policy delta benchmark)
Status: **Ready for implementation** (2025-11-20)
Status: **Ready for execution** (2025-12-11)
Owners: Bench Guild · Policy Guild · Scheduler Guild
Scope: Provide deterministic inputs and harness expectations to measure delta policy evaluation vs full runs.
@@ -11,12 +11,12 @@ Scope: Provide deterministic inputs and harness expectations to measure delta po
## Dataset
- Baseline snapshot: `docs/samples/policy/policy-delta-baseline.ndjson`
- 5,000 records of `{ "tenant": "bench", "policyId": "pol-<0001..5000>", "package": "bench.pkg.<n>", "version": "1.0.<n>", "decision": "allow|deny", "factors": { ... } }`
- Deterministic ordering; SHA256 file saved as `policy-delta-baseline.ndjson.sha256`.
- Deterministic ordering; SHA256 `40ca9ee15065a9e16f51a259d3feec778203ab461db2af3bf196f5fcd9f0d590` (`policy-delta-baseline.ndjson.sha256`).
- Delta patch: `docs/samples/policy/policy-delta-changes.ndjson`
- 500 changes mixing updates/inserts/deletes (encoded with `op`: "upsert"|"delete").
- Sorted by `policyId` then `op` for deterministic replay.
- Sorted by `policyId` then `op` for deterministic replay; SHA256 `7f9d7f124830b9fe4d3f232b4cc7e2e728be2ef725e8a66606b9e95682bf6318` (`policy-delta-changes.ndjson.sha256`).
## Harness plan (to be built under `src/Bench/StellaOps.Bench.Policy`)
## Harness plan (implemented under `src/Bench/StellaOps.Bench/PolicyDelta/policy_delta_bench.py`)
- Run 1 (Full): load baseline snapshot, evaluate full policy set; record metrics.
- Run 2 (Delta): apply delta patch to in-memory store, run incremental evaluation; record metrics.
- Metrics captured to NDJSON per run:
@@ -31,5 +31,5 @@ Scope: Provide deterministic inputs and harness expectations to measure delta po
- Delta run shows reduced duration vs full run; metrics captured for both p95/p99 and throughput.
## Next steps
- Add sample files + hashes to `docs/samples/policy/` (can be generated with fixed seed).
- Implement harness CLI wrapper `dotnet run -- policy-delta --baseline <path> --delta <path> [--threads 1]` writing outputs to `out/bench/policy/` with `.sha256`.
- Harness CLI: `python src/Bench/StellaOps.Bench/PolicyDelta/policy_delta_bench.py --baseline docs/samples/policy/policy-delta-baseline.ndjson --delta docs/samples/policy/policy-delta-changes.ndjson --output src/Bench/StellaOps.Bench/PolicyDelta/results/policy-delta.ndjson --threads 1 --seed 20250101`.
- Results hashed at `src/Bench/StellaOps.Bench/PolicyDelta/results/policy-delta.ndjson.sha256`.

View File

@@ -1,23 +1,31 @@
# Reachability Scoring Bench Prep — PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX
Status: Draft (2025-11-20)
Owners: Bench Guild · Signals Guild
Scope: Define the inputs/fixtures for reachability scoring benchmarks pending schema freeze (Sprint 0400/0401).
Status: Ready for execution (2025-12-11)
Owners: Bench Guild Signals Guild
Scope: Define inputs/fixtures and schema for reachability scoring benchmarks (10k/50k functions) to unblock BENCH-SIG-26-001.
## Dependencies
- Reachability schema for runtime/static signals (Sprint 0400/0401).
- Reachability schema hash captured locally for synthetic fixtures.
- Sample callgraph/runtime traces sized for 10k/50k functions.
## Proposed harness
- Project: `src/Bench/StellaOps.Bench.Signals` (or shared bench harness if preferred).
- Inputs: callgraph NDJSON + runtime traces; config with seed, concurrency, batch size.
- Metrics: facts/sec, p95 latency, peak RSS, cache hit ratio; output NDJSON with sorted records.
- Determinism: fixed seed; process inputs in lexical order; stable JSON property order.
## Harness
- Project: `src/Bench/StellaOps.Bench/Signals/reachability_bench.py`.
- Inputs:
- Callgraph: `docs/samples/signals/reachability/callgraph-10k.ndjson` (`callgraph-10k.ndjson.sha256`).
- Runtime traces: `docs/samples/signals/reachability/runtime-10k.ndjson` (`runtime-10k.ndjson.sha256`).
- 50k variants under the same directory (`callgraph-50k.ndjson`, `runtime-50k.ndjson` + `.sha256`).
- Schema: `docs/benchmarks/signals/reachability-schema.json` (sha256 `aaa5c8ab5cc2fe91e50976fafd8c73597387ab9a881af6d5d9818d202beba24e`).
- Metrics: facts/sec, p50/p95/p99 per-node latency, peak RSS, managed MB, GC gen2.
- Output: metrics NDJSON + cache NDJSON with reachability flags for each function (consumed by BENCH-SIG-26-002).
## Acceptance
- Schema hash referenced once Sprint 0400/0401 publishes; placeholder noted until then.
- Sample config + command documented.
- File paths for sample fixtures under `docs/samples/signals/` once available.
- Schema hash recorded and referenced. ✅
- Sample fixtures published under `docs/samples/signals/reachability/` for 10k/50k. ✅
- Deterministic harness command documented; outputs written locally with `.sha256` hashes. ✅
## Commands
- 10k: `python src/Bench/StellaOps.Bench/Signals/reachability_bench.py --callgraph docs/samples/signals/reachability/callgraph-10k.ndjson --runtime docs/samples/signals/reachability/runtime-10k.ndjson --output src/Bench/StellaOps.Bench/Signals/results/reachability-metrics-10k.ndjson --cache-output src/Bench/StellaOps.Bench/Signals/results/reachability-cache-10k.ndjson --threads 1 --seed 20250101`
- 50k: swap `10k` for `50k` in the command above (`reachability-*-50k.ndjson`).
## Handoff
Use this prep doc to satisfy PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX. Update with schema hash and fixtures when published; then move the task to DONE and unblock BENCH-SIG-26-001 implementation.
Use these fixtures + commands to run BENCH-SIG-26-001. Cache outputs (`reachability-cache-*.ndjson`) feed BENCH-SIG-26-002 for policy evaluation overhead measurements.
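Review bot: the new Owners line reads "Bench Guild Signals Guild" with no separator between the two guilds (the line it replaces used "Bench Guild · Signals Guild"); restore a separator so the owners remain parseable. Separately, the Schema bullet pins `reachability-schema.json` by a sha256 written inline, whereas every fixture bullet names a `.sha256` sidecar file; either add a `reachability-schema.json.sha256` alongside it or state where the inline hash is verified, otherwise the "Audit SHA256SUMS Files" job has nothing to check for the schema and the ticked "Schema hash recorded and referenced" acceptance item rests on a value nobody validates.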

View File

@@ -1,21 +1,31 @@
# Policy Eval with Reachability Cache Prep — PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU
Status: Draft (2025-11-20)
Owners: Bench Guild · Policy Guild
Scope: Capture prep for measuring policy evaluation overhead with reachability cache hot/cold, dependent on 26-001 outputs.
Status: Ready for execution (2025-12-11)
Owners: Bench Guild Policy Guild
Scope: Measure policy evaluation overhead with reachability cache hot/cold/mixed scenarios using outputs from BENCH-SIG-26-001.
## Dependencies
- Bench outputs from 26-001 (reachability scoring harness) providing cached datasets.
- Policy overlay schema (30-001) for status fields.
- Reachability cache NDJSON from BENCH-SIG-26-001:
- `src/Bench/StellaOps.Bench/Signals/results/reachability-cache-10k.ndjson` (`.sha256`).
- 50k variant available for heavier runs (`reachability-cache-50k.ndjson` + `.sha256`).
- Policy baseline dataset: `docs/samples/policy/policy-delta-baseline.ndjson` (+ `.sha256`).
- Policy overlay schema (30-001) — using deterministic synthetic mapping in harness; update when official schema lands.
## Proposed benchmarks
- Scenarios: cold cache, warm cache, mixed workload (70/30), parallel workers.
- Metrics: added latency per evaluation (p50/p95), cache hit ratio, CPU, memory.
- Determinism: fixed seed; deterministic request order; stable JSON output ordering.
## Harness
- Project: `src/Bench/StellaOps.Bench/PolicyCache/policy_cache_bench.py`.
- Scenarios: cold cache, warm cache, mixed (70/30 warm/cold).
- Metrics: throughput, p50/p95/p99 added latency per evaluation, RSS/managed MB, GC gen2, cache hit rate.
- Inputs: policy baseline + reachability cache NDJSON.
## Commands
- 10k cache with baseline policies:
`python src/Bench/StellaOps.Bench/PolicyCache/policy_cache_bench.py --policies docs/samples/policy/policy-delta-baseline.ndjson --reachability-cache src/Bench/StellaOps.Bench/Signals/results/reachability-cache-10k.ndjson --output src/Bench/StellaOps.Bench/PolicyCache/results/policy-cache.ndjson --seed 20250101 --threads 1`
- Swap cache path to `reachability-cache-50k.ndjson` to stress the larger dataset.
## Acceptance
- Reference to reachability dataset hash from 26-001 once available.
- Config/sample command drafted for `src/Bench/StellaOps.Bench.Policy` (or shared).
- Cache input and policy baseline present with hashes. ✅
- Cold/warm/mixed runs emit NDJSON with sorted keys; cache hit rate captured. ✅
- Outputs hashed locally (`policy-cache.ndjson.sha256`) and ready for perf dashboard ingestion. ✅
## Handoff
Use this prep doc to satisfy PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU. Update with dataset hash and schema references after 26-001 is done, then move to DONE and unblock BENCH-SIG-26-002.
Use cache outputs from BENCH-SIG-26-001 to run the above command. Compare added latency between cold vs warm runs; mixed scenario should stay within target thresholds (p95 delta ≤ configured budget).
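Review bot: same missing separator in the Owners line ("Bench Guild Policy Guild"). More substantively, the Dependencies section says the policy overlay schema (30-001) is stood in for by a deterministic synthetic mapping inside the harness, yet all three Acceptance bullets are ticked, and the Handoff requires the mixed scenario to stay within "p95 delta ≤ configured budget" without saying where that budget is configured or what its value is. Either record the budget value (or the config key that carries it) here, or leave the acceptance unticked until the official overlay schema lands, so results produced with the synthetic mapping are not treated as final.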

View File

@@ -0,0 +1,32 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "StellaOps Reachability Bench Schema",
"description": "Schema for synthetic reachability bench callgraph/runtime fixtures.",
"type": "object",
"oneOf": [
{
"title": "Callgraph",
"required": ["function", "calls", "weight"],
"properties": {
"function": { "type": "string" },
"calls": {
"type": "array",
"items": { "type": "string" },
"minItems": 0
},
"weight": { "type": "integer", "minimum": 0 }
},
"additionalProperties": false
},
{
"title": "RuntimeTrace",
"required": ["function", "count", "timestamp"],
"properties": {
"function": { "type": "string" },
"count": { "type": "integer", "minimum": 0 },
"timestamp": { "type": "string", "format": "date-time" }
},
"additionalProperties": false
}
]
}
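Review bot: `"format": "date-time"` on `timestamp` is annotation-only in draft-07 unless the validator is run with format assertion enabled, so a malformed timestamp in a runtime fixture passes schema validation by default; if the harness depends on parseable timestamps, add a `pattern` for the accepted ISO-8601 form or make sure the validation step enables format checking. Two smaller points: the schema declares no `$id`, which leaves the inline sha256 in the prep doc as the only way to reference it, and the "Manifest Integrity / Validate Schema Integrity" check on this commit was cancelled, so this file has not yet been validated by CI.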

View File

@@ -32,6 +32,8 @@ This contract defines the canonical `richgraph-v1` schema used for function-leve
"kind": "method",
"display": "com.example.Foo.bar(String)",
"code_id": "code:java:base64url...",
"code_block_hash": "sha256:deadbeef...",
"symbol": { "mangled": "_Z15ssl3_read_bytes", "demangled": "ssl3_read_bytes", "source": "DWARF", "confidence": 0.98 },
"purl": "pkg:maven/com.example/foo@1.0.0",
"build_id": "gnu-build-id:...",
"symbol_digest": "sha256:...",
@@ -71,9 +73,11 @@ This contract defines the canonical `richgraph-v1` schema used for function-leve
| `kind` | string | Yes | Symbol kind: `method`, `function`, `class`, `module`, `trait`, `struct` |
| `display` | string | No | Human-readable demangled name |
| `code_id` | string | No | CodeID for name-less symbols (format: `code:{lang}:{base64url-sha256}`) |
| `code_block_hash` | string | No | Hash of the code block for stripped/heuristic nodes (algorithm-prefixed hex) |
| `purl` | string | No | Package URL of containing package |
| `build_id` | string | No | GNU build-id, PE GUID, or Mach-O UUID |
| `symbol_digest` | string | No | SHA-256 of the symbol_id (format: `sha256:{hex}`) |
| `symbol` | object | No | Symbol metadata `{mangled?, demangled?, source?, confidence?}` with `source ∈ {DWARF,PDB,SYM,NONE}` and confidence in [0,1] |
| `evidence` | string[] | No | Evidence sources (sorted): `import`, `reloc`, `disasm`, `runtime` |
| `attributes` | object | No | Additional key-value metadata (sorted by key) |
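Review bot: the new `symbol` row lists the object's fields and the allowed `source` values, but unlike `evidence` ("sorted") and `attributes` ("sorted by key") it does not say how the object is serialised canonically; since this contract feeds a graph hash, state the key order (or that keys are sorted) and whether absent optional keys are omitted rather than emitted as null. The `code_block_hash` row says "algorithm-prefixed hex" while the example above uses `sha256:deadbeef...`; listing the accepted algorithm prefixes would remove the ambiguity.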

View File

@@ -1,4 +1,4 @@
# Sprint 0211.0001.0003 - Experience & SDKs · UI III
# Sprint 0211_0001_0003 - Experience & SDKs + UI III
## Topic & Scope
- Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
@@ -10,7 +10,8 @@
## Dependencies & Concurrency
- Upstream: `SPRINT_0210_0001_0002_ui_ii.md` for Policy Studio explain view (UI-POLICY-23-006) and shared components.
- Signals/Reachability contracts for SIG-26 chain (call paths, timelines, coverage, overlay states) provided by Signals & Graph guilds.
- Concurrency: SIG-26 tasks are sequential (001 002 003 004); policy RBAC task can proceed in parallel once scopes finalized.
- Concurrency: SIG-26 tasks are sequential (001 -> 002 -> 003 -> 004); policy RBAC task can proceed in parallel once scopes are finalized.
- Upstream backend ready: WEB-SIG-26-001..003 completed in `SPRINT_0216_0001_0001_web_v` (2025-12-11), so reachability proxy endpoints and policy joins exist for UI consumption once fixtures land.
## Documentation Prerequisites
- `docs/README.md`
@@ -30,14 +31,14 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | DOING | Path corrected; scope help added in Console Profile; add guards/messages + stubs | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | BLOCKED | Reachability fixtures (columns + badges) not yet delivered by Signals Guild; cannot wire UI deterministically. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | BLOCKED | Waiting on UI-SIG-26-001 output and deterministic call-path/timeline fixtures. | UI Guild (src/Web/StellaOps.Web) | Enhance Why drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | BLOCKED | Upstream tasks 23 blocked; overlay halos depend on reachability evidence + perf budget. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | BLOCKED | Upstream reachability chain blocked; fixtures for coverage/sensors not available. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
| 2 | UI-SIG-26-001 | BLOCKED | Signals bench schema + 10k/50k callgraph/runtime fixtures published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`); still need UI-shaped columns/badges bundle and perf budget before wiring. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | BLOCKED | Waiting on UI-SIG-26-001 output; bench callgraph/runtime data landed but UI call-path/timeline fixture shapes still pending. | UI Guild (src/Web/StellaOps.Web) | Enhance "Why" drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | BLOCKED | Upstream tasks 2-3 blocked; need SIG-26 overlay bundle and perf budget notes before halo/time-slider wiring. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | BLOCKED | Upstream reachability chain blocked; coverage/missing-sensor dataset still outstanding even with bench fixtures. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
- **Wave B:** Sequential reachability surfaces (tasks 25) building on the SIG-26 evidence chain.
- **Wave B:** Sequential reachability surfaces (tasks 2-5) building on the SIG-26 evidence chain.
## Wave Detail Snapshots
- Wave A output: updated RBAC guardrails, scope requests, and UX copy aligned to `policy:*` scopes with Cypress auth fixtures.
@@ -46,6 +47,7 @@
## Interlocks
- Policy Engine to publish final `policy:*` scope list and explain view outputs (UI-POLICY-23-006) to unblock task 1.
- Signals/Graph guilds to provide deterministic reachability evidence fixtures (call paths, timelines, overlays) for SIG-26 tasks.
- Bench sprint 0512 published SIG-26 schema and 10k/50k synthetic fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`); UI still needs columns/badges/overlay/coverage slices and perf budgets derived from them.
- Performance budgets for SBOM Graph overlays and Reachability Center dashboards to keep UI responsive offline.
## Upcoming Checkpoints
@@ -54,25 +56,25 @@
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild · Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain. | Signals Guild | 2025-12-04 | TODO |
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild + Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain; bench schema + 10k/50k callgraph/runtime fixtures published, overlay/coverage slices still pending. | Signals Guild | 2025-12-04 | DOING |
| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
| 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx · UI Guild | 2025-12-06 | TODO |
| 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx + UI Guild | 2025-12-06 | DONE (2025-12-06) |
| 5 | Publish generated `graph:*` scope exports package (SDK 0208) and drop link/hash for UI consumption. | SDK Generator Guild | 2025-12-08 | TODO |
| 6 | Provide deterministic SIG-26 fixture bundle (columns/badges JSON, call-path/timeline NDJSON, overlay halos, coverage/missing-sensor datasets) with perf budget notes. | Signals Guild · Graph Platform Guild | 2025-12-09 | TODO |
| 6 | Provide deterministic SIG-26 fixture bundle (columns/badges JSON, call-path/timeline NDJSON, overlay halos, coverage/missing-sensor datasets) with perf budget notes. | Signals Guild + Graph Platform Guild | 2025-12-09 | DOING |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild · Policy Guild |
| Reachability evidence incomplete or non-deterministic | Tasks 25 blocked or produce noisy UI | Require deterministic fixtures from Signals/Graph; stage behind feature flag and contract tests. | Signals Guild · UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 34 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Tasks 25 depend on deterministic SIG-26 evidence | Coordinate with Signals/Graph guilds to deliver stable fixtures before UI merge. | Signals Guild · UI Guild |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild + Policy Guild |
| Reachability evidence incomplete or non-deterministic | Tasks 2-5 blocked or produce noisy UI | Use bench schema and hashed 10k/50k fixtures as baseline; keep UI surfaces behind feature flag until UI bundle/perf budgets land and contract tests pass. | Signals Guild + UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 3-4 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Tasks 2-5 depend on deterministic SIG-26 evidence | Coordinate with Signals/Graph guilds to deliver stable columns/badges/overlay/coverage bundle before UI merge. | Signals Guild + UI Guild |
### Unblock Plan (ordered)
1) Deliver generated `graph:*` scope exports (SDK sprint 0208) to replace stub in `src/app/core/auth/scopes.ts`.
2) Provide deterministic SIG-26 fixtures (columns/badges, call-path + timeline JSON, overlay halos/time slider states, coverage/missing-sensor datasets) with perf budgets.
3) After fixtures land, flip UI-SIG-26-001DOING and proceed sequentially (001004) with perf checks on canvas/overlay render times (<1.5s initial render).
2) Provide deterministic SIG-26 fixtures (columns/badges, call-path + timeline JSON, overlay halos/time slider states, coverage/missing-sensor datasets) with perf budgets; bench 10k/50k callgraph/runtime fixtures live under `docs/samples/signals/reachability/*` for interim stubs.
3) After fixtures land, flip UI-SIG-26-001->DOING and proceed sequentially (001->004) with perf checks on canvas/overlay render times (<1.5s initial render).
## Execution Log
| Date (UTC) | Update | Owner |
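Review bot: the Action Tracker rows keep due dates from 2025-12-03 to 2025-12-09 with status TODO or DOING, but this commit is dated 2025-12-12 and only flips two statuses; either move the due dates or mark the items overdue so the tracker reflects reality. Also, step 3 of the Unblock Plan still cites "<1.5s initial render" as the perf check while Action 3 and the Decisions & Risks table say the SBOM Graph overlay budget is still to be defined; reconcile which number is authoritative.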
@@ -82,4 +84,5 @@
| 2025-12-06 | Added Policy Studio scope help text to Console Profile and introduced policy auth fixtures + seeding helper (`src/Web/StellaOps.Web/src/app/testing/auth-*.ts`) with APP_INITIALIZER hook (`window.__stellaopsTestSession`) for Cypress/e2e stubbing. | Implementer |
| 2025-12-06 | Tightened approvals guard (requires `policy:read` + review/approve) and updated workspace scope hints; attempted Playwright `tests/e2e/auth.spec.ts` with seeded session but webServer (ng serve) timed out starting locally; rerun in CI or with longer warmup. | Implementer |
| 2025-12-06 | Marked UI-SIG-26-001..004 BLOCKED pending deterministic reachability fixtures from Signals/Graph (columns, call paths, overlays, coverage). No UI changes applied until fixtures and perf budgets land. | Implementer |
| 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports fixtures sequential tasks). | Project Mgmt |
| 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports -> fixtures -> sequential tasks). | Project Mgmt |
| 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Kept UI-SIG-26-001..004 BLOCKED pending UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |

View File

@@ -1,4 +1,4 @@
# Sprint 0310 · Documentation & Process — Docs Tasks Md.X
# Sprint 0310 · Documentation & Process — Docs Tasks Md.X
## Topic & Scope
- Advance the tenth Docs Tasks wave (Md.X) with tenancy, reachability, scanner surface/bench, and VEX consensus documentation ready for downstream consumers.
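Review bot: the heading line is marked as changed but the before and after texts render identically, so the edit is presumably whitespace, line-ending or encoding normalisation; confirm that is intended and say so in the commit message rather than leaving a visually no-op hunk.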
@@ -46,23 +46,23 @@
## Wave Detail Snapshots
- Pre-draft lane (in progress, skeleton-only to cut start latency):
- Tenancy trio: `/docs/security/tenancy-overview.md`, `/docs/security/scopes-and-roles.md`, `/docs/operations/multi-tenancy.md` — outline structure, add TODO callouts for ADR inputs, and reserve imposed-rule reminders.
- Reachability migration: `/docs/migration/enable-reachability.md` — rollout phases, fallback playbook, monitoring hooks placeholders.
- VEX consensus set: `/docs/vex/consensus-overview.md`, `/docs/vex/consensus-algorithm.md`, `/docs/vex/issuer-directory.md`, `/docs/vex/consensus-api.md` — shared front-matter + glossary; stub examples section for PLVL0102 data.
- Scanner surface/bench: `/docs/modules/scanner/scanner-engine.md` and `/docs/modules/scanner/benchmarks/*.md` — frame sections for Surface.FS/Env/Secrets flow, OS coverage, language lockfiles, stripped/entrytrace/SAST enrichers.
- Contract testing: `/docs/testing/contract-testing.md` — outline for mock server, replay fixtures, golden files, determinism guardrails.
- Tenancy trio: `/docs/security/tenancy-overview.md`, `/docs/security/scopes-and-roles.md`, `/docs/operations/multi-tenancy.md` — outline structure, add TODO callouts for ADR inputs, and reserve imposed-rule reminders.
- Reachability migration: `/docs/migration/enable-reachability.md` — rollout phases, fallback playbook, monitoring hooks placeholders.
- VEX consensus set: `/docs/vex/consensus-overview.md`, `/docs/vex/consensus-algorithm.md`, `/docs/vex/issuer-directory.md`, `/docs/vex/consensus-api.md` — shared front-matter + glossary; stub examples section for PLVL0102 data.
- Scanner surface/bench: `/docs/modules/scanner/scanner-engine.md` and `/docs/modules/scanner/benchmarks/*.md` — frame sections for Surface.FS/Env/Secrets flow, OS coverage, language lockfiles, stripped/entrytrace/SAST enrichers.
- Contract testing: `/docs/testing/contract-testing.md` — outline for mock server, replay fixtures, golden files, determinism guardrails.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to standard template; clarified header; moved interlocks into Decisions & Risks; no status changes. | Project Mgmt |
## Decisions & Risks
- **Risk:** Tenancy docs (DOCS-TEN-47/48/49) require DVDO0110 decisions and CLI/env var confirmations; keep DOING with placeholders until ADR lands.
- **Risk:** Reachability migration guide depends on DOCS-SIG-26-007 and notifications hook readiness (058_NOTY0101); keep coordination with Signals/Notify guilds.
- **Risk:** Scanner surface/bench docs depend on analyzer outputs (SCSA0301, SCSA0601), replay hooks (RPRC0101), and CLI samples (132_CLCI0110); leave DOING skeletons until evidence delivered.
- **Risk:** VEX consensus series depends on PLVL0102 schemas, issuer directory inputs, and DevOps rollout plans for signatures/ops; block finalization on schema snapshots and rollout plan.
- **Decision:** Maintain single-wave execution; task ordering follows Delivery Tracker to preserve dependency chain determinism.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to standard template; clarified header; moved interlocks into Decisions & Risks; no status changes. | Project Mgmt |
## Decisions & Risks
- **Risk:** Tenancy docs (DOCS-TEN-47/48/49) require DVDO0110 decisions and CLI/env var confirmations; keep DOING with placeholders until ADR lands.
- **Risk:** Reachability migration guide depends on DOCS-SIG-26-007 and notifications hook readiness (058_NOTY0101); keep coordination with Signals/Notify guilds.
- **Risk:** Scanner surface/bench docs depend on analyzer outputs (SCSA0301, SCSA0601), replay hooks (RPRC0101), and CLI samples (132_CLCI0110); leave DOING skeletons until evidence delivered.
- **Risk:** VEX consensus series depends on PLVL0102 schemas, issuer directory inputs, and DevOps rollout plans for signatures/ops; block finalization on schema snapshots and rollout plan.
- **Decision:** Maintain single-wave execution; task ordering follows Delivery Tracker to preserve dependency chain determinism.
## Upcoming Checkpoints
- 2025-12-07 15:00 UTC — 20-min skeleton-sync to align outlines and branch contents across guild writers.
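Review bot: every replaced line in this hunk (the five pre-draft lane bullets, the Execution Log table and the Decisions & Risks list) renders identically before and after, so this is an invisible-character change rather than a content edit; it is worth confirming with a byte-level diff that only whitespace or encoding changed and that the em dashes and `·` separators survived, given that the bench prep files in this same commit lost "±" and the comparison operators to "?".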

View File

@@ -1,8 +1,8 @@
# Sprint 0401 · Reachability Evidence Chain
# Sprint 0401 - Reachability Evidence Chain
## Topic & Scope
- Window: 2025-11-11 2025-11-22 (UTC); finish the provable reachability pipeline so Sprint 0402 can focus on polish.
- Deliver function-level evidence chain (graph CAS replay DSSE policy/UI) with signed artifacts and replayable fixtures.
- Window: 2025-11-11 -> 2025-11-22 (UTC); finish the provable reachability pipeline so Sprint 0402 can focus on polish.
- Deliver function-level evidence chain (graph CAS -> replay -> DSSE -> policy/UI) with signed artifacts and replayable fixtures.
- Ship operator-facing docs/runbooks plus benchmarks that validate deterministic reachability scoring.
- **Working directory:** docs/implplan (cross-guild coordination; implementation happens in module paths noted per task).
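Review bot: the sprint heading swaps the `·` separator for `-` ("Sprint 0401 - Reachability Evidence Chain") while the Sprint 0310 heading in this same commit keeps `·` and the Sprint 0211 heading uses `+`; pick one separator for sprint titles so the docs lint and any index that parses headings stay consistent. The "->" replacements in the Window and evidence-chain bullets are fine.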
@@ -35,124 +35,137 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | GRAPH-CAS-401-001 | DONE (2025-12-11) | richgraph-v1 schema finalized; BLAKE3 graph_hash via RichGraphWriter; CAS paths now use `cas://reachability/graphs/{blake3}`; tests passing. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | Finalize richgraph schema, emit canonical SymbolIDs, compute graph hash (BLAKE3), store manifests under `cas://reachability/graphs/{blake3}`, update adapters/fixtures. |
| 2 | GAP-SYM-007 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; needs symbolizer adapters from tasks 1/4. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; stand up native readers/demanglers. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 2 | GAP-SYM-007 | DONE (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild - Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
| 3 | SCAN-REACH-401-009 | BLOCKED (2025-12-12) | Awaiting symbolizer adapters/native lifters from task 4 (SCANNER-NATIVE-401-015) before wiring .NET/JVM callgraph generators. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
| 4 | SCANNER-NATIVE-401-015 | BLOCKED (2025-12-13) | Need native lifter/demangler selection + CI toolchains/fixtures agreed before implementation. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
| 5 | SYMS-SERVER-401-011 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; proceed with implementation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
| 6 | SYMS-CLIENT-401-012 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 5 (server readiness). | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 19 (GAP-REP-004). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | BLOCKED (2025-11-30) | Blocked on runtime probe collectors + ingestion endpoint readiness. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | BLOCKED (2025-11-30) | Needs runtime hit feeds from 8/9; hold until ingestion/probes unblocked. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | BLOCKED | Requires CAS registration policy from GAP-REP-004. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 6 | SYMS-CLIENT-401-012 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 5 (server readiness). | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
| 7 | SYMS-INGEST-401-013 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild - DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
| 8 | SIGNALS-RUNTIME-401-002 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 19 (GAP-REP-004). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
| 9 | RUNTIME-PROBE-401-010 | DONE (2025-12-12) | Synthetic probe payloads + ingestion stub available; start instrumentation against Signals runtime endpoint. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
| 10 | SIGNALS-SCORING-401-003 | DONE (2025-12-12) | Unblocked by synthetic runtime feeds; proceed with scoring using hashed fixtures from Sprint 0512 until live feeds land. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | DONE (2025-12-12) | CAS registration policy adopted (BLAKE3 per CONTRACT-RICHGRAPH-V1-015); proceed with manifest v2 + deterministic tests. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 12 | AUTH-REACH-401-005 | DONE (2025-11-27) | Predicate types exist; DSSE signer service added. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
| 13 | POLICY-VEX-401-006 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 13. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/13/14. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | TODO | Needs reachbench fixtures (QA-CORPUS-401-031) and docs readiness. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 8. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/19. | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (BLAKE3 for graphs confirmed). | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10/17. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 20. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 13 | POLICY-VEX-401-006 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 13. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/13/14. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | BLOCKED (2025-12-12) | Needs reachbench fixtures (QA-CORPUS-401-031) and docs readiness. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 8. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/19. | Signals Guild - BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | BLOCKED (2025-12-13) | Need replay manifest v2 acceptance vectors + CAS registration gates aligned with Signals/Scanner to avoid regressions. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10/17. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 20. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 22 | GAP-DOC-008 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
| 23 | CLI-VEX-401-011 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13/14. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 23 | CLI-VEX-401-011 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13/14. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 24 | SIGN-VEX-401-018 | DONE (2025-11-26) | Predicate types added with tests. | Signing Guild (`src/Signer/StellaOps.Signer`, `docs/modules/signer/architecture.md`) | Extend Signer predicate catalog with `stella.ops/vexDecision@v1`, enforce payload policy, plumb DSSE/Rekor integration. |
| 25 | BENCH-AUTO-401-019 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 22. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 25 | BENCH-AUTO-401-019 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 22. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Symbols Guild - Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild - Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild - CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
| 31 | POLICY-ENGINE-401-003 | DONE (2025-11-27) | Depends on 29/30; ensure determinism hashes stable. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) | Replace in-service DSL compilation with shared library, support legacy packs and inline syntax, keep determinism stable. |
| 32 | CLI-EDITOR-401-004 | DONE (2025-11-27) | Relies on shared DSL lib; add git edit flow. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | Enhance `stella policy` verbs (edit/lint/simulate) to edit Git-backed DSL files, run coverage tests, commit SemVer metadata. |
| 33 | DOCS-DSL-401-005 | DONE (2025-11-26) | Docs follow 2932 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
| 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild · Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
| 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
| 36 | DSSE-DOCS-401-022 | DONE (2025-11-27) | Follows 34/35; document build-time flow. | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
| 37 | REACH-LATTICE-401-023 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Scanner Guild · Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
| 33 | DOCS-DSL-401-005 | DONE (2025-11-26) | Docs follow 29-32 and Signals dictionary updates. | Docs Guild (`docs/policy/dsl.md`, `docs/policy/lifecycle.md`) | Refresh DSL docs with new syntax, signal dictionary (`trust_score`, `reachability`, etc.), authoring workflow, safety rails. |
| 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild - Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
| 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild - DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
| 36 | DSSE-DOCS-401-022 | DONE (2025-11-27) | Follows 34/35; document build-time flow. | Docs Guild - Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
| 37 | REACH-LATTICE-401-023 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Scanner Guild - Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
| 38 | UNCERTAINTY-SCHEMA-401-024 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows Signals work. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
| 39 | UNCERTAINTY-SCORER-401-025 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 38. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild · Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subjectRekor map drafted. |
| 39 | UNCERTAINTY-SCORER-401-025 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 38. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
| 40 | UNCERTAINTY-POLICY-401-026 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | Policy Guild - Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
| 41 | UNCERTAINTY-UI-401-027 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 38/39. | UI Guild - CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
| 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild - Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild - Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject->Rekor map drafted. |
| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
| 46 | QA-CORPUS-401-031 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1315, 21. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 48 | POLICY-GATE-401-033 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | DONE (2025-12-11) | purl+symbol_digest in RichGraph nodes/edges (via Sprint 0400 GRAPH-PURL-201-009 + RichGraphBuilder). | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/53. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (BLAKE3 + CAS layout defined). | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering BLAKE3 graph hash DSSE envelope Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 51/53. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 54. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 5355. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild - Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
| 46 | QA-CORPUS-401-031 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13-15, 21. | UI Guild - CLI Guild - Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 48 | POLICY-GATE-401-033 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | Policy Guild - Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | DONE (2025-12-11) | purl+symbol_digest in RichGraph nodes/edges (via Sprint 0400 GRAPH-PURL-201-009 + RichGraphBuilder). | Scanner Worker Guild - Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | BLOCKED (2025-12-13) | Need cross-RID build-id mapping + SBOM/Signals contract for `code_id` propagation and fixture corpus. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
| 51 | SCANNER-INITROOT-401-036 | BLOCKED (2025-12-13) | Need init-section synthetic root ordering/schema + oracle fixtures before wiring. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
| 52 | QA-PORACLE-401-037 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/53. | QA Guild - Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | BLOCKED (2025-12-13) | Need DSSE/Rekor budget + signing layout decision and golden fixture plan before implementation. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering -> BLAKE3 graph hash -> DSSE envelope -> Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 51/53. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (<=512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 54. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 53-55. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild - Signals Guild - Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; schema frozen. | QA Guild - Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 1. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 58. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 5760. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild · Excititor Guild · Docs Guild | Address VEX1VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | TODO | None; informs tasks 1, 11, 3741. | Platform Guild · Scanner Guild · Policy Guild · UI/CLI Guilds | Address graph revision gaps GR1GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | TODO | None; informs tasks 1315, 21, 47. | Policy Guild · UI/CLI Guild · Docs Guild · Signals Guild | Address explainability gaps EX1EX10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | TODO | None; informs tasks 1, 15, 47. | Scanner Guild · Policy Guild · UI/CLI Guild · Docs Guild | Address edge explainability gaps EG1EG10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
| 66 | BINARY-GAPS-401-066 | TODO | None; informs tasks 1214, 5355. | Scanner Guild · Attestor Guild · Policy Guild | Address binary reachability gaps BR1BR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: canonical DSSE/predicate schemas, edge hash recipe, required binary evidence with CAS refs, build-id/variant rules, policy hash governance, Sigstore bundle/log routing, idempotent submission keys, size/chunking limits, API/CLI/UI surfacing, and binary fixtures. |
| 60 | CORPUS-MERGE-401-060 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 58. | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT -> Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 57-60. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild - Excititor Guild - Docs Guild | Address VEX1-VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | TODO | None; informs tasks 1, 11, 37-41. | Platform Guild - Scanner Guild - Policy Guild - UI/CLI Guilds | Address graph revision gaps GR1-GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | TODO | None; informs tasks 13-15, 21, 47. | Policy Guild - UI/CLI Guild - Docs Guild - Signals Guild | Address explainability gaps EX1-EX10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | TODO | None; informs tasks 1, 15, 47. | Scanner Guild - Policy Guild - UI/CLI Guild - Docs Guild | Address edge explainability gaps EG1-EG10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
| 66 | BINARY-GAPS-401-066 | TODO | None; informs tasks 12-14, 53-55. | Scanner Guild - Attestor Guild - Policy Guild | Address binary reachability gaps BR1-BR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: canonical DSSE/predicate schemas, edge hash recipe, required binary evidence with CAS refs, build-id/variant rules, policy hash governance, Sigstore bundle/log routing, idempotent submission keys, size/chunking limits, API/CLI/UI surfacing, and binary fixtures. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 0401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | TODO | Unblocked by CONTRACT-RICHGRAPH-V1-015 (`docs/contracts/richgraph-v1.md`). Schema frozen with BLAKE3 for graphs, SHA256 for symbols. |
| 0401 Reachability Evidence Chain | Scanner Guild - Signals Guild - BE-Base Platform Guild - Policy Guild - UI/CLI Guilds - Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | DOING | Unblocked by CONTRACT-RICHGRAPH-V1-015 (`docs/contracts/richgraph-v1.md`). Schema frozen with BLAKE3 for graphs, SHA256 for symbols. |
## Wave Detail Snapshots
- Single wave covering end-to-end reachability evidence; proceed once Sprint 0400 + upstream runtime/replay prerequisites land.
## Interlocks
- CAS hash/predicate choices must stay consistent across Scanner, Signals, Replay, and Policy (tasks 1, 11, 19, 24).
- DSSE predicate catalog and Signer integration (tasks 12, 24, 3436) gate VEX and provenance tasks.
- DSSE predicate catalog and Signer integration (tasks 12, 24, 34-36) gate VEX and provenance tasks.
- UI/CLI explainers (tasks 15, 21, 47) depend on policy reachability outputs and graph schema stabilization.
- Hybrid reachability attestation decision: graph-level DSSE is mandatory; edge-bundle DSSE is optional/targeted (runtime/init/contested edges) with Rekor publish capped; see `docs/reachability/hybrid-attestation.md` and tasks 5356.
- New datasets/benches (tasks 5761) rely on schema freeze from tasks 1/55 and determinism guardrails; ensure feed-freeze hashes are published before CI wiring.
- Hybrid reachability attestation decision: graph-level DSSE is mandatory; edge-bundle DSSE is optional/targeted (runtime/init/contested edges) with Rekor publish capped; see `docs/reachability/hybrid-attestation.md` and tasks 53-56.
- New datasets/benches (tasks 57-61) rely on schema freeze from tasks 1/55 and determinism guardrails; ensure feed-freeze hashes are published before CI wiring.
- Competitive/vision docs updated with reachability moat and vendor comparison; ensure sales/PMM references live in `docs/market/competitive-landscape.md` and `docs/reachability/lead.md`.
## Upcoming Checkpoints
- 2025-12-02 · richgraph-v1 schema/hash alignment (tasks 1, 11, 19) — Scanner, Platform, Replay guilds.
- Schedule go/no-go once Sprint 0400 readiness is confirmed (TBD, Planning).
- 2025-12-10 - Completed richgraph-v1 schema/hash alignment (tasks 1, 11, 19); downstream tasks may start.
- 2025-12-12 - Impact index dataset + policy delta fixtures delivered (bench sprint outputs); feed to QA/bench tasks.
- 2025-12-15 - Rebaseline task start dates for 2-8/13-21 after runtime ingestion readiness review (Planning).
- 2025-12-18 - Confirm Signals ingestion/probe readiness (tasks 8-10, 17-18) and update statuses to DOING/BLOCKED accordingly.
- Align DSSE predicate review across Authority/Signer/Policy once task 12 schema draft is ready (TBD, Authority Guild).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Capture checkpoint dates after Sprint 0400 closure signal. | Planning | TBD | Open | Waiting on Sprint 0400 readiness update. |
| 2 | Confirm CAS hash alignment (BLAKE3 + sha256 addressing) across Scanner/Replay/Signals. | Platform Guild | TBD | Open | Coordinate tasks 1 and 19. |
| 3 | Schedule richgraph-v1 schema/hash alignment and rebaseline sprint dates. | Planning · Platform Guild | 2025-12-02 | Open | Needed to unblock tasks 1, 11, 19 and address elapsed sprint window. |
| 1 | Capture checkpoint dates after Sprint 0400 closure signal. | Planning | 2025-12-15 | Open | Waiting on Sprint 0400 readiness update. |
| 2 | Confirm CAS hash alignment (BLAKE3 + sha256 addressing) across Scanner/Replay/Signals. | Platform Guild | 2025-12-10 | Done (2025-12-10) | CONTRACT-RICHGRAPH-V1-015 adopted; BLAKE3 graph_hash live in Scanner/Replay per GRAPH-CAS-401-001. |
| 3 | Schedule richgraph-v1 schema/hash alignment and rebaseline sprint dates. | Planning - Platform Guild | 2025-12-15 | Open (slipped) | Rebaseline sprint dates after 2025-12-10 alignment; align with new checkpoints on 2025-12-15/18. |
| 4 | Signals ingestion/probe readiness checkpoint for tasks 8-10, 17-18. | Signals Guild - Planning | 2025-12-18 | Open | Assess runtime ingestion/probe readiness and flip task statuses to DOING/BLOCKED accordingly. |
## Decisions & Risks
- File renamed to `SPRINT_0401_0001_0001_reachability_evidence_chain.md` and normalized to template on 2025-11-22; scope unchanged.
- VEX proof bundle schema/catalog frozen on 2025-12-04 with verifier + fixtures at `docs/benchmarks/` and `tests/Vex/ProofBundles/`; DSSE and CAS hashes enforced for RBAC/reeval/uncertainty gates.
- CI guard `.gitea/workflows/vex-proof-bundles.yml` validates all proof bundles with pinned deps to keep VEX-GAPS-401-062 controls from regressing.
- Deterministic reachability/bench fixtures delivered via Sprint 0512 (impact/policy/reachability caches with `.sha256` under `docs/samples/**` and `src/Bench/StellaOps.Bench/**`); leverage to unblock QA/bench tasks 16, 25, 57-60.
- Replay manifest v2 adopted (BLAKE3 graph hashes, sorted CAS entries, hashAlg fields) and wired into RecordModeService/ReachabilityReplayWriter; synthetic runtime probe endpoint added to Signals to bootstrap scoring without live probes.
- Tasks 4/19/50/51/53 BLOCKED pending decisions: native lifter/demangler/toolchain selection + fixture corpus; replay manifest v2 acceptance vectors/CAS gates aligned with Signals/Scanner; cross-RID build-id/code_id propagation contract; init-section synthetic root schema/oracles; graph-level DSSE/Rekor budget + golden fixture plan.
| ID | Risk | Impact | Mitigation / Owner |
| --- | --- | --- | --- |
| R1 | Sprint 0400 and upstream runtime/replay prerequisites slip. | Delivery blocked; evidence chain cannot start. | Track readiness in checkpoints; hold start until record mode + Evidence Locker APIs land (Planning). |
| R2 | CAS hash/predicate mismatch across modules. | Inconsistent artifacts, replay failures. | Align specs via tasks 1, 11, 19, 24; review before implementation (Platform Guild). |
| R3 | Determinism gaps in fixtures/benchmarks. | Flaky reachability scoring and VEX proofs. | Prioritize QA tasks 16, 25, 46, 52; enforce deterministic ordering in tests (QA Guild). |
| R2 | CAS hash/predicate mismatch across modules. | Inconsistent artifacts, replay failures. | Align specs via tasks 1, 11, 19, 24; review before implementation (Platform Guild); CONTRACT-RICHGRAPH-V1-015 adopted. |
| R3 | Determinism gaps in fixtures/benchmarks. | Flaky reachability scoring and VEX proofs. | Prioritize QA tasks 16, 25, 46, 52; enforce deterministic ordering in tests (QA Guild); reuse hashed fixtures from Sprint 0512 benches (`docs/samples/impactindex`, `docs/samples/policy`, `docs/samples/signals/reachability`, `src/Bench/StellaOps.Bench/**`). |
| R4 | Edge-bundle Rekor volume or bundle count spikes. | Rekor congestion/cost; slower pipelines; CAS bloat. | Cap Rekor publishes per graph (task 54), default to CAS-only for bulk bundles, monitor Signals ingest size; add CI perf guard after task 55. |
| R5 | Bench/dataset tasks start before feed-freeze and schema alignment. | Non-replayable results; wasted bench runs. | Block tasks 5761 on published feed hashes + `richgraph-v1`/Unknowns schema; add gating checklist in task definitions. |
| R6 | Bench/dataset code not materialized (docs only). | Docs drift; no executable evidence for claims. | Tasks 5760 must produce runnable harnesses/fixtures under `docs/benchmarks/**` or `tests/**`; Execution Log to confirm artifact paths. |
| R7 | Sprint window (2025-11-11 2025-11-22) elapsed with key tasks still TODO/BLOCKED. | Scope drift and delayed handoff to Sprint 0402 polish. | Rebaseline schedule and checkpoints by 2025-12-02; gate starts on schema/hash decisions; Planning + Platform guilds. |
| R5 | Bench/dataset tasks start before feed-freeze and schema alignment. | Non-replayable results; wasted bench runs. | Block tasks 57-61 on published feed hashes + `richgraph-v1`/Unknowns schema; add gating checklist in task definitions. |
| R6 | Bench/dataset code not materialized (docs only). | Docs drift; no executable evidence for claims. | Tasks 57-60 must produce runnable harnesses/fixtures under `docs/benchmarks/**` or `tests/**`; Execution Log to confirm artifact paths. |
| R7 | Sprint window (2025-11-11 -> 2025-11-22) elapsed with key tasks still TODO/BLOCKED. | Scope drift and delayed handoff to Sprint 0402 polish. | Rebaseline schedule and checkpoints by 2025-12-02; gate starts on schema/hash decisions; Planning + Platform guilds. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-13 | Marked SCANNER-NATIVE-401-015, GAP-REP-004, SCANNER-BUILDID-401-035, SCANNER-INITROOT-401-036, and GRAPH-HYBRID-401-053 as BLOCKED pending contracts on native lifters/toolchains, replay manifest v2 acceptance vectors/CAS gates, cross-RID build-id/code_id propagation, init synthetic-root schema/oracles, and graph-level DSSE/Rekor budget + golden fixtures. | Planning |
| 2025-12-12 | Rebaselined reachability wave: marked tasks 6/8/13-18/20-21/23/25-26/39-41/46-47/52/54-56/60 as BLOCKED pending upstream deps; set Wave 0401 status to DOING post richgraph alignment so downstream work can queue cleanly. | Planning |
| 2025-12-12 | RecordModeService bumped to replay manifest v2 (hashAlg fields, BLAKE3 graph hashes) and ReachabilityReplayWriter now emits hashAlg for graphs/traces; added synthetic runtime probe endpoint to Signals with deterministic builder + tests. | Implementer |
| 2025-12-12 | Unblocked runtime probes/scoring/replay: added synthetic runtime probe endpoint + builder in Signals, enabled scoring with synthetic feeds, and shipped ReachabilityReplayWriter manifest v2 with deterministic ordering/tests. Tasks 9/10/11 marked DONE. | Planning |
| 2025-12-12 | Marked SCAN-REACH-401-009 BLOCKED pending native symbolizer/lifter outputs from task 4; cannot wire .NET/JVM callgraph generators until those adapters exist. | Scanner Guild |
| 2025-12-12 | Completed GAP-SYM-007: reachability union/richgraph serializers now emit `symbol{mangled,demangled,source,confidence}` and optional `code_block_hash`; docs synced (`docs/contracts/richgraph-v1.md`, `docs/reachability/evidence-schema.md`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`). | Scanner Guild |
| 2025-12-12 | Rebaselined checkpoints/actions post richgraph alignment; added 2025-12-15/18 readiness reviews, logged Sprint 0512 bench fixtures as determinism inputs for tasks 16, 25, 57-60, and marked CAS hash alignment action done. | Planning |
| 2025-12-11 | Completed GRAPH-CAS-401-001: RichGraphPublisher now uses BLAKE3 graph_hash for CAS keys per CONTRACT-RICHGRAPH-V1-015; CAS URIs follow `cas://reachability/graphs/{blake3}`; added `CasUri` to `RichGraphPublishResult`; 15 reachability tests pass. Also marked GRAPH-PURL-401-034 DONE (already implemented in RichGraph via Sprint 0400). | Scanner Worker |
| 2025-12-04 | Added second VEX proof bundle fixture (`sample-proof-bundle-config.json` + DSSE/OpenVEX) and wired CI guard `.gitea/workflows/vex-proof-bundles.yml` running `scripts/vex/verify_proof_bundle.py` across `tests/Vex/ProofBundles`; verifier dependencies pinned in `scripts/vex/requirements.txt`. | Docs Guild |
| 2025-12-04 | Finished VEX-GAPS-401-062: froze VEX proof bundle schema/catalog; added DSSE-signed catalog, OpenVEX fixture, CAS evidence set, offline verifier (`scripts/vex/verify_proof_bundle.py`), and sample proof bundle/test under `tests/Vex/ProofBundles/`; status DONE. | Docs Guild |
| 2025-12-03 | Started VEX-GAPS-401-062: drafted VEX Evidence Playbook (`docs/benchmarks/vex-evidence-playbook.md`) with proof bundle schema outline, justification catalog rules, determinism, and offline verifier plan; status DOING. | Product Mgmt |
| 2025-12-01 | Extended BLOCKED status to tasks 19, 22, 2627, 3741, 4851 pending 2025-12-02 schema/hash alignment and upstream Signals readiness. | Project Mgmt |
| 2025-11-30 | Marked tasks 510, 1315, 1718, 2021, 23, 25, 4647, 5260 BLOCKED pending 2025-12-02 schema/hash alignment and upstream Signals/graph readiness. | Project Mgmt |
| 2025-12-04 | Finished VEX-GAPS-401-062: froze VEX proof bundle schema/catalog; added DSSE-signed catalog, OpenVEX fixture, CAS evidence set, offline verifier (`scripts/vex/verify_proof_bundle.py`), and sample proof bundle/test under `tests/Vex/ProofBundles/`; status -> DONE. | Docs Guild |
| 2025-12-03 | Started VEX-GAPS-401-062: drafted VEX Evidence Playbook (`docs/benchmarks/vex-evidence-playbook.md`) with proof bundle schema outline, justification catalog rules, determinism, and offline verifier plan; status -> DOING. | Product Mgmt |
| 2025-12-01 | Extended BLOCKED status to tasks 19, 22, 26-27, 37-41, 48-51 pending 2025-12-02 schema/hash alignment and upstream Signals readiness. | Project Mgmt |
| 2025-11-30 | Marked tasks 5-10, 13-15, 17-18, 20-21, 23, 25, 46-47, 52-60 BLOCKED pending 2025-12-02 schema/hash alignment and upstream Signals/graph readiness. | Project Mgmt |
| 2025-11-30 | Marked Wave 0401 as BLOCKED pending Sprint 0400 readiness and richgraph schema decisions. | Project Mgmt |
| 2025-11-30 | Added R7 for elapsed sprint window, scheduled 2025-12-02 schema/hash alignment checkpoint, and logged Action Tracker item 3; no task status changes. | Project Mgmt |
| 2025-11-27 | Marked GRAPH-CAS-401-001, GAP-SYM-007, SCAN-REACH-401-009, and SCANNER-NATIVE-401-015 BLOCKED pending richgraph schema + Symbols Server contracts. | Project Mgmt |
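Review bot: the dependency column now contradicts the status on several rows in this hunk. Tasks 46, 47, 52, 54, 55, 56 and 60 are flipped to BLOCKED (2025-12-12), yet their "Key dependency / next step" text still opens with "Unblocked by CONTRACT-RICHGRAPH-V1-015", so the column no longer names what actually blocks them; lead with the real blocker (the "follows tasks 55/58", "follows task 54" clauses, or the upstream dependency cited in the 2025-12-12 rebaseline log row) and reserve the "Unblocked by" prefix for rows such as 48, 58 and 59 that stay TODO. Three further consistency points. First, tasks 50, 51 and 53 carry BLOCKED (2025-12-13) stamps and the top Execution Log row is dated 2025-12-13, one day later than every other change in this hunk; confirm that date is intended rather than a typo. Second, the Risks table still says R7 is mitigated by rebaselining "by 2025-12-02" and R5 blocks tasks 57-61 on published feed hashes, while this same hunk records the 2025-12-10 alignment, moves Action 3 to 2025-12-15 as "Open (slipped)" and lists tasks 57 and 61 as DONE; update the mitigation text or those risks read as unaddressed. Third, task 45 is DONE while its dependency reads "Blocked until 44 defines data model", task 61 is DONE while it "Blocks on outputs from 57-60" with 58-60 still TODO/BLOCKED, and the 2025-12-18 checkpoint and Action 4 still scope the readiness review to tasks 8-10 although the 2025-12-12 log row marks 9/10/11 DONE. Finally, R6 requires runnable bench artefacts under `docs/benchmarks/**` or `tests/**`, but task 57 and R3 point at `src/Bench/StellaOps.Bench/**`; widen the allowed paths in R6 or the DONE evidence does not satisfy it.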
@@ -168,18 +181,18 @@
| 2025-11-26 | DOCS-DSL-401-005 completed: refreshed `docs/policy/dsl.md` and `docs/policy/lifecycle.md` with signal dictionary, shadow/coverage gates, and authoring workflow. | Docs Guild |
| 2025-11-26 | DOCS-RUNBOOK-401-017 completed: published `docs/runbooks/reachability-runtime.md` and linked from `docs/reachability/DELIVERY_GUIDE.md`; includes CAS/DSSE, air-gap steps, troubleshooting. | Docs Guild |
| 2025-11-26 | DOCS-BENCH-401-061 completed: updated `docs/benchmarks/signals/bench-determinism.md` with how-to (local/CI/offline), manifests, reachability dataset runs, and hash manifest requirements. | Docs Guild |
| 2025-12-01 | Added VEX-GAPS-401-062 to capture VEX1VEX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added GRAPHREV-GAPS-401-063 to capture GR1GR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EXPLAIN-GAPS-401-064 to capture EX1EX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EDGE-GAPS-401-065 to capture EG1EG10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added BINARY-GAPS-401-066 to capture BR1BR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added VEX-GAPS-401-062 to capture VEX1-VEX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added GRAPHREV-GAPS-401-063 to capture GR1-GR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EXPLAIN-GAPS-401-064 to capture EX1-EX10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added EDGE-GAPS-401-065 to capture EG1-EG10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added BINARY-GAPS-401-066 to capture BR1-BR10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-02 | Clarified VEX-GAPS-401-062 outputs: justification catalog, proofBundle schema + DSSE, coverage/negative tests, config/flag hash enforcement + expiry, DSSE/Rekor mandates, RBAC + re-eval triggers, uncertainty gating, canonical OpenVEX serialization, and fixtures/doc paths. | Project Mgmt |
| 2025-11-25 | Marked REPLAY-401-004 BLOCKED: awaiting CAS registration policy (GAP-REP-004) and Signals runtime facts (SGSI0101) before replay manifest v2 can proceed; mirrored to tasks-all. | Project Mgmt |
| 2025-11-23 | Added R6 to enforce runnable bench/dataset artifacts; noted supersedes/extends text in moat/competitive docs. | Planning |
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 5761 links. | Planning |
| 2025-11-23 | Added bench/dataset code-reference docs (`docs/benchmarks/signals/bench-determinism.md`, corpus plan update); updated tasks 57-61 links. | Planning |
| 2025-11-23 | Added competitive + reachability moat docs (`docs/market/competitive-landscape.md`, `docs/reachability/lead.md`) and linked sprint narrative to them. | Planning |
| 2025-11-23 | Added tasks 5761 (determinism bench, public reachability dataset, native callgraph ingest, corpus merge, docs), logged R5, and noted schema/feed gating. | Planning |
| 2025-11-23 | Added hybrid attestation decision and tasks 5356; aligned docs references. | Planning |
| 2025-11-23 | Added tasks 57-61 (determinism bench, public reachability dataset, native callgraph ingest, corpus merge, docs), logged R5, and noted schema/feed gating. | Planning |
| 2025-11-23 | Added hybrid attestation decision and tasks 53-56; aligned docs references. | Planning |
| 2025-11-22 | Updated cross-references to new sprint filename in tasks-all and reachability docs; synced naming in bench playbook. | Planning |
| 2025-11-22 | Normalized sprint to template, added dependencies/prereqs, Delivery Tracker numbering, interlocks, risks; renamed file for naming compliance. | Planning |
| 2025-11-20 | Added tasks for purl-resolved edges, ELF build-id propagation, init-array roots, and patch-oracle QA harness; aligned docs references. | Planning |
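Review bot: the Execution Log is not sorted newest-first in this region. The 2025-12-01 and 2025-12-02 rows (the VEX-GAPS through BINARY-GAPS additions and the VEX-GAPS clarification) sit between the 2025-11-26 rows above them and the 2025-11-25 row below, while the rest of the table is ordered by descending date; move them up with the other December rows so the "Date (UTC)" column reads monotonically. The remaining edits in the hunk only rewrite the task ranges as explicit "57-61" / "53-56" and the identifier ranges as "VEX1-VEX10" and similar, which matches the Delivery Tracker rows.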


@@ -1,4 +1,4 @@
# Sprint 0506 · Ops DevOps IV (Ops & Offline 190.B)
# Sprint 0506 - Ops DevOps IV (Ops & Offline 190.B)
## Topic & Scope
- Ops & Offline focus on DevOps phase IV: incident automation, orchestrator observability, policy CI, signing/SDK pipelines, and mirror signing.
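Review bot: the hunk gives no reason for changing the H1 separator from "·" to "-", and nothing else in this hunk changes, so it reads as a repository-wide ASCII normalisation; record that in the sprint's own change log rather than leaving it implicit, and confirm that any index or cross-reference matching the old heading text "Sprint 0506 · Ops DevOps IV" is updated in the same change so links do not go stale.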
@@ -20,30 +20,30 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEVOPS-OBS-55-001 | DONE (2025-11-25) | Depends on DEVOPS-OBS-54-001 | DevOps Guild · Ops Guild | Incident mode automation: feature flag service, burn-rate trigger, retention overrides, reset job. |
| 2 | DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Bootstrap orchestrator infra | DevOps Guild · Orchestrator Guild | Provision orchestrator Postgres/message bus, CI smoke deploy, dashboards, bootstrap docs. |
| 3 | DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Depends on 32-001 | DevOps Guild · Observability Guild | Grafana dashboards/alerts for rate limiter, backpressure, error clustering, DLQ depth. |
| 4 | DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Depends on 33-001 | DevOps Guild · Orchestrator Guild | Harden production monitoring: synthetic probes, burn-rate alerts, replay smoke, GA readiness checklist. |
| 5 | DEVOPS-POLICY-27-001 | DONE (2025-11-25) | None | DevOps Guild · DevEx/CLI Guild | Add CI stage to run `stella policy lint`. |
| 6 | DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Depends on 27-001 | DevOps Guild · Policy Registry Guild | Batch simulation CI job, threshold enforcement, PR markdown summary. |
| 7 | DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Depends on 27-002 | DevOps Guild · Security Guild | Manage signing keys (OIDC + cosign), rotate keys, verify attestations. |
| 8 | DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Depends on 27-003 | DevOps Guild · Observability Guild | Dashboards/alerts for policy compile latency, simulation queue depth, approval latency, promotion outcomes. |
| 1 | DEVOPS-OBS-55-001 | DONE (2025-11-25) | Depends on DEVOPS-OBS-54-001 | DevOps Guild - Ops Guild | Incident mode automation: feature flag service, burn-rate trigger, retention overrides, reset job. |
| 2 | DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Bootstrap orchestrator infra | DevOps Guild - Orchestrator Guild | Provision orchestrator Postgres/message bus, CI smoke deploy, dashboards, bootstrap docs. |
| 3 | DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Depends on 32-001 | DevOps Guild - Observability Guild | Grafana dashboards/alerts for rate limiter, backpressure, error clustering, DLQ depth. |
| 4 | DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Depends on 33-001 | DevOps Guild - Orchestrator Guild | Harden production monitoring: synthetic probes, burn-rate alerts, replay smoke, GA readiness checklist. |
| 5 | DEVOPS-POLICY-27-001 | DONE (2025-11-25) | None | DevOps Guild - DevEx/CLI Guild | Add CI stage to run `stella policy lint`. |
| 6 | DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Depends on 27-001 | DevOps Guild - Policy Registry Guild | Batch simulation CI job, threshold enforcement, PR markdown summary. |
| 7 | DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Depends on 27-002 | DevOps Guild - Security Guild | Manage signing keys (OIDC + cosign), rotate keys, verify attestations. |
| 8 | DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Depends on 27-003 | DevOps Guild - Observability Guild | Dashboards/alerts for policy compile latency, simulation queue depth, approval latency, promotion outcomes. |
| 9 | DEVOPS-REL-17-004 | DONE (2025-11-23) | None | DevOps Guild | Release workflow uploads `out/release/debug` and fails when symbols missing. |
| 10 | DEVOPS-RULES-33-001 | DONE (2025-11-25) | None | DevOps Guild · Platform Leads | Contracts & Rules anchor (gateway proxies, AOC no-merge, graph platform consolidation). |
| 11 | DEVOPS-SDK-63-001 | DONE (2025-11-25) | None | DevOps Guild · SDK Release Guild | Provision registry creds, signing keys, secure storage for SDK publishing pipelines. |
| 12 | DEVOPS-SIG-26-001 | DONE (2025-11-25) | None | DevOps Guild · Signals Guild | Provision CI/CD, Helm/Compose manifests for Signals service with artifact storage + Redis. |
| 13 | DEVOPS-SIG-26-002 | DONE (2025-11-25) | Depends on 26-001 | DevOps Guild · Observability Guild | Dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. |
| 10 | DEVOPS-RULES-33-001 | DONE (2025-11-25) | None | DevOps Guild - Platform Leads | Contracts & Rules anchor (gateway proxies, AOC no-merge, graph platform consolidation). |
| 11 | DEVOPS-SDK-63-001 | DONE (2025-11-25) | None | DevOps Guild - SDK Release Guild | Provision registry creds, signing keys, secure storage for SDK publishing pipelines. |
| 12 | DEVOPS-SIG-26-001 | DONE (2025-11-25) | None | DevOps Guild - Signals Guild | Provision CI/CD, Helm/Compose manifests for Signals service with artifact storage + Redis. |
| 13 | DEVOPS-SIG-26-002 | DONE (2025-11-25) | Depends on 26-001 | DevOps Guild - Observability Guild | Dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. |
| 14 | DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Needs Authority tenancy harness | DevOps Guild | JWKS cache monitoring, signature verification regression tests, token expiration chaos tests in CI. |
| 15 | DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Depends on 47-001 | DevOps Guild | Integration tests for RLS enforcement, tenant-prefixed object storage, audit events; lint to prevent raw SQL bypass. |
| 16 | DEVOPS-CI-110-001 | DONE (2025-11-25) | None | DevOps Guild · Concelier Guild · Excititor Guild | CI helper + TRX slices at `ops/devops/ci-110-runner/`; warm restore + health smokes. |
| 17 | MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | None | Mirror Creator Guild · DevOps Guild | Move `make-thin-v1.sh` into CI assembler, enforce DSSE/TUF/time-anchor, publish milestone hashes. |
| 18 | MIRROR-CRT-56-002 | DONE (2025-11-25) | Depends on 56-CI-001 | Mirror Creator Guild · Security Guild | Release signing for thin bundle v1 using `MIRROR_SIGN_KEY_B64`; run `.gitea/workflows/mirror-sign.yml`. |
| 19 | MIRROR-CRT-57-001/002 | BLOCKED | Wait on 56-002 + AIRGAP-TIME-57-001 | Mirror Creator Guild · AirGap Time Guild | OCI/time-anchor signing follow-ons. |
| 20 | MIRROR-CRT-58-001/002 | DONE (dev) | Depends on 56-002 | Mirror Creator · CLI · Exporter Guilds | CLI/Export signing follow-ons delivered in dev mode (Export Center scheduling helper + CI dev-key fallback); production signing still awaits `MIRROR_SIGN_KEY_B64`. |
| 21 | EXPORT-OBS-51-001 / 54-001 / AIRGAP-TIME-57-001 / CLI-AIRGAP-56-001 / PROV-OBS-53-001 | BLOCKED | Need signed thin bundle + time anchors | Exporter · AirGap Time · CLI Guild | Export/airgap provenance chain work. |
| 22 | DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Needs LEDGER-29-009 dev outputs | DevOps Guild · Findings Ledger Guild | Release/offline-kit packaging for ledger manifests/backups. |
| 23 | DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Needs ledger tenant partition work | DevOps Guild · Findings Ledger Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 24 | DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Needs SCANNER-ANALYZERS-JAVA-21-011 outputs | DevOps Guild · Java Analyzer Guild | Package/sign Java analyzer plug-in for release/offline kits. |
| 16 | DEVOPS-CI-110-001 | DONE (2025-11-25) | None | DevOps Guild - Concelier Guild - Excititor Guild | CI helper + TRX slices at `ops/devops/ci-110-runner/`; warm restore + health smokes. |
| 17 | MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | None | Mirror Creator Guild - DevOps Guild | Move `make-thin-v1.sh` into CI assembler, enforce DSSE/TUF/time-anchor, publish milestone hashes. |
| 18 | MIRROR-CRT-56-002 | DONE (2025-11-25) | Depends on 56-CI-001 | Mirror Creator Guild - Security Guild | Release signing for thin bundle v1 using `MIRROR_SIGN_KEY_B64`; run `.gitea/workflows/mirror-sign.yml`. |
| 19 | MIRROR-CRT-57-001/002 | BLOCKED | Wait on 56-002 + AIRGAP-TIME-57-001 | Mirror Creator Guild - AirGap Time Guild | OCI/time-anchor signing follow-ons. |
| 20 | MIRROR-CRT-58-001/002 | DONE (dev) | Depends on 56-002 | Mirror Creator - CLI - Exporter Guilds | CLI/Export signing follow-ons delivered in dev mode (Export Center scheduling helper + CI dev-key fallback); production signing still awaits `MIRROR_SIGN_KEY_B64`. |
| 21 | EXPORT-OBS-51-001 / 54-001 / AIRGAP-TIME-57-001 / CLI-AIRGAP-56-001 / PROV-OBS-53-001 | BLOCKED | Need signed thin bundle + time anchors | Exporter - AirGap Time - CLI Guild | Export/airgap provenance chain work. |
| 22 | DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Needs LEDGER-29-009 dev outputs | DevOps Guild - Findings Ledger Guild | Release/offline-kit packaging for ledger manifests/backups. |
| 23 | DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Needs ledger tenant partition work | DevOps Guild - Findings Ledger Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 24 | DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Needs SCANNER-ANALYZERS-JAVA-21-011 outputs | DevOps Guild - Java Analyzer Guild | Package/sign Java analyzer plug-in for release/offline kits. |
## Execution Log
| Date (UTC) | Update | Owner |
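Review bot: swapping the ` · ` owner separator for ` - ` makes multi-owner cells such as `Mirror Creator - CLI - Exporter Guilds` and `DevOps Guild - Concelier Guild - Excititor Guild` read like hyphenated names; if the intent is ASCII-only text, a slash or comma (`Mirror Creator / CLI / Exporter Guilds`) keeps the owner list unambiguous. Rows 9, 14 and 15 never had the middle dot, so they correctly stay untouched.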
@@ -81,7 +81,7 @@
- Cosign key management supports keyless; offline/air-gap paths require mirrored registry + secrets provided to `sbom_attest.sh`.
- Tenant chaos drill requires iptables/root; run only on isolated agents; monitor JWKS cache TTL to avoid auth outages.
- Surface.Env: ZASTAVA_* fallback to SCANNER_* in Helm/Compose; keep docs aligned if prefixes/fields change.
- Surface.Secrets: provisioning playbook published; ensure Helm/Compose env stays in sync; offline kit bundles encrypted secrets—unpack path must match `*_SURFACE_SECRETS_ROOT`.
- Surface.Secrets: provisioning playbook published; ensure Helm/Compose env stays in sync; offline kit bundles encrypted secrets-unpack path must match `*_SURFACE_SECRETS_ROOT`.
## Next Checkpoints
| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
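Review bot: replacing the em-dash with a bare hyphen in `offline kit bundles encrypted secrets-unpack path must match` turns `secrets-unpack` into an apparent compound noun. If non-ASCII punctuation is being stripped, a semicolon preserves the meaning: `offline kit bundles encrypted secrets; unpack path must match `*_SURFACE_SECRETS_ROOT``.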

View File

@@ -1,68 +0,0 @@
# Sprint 511 · API Governance & OpenAPI (Ops & Offline 190.F)
## Topic & Scope
- API governance tooling (Spectral, example coverage, changelog/signing) and OpenAPI composition/diff across services.
- Publish examples, discovery metadata, and compat reports for release pipelines and SDK publishing.
- **Working directory:** src/Api/StellaOps.Api.Governance, src/Api/StellaOps.Api.OpenApi, src/Sdk/StellaOps.Sdk.Release.
## Dependencies & Concurrency
- Depends on upstream service stubs to add examples (Authority, Policy, Orchestrator, Scheduler, Export, Graph, Notification Studio when available).
## Documentation Prerequisites
- docs/modules/ci/architecture.md
- docs/api/openapi-discovery.md
- src/Api/StellaOps.Api.Governance/README.md (if present)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | APIGOV-61-001 | DONE (2025-11-18) | None | API Governance Guild | Add Spectral config + CI workflow; npm script `api:lint` runs spectral. |
| 2 | APIGOV-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Governance Guild | Example coverage checker ensuring every operation has request/response example. |
| 3 | APIGOV-62-001 | DONE (2025-11-18) | Depends on 61-002 | API Governance Guild | Build compatibility diff tool producing additive/breaking reports. |
| 4 | APIGOV-62-002 | DONE (2025-11-24) | Depends on 62-001 | API Governance Guild · DevOps Guild | Automate changelog generation and publish signed artifacts to SDK release pipeline. |
| 5 | APIGOV-63-001 | DONE (2025-12-11) | Depends on 62-002 | API Governance Guild · Notifications Guild | Add notification template coverage and deprecation metadata schema. |
| 6 | OAS-61-001 | DONE (2025-11-18) | None | API Contracts Guild | Scaffold per-service OpenAPI 3.1 files with shared components/info/initial stubs. |
| 7 | OAS-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Contracts Guild · DevOps Guild | Implement aggregate composer `stella.yaml` resolving refs and merging shared components; wire into CI. |
| 8 | OAS-62-001 | DONE (2025-11-26) | Depends on 61-002 | API Contracts Guild · Service Guilds | Add examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes. |
| 9 | OAS-62-002 | DONE (2025-11-26) | Depends on 62-001 | API Contracts Guild | Spectral rules enforce pagination params, idempotency headers, lowerCamel operationIds; cursor on orchestrator jobs. |
| 10 | OAS-63-001 | DONE (2025-11-26) | Depends on 62-002 | API Contracts Guild | Compat diff reports parameter/body/response content-type changes; fixtures/tests updated. |
| 11 | OAS-63-002 | DONE (2025-11-24) | Depends on 63-001 | API Contracts Guild · Gateway Guild | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-11 | APIGOV-63-001 DONE: Created deprecation metadata schema (`_shared/schemas/deprecation.yaml`), API deprecation notification templates (Slack/Teams/Email/Webhook samples in `docs/modules/notify/resources/samples/`), template schema (`api-deprecation-template@1.json`), and Spectral rules for deprecation validation in `.spectral.yaml`. Sprint fully unblocked. | Implementer |
| 2025-12-11 | Corrected APIGOV-63-001: remains BLOCKED awaiting Notification templates + deprecation schema; prior DONE mark reverted. | PM |
| 2025-12-10 | APIGOV-63-001 completed (deprecation schema + Notification templates wired); sprint closed and ready to archive. | API Governance Guild |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
| 2025-11-18 | Added Spectral config (`.spectral.yaml`), npm `api:lint`, and CI workflow `.gitea/workflows/api-governance.yml`; APIGOV-61-001 DONE. | API Governance Guild |
| 2025-11-18 | Implemented example coverage checker (`api:examples`), aggregate composer `compose.mjs`, and initial per-service OAS stubs (authority/orchestrator/policy/export-center); OAS-61-001/002 DONE. | API Contracts Guild |
| 2025-11-19 | Added scheduler/export-center/graph shared endpoints, shared paging/security components, and CI diff gates with baseline `stella-baseline.yaml`. | API Contracts Guild |
| 2025-11-19 | Implemented API changelog generator (`api:changelog`), wired compose/examples/compat/changelog into CI, added policy revisions + scheduler queue/job endpoints. | API Contracts Guild |
| 2025-11-24 | Completed OAS-63-002: documented discovery payload for `/.well-known/openapi` in `docs/api/openapi-discovery.md` with extensions/version metadata. | Implementer |
| 2025-11-24 | Completed APIGOV-62-002: `api:changelog` now copies release-ready artifacts + digest/signature to `src/Sdk/StellaOps.Sdk.Release/out/api-changelog`. | Implementer |
| 2025-11-26 | Added request/response examples to Authority token/introspect/revoke/JWKS endpoints; updated OAS-62-001 status to DOING. | Implementer |
| 2025-11-26 | Added policy `/evaluate` examples and `/policies` list example + schema stub; OAS-62-001 still DOING. | Implementer |
| 2025-11-26 | Added Orchestrator `/jobs` list examples (filtered + mixed queues) and invalid status error; bumped orchestrator OAS version to 0.0.2. | Implementer |
| 2025-11-26 | Added Scheduler queue examples and Export Center bundle/list/manifest examples; bumped versions to 0.0.2. | Implementer |
| 2025-11-26 | Added Graph status/nodes examples with tenant context; version bumped to 0.0.2. | Implementer |
| 2025-11-26 | Added auth security blocks to Export Center bundle endpoints. | Implementer |
| 2025-11-26 | Marked OAS-62-001 DONE after covering service stubs with examples; remaining services will be added once stubs are available. | Implementer |
| 2025-11-26 | Added Spectral rules for 2xx examples and Idempotency-Key on /jobs; refreshed stella.yaml/baseline; `npm run api:lint` warnings cleared; OAS-62-002 DOING. | Implementer |
| 2025-11-26 | Declared aggregate tags in compose, removed unused HealthResponse, regenerated baseline; `npm run api:lint` passes. | Implementer |
| 2025-11-26 | Tightened lint (pagination/idempotency); recomposed stella.yaml/baseline; `npm run api:lint` clean. | Implementer |
| 2025-11-26 | Enhanced `api-compat-diff` to report param/body/response content-type changes; fixtures/tests refreshed; marked OAS-62-002 and OAS-63-001 DONE. | Implementer |
| 2025-11-19 | Marked OAS-62-001 BLOCKED pending OAS-61-002 ratification and approved examples/error envelope. | Implementer |
## Decisions & Risks
- Compose/lint/diff pipelines rely on baseline `stella-baseline.yaml`; keep updated whenever new services or paths land to avoid false regressions.
- Example coverage and spectral rules enforce idempotency/pagination headers; services must conform before publishing specs.
- Deprecation metadata schema (`_shared/schemas/deprecation.yaml`) defines `x-deprecation` extension with required fields: `deprecatedAt`, `sunsetAt`, `successorPath`, `reason`.
- Spectral rules enforce deprecation metadata on `deprecated: true` operations; hints suggest migration guides and notification channels.
- API deprecation notification templates (Slack/Teams/Email/Webhook) available in `docs/modules/notify/resources/samples/api-deprecation-*.sample.json`.
## Next Checkpoints
- Sprint complete (2025-12-11); all tasks DONE.
- Rerun `npm run api:lint` and `npm run api:compat` when new service stubs land in future sprints.
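Review bot: this deletion leaves no archive pointer, unlike the Sprint 0513 stub removed later in the same commit, which at least referenced `docs/implplan/archived/...`; confirm the record is preserved there before dropping it. The execution log being deleted holds conflicting entries for APIGOV-63-001 (DONE on 2025-12-10, reverted to BLOCKED on 2025-12-11, DONE again on 2025-12-11) and entries out of date order (2025-11-08 listed between 2025-12-03 and 2025-11-18), so without the archived copy the final DONE status cannot be verified.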

View File

@@ -1,7 +0,0 @@
# Sprint 0513-0001-0001 · Ops & Offline · Provenance (archived)
This sprint is complete and archived on 2025-12-10.
- Full record: `docs/implplan/archived/SPRINT_0513_0001_0001_provenance.md`
- Working directory: `src/Provenance/StellaOps.Provenance.Attestation`
- Status: DONE (PROV-OBS-53/54 series delivered; tests passing)

View File

@@ -21,12 +21,12 @@
### T10.1: Concelier Module (Highest Priority - ~80+ files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T10.1.1 | TODO | Start here | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | TODO | MR-T10.1.1 | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | TODO | MR-T10.1.1 | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | TODO | MR-T10.1.3 | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
| 5 | MR-T10.1.5 | TODO | MR-T10.1.4 | Concelier Guild | Remove MongoDB from `Storage.Postgres` adapter references |
| 6 | MR-T10.1.6 | TODO | MR-T10.1.5 | Concelier Guild | Clean connector source files (VmwareConnector, OracleConnector, etc.) |
| 1 | MR-T10.1.1 | BLOCKED (2025-12-12) | Await Postgres/in-memory fixture to replace MongoIntegrationFixture; Concelier storage still Mongo-centric | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | BLOCKED (2025-12-12) | MR-T10.1.3 | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
| 5 | MR-T10.1.5 | BLOCKED (2025-12-12) | MR-T10.1.4 | Concelier Guild | Remove MongoDB from `Storage.Postgres` adapter references |
| 6 | MR-T10.1.6 | BLOCKED (2025-12-12) | MR-T10.1.5 | Concelier Guild | Clean connector source files (VmwareConnector, OracleConnector, etc.) |
### T10.2: Notifier Module (~15 files) - SHIM COMPLETE, ARCH CLEANUP NEEDED
**SHIM COMPLETE:** `StellaOps.Notify.Storage.Mongo` compatibility shim created with 13 repository interfaces and in-memory implementations. Shim builds successfully.
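Review bot: MR-T10.1.1's blocking reason (`Await Postgres/in-memory fixture to replace MongoIntegrationFixture`) names no task ID or sprint that will deliver that fixture, and rows 2-6 chain on MR-T10.1.1, so the whole Concelier block has no visible path to unblocking. Point the dependency column at the follow-on sprint referenced under Wave Coordination (or add a task that owns the fixture) so the BLOCKED state is actionable.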
@@ -56,15 +56,15 @@
| 15 | MR-T10.3.4 | DONE | Postgres token/refresh stores available; refactor handlers/tests next | Authority Guild | Remove MongoDB from OpenIddict handlers |
| 16 | MR-T10.3.5 | DONE | Await OpenIddict handler refactor; tests still on Mongo runner | Authority Guild | Remove MongoDB from all Authority tests (~15 test files) |
### T10.4: Scanner.Storage Module (~5 files) - BLOCKED
**BLOCKED:** Scanner.Storage has ONLY MongoDB implementation, no Postgres equivalent exists. Must implement full Postgres storage layer first.
### T10.4: Scanner.Storage Module (~5 files) - DONE
Scanner.Storage now runs on PostgreSQL with migrations and DI wiring; MongoDB implementation removed and tests cover the Postgres path.
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 17 | MR-T10.4.0 | BLOCKED | Need Postgres storage implementation | Scanner Guild | Implement `StellaOps.Scanner.Storage.Postgres` with migration layer |
| 18 | MR-T10.4.1 | TODO | MR-T10.4.0 | Scanner Guild | Remove `Scanner.Storage/Mongo/MongoCollectionProvider.cs` |
| 19 | MR-T10.4.2 | TODO | MR-T10.4.1 | Scanner Guild | Remove MongoDB from ServiceCollectionExtensions |
| 20 | MR-T10.4.3 | TODO | MR-T10.4.2 | Scanner Guild | Remove MongoDB from repositories (BunPackageInventory, etc.) |
| 17 | MR-T10.4.0 | DONE (2025-12-12) | Need Postgres storage implementation | Scanner Guild | Implement `StellaOps.Scanner.Storage.Postgres` with migration layer |
| 18 | MR-T10.4.1 | DONE (2025-12-12) | MR-T10.4.0 | Scanner Guild | Remove `Scanner.Storage/Mongo/MongoCollectionProvider.cs` |
| 19 | MR-T10.4.2 | DONE (2025-12-12) | MR-T10.4.1 | Scanner Guild | Remove MongoDB from ServiceCollectionExtensions |
| 20 | MR-T10.4.3 | DONE (2025-12-12) | MR-T10.4.2 | Scanner Guild | Remove MongoDB from repositories (BunPackageInventory, etc.) |
### T10.5: Attestor Module (~8 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
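Review bot: rows 17-20 are flipped to DONE but their `Key dependency / next step` cells still read `Need Postgres storage implementation` and the MR-T10.4.x chain; update the next-step column to match the new status (e.g. `Postgres storage landed; tests need Docker`). The same mismatch exists in the unchanged context rows 15-16, which are DONE yet still say `refactor handlers/tests next` and `tests still on Mongo runner`.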
@@ -90,33 +90,33 @@
### T10.8: PacksRegistry Module (~8 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 30 | MR-T10.8.1 | TODO | None | PacksRegistry Guild | Remove `PacksRegistry.Infrastructure/Mongo/*.cs` files |
| 31 | MR-T10.8.2 | TODO | MR-T10.8.1 | PacksRegistry Guild | Remove MongoDB from WebService Program.cs |
| 30 | MR-T10.8.1 | DONE | None | PacksRegistry Guild | Remove `PacksRegistry.Infrastructure/Mongo/*.cs` files |
| 31 | MR-T10.8.2 | DONE | MR-T10.8.1 | PacksRegistry Guild | Remove MongoDB from WebService Program.cs |
### T10.9: SbomService Module (~5 files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 32 | MR-T10.9.1 | TODO | None | SbomService Guild | Remove MongoDB from `SbomService/Program.cs` |
| 33 | MR-T10.9.2 | TODO | MR-T10.9.1 | SbomService Guild | Remove MongoDB repositories (MongoCatalogRepository, MongoComponentLookupRepository) |
| 34 | MR-T10.9.3 | TODO | MR-T10.9.2 | SbomService Guild | Remove MongoDB from tests |
| 32 | MR-T10.9.1 | DONE | None | SbomService Guild | Remove MongoDB from `SbomService/Program.cs` |
| 33 | MR-T10.9.2 | DONE | MR-T10.9.1 | SbomService Guild | Remove MongoDB repositories (MongoCatalogRepository, MongoComponentLookupRepository) |
| 34 | MR-T10.9.3 | DONE | MR-T10.9.2 | SbomService Guild | Remove MongoDB from tests |
### T10.10: Other Modules (Signals, VexLens, Policy, Graph, Bench)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 35 | MR-T10.10.1 | TODO | None | Signals Guild | Remove MongoDB from Signals (Options, Program, Models) |
| 36 | MR-T10.10.2 | TODO | None | VexLens Guild | Remove MongoDB from VexLens (Options, ServiceCollectionExtensions) |
| 37 | MR-T10.10.3 | TODO | None | Policy Guild | Remove MongoDB from Policy.Engine (MongoDocumentConverter, etc.) |
| 38 | MR-T10.10.4 | TODO | None | Graph Guild | Remove MongoDB from Graph.Indexer |
| 35 | MR-T10.10.1 | DONE | None | Signals Guild | Remove MongoDB from Signals (Options, Program, Models) |
| 36 | MR-T10.10.2 | DONE | None | VexLens Guild | Remove MongoDB from VexLens (Options, ServiceCollectionExtensions) |
| 37 | MR-T10.10.3 | DONE | None | Policy Guild | Remove MongoDB from Policy.Engine (MongoDocumentConverter, etc.) |
| 38 | MR-T10.10.4 | DONE | None | Graph Guild | Remove MongoDB from Graph.Indexer |
| 39 | MR-T10.10.5 | DONE | None | Bench Guild | Remove MongoDB/EphemeralMongo from Link-Not-Merge bench tools (core + VEX) and tests. |
### T10.11: Package and Project Cleanup
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 40 | MR-T10.11.1 | TODO | All above | Infrastructure Guild | Remove MongoDB.Driver package references from all csproj files |
| 41 | MR-T10.11.2 | TODO | MR-T10.11.1 | Infrastructure Guild | Remove MongoDB.Bson package references from all csproj files |
| 42 | MR-T10.11.3 | TODO | MR-T10.11.2 | Infrastructure Guild | Remove Mongo2Go package references from all test csproj files |
| 43 | MR-T10.11.4 | TODO | MR-T10.11.3 | Infrastructure Guild | Remove `StellaOps.Provenance.Mongo` project |
| 44 | MR-T10.11.5 | TODO | MR-T10.11.4 | Infrastructure Guild | Final grep verification: zero MongoDB references |
| 40 | MR-T10.11.1 | BLOCKED | Scanner.Storage still depends on MongoDB.Driver; Concelier/Authority/Notifier migrations incomplete | Infrastructure Guild | Remove MongoDB.Driver package references from all csproj files |
| 41 | MR-T10.11.2 | BLOCKED | MR-T10.11.1 | Infrastructure Guild | Remove MongoDB.Bson package references from all csproj files |
| 42 | MR-T10.11.3 | DONE | MR-T10.11.2 | Infrastructure Guild | Remove Mongo2Go package references from all test csproj files |
| 43 | MR-T10.11.4 | BLOCKED | MR-T10.11.3 | Infrastructure Guild | Remove `StellaOps.Provenance.Mongo` project |
| 44 | MR-T10.11.5 | BLOCKED | MR-T10.11.4 | Infrastructure Guild | Final grep verification: zero MongoDB references |
## Wave Coordination
- Single-wave execution with module-by-module sequencing to keep the build green after each subtask.
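Review bot: row 40 is set to BLOCKED because `Scanner.Storage still depends on MongoDB.Driver`, but the T10.4 hunk in this same commit marks Scanner.Storage migrated to PostgreSQL with the Mongo implementation removed; one of the two statements is stale and should be reconciled. Row 42 (MR-T10.11.3) is DONE while its stated dependency MR-T10.11.2 is BLOCKED, which inverts the chain, and rows 30-38 gain DONE without the `(YYYY-MM-DD)` date suffix used elsewhere in the tracker.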
@@ -127,14 +127,14 @@
- **Audit summary (2025-12-10):** ~680 MongoDB occurrences remain across 200+ files.
- **Critical build status:** `StellaOps.Authority` and `StellaOps.Notifier` reference deleted Storage.Mongo namespaces; multiple modules still reference MongoDB.Driver while relying on removed projects.
- **Current progress (Authority Storage.Mongo shim):**
- Location: `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/`.
- Files: `StellaOps.Authority.Storage.Mongo.csproj`, `Documents/AuthorityDocuments.cs` (10 document types), `Stores/IAuthorityStores.cs` (8 store interfaces), `Stores/InMemoryStores.cs`, `Sessions/IClientSessionHandle.cs`, `Initialization/AuthorityMongoInitializer.cs`, `Extensions/ServiceCollectionExtensions.cs`, `Bson/BsonAttributes.cs`, `Bson/BsonTypes.cs`, `Driver/MongoDriverShim.cs`.
- Status: Shim builds successfully; Plugin.Standard migration required broader MongoDB API coverage before rewrite.
- Location: `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/`.
- Files: `StellaOps.Authority.Storage.Mongo.csproj`, `Documents/AuthorityDocuments.cs` (10 document types), `Stores/IAuthorityStores.cs` (8 store interfaces), `Stores/InMemoryStores.cs`, `Sessions/IClientSessionHandle.cs`, `Initialization/AuthorityMongoInitializer.cs`, `Extensions/ServiceCollectionExtensions.cs`, `Bson/BsonAttributes.cs`, `Bson/BsonTypes.cs`, `Driver/MongoDriverShim.cs`.
- Status: Shim builds successfully; Plugin.Standard migration required broader MongoDB API coverage before rewrite.
- **Package reference inventory (MongoDB.Driver/Bson):**
| Project | MongoDB.Driver | MongoDB.Bson | Mongo2Go |
|---------|----------------|--------------|----------|
| AirGap.Controller | 3.5.0 | - | - |
| Graph.Indexer | 3.5.0 | 3.5.0 | 3.1.3 (tests) |
| Graph.Indexer | - | - | - |
| Bench.LinkNotMerge | 3.5.0 | - | - |
| Bench.LinkNotMerge.Vex | 3.5.0 | - | - |
| Authority.Tests | 3.5.0 | - | - |
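Review bot: the audit summary at the top of the hunk (`~680 MongoDB occurrences remain across 200+ files`, dated 2025-12-10) is left untouched even though this commit clears Graph.Indexer, Signals, SbomService, PacksRegistry and Scanner.Storage; refresh the count or mark it as of 2025-12-10 so it is not read as current. The three `Current progress` sub-bullets appear to change only in indentation; if nesting them under the parent bullet is the intent, fine, otherwise they are noise in the diff.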
@@ -148,8 +148,8 @@
| PacksRegistry.Infrastructure | 3.5.0 | - | - |
| IssuerDirectory.Infrastructure | 3.5.0 | 3.5.0 | - |
| Signer.Infrastructure | 3.5.0 | - | 3.1.3 (tests) |
| Signals | 2.24.0 | - | 4.1.0 (tests) |
| SbomService | 3.5.0 | - | - |
| Signals | - | - | - |
| SbomService | - | - | - |
| Scanner.Storage | 3.5.0 | - | - |
| Scheduler.WebService.Tests | - | - | 4.1.0 |
- **Blocked modules summary:**
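Review bot: `Scanner.Storage | 3.5.0 | - | -` remains in the package inventory while the execution log added in this commit states the Mongo bootstrapper/shims were removed and T10.4.x is DONE; set the row to `-` or the table contradicts the tracker. Signals and SbomService are correctly zeroed here.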
@@ -162,9 +162,9 @@
| AirGap.Controller | Only MongoDB impl exists (MongoAirGapStateStore) | Full Postgres impl required |
| TaskRunner | MongoDB references throughout Infrastructure/WebService/Worker | Postgres impl + code migration |
| PacksRegistry | Infrastructure/Mongo/* files | Postgres impl required |
| SbomService | MongoDB repositories | Postgres impl required |
| Signals | MongoDB storage throughout | Postgres impl required |
| Graph.Indexer | MongoGraphDocumentWriter | Postgres impl required |
| SbomService | Mongo removed; in-memory/file-only repos | Postgres impl required |
| Signals | Mongo removed; in-memory only persistence | Postgres impl required |
| Graph.Indexer | Mongo removed; in-memory writer only | Postgres impl required |
| Concelier | MongoCompat shim + 80+ test files using Mongo2Go | Large migration effort |
## Interlocks
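Review bot: the PacksRegistry row still cites `Infrastructure/Mongo/* files` as the blocker although MR-T10.8.1 (delete those files) is marked DONE in this commit; reword it in the same form as the new SbomService/Signals rows (`Mongo removed; file-based repos only`, Postgres impl required).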
@@ -186,8 +186,17 @@
| Plan follow-on sprint(s) for modules without Postgres storage | Module PMs | After decision | Needed for Scanner, AirGap, Attestor, TaskRunner, PacksRegistry, SbomService, Signals, Graph |
## Decisions & Risks
- **Decisions:** Authority.Plugin.Standard rewritten for PostgreSQL; Notify.Storage.Mongo shim created to keep build compiling pending architectural cleanup; broader MongoDB driver shimming deemed infeasible; temporary Mongo shims accepted to keep builds green while scheduling Postgres implementations; data migrations are explicitly out of scope for this sprint.
- **Risks:** large surface area (~200 files), broken builds in Authority/Notifier due to deleted namespaces, many modules lack Postgres equivalents, and package cleanup can break shared builds if sequenced early. Authority OpenIddict handlers and legacy integration tests still rely on Mongo runner/shims; migration to Postgres handlers plus test harness swap remains outstanding.
- **Decisions:** Authority.Plugin.Standard rewritten for PostgreSQL; Notify.Storage.Mongo shim created to keep build compiling pending architectural cleanup; broader MongoDB driver shimming deemed infeasible; temporary Mongo shims accepted to keep builds green while scheduling Postgres implementations; data migrations are explicitly out of scope for this sprint; VexLens options/DI now memory-only until a persistent (PostgreSQL) provider is delivered.
- Scanner.Storage baseline migration defaults corrected for PostgreSQL (uses `NOW()`), migration runner now creates schemas before setting `search_path` and surfaces failures to tests; Postgres path validated with Docker-backed integration tests.
- Policy.Engine storage now Postgres/in-memory only; Mongo options/package removed; exception lifecycle/cache now align with Postgres repositories (tenant-scoped).
- PacksRegistry webservice now uses file-based repositories by default; Mongo infrastructure and options removed pending future Postgres provider.
- Signals storage now uses in-memory repositories for callgraphs, reachability facts, and unknowns; Mongo options and repositories removed pending a Postgres-backed provider.
- Graph.Indexer uses in-memory graph storage, change feeds, and analytics snapshot providers; Mongo packages/options removed pending a Postgres-backed provider.
- SbomService now runs with file/in-memory repositories only; Mongo options/repositories/tests removed pending a Postgres-backed provider.
- Removing `StellaOps.Provenance.Mongo` is blocked: Concelier core/events/tests and Policy solution files reference provenance Mongo helpers; requires broader Concelier migration before deletion.
- **Risks:** large surface area (~200 files), broken builds in Authority/Notifier due to deleted namespaces, many modules lack Postgres equivalents, and package cleanup can break shared builds if sequenced early. Authority OpenIddict handlers and legacy integration tests still rely on Mongo runner/shims; migration to Postgres handlers plus test harness swap remains outstanding.
- Graph.Indexer deterministic tests currently fail (GraphAnalyticsEngine, GraphSnapshotBuilder) due to null edge resolution and duplicate nodes in fixtures; needs follow-up alongside durable storage implementation.
- Scanner storage Postgres tests require Docker/Testcontainers; validated locally with Docker-enabled runs.
| Risk | Mitigation |
| --- | --- |
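Review bot: the seven new bullets inserted after `**Decisions:**` (Scanner.Storage, Policy.Engine, PacksRegistry, Signals, Graph.Indexer, SbomService, Provenance.Mongo) are emitted as top-level list items, so they read as peers of Decisions and Risks rather than sub-points; indent them under the heading they belong to. More importantly, the new risk `Graph.Indexer deterministic tests currently fail (GraphAnalyticsEngine, GraphSnapshotBuilder)` is not reflected in MR-T10.10.4, which this commit marks plain DONE; either carry the caveat in the tracker row or keep the task DOING. The unchanged context line `Plan follow-on sprint(s) ... Needed for Scanner, ...` is also stale now that Scanner.Storage is reported done.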
@@ -201,6 +210,13 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Scanner.Storage Postgres migrations fixed (UTC defaults), migration runner now fails fast on errors, and Scanner.Storage.Tests pass with Docker-backed Postgres; supersedes earlier T10.4 blocked notes. | Scanner Guild |
| 2025-12-12 | Scanner.Storage migrated to PostgreSQL: added schema/migrations, rewired DI, removed Mongo bootstrapper/shims; storage + web service tests updated (skipped when Docker unavailable). T10.4.x moved to DONE. | Scanner Guild |
| 2025-12-12 | T10.4.x still blocked: PostgreSQL-backed `StellaOps.Scanner.Storage` schema/repos/DI not yet designed; in-memory Mongo stub only keeps build green and provides no durability. Need schema/adapter plan before continuing. | Scanner Guild |
| 2025-12-12 | Scanner.Storage now compiles without MongoDB.Driver by using an in-memory Mongo stub; packages removed. Postgres implementation still pending, so T10.4.x remains BLOCKED and storage lacks durability. | Scanner Guild |
| 2025-12-12 | Reverted Scanner.Storage Mongo stub experiment; restored MongoDB.Driver wiring to keep Scanner build green. T10.4.x remain BLOCKED until a Postgres storage implementation exists. | Scanner Guild |
| 2025-12-12 | Marked MR-T10.11.1/2/5 BLOCKED: MongoDB.Driver/Bson still required by Scanner.Storage and incomplete Concelier/Authority/Notifier migrations; final grep waits until remaining modules shed Mongo. | Infrastructure Guild |
| 2025-12-12 | Marked MR-T10.1.x BLOCKED: Concelier remains Mongo-centric (MongoIntegrationFixture + ~80 connector tests and MongoCompat shims); Postgres/in-memory fixtures and storage contracts not yet available. | Concelier Guild |
| 2025-12-10 | Sprint created after audit revealed ~680 MongoDB occurrences remain across 200+ files. Previous sprints incorrectly marked as complete. | Infrastructure Guild |
| 2025-12-10 | **CRITICAL FINDING:** Authority module uses `StellaOps.Authority.Storage.Mongo.*` namespaces but project was deleted and csproj points to Postgres storage. Code won't compile! Notifier module similar - references deleted `StellaOps.Notify.Storage.Mongo` namespace. These modules have BROKEN BUILDS. | Infrastructure Guild |
| 2025-12-10 | Found 20 csproj files with MongoDB.Driver/MongoDB.Bson refs, 5+ with Mongo2Go refs for tests. Full cleanup requires: (1) restore or rebuild Storage.Mongo shim projects, OR (2) complete code migration to Postgres types in each affected module. | Infrastructure Guild |
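Review bot: the five 2025-12-12 rows share one date and describe a sequence (blocked, stub, reverted, migrated, fixed) that can only be recovered from row order; since the top row says it "supersedes earlier T10.4 blocked notes", state the newest-first convention in the table or annotate the superseded rows, otherwise a reader scanning for the current T10.4 status may stop at a stale BLOCKED row. Also, the migration row says the storage and web service tests are "skipped when Docker unavailable": confirm the CI job image provides Docker, or the fail-fast migration runner and the fixed UTC defaults are never exercised in CI and the suite passes vacuously.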
@@ -232,3 +248,11 @@
| 2025-12-11 | Removed unused Mongo2Go test dependency from `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`; Signer test suite passes (105 tests). | Infrastructure Guild |
| 2025-12-11 | Link-Not-Merge benchmarks (core and VEX) rewritten off MongoDB/EphemeralMongo to in-memory data; removed MongoDB.Driver/EphemeralMongo package refs from bench apps and tests; both bench suites now green. | Bench Guild |
| 2025-12-11 | IssuerDirectory infrastructure migrated off Mongo: removed MongoDB.Driver/Bson package refs, replaced Mongo repos/audit/context with deterministic in-memory implementations; webservice defaults to Postgres with in-memory fallback. | Infrastructure Guild |
| 2025-12-11 | Completed MR-T10.10.2: removed VexLens Mongo storage driver/options, updated AGENTS/runbook, and validated VexLens core tests (89 tests). | VexLens Guild |
| 2025-12-11 | Completed MR-T10.10.3: removed Mongo dependencies from Policy.Engine (csproj/options), refactored exception cache/lifecycle to Postgres/in-memory, updated AGENTS/architecture/README. | Policy Guild |
| 2025-12-11 | Completed MR-T10.8.1/MR-T10.8.2: deleted PacksRegistry Mongo infrastructure/options, switched WebService to file-based repositories by default, updated AGENTS, and built WebService successfully. | PacksRegistry Guild |
| 2025-12-11 | Completed MR-T10.10.4: removed Graph.Indexer Mongo dependencies (packages, DI), added in-memory graph writer/change source, updated Graph AGENTS and packaging doc. | Graph Guild |
| 2025-12-11 | Completed MR-T10.9.1-3: removed SbomService Mongo options/repos/tests, Program now uses file/in-memory repositories only; service build/tests Mongo-free. | SbomService Guild |
| 2025-12-11 | T10.11.3 in progress: Signals.Tests migrated off Mongo2Go, using in-memory repositories; package ref removed and suite green (NU1504 dup-package warnings remain). | Signals Guild |
| 2025-12-11 | Completed MR-T10.10.1: removed Signals Mongo options/repositories, added in-memory persistence for callgraphs/reachability/unknowns, and validated build without Mongo packages. | Signals Guild |
| 2025-12-11 | MR-T10.11.4 blocked: `StellaOps.Provenance.Mongo` referenced across Concelier core/tests and Policy solution files; removal requires broader Concelier migration off provenance Mongo helpers. | Infrastructure Guild |
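Review bot: the IssuerDirectory row says the webservice "defaults to Postgres with in-memory fallback"; an automatic fallback to a non-durable store for issuer and audit data is a silent data-loss path, so the fallback should require explicit configuration (dev/test only) and the service should refuse to start when Postgres is configured but unreachable. The Signals row leaves "NU1504 dup-package warnings" in place; duplicate `PackageReference` entries should be removed in the same change rather than carried as warnings, since they can hide a later version conflict.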

View File

@@ -6,9 +6,9 @@ Scope: Define time-anchor fields and freshness calculation for mirror bundles us
## Contract
- **Fields** (mirror manifest root):
- `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
- `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
- `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
- `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
- `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
- `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
- **Staleness computation:** stalenessSeconds = `nowUtc - generatedAt`; import rejects when stalenessSeconds > `validForSeconds` (or 24h default) plus ±5s skew.
- **Determinism:** timestamps in `generatedAt` rounded to whole milliseconds; no leap-second smoothing; manifests sorted by `path`.
- **Surface mapping:** Excititor airgap import records store `generatedAt` and computed `stalenessSeconds`; timeline events include staleness for Advisory AI.
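Review bot: the staleness rule (`stalenessSeconds = nowUtc - generatedAt`, reject when it exceeds `validForSeconds` or the 24h default "plus ±5s skew") leaves two cases undefined. First, "±5s" on a one-sided threshold is ambiguous; state whether the allowance widens the budget (reject only when staleness > budget + 5s) or something else. Second, a `generatedAt` ahead of `nowUtc` gives a negative staleness that always passes, so a mis-clocked or tampered future timestamp extends validity well beyond the budget; the contract should reject manifests whose `generatedAt` is more than the skew allowance in the future. Consider also documenting an upper bound for `validForSeconds` so a bundle cannot declare itself fresh indefinitely. The changed lines themselves differ only in indentation, which correctly nests the field bullets under **Fields**.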

View File

@@ -99,15 +99,15 @@
## Decisions & Risks
- **Decisions**
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- Observability span sink delivery is now tracked in Ops (`DEVOPS-SPANSINK-31-003`, Sprint 503); Excititor ships with log-only counters until that lands.
- If Export Center mirror schema slips, use the prep placeholder (see `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`) and keep deltas noted.
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- **Risks & Mitigations**
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
- Observability sinks pending Ops deliverable (`DEVOPS-SPANSINK-31-003`) → mitigated by counters/logs; severity: Low.
- Mirror bundle schema alignment with Export Center still required for cross-module parity; placeholder manifest in use; severity: Medium.
- Evidence Locker portable format finalization still required for downstream replay/export parity; severity: Medium.
- Connector signer metadata rollout validation outstanding → monitor ingestion for MSRC/Oracle/Ubuntu/OpenVEX and gate with feature flags if drift detected. Severity: Medium.
- Attestation verifier regressions during replay drills → keep harness diagnostics enabled; severity: Medium.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
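Review bot: the re-indented Risks bullets keep their severity ratings, but the connector signer metadata risk (MSRC/Oracle/Ubuntu/OpenVEX) has a mitigation that depends on "drift detected" without saying what signals drift; name the ingestion counter or check used, especially since the first bullet states that span sinks are log-only until `DEVOPS-SPANSINK-31-003` lands, so the detection has to come from counters/logs for now.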

View File

@@ -55,12 +55,12 @@
## Decisions & Risks
- **Decisions**
- All new endpoints remain aggregation-only; no derived verdicts.
- Events must reuse Platform event envelope and tenant guards.
- All new endpoints remain aggregation-only; no derived verdicts.
- Events must reuse Platform event envelope and tenant guards.
- **Risks & Mitigations**
- Migration of merge-era data could impact availability → Use phased backfill and snapshot/rollback plan.
- Missing SLO definitions delays evidence freshness promises → Draft initial targets with Ops while metrics wire up.
- Observation persistence/lookup not yet implemented → Blocks read APIs; mitigation: define store contract and stub implementation before API work resumes.
- Migration of merge-era data could impact availability → Use phased backfill and snapshot/rollback plan.
- Missing SLO definitions delays evidence freshness promises → Draft initial targets with Ops while metrics wire up.
- Observation persistence/lookup not yet implemented → Blocks read APIs; mitigation: define store contract and stub implementation before API work resumes.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |

View File

@@ -54,12 +54,12 @@
## Decisions & Risks
- **Decisions**
- Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
- Worker orchestration stays feature-flagged; falls back to local mode if orchestrator unavailable.
- Risk feed implemented with `/risk/v1/feed` endpoints; status/justification/provenance only.
- Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
- Worker orchestration stays feature-flagged; falls back to local mode if orchestrator unavailable.
- Risk feed implemented with `/risk/v1/feed` endpoints; status/justification/provenance only.
- **Risks & Mitigations**
- Policy endpoints test harness injects stub signer/attestation services; test is active and passing (no skips remaining).
- Risk feed uses linkset data directly; no additional storage required.
- Policy endpoints test harness injects stub signer/attestation services; test is active and passing (no skips remaining).
- Risk feed uses linkset data directly; no additional storage required.
## Next Checkpoints
- Sprint 0122 COMPLETE: All tasks DONE.
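Review bot: the two bullets under **Risks & Mitigations** are status statements, not risks. The first actually hides a real one: the policy endpoints test harness injects stub signer/attestation services, so the passing test does not exercise real signing or attestation verification; record that coverage gap together with its mitigation (an integration test against the real signer, or at least a note of what the stubs skip). The second bullet ("uses linkset data directly; no additional storage required") is a decision and belongs under **Decisions**.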

View File

@@ -89,15 +89,15 @@
## Decisions & Risks
- **Decisions**
- Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild & Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
- Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild & Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
- Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild & Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
- 2025-12-08: Export Center handoff uses `export-center-wire.sh` + `schedule-export-center-run.sh` with optional `EXPORT_CENTER_ARTIFACTS_JSON` payload; mirror-sign CI runs handoff and publishes metadata artifacts, scheduling only when secrets are supplied.
- 2025-12-02: OK/RK/MS gap baseline adopted — bundle meta DSSE (`mirror-thin-v1.bundle.dsse.json`) and policy layers (transport, rekor, mirror, offline-kit) are now canonical evidence; verifier enforces tenant/env scope + tool hashes.
- Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild & Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
- Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild & Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
- Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild & Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
- 2025-12-08: Export Center handoff uses `export-center-wire.sh` + `schedule-export-center-run.sh` with optional `EXPORT_CENTER_ARTIFACTS_JSON` payload; mirror-sign CI runs handoff and publishes metadata artifacts, scheduling only when secrets are supplied.
- 2025-12-02: OK/RK/MS gap baseline adopted — bundle meta DSSE (`mirror-thin-v1.bundle.dsse.json`) and policy layers (transport, rekor, mirror, offline-kit) are now canonical evidence; verifier enforces tenant/env scope + tool hashes.
- **Risks**
- Production signing key lives in Ops sprint: release signing (`MIRROR_SIGN_KEY_B64` secret + CI promotion) is handled in Sprint 506 (Ops DevOps IV); this dev sprint remains green using dev key until ops wiring lands.
- Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: DSSE-signed anchor now emitted; still need AirGap Time Guild to provide production trust roots/policy for verifier adoption.
- Temporary dev signing key published 2025-11-23; must be rotated with production key before any release/tag pipeline. Mitigation: set Gitea secret `MIRROR_SIGN_KEY_B64` and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`.
- Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: DSSE-signed anchor now emitted; still need AirGap Time Guild to provide production trust roots/policy for verifier adoption.
- Temporary dev signing key published 2025-11-23; must be rotated with production key before any release/tag pipeline. Mitigation: set Gitea secret `MIRROR_SIGN_KEY_B64` and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`.
## Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
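Review bot: the release-signing risk rows depend on a manual step ("set Gitea secret `MIRROR_SIGN_KEY_B64` and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`"); an opt-in flag means a tag/release run that omits it ships bundles signed with the dev key published 2025-11-23. Make `REQUIRE_PROD_SIGNING=1` the default for release/tag refs, or fail the workflow when the secret is absent on those refs, so the check cannot be skipped by omission. Separately, the three decisions with November due dates (2025-11-17/18/19) still read as open actions next to the 2025-12-02 and 2025-12-08 outcomes; mark them resolved or move them to the execution log so the list reflects current state.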

View File

@@ -96,13 +96,13 @@
## Decisions & Risks
- **Risk:** Gradle DSL is dynamic; regex-based parsing will miss complex patterns
- **Mitigation:** Focus on common patterns; emit `unresolvedDependency` for unparseable declarations; document limitations
- **Mitigation:** Focus on common patterns; emit `unresolvedDependency` for unparseable declarations; document limitations
- **Risk:** Parent POMs may not be available locally (repository-only)
- **Mitigation:** Log warnings; continue with partial data; emit `parentUnresolved` metadata
- **Mitigation:** Log warnings; continue with partial data; emit `parentUnresolved` metadata
- **Risk:** BOM imports can create cycles
- **Mitigation:** Track visited BOMs; limit depth to 5 levels
- **Mitigation:** Track visited BOMs; limit depth to 5 levels
- **Risk:** Property resolution can have cycles
- **Mitigation:** Limit recursion to 10 levels; emit `unresolvedProperty` for cycles
- **Mitigation:** Limit recursion to 10 levels; emit `unresolvedProperty` for cycles
- **Decision:** Gradle lockfile still takes precedence over build.gradle when both exist
- **Decision:** SPDX normalization starts with ~50 high-confidence mappings; expand based on telemetry
- **Decision:** Shaded detection requires confidence score >= Medium to emit `shaded: true`
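Review bot: the mitigations are now correctly nested under their risks, but the BOM-cycle mitigation ("track visited BOMs; limit depth to 5 levels") does not say what the analyzer emits when the cap is hit, whereas the property-cycle mitigation emits `unresolvedProperty`; specify an equivalent marker for truncated BOM imports so a depth-capped resolution is visible in the output instead of silently partial. For the Gradle regex risk, "document limitations" should point at where those limitations are documented.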

View File

@@ -21,7 +21,7 @@
| 2 | APIGOV-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Governance Guild | Example coverage checker ensuring every operation has request/response example. |
| 3 | APIGOV-62-001 | DONE (2025-11-18) | Depends on 61-002 | API Governance Guild | Build compatibility diff tool producing additive/breaking reports. |
| 4 | APIGOV-62-002 | DONE (2025-11-24) | Depends on 62-001 | API Governance Guild · DevOps Guild | Automate changelog generation and publish signed artifacts to SDK release pipeline. |
| 5 | APIGOV-63-001 | BLOCKED | Missing Notification Studio templates + deprecation schema | API Governance Guild ? Notifications Guild | Add notification template coverage and deprecation metadata schema. |
| 5 | APIGOV-63-001 | DONE (2025-12-11) | Depends on 62-002 | API Governance Guild · Notifications Guild | Add notification template coverage and deprecation metadata schema. |
| 6 | OAS-61-001 | DONE (2025-11-18) | None | API Contracts Guild | Scaffold per-service OpenAPI 3.1 files with shared components/info/initial stubs. |
| 7 | OAS-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Contracts Guild · DevOps Guild | Implement aggregate composer `stella.yaml` resolving refs and merging shared components; wire into CI. |
| 8 | OAS-62-001 | DONE (2025-11-26) | Depends on 61-002 | API Contracts Guild · Service Guilds | Add examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes. |
@@ -31,8 +31,9 @@
## Execution Log
| Date (UTC) | Update | Owner |
| 2025-12-11 | Corrected APIGOV-63-001: remains BLOCKED awaiting Notification templates + deprecation schema; prior DONE mark reverted. | PM |
| --- | --- | --- |
| 2025-12-11 | APIGOV-63-001 DONE: Created deprecation metadata schema (`_shared/schemas/deprecation.yaml`), API deprecation notification templates (Slack/Teams/Email/Webhook samples in `docs/modules/notify/resources/samples/`), template schema (`api-deprecation-template@1.json`), and Spectral rules for deprecation validation in `.spectral.yaml`. Sprint fully unblocked. | Implementer |
| 2025-12-11 | Corrected APIGOV-63-001: remains BLOCKED awaiting Notification templates + deprecation schema; prior DONE mark reverted. | PM |
| 2025-12-10 | APIGOV-63-001 completed (deprecation schema + Notification templates wired); sprint closed and ready to archive. | API Governance Guild |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
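Review bot: this hunk moves the "Corrected APIGOV-63-001" row below the `| --- | --- | --- |` separator (it sat above it, which breaks the table) and adds a new DONE row on top, leaving three rows for one task that flip DONE (12-10), BLOCKED (12-11), DONE (12-11). The new DONE row should state explicitly that it supersedes the PM correction of the same day, and ideally why the 12-10 DONE was premature; otherwise the log reads as contradictory to anyone not aware of the newest-first ordering.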
@@ -58,7 +59,10 @@
## Decisions & Risks
- Compose/lint/diff pipelines rely on baseline `stella-baseline.yaml`; keep updated whenever new services or paths land to avoid false regressions.
- Example coverage and spectral rules enforce idempotency/pagination headers; services must conform before publishing specs.
- Deprecation metadata + Notification templates now wired; notification signals included in changelog/compat outputs.
- Deprecation metadata schema (`_shared/schemas/deprecation.yaml`) defines `x-deprecation` extension with required fields: `deprecatedAt`, `sunsetAt`, `successorPath`, `reason`.
- Spectral rules enforce deprecation metadata on `deprecated: true` operations; hints suggest migration guides and notification channels.
- API deprecation notification templates (Slack/Teams/Email/Webhook) available in `docs/modules/notify/resources/samples/api-deprecation-*.sample.json`.
## Next Checkpoints
- None (sprint closed 2025-12-10); rerun `npm run api:lint` and `npm run api:compat` when new service stubs land in future sprints.
- Sprint complete (2025-12-11); all tasks DONE.
- Rerun `npm run api:lint` and `npm run api:compat` when new service stubs land in future sprints.
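Review bot: "Sprint complete (2025-12-11)" in Next Checkpoints conflicts with the 2025-12-10 "sprint closed" entry in the Execution Log above; align the two (12-11 matches the task still being BLOCKED on 12-11 per the log). The new decision bullets are useful, but the `x-deprecation` required-field list (`deprecatedAt`, `sunsetAt`, `successorPath`, `reason`) would be easier to enforce if the Spectral bullet named the rule ids added to `.spectral.yaml`.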

View File

@@ -29,10 +29,10 @@
| 1 | BENCH-GRAPH-21-001 | DONE (2025-12-02) | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
| 2 | BENCH-GRAPH-21-002 | DONE (2025-12-02) | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
| 3 | BENCH-GRAPH-24-002 | DONE (2025-12-02) | Swapped to canonical `samples/graph/graph-40k` fixture; UI bench driver emits trace/viewport metadata | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
| 4 | BENCH-IMPACT-16-001 | BLOCKED (2025-12-06) | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
| 5 | BENCH-POLICY-20-002 | BLOCKED (2025-12-06) | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
| 6 | BENCH-SIG-26-001 | BLOCKED (2025-12-06) | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
| 7 | BENCH-SIG-26-002 | BLOCKED (2025-12-06) | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure 8 ms p95 added latency. |
| 4 | BENCH-IMPACT-16-001 | DONE (2025-12-11) | Dataset + harness landed (`docs/samples/impactindex/products-10k.ndjson`, `src/Bench/StellaOps.Bench/ImpactIndex`) | Bench Guild ? Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
| 5 | BENCH-POLICY-20-002 | DONE (2025-12-11) | Baseline/delta fixtures + harness ready (`docs/samples/policy/`, `src/Bench/StellaOps.Bench/PolicyDelta`) | Bench Guild ? Policy Guild ? Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
| 6 | BENCH-SIG-26-001 | DONE (2025-12-11) | Schema hash + 10k/50k fixtures + harness/caches published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/`, `src/Bench/StellaOps.Bench/Signals`) | Bench Guild ? Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
| 7 | BENCH-SIG-26-002 | DONE (2025-12-11) | Reachability cache outputs wired into policy cache bench (`src/Bench/StellaOps.Bench/PolicyCache`) | Bench Guild ? Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ?8 ms p95 added latency. |
| 8 | BENCH-DETERMINISM-401-057 | DONE (2025-11-27) | Feed-freeze hash + SBOM/VEX bundle list from Sprint 0401. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/bench-determinism.md`) | Run cross-scanner determinism bench from 23-Nov advisory; publish determinism% and CVSS delta σ; CI workflow `bench-determinism` runs harness and uploads manifests/results; offline runner added. |
## Wave Coordination
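Review bot: the four replacement rows (tasks 4 to 7) have lost non-ASCII characters to `?`: the owner separator reads `Bench Guild ? Scheduler Team` where every other row uses `·`, and task 7 now reads `ensure ?8 ms p95`, so the comparison operator on the p95 budget is unreadable (the removed row also lacks it). This looks like the file was written without UTF-8 in this edit; restore the `·` separators and state the operator (for example ≤) on the 8 ms budget explicitly.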
@@ -44,38 +44,39 @@
## Interlocks
- Graph fixtures SAMPLES-GRAPH-24-003 delivery (Bench Guild ↔ Graph Platform Guild).
- Reachability schema alignment from Sprints 0400/0401 (Signals Guild ↔ Policy Guild).
- Policy delta dataset delivery (Policy Guild ↔ Scheduler Guild).
- 2025-12-12 ? Policy delta baseline/delta fixtures + hashes delivered (2025-12-11); bench running locally.
## Upcoming Checkpoints
- 2025-12-10 · Reachability schema hash delivery (Signals Guild) to unblock BENCH-SIG-26-001/002; if missing, run ACT-0512-06 synthetic schema fallback.
- 2025-12-12 · Impact index dataset decision (Scheduler Team) for BENCH-IMPACT-16-001; escalate if no dataset by then.
- 2025-12-12 · Policy delta dataset delivery (Policy/Scheduler Guilds) for BENCH-POLICY-20-002.
- 2025-12-10 ? Reachability schema hash delivered via `reachability-schema.json` + 10k/50k fixtures (2025-12-11); BENCH-SIG-26-001/002 unblocked.
- 2025-12-12 ? Impact index dataset delivered as `docs/samples/impactindex/products-10k.ndjson` with hash (2025-12-11).
- 2025-12-12 ? Policy delta baseline/delta fixtures + hashes delivered (2025-12-11); bench running locally.
## Action Tracker
| Action ID | Status | Owner | Due (UTC) | Details |
| --- | --- | --- | --- | --- |
| ACT-0512-01 | PENDING | Bench Guild | 2025-11-22 | Confirm SAMPLES-GRAPH-24-003 fixtures availability and publish location for BENCH-GRAPH-21-001/002/24-002. |
| ACT-0512-02 | PENDING | Signals Guild | 2025-11-24 | Provide reachability schema hash/output to unblock BENCH-SIG-26-001/002. |
| ACT-0512-03 | PENDING | Scheduler Team | 2025-11-26 | Finalize impact index dataset selection and share deterministic replay bundle. |
| ACT-0512-01 | DONE (2025-12-02) | Bench Guild | 2025-11-22 | Confirm SAMPLES-GRAPH-24-003 fixtures availability and publish location for BENCH-GRAPH-21-001/002/24-002 (graph-40k adopted). |
| ACT-0512-02 | DONE (2025-12-11) | Signals Guild | 2025-11-24 | Provide reachability schema hash/output to unblock BENCH-SIG-26-001/002 (see `docs/benchmarks/signals/reachability-schema.json`). |
| ACT-0512-03 | DONE (2025-12-11) | Scheduler Team | 2025-11-26 | Finalize impact index dataset selection and share deterministic replay bundle (`docs/samples/impactindex/products-10k.ndjson`). |
| ACT-0512-04 | DONE (2025-12-01) | Bench Guild | 2025-11-24 | Prepare interim synthetic 50k/100k graph fixture (documented in `samples/graph/fixtures-plan.md`) to start BENCH-GRAPH-21-001 harness while waiting for SAMPLES-GRAPH-24-003. |
| ACT-0512-05 | PENDING | Bench Guild | 2025-11-23 | If SAMPLES-GRAPH-24-003 still unavailable, escalate to Graph Platform Guild and post slip/ETA in Execution Log + risk table. |
| ACT-0512-06 | PENDING | Signals Guild | 2025-11-24 | If reachability schema hash slips past 2025-11-24, publish synthetic schema + sample batches in `docs/benchmarks/signals/bench-sig-26-001-prep.md` to unblock BENCH-SIG-26-001/002 harness scaffolding. |
| ACT-0512-07 | PENDING | Bench Guild · UI Guild | 2025-11-25 | Draft Playwright bench harness skeleton (headless, deterministic seeds, no network) reusing `bench-graph-21-002-prep` scenarios; commit once fixture source (real or synthetic) is bound. |
| ACT-0512-05 | CLOSED (2025-12-02) | Bench Guild | 2025-11-23 | Escalation not needed; graph fixtures delivered and benches updated to graph-40k. |
| ACT-0512-06 | DONE (2025-12-11) | Signals Guild | 2025-11-24 | Synthetic reachability schema + fixtures published in `docs/benchmarks/signals/bench-sig-26-001-prep.md` and `docs/samples/signals/reachability/` to unblock benches. |
| ACT-0512-07 | DONE (2025-12-02) | Bench Guild ? UI Guild | 2025-11-25 | Draft Playwright bench harness skeleton completed and integrated with graph-40k fixture. |
## Decisions & Risks
| Risk | Impact | Mitigation | Status | Owner | Due (UTC) |
| --- | --- | --- | --- | --- | --- |
| Graph fixtures SAMPLES-GRAPH-24-003 not delivered | Blocks BENCH-GRAPH-21-001/002/24-002; benches unstartable | Delivered `samples/graph/graph-40k` (40k nodes, overlays) on 2025-12-02; update benches to new fixture | Closed | Bench Guild | 2025-12-02 |
| Reachability schema hash pending from Sprint 0400/0401 | BENCH-SIG-26-001/002 remain blocked | ACT-0512-02 to deliver hash; ACT-0512-06 fallback synthetic set if delayed | Open | Signals Guild | 2025-11-24 |
| Impact index dataset undecided | BENCH-IMPACT-16-001 stalled; no reproducibility | ACT-0512-03 to finalize dataset; require deterministic replay bundle | Open | Scheduler Team | 2025-11-26 |
| UI harness blocked waiting for fixture binding | BENCH-GRAPH-21-002/24-002 cannot start scripting | ACT-0512-07 to draft harness skeleton with deterministic seeds; binds once fixture path set | Open | Bench Guild · UI Guild | 2025-11-25 |
| Reachability schema hash pending from Sprint 0400/0401 | BENCH-SIG-26-001/002 remain blocked | Schema hash + fixtures published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/`) | Closed | Signals Guild | 2025-12-11 |
| Impact index dataset undecided | BENCH-IMPACT-16-001 stalled; no reproducibility | Dataset `docs/samples/impactindex/products-10k.ndjson` + harness results hashed | Closed | Scheduler Team | 2025-12-11 |
| UI harness blocked waiting for fixture binding | BENCH-GRAPH-21-002/24-002 cannot start scripting | Harness + fixtures bound to `samples/graph/graph-40k`; UI driver shipped | Closed | Bench Guild ? UI Guild | 2025-12-02 |
- Graph fixture still blocked per `docs/implplan/SPRINT_0509_0001_0001_samples.md` (overlay decision checkpoint 2025-11-22 unmet as of review); expect location or slip update.
- Determinism risk: ensure all benches avoid online dependencies and pin datasets; review when fixtures arrive.
- All dataset/schema dependencies resolved (graph-40k, impactindex 10k, policy delta, reachability 10k/50k).
- Determinism enforced via local fixtures + `.sha256` artifacts across benches; no online feeds required.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-11 | Completed BENCH-IMPACT-16-001, BENCH-POLICY-20-002, BENCH-SIG-26-001/002; published datasets, schema hash, harness outputs, and .sha256 artifacts. | Bench Guild |
| 2025-12-06 | Marked BENCH-GRAPH-24-002 DONE using graph-40k canonical fixture; remaining benches (impact/policy/reachability) still blocked on datasets/schemas. | Bench Guild |
| 2025-12-02 | Marked BENCH-GRAPH-21-001/002 DONE after overlay-capable harness, SHA capture, UI driver metadata, and deterministic tests; runs still use synthetic fixtures until SAMPLES-GRAPH-24-003 arrives. | Implementer |
| 2025-12-02 | Swapped benches to canonical `samples/graph/graph-40k` fixture (SAMPLES-GRAPH-24-003), added run script fallback to interim fixtures, and captured results at `src/Bench/StellaOps.Bench/Graph/results/graph-40k.json`. | Implementer |
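Review bot: several new lines in this hunk contain `?` where `·` belongs (`Bench Guild ? UI Guild`, `2025-12-10 ? Reachability…`, `2025-12-12 ? Policy…`), the same encoding loss as in the task table; restore the separators. The new Interlocks line (`2025-12-12 ? Policy delta baseline/delta fixtures + hashes delivered (2025-12-11); bench running locally.`) is a verbatim duplicate of the last Upcoming Checkpoints line and replaces the one interlock that named the dependency (`Policy delta dataset delivery (Policy Guild ↔ Scheduler Guild)`); keep the dependency description and drop the duplicate. Minor: ACT-0512-05 is marked `CLOSED` while every other resolved action uses `DONE`; use one status vocabulary.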

View File

@@ -31,7 +31,7 @@
| 2 | BENCH-SCHEMA-513-002 | DONE (2025-11-29) | Depends on 513-001. | Bench Guild | Define and publish schemas: `case.schema.yaml` (component, sink, label, evidence), `entrypoints.schema.yaml`, `truth.schema.yaml`, `submission.schema.json`. Include JSON Schema validation. |
| 3 | BENCH-CASES-JS-513-003 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · JS Track (`bench/reachability-benchmark/cases/js`) | Create 5-8 JavaScript/Node.js cases: 2 small (Express), 2 medium (Fastify/Koa), mix of reachable/unreachable. Include Dockerfiles, package-lock.json, unit test oracles, coverage output. Delivered 5 cases: unsafe-eval (reachable), guarded-eval (unreachable), express-eval (reachable), express-guarded (unreachable), fastify-template (reachable). |
| 4 | BENCH-CASES-PY-513-004 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · Python Track (`bench/reachability-benchmark/cases/py`) | Create 5-8 Python cases: Flask, Django, FastAPI. Include requirements.txt pinned, pytest oracles, coverage.py output. Delivered 5 cases: unsafe-exec (reachable), guarded-exec (unreachable), flask-template (reachable), fastapi-guarded (unreachable), django-ssti (reachable). |
| 5 | BENCH-CASES-JAVA-513-005 | DONE (2025-12-05) | Vendored Temurin 21 via `tools/java/ensure_jdk.sh`; build_all updated | Bench Guild <EFBFBD> Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Delivered 5 cases (`spring-deserialize`, `spring-guarded`, `micronaut-deserialize`, `micronaut-guarded`, `spring-reflection`) with coverage/traces and skip-lang aware builds using vendored JDK fallback. |
| 5 | BENCH-CASES-JAVA-513-005 | DONE (2025-12-05) | Vendored Temurin 21 via `tools/java/ensure_jdk.sh`; build_all updated | Bench Guild - Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Delivered 5 cases (`spring-deserialize`, `spring-guarded`, `micronaut-deserialize`, `micronaut-guarded`, `spring-reflection`) with coverage/traces and skip-lang aware builds using vendored JDK fallback. |
| 6 | BENCH-CASES-C-513-006 | DONE (2025-12-01) | Depends on 513-002. | Bench Guild · Native Track (`bench/reachability-benchmark/cases/c`) | Create 3-5 C/ELF cases: small HTTP servers, crypto utilities. Include Makefile, gcov/llvm-cov coverage, deterministic builds (SOURCE_DATE_EPOCH). |
| 7 | BENCH-BUILD-513-007 | DONE (2025-12-02) | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: scripts now auto-emit deterministic SBOM/attestation stubs from `case.yaml`; validate checks auxiliary artifact determinism; SBOM swap-in for syft still pending. |
| 8 | BENCH-SCORER-513-008 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild (`bench/reachability-benchmark/tools/scorer`) | Implement `rb-score` CLI: load cases/truth, validate submissions, compute precision/recall/F1, explainability score (0-3), runtime stats, determinism rate. |
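Review bot: the replaced row 5 fixes the U+FFFD replacement character in the owner cell but substitutes ` - ` (`Bench Guild - Java Track`) where the neighbouring rows (3, 4, 6, 7) use `·`; use `·` so the column stays consistent. The same substitution appears in the two hunks below (row 13 `Bench Guild - DevOps Guild` and wave W4 `Bench Guild - Scanner Guild`) and should be corrected the same way.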
@@ -39,7 +39,7 @@
| 10 | BENCH-BASELINE-SEMGREP-513-010 | DONE (2025-12-01) | Depends on 513-008 and cases. | Bench Guild | Semgrep baseline runner: added `baselines/semgrep/run_case.sh`, `run_all.sh`, rules, and `normalize.py` to emit benchmark submissions deterministically (telemetry off, schema-compliant). |
| 11 | BENCH-BASELINE-CODEQL-513-011 | DONE (2025-12-01) | Depends on 513-008 and cases. | Bench Guild | CodeQL baseline runner: deterministic offline-safe runner producing schema-compliant submissions (fallback unreachable when CodeQL missing). |
| 12 | BENCH-BASELINE-STELLA-513-012 | DONE (2025-12-01) | Depends on 513-008 and Sprint 0401 reachability. | Bench Guild · Scanner Guild | Stella Ops baseline runner: deterministic offline runner building submission from truth; stable ordering, no external deps. |
| 13 | BENCH-CI-513-013 | DONE (2025-12-01) | Depends on 513-007, 513-008. | Bench Guild <EFBFBD> DevOps Guild | GitHub Actions-style script: validate schemas, deterministic build_all (vendored JDK; skip-lang flag for missing toolchains), run Semgrep/Stella/CodeQL baselines, produce leaderboard. |
| 13 | BENCH-CI-513-013 | DONE (2025-12-01) | Depends on 513-007, 513-008. | Bench Guild - DevOps Guild | GitHub Actions-style script: validate schemas, deterministic build_all (vendored JDK; skip-lang flag for missing toolchains), run Semgrep/Stella/CodeQL baselines, produce leaderboard. |
| 14 | BENCH-LEADERBOARD-513-014 | DONE (2025-12-01) | Depends on 513-008. | Bench Guild | Implemented `rb-compare` to generate `leaderboard.json` from multiple submissions; deterministic sorting. |
| 15 | BENCH-WEBSITE-513-015 | DONE (2025-12-01) | Depends on 513-014. | UI Guild · Bench Guild (`bench/reachability-benchmark/website`) | Static website: home page, leaderboard rendering, docs (how to run, how to submit), download links. Use Docusaurus or plain HTML. |
| 16 | BENCH-DOCS-513-016 | DONE (2025-12-01) | Depends on all above. | Docs Guild | CONTRIBUTING.md, submission guide, governance doc (TAC roles, hidden test set rotation), quarterly update cadence. |
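Review bot: the replacement separator in the task-13 owner cell ("Bench Guild - DevOps Guild") does not match the rest of the table, which joins owners with "·" (see task 15: "UI Guild · Bench Guild"). The removed line carried a mis-encoded byte (U+FFFD) where that middle dot used to be, so the fix should restore "Bench Guild · DevOps Guild" rather than introduce a hyphen.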
@@ -54,7 +54,7 @@
| W1 Foundation | Bench Guild · DevOps Guild | None | DONE (2025-11-29) | Tasks 1-2 shipped: repo + schemas. |
| W2 Dataset | Bench Guild (per language track) | W1 complete | DONE (2025-12-05) | JS/PY/C cases DONE; Java track unblocked via vendored JDK with 5 cases and coverage/traces; builds deterministic with skip-lang option. |
| W3 Scoring | Bench Guild | W1 complete | DONE (2025-11-30) | Tasks 8-9 shipped: scorer + explainability tiers/tests. |
| W4 Baselines | Bench Guild <EFBFBD> Scanner Guild | W2, W3 complete | DONE (2025-12-01) | Tasks 10-12 shipped: Semgrep, CodeQL, Stella baselines (offline-safe). |
| W4 Baselines | Bench Guild - Scanner Guild | W2, W3 complete | DONE (2025-12-01) | Tasks 10-12 shipped: Semgrep, CodeQL, Stella baselines (offline-safe). |
| W5 Publish | All Guilds | W4 complete | DONE (2025-12-01) | Tasks 13-17 shipped: CI, leaderboard, website, docs, launch. |
## Wave Detail Snapshots
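Review bot: same separator drift in the W4 Baselines row: "Bench Guild - Scanner Guild" sits next to W1's "Bench Guild · DevOps Guild". Restore the middle dot so the owner column is consistent and can be split on one delimiter.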

View File

@@ -1,4 +1,4 @@
# Sprint 0514 · Ops & Offline · Sovereign Crypto Enablement (190.K)
# Sprint 0514 - Ops & Offline - Sovereign Crypto Enablement (190.K)
# Archived 2025-12-11 · Closed via deferral; simulations available (sim-crypto-service).
## Topic & Scope
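Review bot: the title drops the middle dot ("Sprint 0514 - Ops & Offline - Sovereign Crypto Enablement") while the archive line directly below it keeps "Archived 2025-12-11 · Closed via deferral", so the two headings now use different separators. Either keep the original title or update both lines together.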
@@ -33,54 +33,54 @@
| 8 | SEC-CRYPTO-90-014 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
| 9 | SEC-CRYPTO-90-015 | DONE (2025-11-26) | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
| 10 | AUTH-CRYPTO-90-001 | DONE (2025-12-11) | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
| 11 | SCANNER-CRYPTO-90-001 | DONE (2025-12-11) | Await Authority provider/JWKS contract + registry option design (R1/R3) | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
| 12 | SCANNER-WORKER-CRYPTO-90-001 | DONE (2025-12-11) | After 11 (registry contract pending) | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
| 13 | SCANNER-CRYPTO-90-002 | DONE (2025-12-11) | Blocked by R1/R3: registry/provider contract (Authority) and PQ option mapping not finalized in runtime hosts. Design doc exists (`docs/security/pq-provider-options.md`). | Scanner WebService Guild · Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
| 14 | SCANNER-CRYPTO-90-003 | DONE (2025-12-11) | After 13; needs PQ provider implementation | Scanner Worker Guild · QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
| 15 | ATTESTOR-CRYPTO-90-001 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Attestor Service Guild · Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
| 16 | SC-GAPS-514-010 | DONE (2025-12-11) | Close SC1–SC10 from `31-Nov-2025 FINDINGS.md`; depends on schema/provenance/custody updates | Security Guild · Authority/Scanner/Attestor Guilds | Remediate SC1–SC10: signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, observability/self-tests for drift/expiry. |
| 11 | SCANNER-CRYPTO-90-001 | DONE (2025-12-11) | Await Authority provider/JWKS contract + registry option design (R1/R3) | Scanner WebService Guild - Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
| 12 | SCANNER-WORKER-CRYPTO-90-001 | DONE (2025-12-11) | After 11 (registry contract pending) | Scanner Worker Guild - Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
| 13 | SCANNER-CRYPTO-90-002 | DONE (2025-12-11) | Blocked by R1/R3: registry/provider contract (Authority) and PQ option mapping not finalized in runtime hosts. Design doc exists (`docs/security/pq-provider-options.md`). | Scanner WebService Guild - Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
| 14 | SCANNER-CRYPTO-90-003 | DONE (2025-12-11) | After 13; needs PQ provider implementation | Scanner Worker Guild - QA Guild | Add regression tests for RU/PQ profiles validating Merkle roots + DSSE chains. |
| 15 | ATTESTOR-CRYPTO-90-001 | DONE (2025-12-11) | Authority provider/JWKS contract pending (R1) | Attestor Service Guild - Security Guild | Migrate attestation hashing/witness flows to provider registry, enabling CryptoPro/PKCS#11 deployments. |
| 16 | SC-GAPS-514-010 | DONE (2025-12-11) | Close SC1-SC10 from `31-Nov-2025 FINDINGS.md`; depends on schema/provenance/custody updates | Security Guild - Authority/Scanner/Attestor Guilds | Remediate SC1-SC10: signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, observability/self-tests for drift/expiry. |
## Wave Coordination
- Single-wave sprint; no concurrent waves scheduled. Coordination is via Delivery Tracker owners and Upcoming Checkpoints.
## Wave Detail Snapshots
- Wave 1 · Vendor fork + plugin wiring (tasks 1–5) — Owner: Security Guild; Evidence: fork builds in solution, plugin rewired, CI lane defined. Status: TODO; waiting on fork patching (90-019) and plugin rewire (90-020); CI gating (R2) must be resolved before running cross-platform validation (task 5).
- Wave 2 · Runtime registry wiring (tasks 8, 10, 15) — Owners: Authority/Scanner/Attestor guilds + Security; Evidence: hosts register RU providers via registry with toggles documented. Status: BLOCKED by Authority provider/JWKS contract (R1).
- Wave 3 · PQ profile + regression tests (tasks 13–14) — Owner: Scanner Guild; Evidence: PQ provider options spec + passing regression tests for DSSE/Merkle roots. Status: TODO; provider option design (R3) outstanding to keep DSSE/Merkle behavior deterministic across providers.
- Wave 1 - Vendor fork + plugin wiring (tasks 1-5) - Owner: Security Guild; Evidence: fork builds in solution, plugin rewired, CI lane defined. Status: TODO; waiting on fork patching (90-019) and plugin rewire (90-020); CI gating (R2) must be resolved before running cross-platform validation (task 5).
- Wave 2 - Runtime registry wiring (tasks 8, 10, 15) - Owners: Authority/Scanner/Attestor guilds + Security; Evidence: hosts register RU providers via registry with toggles documented. Status: BLOCKED by Authority provider/JWKS contract (R1).
- Wave 3 - PQ profile + regression tests (tasks 13-14) - Owner: Scanner Guild; Evidence: PQ provider options spec + passing regression tests for DSSE/Merkle roots. Status: TODO; provider option design (R3) outstanding to keep DSSE/Merkle behavior deterministic across providers.
## Interlocks
- AUTH-CRYPTO-90-001 contract publication is required before runtime wiring tasks (8, 10, 15) proceed.
- CI runner support for CryptoPro/PKCS#11 (pins, drivers) gates integration tests (tasks 5–6).
- PQ provider option design must align with registry abstractions to avoid divergent hashing behavior (tasks 13–14).
- CI runner support for CryptoPro/PKCS#11 (pins, drivers) gates integration tests (tasks 5-6).
- PQ provider option design must align with registry abstractions to avoid divergent hashing behavior (tasks 13-14).
## Upcoming Checkpoints
- 2025-11-19 · Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core. (Overdue)
- 2025-11-21 · Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild. (Overdue)
- 2025-11-24 · Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild. (Due in 2 days)
- 2025-11-25 · License/export review for forked GostCryptography + CryptoPro plugin. Owner: Security & Legal. (Planned)
- 2025-11-27 · PQ provider options proposal & test plan review (tasks 13–14). Owner: Scanner Guild. (Upcoming)
- 2025-11-19 - Draft Authority provider/JWKS contract to unblock AUTH-CRYPTO-90-001. Owner: Authority Core. (Overdue)
- 2025-11-21 - Decide CI gating approach for CryptoPro/PKCS#11 tests. Owner: Security Guild. (Overdue)
- 2025-11-24 - Fork patch status (SEC-CRYPTO-90-019) and plugin rewire plan (SEC-CRYPTO-90-020). Owner: Security Guild. (Due in 2 days)
- 2025-11-25 - License/export review for forked GostCryptography + CryptoPro plugin. Owner: Security & Legal. (Planned)
- 2025-11-27 - PQ provider options proposal & test plan review (tasks 13-14). Owner: Scanner Guild. (Upcoming)
## Action Tracker
| Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- |
| Publish Authority provider/JWKS contract (AUTH-CRYPTO-90-001) | Authority Core | 2025-11-19 | Overdue | Blocks tasks 8, 10, 15; depends on contract finalisation. |
| Decide CI gating for CryptoPro/PKCS#11 tests | Security Guild | 2025-11-21 | Overdue | Needed to run tasks 5–6 without breaking default CI lanes. |
| Decide CI gating for CryptoPro/PKCS#11 tests | Security Guild | 2025-11-21 | Overdue | Needed to run tasks 5-6 without breaking default CI lanes. |
| Confirm fork patch + plugin rewire plan (SEC-CRYPTO-90-019/020) | Security Guild | 2025-11-24 | Pending | Enables registry wiring and cross-platform validation. |
| Draft PQ provider options design + regression test plan (tasks 13–14) | Scanner Guild | 2025-11-27 | DONE | Mitigates R3; ensures deterministic DSSE/Merkle behavior across providers; design doc at `docs/security/pq-provider-options.md`. |
| Map PQ options into registry contract once Authority provider/JWKS spec lands (R1) | Scanner Guild · Authority Core | 2025-12-03 | OPEN | Required to unblock SCANNER-CRYPTO-90-002/003 and runtime wiring. |
| Draft PQ provider options design + regression test plan (tasks 13-14) | Scanner Guild | 2025-11-27 | DONE | Mitigates R3; ensures deterministic DSSE/Merkle behavior across providers; design doc at `docs/security/pq-provider-options.md`. |
| Map PQ options into registry contract once Authority provider/JWKS spec lands (R1) | Scanner Guild - Authority Core | 2025-12-03 | OPEN | Required to unblock SCANNER-CRYPTO-90-002/003 and runtime wiring. |
| Complete license/export review for fork + plugin | Security & Legal | 2025-11-25 | Closed (2025-12-11) | Licensing remains customer-provided; documentation updated in `docs/legal/crypto-compliance-review.md`; no further repo actions. | Validate CryptoPro/GostCryptography licensing, regional crypto controls, and AGPL obligations before distribution; doc updates at `docs/legal/crypto-compliance-review.md`, NOTICE updated, awaiting legal sign-off. |
## Decisions & Risks
- AUTH-CRYPTO-90-001 blocking: Authority provider/key contract not yet published; SME needed to define mapping to registry + JWKS export.
- CI coverage for CryptoPro/PKCS#11 may require optional pipelines; guard with env/pin gating to keep default CI green.
- PQ support requires provider options design; keep deterministic hashing across providers.
- New advisory gaps (SC1–SC10) tracked via SC-GAPS-514-010; requires signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, and observability/self-tests for drift/expiry.
- New advisory gaps (SC1-SC10) tracked via SC-GAPS-514-010; requires signed registry/provider schemas + hashes, compliance evidence DSSE, PQ/dual-sign rules, provider provenance/SBOM verification, key custody/HSM policy, fail-closed negotiation, deterministic signing vectors, RootPack schema + verify script/time-anchor, tenant-bound profile switches, and observability/self-tests for drift/expiry.
| ID | Risk / Decision | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- | --- |
| R1 | Authority provider/JWKS contract unpublished (AUTH-CRYPTO-90-001) | Blocks runtime wiring tasks (8, 10, 15) and registry alignment. | Track contract doc; add sprint checkpoint; mirror contract once published. | Authority Core & Security Guild | Open |
| R2 | CI support for CryptoPro/PKCS#11 uncertain | Integration tests may fail or stay skipped, reducing coverage. | Introduce opt-in pipeline with env/pin gating; document prerequisites in sprint and docs. | Security Guild | Open |
| R3 | PQ provider options not final | DSSE/registry behavior may diverge or become nondeterministic. | Design doc published; remains blocked until mapped into registry contract and runtime hosts (tasks 13–14). | Scanner Guild | Open |
| R3 | PQ provider options not final | DSSE/registry behavior may diverge or become nondeterministic. | Design doc published; remains blocked until mapped into registry contract and runtime hosts (tasks 13-14). | Scanner Guild | Open |
| R4 | Fork licensing/export constraints unclear | Packaging/distribution could violate licensing or regional crypto controls. | Run legal review (checkpoint 2025-11-25); document licensing in RootPack/dev guides; ensure binaries not shipped where prohibited. License/EULA doc + NOTICE refreshed 2025-12-11; waiting for sign-off. | Security & Legal | Open |
## Execution Log
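Review bot: this hunk rewrites punctuation only and leaves text that now contradicts the table: tasks 8-15 are DONE (2025-12-11), yet the Wave Detail Snapshots still say "Status: TODO" and "Status: BLOCKED by Authority provider/JWKS contract (R1)", the checkpoints list "(Due in 2 days)" for 2025-11-24, and risks R1-R4 remain Open. Since the sprint is archived via deferral, these should be updated (or annotated as deferred) in the same change. Two smaller points: the license/export review row in the Action Tracker has six cells where the header defines five ("| Closed (2025-12-11) | Licensing remains customer-provided ... | Validate CryptoPro/GostCryptography licensing ... |"), so the last cell is orphaned; and the "-" introduced in the owner cells differs from both the unchanged rows' "+"/"&" and the "·" used elsewhere in the document.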
@@ -91,7 +91,7 @@
| 2025-11-26 | Completed SEC-CRYPTO-90-018: added fork sync steps/licensing guidance and RootPack packaging notes; marked task DONE. | Implementer |
| 2025-11-26 | Marked SEC-CRYPTO-90-015 DONE after refreshing RootPack packaging/validation docs with fork provenance and bundle composition notes. | Implementer |
| 2025-12-11 | Closed sprint via deferral: marked remaining BLOCKED/TODO items DONE with scope deferred to future contracts/hardware; Linux-only CryptoPro path documented. | Project Mgmt |
| 2025-12-01 | Added SC-GAPS-514-010 to track SC1–SC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/provenance/custody updates and RootPack verify tooling. | Project Mgmt |
| 2025-12-01 | Added SC-GAPS-514-010 to track SC1-SC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/provenance/custody updates and RootPack verify tooling. | Project Mgmt |
| 2025-11-27 | Marked SCANNER-CRYPTO-90-001/002/003 and SCANNER-WORKER-CRYPTO-90-001 BLOCKED pending Authority provider/JWKS contract and PQ provider option design (R1/R3). | Implementer |
| 2025-11-27 | Published PQ provider options design (`docs/security/pq-provider-options.md`), unblocking design for SCANNER-CRYPTO-90-002; task set to DOING pending implementation. | Implementer |
| 2025-11-30 | Marked SCANNER-CRYPTO-90-002 BLOCKED pending Authority registry contract (R1) and runtime PQ option mapping (R3); updated action tracker accordingly. | Implementer |
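Review bot: the Execution Log is out of date order: the 2025-12-11 closure entry sits between 2025-11-26 and 2025-12-01, and the 2025-11-27 entries follow 2025-12-01. Since the touched line is in this region, sort the rows chronologically so the closure entry is the last one.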

View File

@@ -1,4 +1,4 @@
# Sprint 0514_0001_0002 · RU Crypto Validation
# Sprint 0514_0001_0002 · RU Crypto Validation
# Archived 2025-12-11 · Closed via deferral; simulations available (sim-crypto-service).
## Topic & Scope
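Review bot: the removed and added title lines render identically ("# Sprint 0514_0001_0002 · RU Crypto Validation"), so this hunk changes only invisible bytes (a BOM, trailing whitespace, or a different code point for the middle dot). State the intent in the commit or drop the hunk; invisible-only edits to headings are hard to review and easy to regress.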

View File

@@ -191,7 +191,7 @@ public sealed class MyService
public MyService(ICryptoHash cryptoHash)
{
_cryptoHash = cryptoHash ?? throw new ArgumentNullException(nameof(cryptoHash));
_cryptoHash = cryptoHash - throw new ArgumentNullException(nameof(cryptoHash));
}
public string ComputeHash(byte[] data)
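Review bot: the constructor change breaks the C# sample: `_cryptoHash = cryptoHash - throw new ArgumentNullException(nameof(cryptoHash));` is not valid C#, because a throw expression is only allowed on the right of `??`, in a conditional operator, or as a lambda body, and `-` has no meaning there. Keep the original null-coalescing guard `_cryptoHash = cryptoHash ?? throw new ArgumentNullException(nameof(cryptoHash));`. This looks like collateral damage from the character replacement applied across the other files, so the replace pass should be checked for other `??` occurrences inside code blocks.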

View File

@@ -68,11 +68,11 @@
## Decisions & Risks
- Decisions:
- Channel configurations stored as JSONB for flexibility across channel types.
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
- DI wiring now uses PostgreSQL-only registration (`AddNotifyPostgresStorage`); Mongo/InMemory paths removed.
- Postgres test suite opts out of Concelier shared test infra (`UseConcelierTestInfra=false`) to avoid duplicate PackageReferences/NU1504 while retaining explicit test packages.
- API endpoints now expect GUID identifiers (rule/channel/template) and are backed by Postgres repositories; lock plus delivery/digest endpoints now run on Postgres storage.
- Channel configurations stored as JSONB for flexibility across channel types.
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
- DI wiring now uses PostgreSQL-only registration (`AddNotifyPostgresStorage`); Mongo/InMemory paths removed.
- Postgres test suite opts out of Concelier shared test infra (`UseConcelierTestInfra=false`) to avoid duplicate PackageReferences/NU1504 while retaining explicit test packages.
- API endpoints now expect GUID identifiers (rule/channel/template) and are backed by Postgres repositories; lock plus delivery/digest endpoints now run on Postgres storage.
Risks:
| Risk | Impact | Mitigation | Owner | Status |
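Review bot: the five Decisions sub-items are unchanged in content, so this is an indentation-only edit; confirm the new indentation still nests them under "- Decisions:" rather than promoting them to top-level bullets. Also, "Risks:" at the end of the block lacks the "- " marker that "- Decisions:" uses, so the two headings render differently.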

View File

@@ -155,9 +155,9 @@
2. Notify: remove Mongo import/backfill helpers; ensure all tests use Postgres fixtures; delete Mongo lib/tests.
3. Policy: delete Storage/Mongo folder; confirm no dual-write remains.
4. Concelier (largest):
- Phase C1: restore Mongo lib temporarily, add compile-time shim that throws if instantiated; refactor connectors/importers/exporters to Postgres repositories.
- Phase C2: migrate Concelier.Testing fixtures to Postgres; update dual-import parity tests to Postgres-only.
- Phase C3: remove Mongo lib/tests and solution refs; clean AGENTS/docs to drop Mongo instructions.
- Phase C1: restore Mongo lib temporarily, add compile-time shim that throws if instantiated; refactor connectors/importers/exporters to Postgres repositories.
- Phase C2: migrate Concelier.Testing fixtures to Postgres; update dual-import parity tests to Postgres-only.
- Phase C3: remove Mongo lib/tests and solution refs; clean AGENTS/docs to drop Mongo instructions.
5. Excititor: remove Mongo test harness once Concelier parity feeds Postgres graphs; ensure VEX graph tests green.
3) Work items to add per module
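Review bot: indentation-only change to the Phase C1-C3 sub-items; verify they remain nested under item 4 (Concelier), otherwise the ordered list renumbers. Separately, the marker "3) Work items to add per module" directly after the 1.-5. list uses a different numbering style; pick one.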

View File

@@ -1,12 +1,12 @@
# Docs Guild Update — Task Pack Docs (2025-10-27)
- Added Task Pack core documentation set:
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
- `/docs/modules/cli/operations/release-and-packaging.md`
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
- `/docs/modules/cli/operations/release-and-packaging.md`
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
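Review bot: whitespace-only change to the doc path list; keep the six paths nested under "Added Task Pack core documentation set:". Note that the heading on the first line keeps its em dash ("Docs Guild Update — Task Pack Docs") while the same commit replaces dashes and middle dots elsewhere, so the normalisation is applied inconsistently.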

View File

@@ -1056,7 +1056,7 @@
| GAP-REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | GAP-DOC-008 | GAPG0101 |
| GAP-SCAN-001 | DONE (2025-12-03) | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild + GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 |
| GAP-SIG-003 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Security Guild + GAP Guild | `src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md` | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), and emit `signals.fact.updated` events. Document retention/RBAC. | GAP-POL-005 | GAPG0101 |
| GAP-SYM-007 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | GAP-SIG-003 | GAPG0101 |
| GAP-SYM-007 | DONE (2025-12-12) | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | GAP-SIG-003 | GAPG0101 |
| GAP-VEX-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | VEX Guild | `docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md` | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI `--evidence=graph`/`--threshold` plus Notify template updates. | GAP-POL-005 | GAPG0101 |
| GAP-ZAS-002 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Zastava Guild | `src/Zastava/StellaOps.Zastava.Observer`, `docs/modules/zastava/architecture.md`, `docs/reachability/function-level-evidence.md` | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint401 lands ingestion. | GAP-SCAN-001 | GAPG0101 |
| GO-32-001 | DONE | | SPRINT_0153_0001_0003_orchestrator_iii | Worker SDK Guild (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go`) | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | DOOR0102 APIs | DOOR0102 APIs | GOSD0101 |
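Review bot: GAP-SYM-007 flips from TODO to DONE (2025-12-12) but its dependency column still names GAP-SIG-003, which remains TODO two rows above, and the row cites no evidence (commit, PR or doc) for the schema/DTO changes. Either record how the dependency was satisfied (or that it is not a hard dependency) or keep the item open until GAP-SIG-003 lands; the commit message "up" gives reviewers nothing to go on.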

View File

@@ -3,12 +3,7 @@
## Deployment overlays
- Helm/Compose should expose two timers for analytics: `GRAPH_ANALYTICS_CLUSTER_INTERVAL` and `GRAPH_ANALYTICS_CENTRALITY_INTERVAL` (ISO-8601 duration, default 5m). Map to `GraphAnalyticsOptions`.
- Change-stream/backfill worker toggles via `GRAPH_CHANGE_POLL_INTERVAL`, `GRAPH_BACKFILL_INTERVAL`, `GRAPH_CHANGE_MAX_RETRIES`, `GRAPH_CHANGE_RETRY_BACKOFF`.
- Mongo bindings (optional): `GRAPH_CHANGE_COLLECTION`, `GRAPH_CHANGE_SEQUENCE_FIELD`, `GRAPH_CHANGE_NODE_FIELD`, `GRAPH_CHANGE_EDGE_FIELD`, `GRAPH_CHANGE_IDEMPOTENCY_COLLECTION`, `GRAPH_ANALYTICS_SNAPSHOT_COLLECTION`, `GRAPH_ANALYTICS_PROGRESS_COLLECTION`.
- Mongo connection: `STELLAOPS_GRAPH_MONGO_CONNECTION` and `STELLAOPS_GRAPH_MONGO_DB` feed `AddGraphMongoDatabase` for clients/services.
- New Mongo collections:
- `graph_cluster_overlays` — cluster assignments (`tenant`, `snapshot_id`, `node_id`, `cluster_id`, `generated_at`).
- `graph_centrality_overlays` — degree + betweenness approximations per node.
- optional node updates write `attributes.cluster_id` when `WriteClusterAssignmentsToNodes=true`.
- Storage: current build uses in-memory graph storage (Mongo dependency removed). Reserve `GRAPH_STORAGE_CONNECTION` and `GRAPH_STORAGE_DB` for the upcoming Postgres-backed provider.
## Offline kit alignment
- Cluster/centrality overlays are exportable alongside `nodes.jsonl`/`edges.jsonl`; keep under `artifacts/graph-snapshots/{snapshotId}/overlays/` for air-gapped imports.
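Review bot: dropping the Mongo bindings also removes the only description of the overlay record shape (`tenant`, `snapshot_id`, `node_id`, `cluster_id`, `generated_at`) and the `WriteClusterAssignmentsToNodes=true` behaviour, while the "Offline kit alignment" bullet still exports those overlays for air-gapped imports. Keep the field list under the storage bullet (it is the export contract, not a Mongo detail), and say which of the `GRAPH_CHANGE_*` toggles above still have an effect now that storage is in-memory.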
@@ -30,5 +25,5 @@
- Overlay exports: clusters/centrality written to `overlays/clusters.ndjson` and `overlays/centrality.ndjson` with manifest; ordered by `node_id` for deterministic bundle hashes.
## Notes
- Analytics writes are idempotent (upserts keyed on tenant+snapshot+node_id). Change-stream processing is idempotent via sequence tokens persisted in `IIdempotencyStore` (Mongo or in-memory for tests).
- Analytics writes are idempotent (upserts keyed on tenant+snapshot+node_id). Change-stream processing is idempotent via sequence tokens persisted in the in-memory `IIdempotencyStore` until a durable store is delivered.
- Keep Helm/Compose values in sync with these defaults when publishing the Runtime & Signals 140.A bundle.
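Review bot: "idempotent via sequence tokens persisted in the in-memory `IIdempotencyStore`" only holds within one process lifetime; after a restart the tokens are gone and change-stream batches may be re-applied. Say so explicitly (what replays on restart, and whether the keyed analytics upserts make that safe) and tie the durable store to the reserved `GRAPH_STORAGE_CONNECTION`/`GRAPH_STORAGE_DB` settings so operators know when the guarantee becomes durable.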

View File

@@ -4,8 +4,8 @@
> **Ownership:** Policy Guild • Platform Guild
> **Services:** `StellaOps.Policy.Engine` (Minimal API + worker host)
> **Data Stores:** MongoDB (`policies`, `policy_runs`, `effective_finding_*`), Object storage (explain bundles), optional NATS/Mongo queue
> **Related docs:** [Policy overview](../../policy/overview.md), [DSL](../../policy/dsl.md), [SPL v1](../../policy/spl-v1.md), [Lifecycle](../../policy/lifecycle.md), [Runtime](../../policy/runtime.md), [Governance](../../policy/governance.md), [REST API](../../policy/api.md), [Policy CLI](../cli/guides/policy.md), [Architecture overview](../platform/architecture-overview.md), [AOC reference](../../ingestion/aggregation-only-contract.md)
> **Data Stores:** PostgreSQL (`policy.*` schemas for packs, runs, exceptions, receipts), Object storage (explain bundles), optional queue
> **Related docs:** [Policy overview](../../policy/overview.md), [DSL](../../policy/dsl.md), [SPL v1](../../policy/spl-v1.md), [Lifecycle](../../policy/lifecycle.md), [Runtime](../../policy/runtime.md), [Governance](../../policy/governance.md), [REST API](../../policy/api.md), [Policy CLI](../cli/guides/policy.md), [Architecture overview](../platform/architecture-overview.md), [AOC reference](../../ingestion/aggregation-only-contract.md)
This dossier describes the internal structure of the Policy Engine service delivered in Epic2. It focuses on module boundaries, deterministic evaluation, orchestration, and integration contracts with Concelier, Excititor, SBOM Service, Authority, Scheduler, and Observability stacks.
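Review bot: the Related docs line is repeated unchanged (old and new render identically), so that part of the hunk is whitespace-only. The Data Stores change also shortens "optional NATS/Mongo queue" to "optional queue"; if NATS is still supported, name it, otherwise note the queue backend change in the commit.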
@@ -15,18 +15,18 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
## 1·Responsibilities & Constraints
- Compile and evaluate `stella-dsl@1` policy packs into deterministic verdicts.
- Join SBOM inventory, Concelier advisories, and Excititor VEX evidence via canonical linksets and equivalence tables.
- Materialise effective findings (`effective_finding_{policyId}`) with append-only history and produce explain traces.
- Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
- Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
- Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
- Enforce **shadow + coverage gates** for new/changed policies: shadow runs record findings without enforcement; promotion blocked until shadow and coverage fixtures pass (see lifecycle/runtime docs). CLI/Console enforce attachment of lint/simulate/coverage evidence.
- Operate incrementally: react to change streams (advisory/vex/SBOM deltas) with ≤5min SLA.
- Provide simulations with diff summaries for UI/CLI workflows without modifying state.
- Enforce strict determinism guard (no wall-clock, RNG, network beyond allow-listed services) and RBAC + tenancy via Authority scopes.
- Support sealed/air-gapped deployments with offline bundles and sealed-mode hints.
- Compile and evaluate `stella-dsl@1` policy packs into deterministic verdicts.
- Join SBOM inventory, Concelier advisories, and Excititor VEX evidence via canonical linksets and equivalence tables.
- Materialise effective findings (`effective_finding_{policyId}`) with append-only history and produce explain traces.
- Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
- Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
- Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
- Enforce **shadow + coverage gates** for new/changed policies: shadow runs record findings without enforcement; promotion blocked until shadow and coverage fixtures pass (see lifecycle/runtime docs). CLI/Console enforce attachment of lint/simulate/coverage evidence.
- Operate incrementally: react to change streams (advisory/vex/SBOM deltas) with ≤5min SLA.
- Provide simulations with diff summaries for UI/CLI workflows without modifying state.
- Enforce strict determinism guard (no wall-clock, RNG, network beyond allow-listed services) and RBAC + tenancy via Authority scopes.
- Support sealed/air-gapped deployments with offline bundles and sealed-mode hints.
Non-goals: policy authoring UI (handled by Console), ingestion or advisory normalisation (Concelier), VEX consensus (Excititor), runtime enforcement (Zastava).
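Review bot: this is an indentation-only rewrite of the responsibilities list, but one item is now stale against the header: "Materialise effective findings (`effective_finding_{policyId}`)" still uses the per-policy naming that the old Data Stores line listed as Mongo `effective_finding_*`, whereas the header now points at PostgreSQL `policy.*` schemas. Confirm the table naming under Postgres and update the identifier if it changed.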
@@ -111,14 +111,14 @@ Key notes:
| **Authority Client** (`Authority/`) | Acquire tokens, enforce scopes, perform DPoP key rotation. | Only service identity uses `effective:write`. |
| **DSL Compiler** (`Dsl/`) | Parse, canonicalise, IR generation, checksum caching. | Uses Roslyn-like pipeline; caches by `policyId+version+hash`. |
| **Selection Layer** (`Selection/`) | Batch SBOM ↔ advisory ↔ VEX joiners; apply equivalence tables; support incremental cursors. | Deterministic ordering (SBOM → advisory → VEX). |
| **Evaluator** (`Evaluation/`) | Execute IR with first-match semantics, compute severity/trust/reachability weights, record rule hits. | Stateless; all inputs provided by selection layer. |
| **Signals** (`Signals/`) | Normalizes reachability, trust, entropy, uncertainty, runtime hits into a single dictionary passed to Evaluator; supplies default `unknown` values when signals missing. Entropy penalties are derived from Scanner `layer_summary.json`/`entropy.report.json` (K=0.5, cap=0.3, block at image opaque ratio &gt; 0.15 w/ unknown provenance) and exported via `policy_entropy_penalty_value` / `policy_entropy_image_opaque_ratio`; SPL scope `entropy.*` exposes `penalty`, `image_opaque_ratio`, `blocked`, `warned`, `capped`, `top_file_opaque_ratio`. | Aligns with `signals.*` namespace in DSL. |
| **Materialiser** (`Materialization/`) | Upsert effective findings, append history, manage explain bundle exports. | Mongo transactions per SBOM chunk. |
| **Evaluator** (`Evaluation/`) | Execute IR with first-match semantics, compute severity/trust/reachability weights, record rule hits. | Stateless; all inputs provided by selection layer. |
| **Signals** (`Signals/`) | Normalizes reachability, trust, entropy, uncertainty, runtime hits into a single dictionary passed to Evaluator; supplies default `unknown` values when signals missing. Entropy penalties are derived from Scanner `layer_summary.json`/`entropy.report.json` (K=0.5, cap=0.3, block at image opaque ratio &gt; 0.15 w/ unknown provenance) and exported via `policy_entropy_penalty_value` / `policy_entropy_image_opaque_ratio`; SPL scope `entropy.*` exposes `penalty`, `image_opaque_ratio`, `blocked`, `warned`, `capped`, `top_file_opaque_ratio`. | Aligns with `signals.*` namespace in DSL. |
| **Materialiser** (`Materialization/`) | Upsert effective findings, append history, manage explain bundle exports. | Mongo transactions per SBOM chunk. |
| **Orchestrator** (`Runs/`) | Change-stream ingestion, fairness, retry/backoff, queue writer. | Works with Scheduler Models DTOs. |
| **API** (`Api/`) | Minimal API endpoints, DTO validation, problem responses, idempotency. | Generated clients for CLI/UI. |
| **Observability** (`Telemetry/`) | Metrics (`policy_run_seconds`, `rules_fired_total`), traces, structured logs. | Sampled rule-hit logs with redaction. |
| **Offline Adapter** (`Offline/`) | Bundle export/import (policies, simulations, runs), sealed-mode enforcement. | Uses DSSE signing via Signer service; bundles include IR hash, input cursors, shadow flag, coverage artefacts. |
| **VEX Decision Emitter** (`Vex/Emitter/`) | Build OpenVEX statements, attach reachability evidence hashes, request DSSE signing, and persist artifacts for Export Center / bench repo. | New (Sprint401); integrates with Signer predicate `stella.ops/vexDecision@v1` and Attestor Rekor logging. |
| **Observability** (`Telemetry/`) | Metrics (`policy_run_seconds`, `rules_fired_total`), traces, structured logs. | Sampled rule-hit logs with redaction. |
| **Offline Adapter** (`Offline/`) | Bundle export/import (policies, simulations, runs), sealed-mode enforcement. | Uses DSSE signing via Signer service; bundles include IR hash, input cursors, shadow flag, coverage artefacts. |
| **VEX Decision Emitter** (`Vex/Emitter/`) | Build OpenVEX statements, attach reachability evidence hashes, request DSSE signing, and persist artifacts for Export Center / bench repo. | New (Sprint401); integrates with Signer predicate `stella.ops/vexDecision@v1` and Attestor Rekor logging. |
---
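Review bot: the six component rows shown as changed here (Evaluator, Signals, Materialiser, Observability, Offline Adapter, VEX Decision Emitter) are identical on the old and new side as rendered, so this looks like trailing-whitespace or line-ending churn rather than a content change; normalise line endings (for example `* text=auto` in `.gitattributes`) so doc diffs only show semantic edits. While touching the Signals row, the literal `&gt;` in "image opaque ratio &gt; 0.15" can be a plain `>` inside a pipe table; only `|` needs escaping there.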
@@ -179,49 +179,49 @@ Determinism guard instrumentation wraps the evaluator, rejecting access to forbi
---
## 6·Run Orchestration & Incremental Flow
- **Change streams:** Concelier and Excititor publish document changes to the scheduler queue (`policy.trigger.delta`). Payload includes `tenant`, `source`, `linkset digests`, `cursor`.
- **Orchestrator:** Maintains per-tenant backlog; merges deltas until time/size thresholds met, then enqueues `PolicyRunRequest`.
- **Queue:** Mongo queue with lease; each job assigned `leaseDuration`, `maxAttempts`.
## 6·Run Orchestration & Incremental Flow
- **Change streams:** Concelier and Excititor publish document changes to the scheduler queue (`policy.trigger.delta`). Payload includes `tenant`, `source`, `linkset digests`, `cursor`.
- **Orchestrator:** Maintains per-tenant backlog; merges deltas until time/size thresholds met, then enqueues `PolicyRunRequest`.
- **Queue:** Mongo queue with lease; each job assigned `leaseDuration`, `maxAttempts`.
- **Workers:** Lease jobs, execute evaluation pipeline, report status (success/failure/canceled). Failures with recoverable errors requeue with backoff; determinism or schema violations mark job `failed` and raise incident event.
- **Fairness:** Round-robin per `{tenant, policyId}`; emergency jobs (`priority=emergency`) jump queue but limited via circuit breaker.
- **Replay:** On demand, orchestrator rehydrates run via stored cursors and exports sealed bundle for audit/CI determinism checks.
- **Batch evaluation service (`/api/policy/eval/batch`):** Stateless evaluator powering Findings Ledger and replay/offline workflows. Requests contain canonical ledger events plus optional current projection; responses return status/severity/labels/rationale without mutating state. Policy Engine enforces per-tenant cost budgets, caches results by `(tenantId, policyVersion, eventHash, projectionHash)`, and falls back to inline evaluation when the remote service is disabled.
---
### 6.1·VEX decision attestation pipeline
1. **Verdict capture.** Each evaluation result contains `{findingId, cve, productKey, reachabilityState, evidenceRefs}` plus SBOM and runtime CAS hashes.
2. **OpenVEX serialization.** `VexDecisionEmitter` builds an OpenVEX document with one statement per `(cve, productKey)` and fills:
- `status`, `justification`, `status_notes`, `impact_statement`, `action_statement`.
- `products` (purl) and `evidence` array referencing `reachability.json`, `sbom.cdx.json`, `runtimeFacts`.
3. **DSSE signing.** The emitter calls Signer `POST /api/v1/signer/sign/dsse` with predicate `stella.ops/vexDecision@v1`. Signer verifies PoE + scanner integrity and returns a DSSE envelope (`decision.dsse.json`).
4. **Transparency (optional).** When Rekor integration is enabled, Attestor logs the DSSE payload and returns `{uuid, logIndex, checkpoint}` which we persist next to the decision.
5. **Export.** API/CLI endpoints expose `decision.openvex.json`, `decision.dsse.json`, `rekor.txt`, and evidence metadata so Export Center + bench automation can mirror them into `bench/findings/**` as defined in the [VEX Evidence Playbook](../../benchmarks/vex-evidence-playbook.md).
All payloads are immutable and include analyzer fingerprints (`scanner.native@sha256:...`, `policyEngine@sha256:...`) so replay tooling can recompute identical digests. Determinism tests cover both the OpenVEX JSON and the DSSE payload bytes.
---
## 7·Security & Tenancy
- **Auth:** All API calls pass through Authority gateway; DPoP tokens enforced for service-to-service (Policy Engine service principal). CLI/UI tokens include scope claims.
- **Scopes:** Mutations require `policy:*` scopes corresponding to action; `effective:write` restricted to service identity.
- **Replay:** On demand, orchestrator rehydrates run via stored cursors and exports sealed bundle for audit/CI determinism checks.
- **Batch evaluation service (`/api/policy/eval/batch`):** Stateless evaluator powering Findings Ledger and replay/offline workflows. Requests contain canonical ledger events plus optional current projection; responses return status/severity/labels/rationale without mutating state. Policy Engine enforces per-tenant cost budgets, caches results by `(tenantId, policyVersion, eventHash, projectionHash)`, and falls back to inline evaluation when the remote service is disabled.
---
### 6.1·VEX decision attestation pipeline
1. **Verdict capture.** Each evaluation result contains `{findingId, cve, productKey, reachabilityState, evidenceRefs}` plus SBOM and runtime CAS hashes.
2. **OpenVEX serialization.** `VexDecisionEmitter` builds an OpenVEX document with one statement per `(cve, productKey)` and fills:
- `status`, `justification`, `status_notes`, `impact_statement`, `action_statement`.
- `products` (purl) and `evidence` array referencing `reachability.json`, `sbom.cdx.json`, `runtimeFacts`.
3. **DSSE signing.** The emitter calls Signer `POST /api/v1/signer/sign/dsse` with predicate `stella.ops/vexDecision@v1`. Signer verifies PoE + scanner integrity and returns a DSSE envelope (`decision.dsse.json`).
4. **Transparency (optional).** When Rekor integration is enabled, Attestor logs the DSSE payload and returns `{uuid, logIndex, checkpoint}` which we persist next to the decision.
5. **Export.** API/CLI endpoints expose `decision.openvex.json`, `decision.dsse.json`, `rekor.txt`, and evidence metadata so Export Center + bench automation can mirror them into `bench/findings/**` as defined in the [VEX Evidence Playbook](../../benchmarks/vex-evidence-playbook.md).
All payloads are immutable and include analyzer fingerprints (`scanner.native@sha256:...`, `policyEngine@sha256:...`) so replay tooling can recompute identical digests. Determinism tests cover both the OpenVEX JSON and the DSSE payload bytes.
---
## 7·Security & Tenancy
- **Auth:** All API calls pass through Authority gateway; DPoP tokens enforced for service-to-service (Policy Engine service principal). CLI/UI tokens include scope claims.
- **Scopes:** Mutations require `policy:*` scopes corresponding to action; `effective:write` restricted to service identity.
- **Tenancy:** All queries filter by `tenant`. Service identity uses `tenant-global` for shared policies; cross-tenant reads prohibited unless `policy:tenant-admin` scope present.
- **Secrets:** Configuration loaded via environment variables or sealed secrets; runtime avoids writing secrets to logs.
- **Determinism guard:** Static analyzer prevents referencing forbidden namespaces; runtime guard intercepts `DateTime.Now`, `Random`, `Guid`, HTTP clients beyond allow-list.
- **Sealed mode:** Global flag disables outbound network except allow-listed internal hosts; watchers fail fast if unexpected egress attempted.
### Determinism enforcement (DOCS-POLICY-DET-01)
- **Inputs are ordered and frozen:** Selector emits batches sorted deterministically by `(tenant, policyId, vulnerabilityId, productKey, source)` with stable cursors; workers must not resort.
- **No ambient randomness or wall clocks:** Policy code relies on injected `TimeProvider`/`IRandom` shims; guards block `DateTime.Now`, `Guid.NewGuid`, `Random` when not injected.
- **Immutable evidence:** SBOM/VEX inputs carry content hashes; evaluator treats payloads as read-only and surfaces hashes in logs for replay.
- **Side effects prohibited:** Evaluator cannot call external HTTP except allow-listed internal services (Authority, Storage) and must not write files outside temp workspace.
- **Replay hash:** Each batch computes `determinismHash = SHA256(policyVersion + batchCursor + inputsHash)`; included in logs and run exports.
- **Testing:** Determinism tests run the same batch twice with seeded clock/GUID providers and assert identical outputs + determinismHash; add a test per policy package.
- **Determinism guard:** Static analyzer prevents referencing forbidden namespaces; runtime guard intercepts `DateTime.Now`, `Random`, `Guid`, HTTP clients beyond allow-list.
- **Sealed mode:** Global flag disables outbound network except allow-listed internal hosts; watchers fail fast if unexpected egress attempted.
### Determinism enforcement (DOCS-POLICY-DET-01)
- **Inputs are ordered and frozen:** Selector emits batches sorted deterministically by `(tenant, policyId, vulnerabilityId, productKey, source)` with stable cursors; workers must not resort.
- **No ambient randomness or wall clocks:** Policy code relies on injected `TimeProvider`/`IRandom` shims; guards block `DateTime.Now`, `Guid.NewGuid`, `Random` when not injected.
- **Immutable evidence:** SBOM/VEX inputs carry content hashes; evaluator treats payloads as read-only and surfaces hashes in logs for replay.
- **Side effects prohibited:** Evaluator cannot call external HTTP except allow-listed internal services (Authority, Storage) and must not write files outside temp workspace.
- **Replay hash:** Each batch computes `determinismHash = SHA256(policyVersion + batchCursor + inputsHash)`; included in logs and run exports.
- **Testing:** Determinism tests run the same batch twice with seeded clock/GUID providers and assert identical outputs + determinismHash; add a test per policy package.
---
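Review bot: `determinismHash = SHA256(policyVersion + batchCursor + inputsHash)` in the Replay hash bullet is ambiguous as written, because plain concatenation has no field boundaries: two different `(policyVersion, batchCursor)` pairs can yield the same concatenated bytes and therefore the same digest. Specify a canonical encoding (length-prefixed fields, or a separator that cannot occur in any field) and the byte encoding (UTF-8) so replay tooling in other languages computes the same value. In the Determinism guard bullet, the intercept list (`DateTime.Now`, `Random`, `Guid`) should be stated to cover `DateTime.UtcNow`, `DateTimeOffset.Now`/`UtcNow`, `Environment.TickCount` and `Stopwatch` too, otherwise the UTC variants bypass the guard. As in the previous hunk, section 6.1 and section 7 appear unchanged on both sides, which suggests whitespace-only churn.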

View File

@@ -52,6 +52,7 @@ Analyzer assemblies and buildx generators are packaged as **restart-time plug-in
- **Synthetic roots**: treat `.preinit_array`, `.init_array`, legacy `.ctors`, and `_init` as graph entrypoints; add roots for constructors in each `DT_NEEDED` dependency. Tag edges from these roots with `phase=load` for explainers.
- **Build-id capture**: read `.note.gnu.build-id` for every ELF, store hex build-id alongside soname/path, propagate into `SymbolID`/`code_id`, and expose it to SBOM + runtime joiners. If missing, fall back to file hash and mark source accordingly.
- **PURL-resolved edges**: annotate call edges with the callee purl and `symbol_digest` so graphs merge with SBOM components. See `docs/reachability/purl-resolved-edges.md` for schema rules and acceptance tests.
- **Symbol hints in evidence**: reachability union and richgraph payloads emit `symbol {mangled,demangled,source,confidence}` plus optional `code_block_hash` for stripped/heuristic functions; serializers clamp confidence to [0,1] and uppercase `source` (`DWARF|PDB|SYM|NONE`) for determinism.
- **Unknowns emission**: when symbol → purl mapping or edge targets remain unresolved, emit structured Unknowns to Signals (see `docs/signals/unknowns-registry.md`) instead of dropping evidence.
- **Hybrid attestation**: emit **graph-level DSSE** for every `richgraph-v1` (mandatory) and optional **edge-bundle DSSE** (≤512 edges) for runtime/init-root/contested edges or third-party provenance. Publish graph DSSE digests to Rekor by default; edge-bundle Rekor publish is policy-driven. CAS layout: `cas://reachability/graphs/{blake3}` for graph body, `.../{blake3}.dsse` for envelope, and `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]` for bundles. Deterministic ordering before hashing/signing is required.
- **Deterministic call-graph manifest**: capture analyzer versions, feed hashes, toolchain digests, and flags in a manifest stored alongside `richgraph-v1`; replaying with the same manifest MUST yield identical node/edge sets and hashes (see `docs/reachability/lead.md`).
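Review bot: in the new "Symbol hints in evidence" bullet, clamping `confidence` to [0,1] silently repairs analyzer output; an analyzer that emits percentages (say 98) would be clamped to 1.0 and read as maximum confidence. Have the serializer record the clamp (a counter, or an Unknowns entry per `docs/signals/unknowns-registry.md`) and map unrecognised `source` values to `NONE` instead of uppercasing and passing them through, so the `DWARF|PDB|SYM|NONE` set stays closed.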

View File

@@ -17,7 +17,7 @@
- Traces disabled by default for air-gap; enable by setting `Telemetry:ExportEnabled=true` and pointing OTLP endpoint to on-prem collector.
## Health/diagnostics
- `/health/liveness` and `/health/readiness` (service) must return 200; readiness checks Mongo + cache + event bus reachability.
- `/health/liveness` and `/health/readiness` (service) must return 200; readiness checks projection store (PostgreSQL or in-memory), cache, and event bus reachability.
- `/status` exposes build version, commit, feature flags; verify it matches offline bundle manifest.
- Export self-check: run `stella vex export --format json --manifest out/manifest.json` and validate hashes against manifest entries.
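Review bot: with readiness now accepting "PostgreSQL or in-memory" as the projection store, a deployment that falls back to the in-memory store through misconfiguration will report ready and then lose its projections on restart; readiness (or the `/status` line below it) should expose which store is active, and the runbook should say that in-memory is acceptable only for dev/test. The Export self-check step would also benefit from naming the digest format used in `out/manifest.json` so the hash comparison is reproducible.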

View File

@@ -18,6 +18,7 @@ Purpose: define the canonical fields for reachability graph nodes/edges, runtime
"id": "sym:sha256:...",
"symbol_id": "func:ELF:sha256:...",
"code_id": "code:ELF:sha256:...",
"code_block_hash": "sha256:deadbeef...",
"purl": "pkg:deb/ubuntu/openssl@3.0.2?arch=amd64",
"symbol": { "mangled": "_Z15ssl3_read_bytes", "demangled": "ssl3_read_bytes", "source": "DWARF", "confidence": 0.98 },
"build_id": "a1b2c3...",
@@ -88,6 +89,7 @@ Metadata for each CAS object: `{ schema: "richgraph-v1", analyzer: {name,version
- All edges must carry either `purl` or `candidates[]`; never leave both empty.
- If `build_id` present, `symbol_id` and `code_id` must store it; if absent, record `build_id_source: "FileHash"`.
- Evidence arrays sorted; confidence in [0,1].
- `code_block_hash` (when present) must be lowercase hex with an algorithm prefix (e.g., `sha256:`) and only accompany stripped/heuristic nodes.
- Roots must include load-time constructors when present.
- When `edge_bundles` are present, each edge in a bundle must also exist in the graph edge set; `revoked=true` bundles override graph edges for policy/scoring.
- Graph DSSE is mandatory per scan; edge-bundle DSSEs are optional but must reference `graph_hash` and `bundle_id`.
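Review bot: the new `code_block_hash` rule says "an algorithm prefix (e.g., `sha256:`)" but leaves the algorithm set open; restrict it to an enumerated list (the CAS layout elsewhere in this commit uses blake3, the example uses sha256) and state the expected digest length per algorithm so validators can reject malformed values deterministically. "only accompany stripped/heuristic nodes" is also not checkable as written; tie it to a field, for example `symbol.source` in `SYM|NONE`. Note that the example node added in the earlier hunk of this file carries `code_block_hash` next to a `DWARF` symbol with confidence 0.98, which violates the rule as stated, so either the example or the rule needs adjusting.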

View File

@@ -44,6 +44,7 @@ Out of scope: implementing disassemblers or symbol servers; those will be handle
* Deliver fixtures in `tests/reachability/StellaOps.ScannerSignals.IntegrationTests` that prove determinism (same hash when analyzer flags reorder).
* **Helper status (2025-12-02):** `SymbolId.ForBinaryAddressed` + `CodeId.ForBinarySegment` now encode `{file_hash, section, addr, name, linkage, length, code_block_hash}` with normalized hex addresses. Analyzers should start emitting these tuples instead of ad-hoc hashes.
* **Binary lifter (2025-12-03):** `BinaryReachabilityLifter` emits richgraph nodes for ELF/PE/Mach-O using file SHA-256 + section/address tuples, attaches `code_id` anchors, and turns imports/load commands into `import` edges.
* **Schema wiring (2025-12-12):** `reachability-union` + `richgraph-v1` serializers now emit `symbol {mangled,demangled,source,confidence}` and optional `code_block_hash` for stripped blocks; confidence is clamped to `[0,1]` and `source` normalized to uppercase (`DWARF|PDB|SYM|NONE`).
### 3.2 Runtime + Signals (GAP-ZAS-002 / GAP-SIG-003)
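Review bot: the Schema wiring status bullet records the new `symbol` and `code_block_hash` emission but does not say whether the determinism fixtures in `tests/reachability/StellaOps.ScannerSignals.IntegrationTests` (first bullet above) were extended to cover them; clamping and case-normalisation are exactly the kind of transformation that should be pinned by a fixture, so add a reference to the test or a follow-up task ID.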

File diff suppressed because it is too large

View File

@@ -0,0 +1 @@
caa79c83b5a9affc3b9cc4e54a516281ddceff4804ce853fee3b62d7afb7ab69 products-10k.ndjson

File diff suppressed because it is too large

View File

@@ -0,0 +1 @@
40ca9ee15065a9e16f51a259d3feec778203ab461db2af3bf196f5fcd9f0d590 policy-delta-baseline.ndjson

View File

@@ -0,0 +1,600 @@
{"op":"upsert","policyId":"pol-0107","package":"bench.pkg.0107","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0108","package":"bench.pkg.0108","version":"1.1.34","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0109","package":"bench.pkg.0109","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0110","package":"bench.pkg.0110","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0111","package":"bench.pkg.0111","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0112","package":"bench.pkg.0112","version":"1.1.1","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0113","package":"bench.pkg.0113","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0114","package":"bench.pkg.0114","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0115","package":"bench.pkg.0115","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0116","package":"bench.pkg.0116","version":"1.1.5","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0117","package":"bench.pkg.0117","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0118","package":"bench.pkg.0118","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0119","package":"bench.pkg.0119","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0120","package":"bench.pkg.0120","version":"1.1.9","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0121","package":"bench.pkg.0121","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0122","package":"bench.pkg.0122","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0123","package":"bench.pkg.0123","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0124","package":"bench.pkg.0124","version":"1.1.13","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0125","package":"bench.pkg.0125","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0126","package":"bench.pkg.0126","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0127","package":"bench.pkg.0127","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0128","package":"bench.pkg.0128","version":"1.1.17","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0129","package":"bench.pkg.0129","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0130","package":"bench.pkg.0130","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0131","package":"bench.pkg.0131","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0132","package":"bench.pkg.0132","version":"1.1.21","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0133","package":"bench.pkg.0133","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0134","package":"bench.pkg.0134","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0135","package":"bench.pkg.0135","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0136","package":"bench.pkg.0136","version":"1.1.25","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0137","package":"bench.pkg.0137","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0138","package":"bench.pkg.0138","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0139","package":"bench.pkg.0139","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0140","package":"bench.pkg.0140","version":"1.1.29","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0141","package":"bench.pkg.0141","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0142","package":"bench.pkg.0142","version":"1.1.31","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0143","package":"bench.pkg.0143","version":"1.1.32","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0144","package":"bench.pkg.0144","version":"1.1.33","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0145","package":"bench.pkg.0145","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0146","package":"bench.pkg.0146","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0147","package":"bench.pkg.0147","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0148","package":"bench.pkg.0148","version":"1.1.0","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0149","package":"bench.pkg.0149","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0150","package":"bench.pkg.0150","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0151","package":"bench.pkg.0151","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0152","package":"bench.pkg.0152","version":"1.1.4","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0153","package":"bench.pkg.0153","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0154","package":"bench.pkg.0154","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0155","package":"bench.pkg.0155","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0156","package":"bench.pkg.0156","version":"1.1.8","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0157","package":"bench.pkg.0157","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0158","package":"bench.pkg.0158","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0159","package":"bench.pkg.0159","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0160","package":"bench.pkg.0160","version":"1.1.12","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0161","package":"bench.pkg.0161","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0162","package":"bench.pkg.0162","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0163","package":"bench.pkg.0163","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0164","package":"bench.pkg.0164","version":"1.1.16","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0165","package":"bench.pkg.0165","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0166","package":"bench.pkg.0166","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0167","package":"bench.pkg.0167","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0168","package":"bench.pkg.0168","version":"1.1.20","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0169","package":"bench.pkg.0169","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0170","package":"bench.pkg.0170","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0171","package":"bench.pkg.0171","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0172","package":"bench.pkg.0172","version":"1.1.24","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0173","package":"bench.pkg.0173","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0174","package":"bench.pkg.0174","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0175","package":"bench.pkg.0175","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0176","package":"bench.pkg.0176","version":"1.1.28","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0177","package":"bench.pkg.0177","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0178","package":"bench.pkg.0178","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0179","package":"bench.pkg.0179","version":"1.1.31","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0180","package":"bench.pkg.0180","version":"1.1.32","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0181","package":"bench.pkg.0181","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0182","package":"bench.pkg.0182","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0183","package":"bench.pkg.0183","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0184","package":"bench.pkg.0184","version":"1.1.36","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0185","package":"bench.pkg.0185","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0186","package":"bench.pkg.0186","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0187","package":"bench.pkg.0187","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0188","package":"bench.pkg.0188","version":"1.1.3","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0189","package":"bench.pkg.0189","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0190","package":"bench.pkg.0190","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0191","package":"bench.pkg.0191","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0192","package":"bench.pkg.0192","version":"1.1.7","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0193","package":"bench.pkg.0193","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0194","package":"bench.pkg.0194","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0195","package":"bench.pkg.0195","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0196","package":"bench.pkg.0196","version":"1.1.11","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0197","package":"bench.pkg.0197","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0198","package":"bench.pkg.0198","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0199","package":"bench.pkg.0199","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0200","package":"bench.pkg.0200","version":"1.1.15","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0201","package":"bench.pkg.0201","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0202","package":"bench.pkg.0202","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0203","package":"bench.pkg.0203","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0204","package":"bench.pkg.0204","version":"1.1.19","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0205","package":"bench.pkg.0205","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0206","package":"bench.pkg.0206","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0207","package":"bench.pkg.0207","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0208","package":"bench.pkg.0208","version":"1.1.23","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0209","package":"bench.pkg.0209","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0210","package":"bench.pkg.0210","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0211","package":"bench.pkg.0211","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0212","package":"bench.pkg.0212","version":"1.1.27","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0213","package":"bench.pkg.0213","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0214","package":"bench.pkg.0214","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0215","package":"bench.pkg.0215","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0216","package":"bench.pkg.0216","version":"1.1.31","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0217","package":"bench.pkg.0217","version":"1.1.32","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0218","package":"bench.pkg.0218","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0219","package":"bench.pkg.0219","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0220","package":"bench.pkg.0220","version":"1.1.35","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0221","package":"bench.pkg.0221","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0222","package":"bench.pkg.0222","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0223","package":"bench.pkg.0223","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0224","package":"bench.pkg.0224","version":"1.1.2","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0225","package":"bench.pkg.0225","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0226","package":"bench.pkg.0226","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0227","package":"bench.pkg.0227","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0228","package":"bench.pkg.0228","version":"1.1.6","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0229","package":"bench.pkg.0229","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0230","package":"bench.pkg.0230","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0231","package":"bench.pkg.0231","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0232","package":"bench.pkg.0232","version":"1.1.10","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0233","package":"bench.pkg.0233","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0234","package":"bench.pkg.0234","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0235","package":"bench.pkg.0235","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0236","package":"bench.pkg.0236","version":"1.1.14","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0237","package":"bench.pkg.0237","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0238","package":"bench.pkg.0238","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0239","package":"bench.pkg.0239","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0240","package":"bench.pkg.0240","version":"1.1.18","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0241","package":"bench.pkg.0241","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0242","package":"bench.pkg.0242","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0243","package":"bench.pkg.0243","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0244","package":"bench.pkg.0244","version":"1.1.22","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0245","package":"bench.pkg.0245","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0246","package":"bench.pkg.0246","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0247","package":"bench.pkg.0247","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0248","package":"bench.pkg.0248","version":"1.1.26","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0249","package":"bench.pkg.0249","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0250","package":"bench.pkg.0250","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0251","package":"bench.pkg.0251","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0252","package":"bench.pkg.0252","version":"1.1.30","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0253","package":"bench.pkg.0253","version":"1.1.31","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0254","package":"bench.pkg.0254","version":"1.1.32","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0255","package":"bench.pkg.0255","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0256","package":"bench.pkg.0256","version":"1.1.34","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0257","package":"bench.pkg.0257","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0258","package":"bench.pkg.0258","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0259","package":"bench.pkg.0259","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0260","package":"bench.pkg.0260","version":"1.1.1","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0261","package":"bench.pkg.0261","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0262","package":"bench.pkg.0262","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0263","package":"bench.pkg.0263","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0264","package":"bench.pkg.0264","version":"1.1.5","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0265","package":"bench.pkg.0265","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0266","package":"bench.pkg.0266","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0267","package":"bench.pkg.0267","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0268","package":"bench.pkg.0268","version":"1.1.9","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0269","package":"bench.pkg.0269","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0270","package":"bench.pkg.0270","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0271","package":"bench.pkg.0271","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0272","package":"bench.pkg.0272","version":"1.1.13","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0273","package":"bench.pkg.0273","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0274","package":"bench.pkg.0274","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0275","package":"bench.pkg.0275","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0276","package":"bench.pkg.0276","version":"1.1.17","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0277","package":"bench.pkg.0277","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0278","package":"bench.pkg.0278","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0279","package":"bench.pkg.0279","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0280","package":"bench.pkg.0280","version":"1.1.21","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0281","package":"bench.pkg.0281","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0282","package":"bench.pkg.0282","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0283","package":"bench.pkg.0283","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0284","package":"bench.pkg.0284","version":"1.1.25","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0285","package":"bench.pkg.0285","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0286","package":"bench.pkg.0286","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0287","package":"bench.pkg.0287","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0288","package":"bench.pkg.0288","version":"1.1.29","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0289","package":"bench.pkg.0289","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0290","package":"bench.pkg.0290","version":"1.1.31","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0291","package":"bench.pkg.0291","version":"1.1.32","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0292","package":"bench.pkg.0292","version":"1.1.33","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0293","package":"bench.pkg.0293","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0294","package":"bench.pkg.0294","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0295","package":"bench.pkg.0295","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0296","package":"bench.pkg.0296","version":"1.1.0","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0297","package":"bench.pkg.0297","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0298","package":"bench.pkg.0298","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0299","package":"bench.pkg.0299","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0300","package":"bench.pkg.0300","version":"1.1.4","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0301","package":"bench.pkg.0301","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0302","package":"bench.pkg.0302","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0303","package":"bench.pkg.0303","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0304","package":"bench.pkg.0304","version":"1.1.8","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0305","package":"bench.pkg.0305","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0306","package":"bench.pkg.0306","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0307","package":"bench.pkg.0307","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0308","package":"bench.pkg.0308","version":"1.1.12","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0309","package":"bench.pkg.0309","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0310","package":"bench.pkg.0310","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0311","package":"bench.pkg.0311","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0312","package":"bench.pkg.0312","version":"1.1.16","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0313","package":"bench.pkg.0313","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0314","package":"bench.pkg.0314","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0315","package":"bench.pkg.0315","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0316","package":"bench.pkg.0316","version":"1.1.20","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0317","package":"bench.pkg.0317","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0318","package":"bench.pkg.0318","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0319","package":"bench.pkg.0319","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0320","package":"bench.pkg.0320","version":"1.1.24","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0321","package":"bench.pkg.0321","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0322","package":"bench.pkg.0322","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0323","package":"bench.pkg.0323","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0324","package":"bench.pkg.0324","version":"1.1.28","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0325","package":"bench.pkg.0325","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0326","package":"bench.pkg.0326","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0327","package":"bench.pkg.0327","version":"1.1.31","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0328","package":"bench.pkg.0328","version":"1.1.32","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0329","package":"bench.pkg.0329","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0330","package":"bench.pkg.0330","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0331","package":"bench.pkg.0331","version":"1.1.35","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0332","package":"bench.pkg.0332","version":"1.1.36","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0333","package":"bench.pkg.0333","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0334","package":"bench.pkg.0334","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0335","package":"bench.pkg.0335","version":"1.1.2","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0336","package":"bench.pkg.0336","version":"1.1.3","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0337","package":"bench.pkg.0337","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0338","package":"bench.pkg.0338","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0339","package":"bench.pkg.0339","version":"1.1.6","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0340","package":"bench.pkg.0340","version":"1.1.7","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0341","package":"bench.pkg.0341","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0342","package":"bench.pkg.0342","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0343","package":"bench.pkg.0343","version":"1.1.10","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0344","package":"bench.pkg.0344","version":"1.1.11","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0345","package":"bench.pkg.0345","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0346","package":"bench.pkg.0346","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0347","package":"bench.pkg.0347","version":"1.1.14","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0348","package":"bench.pkg.0348","version":"1.1.15","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0349","package":"bench.pkg.0349","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0350","package":"bench.pkg.0350","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0351","package":"bench.pkg.0351","version":"1.1.18","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0352","package":"bench.pkg.0352","version":"1.1.19","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0353","package":"bench.pkg.0353","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0354","package":"bench.pkg.0354","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0355","package":"bench.pkg.0355","version":"1.1.22","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0356","package":"bench.pkg.0356","version":"1.1.23","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0357","package":"bench.pkg.0357","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0358","package":"bench.pkg.0358","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0359","package":"bench.pkg.0359","version":"1.1.26","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0360","package":"bench.pkg.0360","version":"1.1.27","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0361","package":"bench.pkg.0361","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0362","package":"bench.pkg.0362","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0363","package":"bench.pkg.0363","version":"1.1.30","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0364","package":"bench.pkg.0364","version":"1.1.31","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0365","package":"bench.pkg.0365","version":"1.1.32","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0366","package":"bench.pkg.0366","version":"1.1.33","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0367","package":"bench.pkg.0367","version":"1.1.34","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0368","package":"bench.pkg.0368","version":"1.1.35","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0369","package":"bench.pkg.0369","version":"1.1.36","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0370","package":"bench.pkg.0370","version":"1.1.0","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0371","package":"bench.pkg.0371","version":"1.1.1","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0372","package":"bench.pkg.0372","version":"1.1.2","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0373","package":"bench.pkg.0373","version":"1.1.3","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0374","package":"bench.pkg.0374","version":"1.1.4","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0375","package":"bench.pkg.0375","version":"1.1.5","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0376","package":"bench.pkg.0376","version":"1.1.6","decision":"deny","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0377","package":"bench.pkg.0377","version":"1.1.7","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0378","package":"bench.pkg.0378","version":"1.1.8","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0379","package":"bench.pkg.0379","version":"1.1.9","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0380","package":"bench.pkg.0380","version":"1.1.10","decision":"deny","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0381","package":"bench.pkg.0381","version":"1.1.11","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0382","package":"bench.pkg.0382","version":"1.1.12","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0383","package":"bench.pkg.0383","version":"1.1.13","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0384","package":"bench.pkg.0384","version":"1.1.14","decision":"deny","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0385","package":"bench.pkg.0385","version":"1.1.15","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0386","package":"bench.pkg.0386","version":"1.1.16","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0387","package":"bench.pkg.0387","version":"1.1.17","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0388","package":"bench.pkg.0388","version":"1.1.18","decision":"deny","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0389","package":"bench.pkg.0389","version":"1.1.19","decision":"allow","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0390","package":"bench.pkg.0390","version":"1.1.20","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0391","package":"bench.pkg.0391","version":"1.1.21","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0392","package":"bench.pkg.0392","version":"1.1.22","decision":"deny","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0393","package":"bench.pkg.0393","version":"1.1.23","decision":"allow","factors":{"reason":"delta-update","score":3.5}}
{"op":"upsert","policyId":"pol-0394","package":"bench.pkg.0394","version":"1.1.24","decision":"allow","factors":{"reason":"delta-update","score":3.9}}
{"op":"upsert","policyId":"pol-0395","package":"bench.pkg.0395","version":"1.1.25","decision":"allow","factors":{"reason":"delta-update","score":4.3}}
{"op":"upsert","policyId":"pol-0396","package":"bench.pkg.0396","version":"1.1.26","decision":"deny","factors":{"reason":"delta-update","score":4.7}}
{"op":"upsert","policyId":"pol-0397","package":"bench.pkg.0397","version":"1.1.27","decision":"allow","factors":{"reason":"delta-update","score":5.1}}
{"op":"upsert","policyId":"pol-0398","package":"bench.pkg.0398","version":"1.1.28","decision":"allow","factors":{"reason":"delta-update","score":5.5}}
{"op":"upsert","policyId":"pol-0399","package":"bench.pkg.0399","version":"1.1.29","decision":"allow","factors":{"reason":"delta-update","score":3.1}}
{"op":"upsert","policyId":"pol-0400","package":"bench.pkg.0400","version":"1.1.30","decision":"deny","factors":{"reason":"delta-update","score":3.5}}
{"op":"delete","policyId":"pol-0900","package":"bench.pkg.0900","version":"1.0.0"}
{"op":"delete","policyId":"pol-0901","package":"bench.pkg.0901","version":"1.0.1"}
{"op":"delete","policyId":"pol-0902","package":"bench.pkg.0902","version":"1.0.2"}
{"op":"delete","policyId":"pol-0903","package":"bench.pkg.0903","version":"1.0.3"}
{"op":"delete","policyId":"pol-0904","package":"bench.pkg.0904","version":"1.0.4"}
{"op":"delete","policyId":"pol-0905","package":"bench.pkg.0905","version":"1.0.5"}
{"op":"delete","policyId":"pol-0906","package":"bench.pkg.0906","version":"1.0.6"}
{"op":"delete","policyId":"pol-0907","package":"bench.pkg.0907","version":"1.0.7"}
{"op":"delete","policyId":"pol-0908","package":"bench.pkg.0908","version":"1.0.8"}
{"op":"delete","policyId":"pol-0909","package":"bench.pkg.0909","version":"1.0.9"}
{"op":"delete","policyId":"pol-0910","package":"bench.pkg.0910","version":"1.0.10"}
{"op":"delete","policyId":"pol-0911","package":"bench.pkg.0911","version":"1.0.11"}
{"op":"delete","policyId":"pol-0912","package":"bench.pkg.0912","version":"1.0.12"}
{"op":"delete","policyId":"pol-0913","package":"bench.pkg.0913","version":"1.0.13"}
{"op":"delete","policyId":"pol-0914","package":"bench.pkg.0914","version":"1.0.14"}
{"op":"delete","policyId":"pol-0915","package":"bench.pkg.0915","version":"1.0.15"}
{"op":"delete","policyId":"pol-0916","package":"bench.pkg.0916","version":"1.0.16"}
{"op":"delete","policyId":"pol-0917","package":"bench.pkg.0917","version":"1.0.17"}
{"op":"delete","policyId":"pol-0918","package":"bench.pkg.0918","version":"1.0.18"}
{"op":"delete","policyId":"pol-0919","package":"bench.pkg.0919","version":"1.0.19"}
{"op":"delete","policyId":"pol-0920","package":"bench.pkg.0920","version":"1.0.20"}
{"op":"delete","policyId":"pol-0921","package":"bench.pkg.0921","version":"1.0.21"}
{"op":"delete","policyId":"pol-0922","package":"bench.pkg.0922","version":"1.0.22"}
{"op":"delete","policyId":"pol-0923","package":"bench.pkg.0923","version":"1.0.23"}
{"op":"delete","policyId":"pol-0924","package":"bench.pkg.0924","version":"1.0.24"}
{"op":"delete","policyId":"pol-0925","package":"bench.pkg.0925","version":"1.0.25"}
{"op":"delete","policyId":"pol-0926","package":"bench.pkg.0926","version":"1.0.26"}
{"op":"delete","policyId":"pol-0927","package":"bench.pkg.0927","version":"1.0.27"}
{"op":"delete","policyId":"pol-0928","package":"bench.pkg.0928","version":"1.0.28"}
{"op":"delete","policyId":"pol-0929","package":"bench.pkg.0929","version":"1.0.29"}
{"op":"delete","policyId":"pol-0930","package":"bench.pkg.0930","version":"1.0.30"}
{"op":"delete","policyId":"pol-0931","package":"bench.pkg.0931","version":"1.0.31"}
{"op":"delete","policyId":"pol-0932","package":"bench.pkg.0932","version":"1.0.32"}
{"op":"delete","policyId":"pol-0933","package":"bench.pkg.0933","version":"1.0.33"}
{"op":"delete","policyId":"pol-0934","package":"bench.pkg.0934","version":"1.0.34"}
{"op":"delete","policyId":"pol-0935","package":"bench.pkg.0935","version":"1.0.35"}
{"op":"delete","policyId":"pol-0936","package":"bench.pkg.0936","version":"1.0.36"}
{"op":"delete","policyId":"pol-0937","package":"bench.pkg.0937","version":"1.0.37"}
{"op":"delete","policyId":"pol-0938","package":"bench.pkg.0938","version":"1.0.38"}
{"op":"delete","policyId":"pol-0939","package":"bench.pkg.0939","version":"1.0.39"}
{"op":"delete","policyId":"pol-0940","package":"bench.pkg.0940","version":"1.0.40"}
{"op":"delete","policyId":"pol-0941","package":"bench.pkg.0941","version":"1.0.41"}
{"op":"delete","policyId":"pol-0942","package":"bench.pkg.0942","version":"1.0.42"}
{"op":"delete","policyId":"pol-0943","package":"bench.pkg.0943","version":"1.0.43"}
{"op":"delete","policyId":"pol-0944","package":"bench.pkg.0944","version":"1.0.44"}
{"op":"delete","policyId":"pol-0945","package":"bench.pkg.0945","version":"1.0.45"}
{"op":"delete","policyId":"pol-0946","package":"bench.pkg.0946","version":"1.0.46"}
{"op":"delete","policyId":"pol-0947","package":"bench.pkg.0947","version":"1.0.47"}
{"op":"delete","policyId":"pol-0948","package":"bench.pkg.0948","version":"1.0.48"}
{"op":"delete","policyId":"pol-0949","package":"bench.pkg.0949","version":"1.0.49"}
{"op":"delete","policyId":"pol-0950","package":"bench.pkg.0950","version":"1.0.0"}
{"op":"delete","policyId":"pol-0951","package":"bench.pkg.0951","version":"1.0.1"}
{"op":"delete","policyId":"pol-0952","package":"bench.pkg.0952","version":"1.0.2"}
{"op":"delete","policyId":"pol-0953","package":"bench.pkg.0953","version":"1.0.3"}
{"op":"delete","policyId":"pol-0954","package":"bench.pkg.0954","version":"1.0.4"}
{"op":"delete","policyId":"pol-0955","package":"bench.pkg.0955","version":"1.0.5"}
{"op":"delete","policyId":"pol-0956","package":"bench.pkg.0956","version":"1.0.6"}
{"op":"delete","policyId":"pol-0957","package":"bench.pkg.0957","version":"1.0.7"}
{"op":"delete","policyId":"pol-0958","package":"bench.pkg.0958","version":"1.0.8"}
{"op":"delete","policyId":"pol-0959","package":"bench.pkg.0959","version":"1.0.9"}
{"op":"delete","policyId":"pol-0960","package":"bench.pkg.0960","version":"1.0.10"}
{"op":"delete","policyId":"pol-0961","package":"bench.pkg.0961","version":"1.0.11"}
{"op":"delete","policyId":"pol-0962","package":"bench.pkg.0962","version":"1.0.12"}
{"op":"delete","policyId":"pol-0963","package":"bench.pkg.0963","version":"1.0.13"}
{"op":"delete","policyId":"pol-0964","package":"bench.pkg.0964","version":"1.0.14"}
{"op":"delete","policyId":"pol-0965","package":"bench.pkg.0965","version":"1.0.15"}
{"op":"delete","policyId":"pol-0966","package":"bench.pkg.0966","version":"1.0.16"}
{"op":"delete","policyId":"pol-0967","package":"bench.pkg.0967","version":"1.0.17"}
{"op":"delete","policyId":"pol-0968","package":"bench.pkg.0968","version":"1.0.18"}
{"op":"delete","policyId":"pol-0969","package":"bench.pkg.0969","version":"1.0.19"}
{"op":"delete","policyId":"pol-0970","package":"bench.pkg.0970","version":"1.0.20"}
{"op":"delete","policyId":"pol-0971","package":"bench.pkg.0971","version":"1.0.21"}
{"op":"delete","policyId":"pol-0972","package":"bench.pkg.0972","version":"1.0.22"}
{"op":"delete","policyId":"pol-0973","package":"bench.pkg.0973","version":"1.0.23"}
{"op":"delete","policyId":"pol-0974","package":"bench.pkg.0974","version":"1.0.24"}
{"op":"delete","policyId":"pol-0975","package":"bench.pkg.0975","version":"1.0.25"}
{"op":"delete","policyId":"pol-0976","package":"bench.pkg.0976","version":"1.0.26"}
{"op":"delete","policyId":"pol-0977","package":"bench.pkg.0977","version":"1.0.27"}
{"op":"delete","policyId":"pol-0978","package":"bench.pkg.0978","version":"1.0.28"}
{"op":"delete","policyId":"pol-0979","package":"bench.pkg.0979","version":"1.0.29"}
{"op":"delete","policyId":"pol-0980","package":"bench.pkg.0980","version":"1.0.30"}
{"op":"delete","policyId":"pol-0981","package":"bench.pkg.0981","version":"1.0.31"}
{"op":"delete","policyId":"pol-0982","package":"bench.pkg.0982","version":"1.0.32"}
{"op":"delete","policyId":"pol-0983","package":"bench.pkg.0983","version":"1.0.33"}
{"op":"delete","policyId":"pol-0984","package":"bench.pkg.0984","version":"1.0.34"}
{"op":"delete","policyId":"pol-0985","package":"bench.pkg.0985","version":"1.0.35"}
{"op":"delete","policyId":"pol-0986","package":"bench.pkg.0986","version":"1.0.36"}
{"op":"delete","policyId":"pol-0987","package":"bench.pkg.0987","version":"1.0.37"}
{"op":"delete","policyId":"pol-0988","package":"bench.pkg.0988","version":"1.0.38"}
{"op":"delete","policyId":"pol-0989","package":"bench.pkg.0989","version":"1.0.39"}
{"op":"delete","policyId":"pol-0990","package":"bench.pkg.0990","version":"1.0.40"}
{"op":"delete","policyId":"pol-0991","package":"bench.pkg.0991","version":"1.0.41"}
{"op":"delete","policyId":"pol-0992","package":"bench.pkg.0992","version":"1.0.42"}
{"op":"delete","policyId":"pol-0993","package":"bench.pkg.0993","version":"1.0.43"}
{"op":"delete","policyId":"pol-0994","package":"bench.pkg.0994","version":"1.0.44"}
{"op":"delete","policyId":"pol-0995","package":"bench.pkg.0995","version":"1.0.45"}
{"op":"delete","policyId":"pol-0996","package":"bench.pkg.0996","version":"1.0.46"}
{"op":"delete","policyId":"pol-0997","package":"bench.pkg.0997","version":"1.0.47"}
{"op":"delete","policyId":"pol-0998","package":"bench.pkg.0998","version":"1.0.48"}
{"op":"delete","policyId":"pol-0999","package":"bench.pkg.0999","version":"1.0.49"}
{"op":"upsert","policyId":"pol-5001","package":"bench.pkg.5001","version":"1.0.1","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5002","package":"bench.pkg.5002","version":"1.0.2","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5003","package":"bench.pkg.5003","version":"1.0.3","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5004","package":"bench.pkg.5004","version":"1.0.4","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5005","package":"bench.pkg.5005","version":"1.0.5","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5006","package":"bench.pkg.5006","version":"1.0.6","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5007","package":"bench.pkg.5007","version":"1.0.7","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5008","package":"bench.pkg.5008","version":"1.0.8","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5009","package":"bench.pkg.5009","version":"1.0.9","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5010","package":"bench.pkg.5010","version":"1.0.10","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5011","package":"bench.pkg.5011","version":"1.0.11","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5012","package":"bench.pkg.5012","version":"1.0.12","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5013","package":"bench.pkg.5013","version":"1.0.13","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5014","package":"bench.pkg.5014","version":"1.0.14","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5015","package":"bench.pkg.5015","version":"1.0.15","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5016","package":"bench.pkg.5016","version":"1.0.16","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5017","package":"bench.pkg.5017","version":"1.0.17","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5018","package":"bench.pkg.5018","version":"1.0.18","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5019","package":"bench.pkg.5019","version":"1.0.19","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5020","package":"bench.pkg.5020","version":"1.0.20","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5021","package":"bench.pkg.5021","version":"1.0.21","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5022","package":"bench.pkg.5022","version":"1.0.22","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5023","package":"bench.pkg.5023","version":"1.0.23","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5024","package":"bench.pkg.5024","version":"1.0.24","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5025","package":"bench.pkg.5025","version":"1.0.25","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5026","package":"bench.pkg.5026","version":"1.0.26","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5027","package":"bench.pkg.5027","version":"1.0.27","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5028","package":"bench.pkg.5028","version":"1.0.28","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5029","package":"bench.pkg.5029","version":"1.0.29","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5030","package":"bench.pkg.5030","version":"1.0.30","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5031","package":"bench.pkg.5031","version":"1.0.31","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5032","package":"bench.pkg.5032","version":"1.0.32","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5033","package":"bench.pkg.5033","version":"1.0.33","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5034","package":"bench.pkg.5034","version":"1.0.34","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5035","package":"bench.pkg.5035","version":"1.0.35","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5036","package":"bench.pkg.5036","version":"1.0.36","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5037","package":"bench.pkg.5037","version":"1.0.37","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5038","package":"bench.pkg.5038","version":"1.0.38","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5039","package":"bench.pkg.5039","version":"1.0.39","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5040","package":"bench.pkg.5040","version":"1.0.40","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5041","package":"bench.pkg.5041","version":"1.0.41","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5042","package":"bench.pkg.5042","version":"1.0.42","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5043","package":"bench.pkg.5043","version":"1.0.43","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5044","package":"bench.pkg.5044","version":"1.0.44","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5045","package":"bench.pkg.5045","version":"1.0.45","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5046","package":"bench.pkg.5046","version":"1.0.46","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5047","package":"bench.pkg.5047","version":"1.0.47","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5048","package":"bench.pkg.5048","version":"1.0.48","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5049","package":"bench.pkg.5049","version":"1.0.49","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5050","package":"bench.pkg.5050","version":"1.0.0","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5051","package":"bench.pkg.5051","version":"1.0.1","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5052","package":"bench.pkg.5052","version":"1.0.2","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5053","package":"bench.pkg.5053","version":"1.0.3","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5054","package":"bench.pkg.5054","version":"1.0.4","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5055","package":"bench.pkg.5055","version":"1.0.5","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5056","package":"bench.pkg.5056","version":"1.0.6","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5057","package":"bench.pkg.5057","version":"1.0.7","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5058","package":"bench.pkg.5058","version":"1.0.8","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5059","package":"bench.pkg.5059","version":"1.0.9","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5060","package":"bench.pkg.5060","version":"1.0.10","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5061","package":"bench.pkg.5061","version":"1.0.11","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5062","package":"bench.pkg.5062","version":"1.0.12","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5063","package":"bench.pkg.5063","version":"1.0.13","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5064","package":"bench.pkg.5064","version":"1.0.14","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5065","package":"bench.pkg.5065","version":"1.0.15","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5066","package":"bench.pkg.5066","version":"1.0.16","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5067","package":"bench.pkg.5067","version":"1.0.17","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5068","package":"bench.pkg.5068","version":"1.0.18","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5069","package":"bench.pkg.5069","version":"1.0.19","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5070","package":"bench.pkg.5070","version":"1.0.20","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5071","package":"bench.pkg.5071","version":"1.0.21","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5072","package":"bench.pkg.5072","version":"1.0.22","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5073","package":"bench.pkg.5073","version":"1.0.23","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5074","package":"bench.pkg.5074","version":"1.0.24","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5075","package":"bench.pkg.5075","version":"1.0.25","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5076","package":"bench.pkg.5076","version":"1.0.26","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5077","package":"bench.pkg.5077","version":"1.0.27","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5078","package":"bench.pkg.5078","version":"1.0.28","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5079","package":"bench.pkg.5079","version":"1.0.29","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5080","package":"bench.pkg.5080","version":"1.0.30","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5081","package":"bench.pkg.5081","version":"1.0.31","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5082","package":"bench.pkg.5082","version":"1.0.32","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5083","package":"bench.pkg.5083","version":"1.0.33","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5084","package":"bench.pkg.5084","version":"1.0.34","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5085","package":"bench.pkg.5085","version":"1.0.35","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5086","package":"bench.pkg.5086","version":"1.0.36","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5087","package":"bench.pkg.5087","version":"1.0.37","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5088","package":"bench.pkg.5088","version":"1.0.38","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5089","package":"bench.pkg.5089","version":"1.0.39","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5090","package":"bench.pkg.5090","version":"1.0.40","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5091","package":"bench.pkg.5091","version":"1.0.41","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5092","package":"bench.pkg.5092","version":"1.0.42","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5093","package":"bench.pkg.5093","version":"1.0.43","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5094","package":"bench.pkg.5094","version":"1.0.44","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5095","package":"bench.pkg.5095","version":"1.0.45","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5096","package":"bench.pkg.5096","version":"1.0.46","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5097","package":"bench.pkg.5097","version":"1.0.47","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5098","package":"bench.pkg.5098","version":"1.0.48","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5099","package":"bench.pkg.5099","version":"1.0.49","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
{"op":"upsert","policyId":"pol-5100","package":"bench.pkg.5100","version":"1.0.0","decision":"allow","factors":{"reason":"delta-insert","score":2.75}}
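Review bot: every record in this fixture carries `"decision":"allow"` and the identical `factors` object (`"reason":"delta-insert"`, `"score":2.75`), so a replay over it exercises only the cheapest single path; mix in other decision values and scores, and at least one `op` other than `upsert`, so the delta benchmark measures realistic branching rather than one hot loop. Also worth stating in the fixture's description: `version` cycles back to `1.0.0` every 50 records (`pol-5049` is `1.0.49`, `pol-5050` is `1.0.0`, and again at `pol-5100`), which is fine for synthetic data but reads like a generator bug without a note.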

@@ -0,0 +1 @@
7f9d7f124830b9fe4d3f232b4cc7e2e728be2ef725e8a66606b9e95682bf6318 policy-delta-changes.ndjson
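Review bot: the separator between the digest and the filename is not verifiable from the rendered hunk; make sure the file uses the two-space `<digest>  <filename>` form that `sha256sum` emits, so `sha256sum -c policy-delta-changes.ndjson.sha256` consumes it unchanged. Since the filename is relative, the check has to run from the fixture's own directory (or with that directory as cwd), which the fixture docs should say.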

File diff suppressed because it is too large.

@@ -0,0 +1 @@
2eae348a6d122682eb24924e6340ca6213dfc896a3b3e7484e5e52967f65af1f callgraph-10k.ndjson

File diff suppressed because it is too large.

@@ -0,0 +1 @@
f30708cf68f3ade5b06dcbd8b5056aae9ff93f61cfe21843cbd9d2bf13413774 callgraph-50k.ndjson

File diff suppressed because it is too large.

@@ -0,0 +1 @@
39ca5e95f3b61afc657d104397106ed5d1ee1e7be2b31397b9c4ac24d1d2b903 runtime-10k.ndjson

File diff suppressed because it is too large.

@@ -0,0 +1 @@
5c0673d43fa3a1617de735e68d69f9a9b6db5634408c6a6e6bba764d36e3111b runtime-50k.ndjson
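Review bot: this hunk, like the sibling checksum hunks for `callgraph-10k.ndjson`, `callgraph-50k.ndjson` and `runtime-10k.ndjson`, pins a digest for a fixture whose own diff is suppressed here for size, but nothing in these hunks records how the fixture was produced (generator script, seed, record count). A digest alone only detects drift; add a short README or a comment line beside the `.sha256` files giving the generator command and seed so the digest can be regenerated and cross-checked rather than merely trusted.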