feat(scanner): Complete PoE implementation with Windows compatibility fix

- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs2/README.md

@@ -0,0 +1,38 @@
+# StellaOps docs2
+
+This directory is a cleaned, deduplicated documentation set rebuilt from the existing docs tree
+(excluding docs/implplan and docs/product-advisories). It keeps stable, product-level facts and
+removes old status notes, duplicated architecture snapshots, and dated implementation checklists.
+
+Assumptions baked into docs2
+- Runtime: .NET 10 (net10.0) for services and libraries
+- UI: Angular 17 for the console
+- Data: PostgreSQL as the only canonical database
+- Cache and queues: Valkey (Redis compatible)
+- Object storage: RustFS (S3 compatible)
+- Determinism and offline-first operation are non-negotiable
+
+How to navigate
+- product/overview.md - Vision, capabilities, and requirements
+- architecture/overview.md - System map and dependencies
+- architecture/workflows.md - Key data and control flows
+- architecture/evidence-and-trust.md - Evidence chain, DSSE, replay, AOC
+- architecture/reachability-vex.md - Reachability, VEX consensus, unknowns
+- modules/index.md - Module summaries (core and supporting)
+- operations/install-deploy.md - Install and deployment guidance
+- operations/airgap.md - Offline kit and air-gap operations
+- api/overview.md - API surface and conventions
+- api/auth-and-tokens.md - Authority, OpTok, DPoP and mTLS, PoE
+- cli-ui.md - CLI and console guide
+- data-and-schemas.md - Storage, schemas, and determinism rules
+- security-and-governance.md - Security policy, hardening, governance, compliance
+- testing-and-quality.md - Test strategy and quality gates
+- observability.md - Metrics, logs, tracing, telemetry stack
+- developer/onboarding.md - Local dev setup and workflows
+- developer/plugin-sdk.md - Plugin SDK summary
+- benchmarks.md - Benchmark program overview
+- glossary.md - Core terms
+
+Notes
+- Raw schemas, samples, and fixtures remain under docs/ and are referenced from docs2.
+- If you need a deep schema or fixture, follow the path in data-and-schemas.md.

docs2/api/auth-and-tokens.md

@@ -0,0 +1,43 @@
+# Auth and tokens
+
+## Authority (OIDC and OAuth2)
+- Issues short-lived OpTok access tokens.
+- Tokens are sender-constrained by DPoP or mTLS.
+- Audiences and scopes are enforced by each service.
+
+## Token types
+- OpTok: short-lived operational access token (minutes).
+- Offline token: signed token for air-gap use and local verification.
+- PoE: proof of entitlement enforced by Signer.
+
+## Claims (typical)
+- iss, sub, aud, exp, iat, nbf, jti, scope
+- tid (tenant), inst (installation), roles
+- cnf.jkt (DPoP) or cnf.x5t#S256 (mTLS)
+
+## Sender constraints
+- DPoP binds the access token to an ephemeral key (cnf.jkt).
+- mTLS binds the access token to a client certificate (cnf.x5t#S256).
+- High-value audiences should require a DPoP nonce challenge.
+
+## Proof of Entitlement (PoE)
+- PoE is enforced by Signer for signing operations.
+- OpTok proves who is calling; PoE proves entitlement.
+- Enrollment: License Token -> PoE, bound to installation key.
+
+## Recommended flows
+- Client credentials for services and automation.
+- Device code for CLI interactive login.
+- Authorization code with PKCE for UI logins.
+
+## Validation rules (resource servers)
+- Verify signature, issuer, audience, exp, nbf, and scope.
+- Enforce sender constraints (DPoP or mTLS).
+- Enforce tenant and installation boundaries.
+
+## Key rotation
+- JWKS exposes active and retired keys.
+- Keep old keys for the max token lifetime plus skew.
+
+## Introspection
+- Optional for services that require online token validation.

docs2/api/overview.md

@@ -0,0 +1,20 @@
+# API overview
+
+## Conventions
+- JSON payloads use camelCase and RFC 7807 for problem details.
+- Streaming endpoints support SSE or NDJSON.
+- Timestamps are UTC ISO 8601.
+
+## Major API groups
+- Scanner: scan submission, status, SBOM retrieval, diffs, reports.
+- Policy: policy import/export, validation, preview, and simulation.
+- Scheduler: schedules, runs, and impact selection.
+- Notify: rules, channels, deliveries, and test sends.
+- VEX and consensus: consensus evaluation and exports.
+- Signals: reachability, runtime facts, unknowns.
+- Export Center: export runs and offline bundles.
+- Authority: token issuance and administrative endpoints.
+
+## Contracts and schemas
+- OpenAPI specs live under docs/api/.
+- JSON schemas live under docs/schemas/ and docs/contracts/.

docs2/architecture/evidence-and-trust.md

@@ -0,0 +1,54 @@
+# Evidence and trust model
+
+## Determinism rules
+- Content-address all artifacts by digest.
+- Canonicalize JSON and sort arrays deterministically.
+- Use UTC timestamps only.
+- Do not use wall-clock or RNG in decision paths.
+- Pin inputs: analyzer versions, policy hash, advisory and VEX snapshots.
+
+## Evidence categories
+- Inputs: SBOMs, advisories, VEX statements, provenance, runtime facts.
+- Transforms: normalization outputs, linksets, reachability graphs.
+- Decisions: verdicts, explain traces, derived VEX.
+- Audit: token issuance, policy changes, signing events.
+
+## Decision Capsules
+A Decision Capsule is the minimal audit bundle for a decision. It includes:
+- The exact SBOM (inventory and usage views)
+- Advisory and VEX snapshot identifiers
+- Reachability evidence and unknowns metadata
+- Policy version and policy hash
+- Decision trace and derived VEX
+- DSSE envelopes and optional Rekor proofs
+
+## Attestation chain
+- in-toto statements wrapped in DSSE envelopes.
+- Signer produces DSSE; Attestor logs and verifies in Rekor when enabled.
+- Offline kits include cached proofs for air-gapped verification.
+
+## Aggregation-Only Contract (AOC)
+- Ingestion services store raw facts only.
+- No derived severity, consensus, or policy hints at ingest time.
+- All derived findings are produced by the Policy Engine.
+- Idempotent writes use content hash and supersedes chains.
+- Append-only revisions preserve upstream provenance and conflicts.
+
+## Content-addressed storage
+- RustFS stores SBOM fragments, reports, reachability graphs, and evidence bundles.
+- Replay bundles store inputs and outputs with deterministic ordering.
+
+## Replay bundles (typical layout)
+- manifest.json and manifest.dsse.json
+- input bundle with feeds, policy, and tool manifests
+- output bundle with SBOMs, findings, VEX, and logs
+
+## Verification steps (offline or online)
+1) Verify DSSE envelope signature against trusted keys.
+2) Recompute payload hash and compare to manifest digest.
+3) Verify Rekor proof when available or against offline checkpoints.
+4) Ensure all referenced CAS objects are present and hashed.
+
+## Retention
+- Evidence retention is configurable, but must preserve decision reproducibility
+  for the required audit window.

docs2/architecture/overview.md

@@ -0,0 +1,38 @@
+# Architecture overview
+
+## System boundary
+- Self-hosted by default with optional licensing validation.
+- Offline-first, with all critical verification paths available without network access.
+
+## Core infrastructure
+- PostgreSQL: the only canonical database, with schema isolation per module.
+- Valkey: cache, queues, and streams (Redis compatible).
+- RustFS: object storage for content-addressed artifacts.
+- Optional: NATS JetStream as an alternative queue and stream transport.
+
+## External dependencies
+- OCI registry with referrers for SBOM and attestation discovery.
+- Fulcio or KMS-backed signing (optional, depending on crypto profile).
+- Rekor (optional) for transparency log anchoring.
+
+## Core services (high level)
+- Authority: OIDC and OAuth2 token issuance, DPoP and mTLS sender constraints.
+- Signer: DSSE signing with entitlement checks and scanner integrity verification.
+- Attestor: transparency logging and attestation verification.
+- Scanner (Web + Worker): SBOM generation, analyzers, inventory and usage views, diffs.
+- Concelier: advisory ingest under the Aggregation-Only Contract (AOC).
+- Excititor: VEX ingest under AOC with consensus and evidence preservation.
+- Policy Engine: deterministic policy evaluation with explain traces.
+- Scheduler: impact selection and analysis-only re-evaluation.
+- Notify: rules, channels, and delivery workflows.
+- Export Center: deterministic exports and offline bundles.
+- UI and CLI: operator and automation surfaces.
+- Zastava: runtime observer and optional admission enforcement.
+- Advisory AI: evidence-based guidance with guardrails.
+- Orchestrator: job DAGs and pack runs.
+
+## Trust boundaries
+- Authority issues short-lived OpTok tokens with sender constraints (DPoP or mTLS).
+- Signer enforces Proof of Entitlement (PoE) and scanner image integrity before signing.
+- Only Signer produces DSSE; only Attestor writes to Rekor.
+- All evidence is content-addressed and immutable once written.

docs2/architecture/reachability-vex.md

@@ -0,0 +1,25 @@
+# Reachability and VEX
+
+## Reachability evidence
+- Static call graphs are produced by Scanner analyzers.
+- Runtime traces are collected by Zastava when enabled.
+- Union bundles combine static and runtime evidence for scoring and replay.
+
+## Hybrid reachability attestations
+- Graph-level DSSE is required for every reachability graph.
+- Optional edge-bundle DSSE captures contested or runtime edges.
+- Rekor publishing can be tiered; offline kits cache proofs when available.
+
+## Reachability scoring (Signals)
+- Bucket model: entrypoint, direct, runtime, unknown, unreachable.
+- Default weights: entrypoint 1.0, direct 0.85, runtime 0.45, unknown 0.5, unreachable 0.0.
+- Unknowns pressure reduces the final score to avoid false safety.
+
+## VEX consensus
+- Excititor ingests and normalizes VEX statements (OpenVEX, CSAF VEX).
+- Policy Engine merges evidence using lattice logic with explicit Unknown handling.
+- Decisions include evidence refs and can be exported as downstream VEX.
+
+## Unknowns registry
+- Unknowns are first-class objects with scoring, SLA bands, and evidence links.
+- Unknowns are stored with deterministic ordering and exported for offline review.

docs2/architecture/workflows.md

@@ -0,0 +1,36 @@
+# Architecture workflows
+
+## Advisory and VEX ingestion (AOC)
+1) Concelier and Excititor fetch upstream documents.
+2) AOC guards validate provenance and append-only rules.
+3) Raw facts are stored in PostgreSQL without derived severity.
+4) Deterministic exports are produced for downstream policy evaluation.
+
+## Scan and report
+1) CLI or API submits an image digest or SBOM.
+2) Scanner Worker analyzes layers and produces SBOM fragments.
+3) Scanner Web composes inventory and usage SBOMs and runs diffs.
+4) Policy Engine evaluates findings against advisories and VEX evidence.
+5) Signer produces DSSE bundles; Attestor logs to Rekor when enabled.
+
+## Reachability and unknowns
+1) Scanner produces static call graphs.
+2) Zastava produces runtime facts when enabled.
+3) Signals computes reachability scores and unknowns pressure.
+4) Policy Engine incorporates reachability evidence into VEX decisions.
+
+## Scheduler re-evaluation
+1) Concelier and Excititor emit delta events.
+2) Scheduler identifies impacted images using BOM index metadata.
+3) Scanner Web runs analysis-only reports against existing SBOMs.
+4) Notify emits delta notifications to operators.
+
+## Notifications
+1) Scanner and Scheduler publish events to Valkey streams.
+2) Notify Web applies routing rules and templates.
+3) Notify Worker delivers to Slack, Teams, email, or webhooks.
+
+## Export and offline bundles
+1) Export Center creates deterministic export bundles (JSON, Trivy DB, mirror layouts).
+2) Offline kits package feeds, images, analyzers, and manifests for air-gapped sites.
+3) CLI verifies signatures and imports bundles atomically.

docs2/benchmarks.md

@@ -0,0 +1,12 @@
+# Benchmarks and performance
+
+## Purpose
+- Validate accuracy, performance, and determinism claims.
+- Detect regressions across analyzers and policy logic.
+- Provide reproducible comparisons against external tools.
+
+## Core areas
+- Scanner performance (cold and warm paths).
+- Reachability accuracy using ground-truth corpora.
+- Determinism and replay verification.
+- Competitive parity for key ecosystems.

docs2/cli-ui.md

@@ -0,0 +1,12 @@
+# CLI and UI
+
+## CLI
+- stella: scan, diff, and export for CI workflows.
+- stellaops-cli: admin tooling for offline kits, policy, replay, and verification.
+- CLI never signs directly; it calls Signer and Attestor through APIs.
+- Typical verbs: scan, diff, export, policy, replay, graph verify, offline kit import.
+
+## UI (Console)
+- Angular 17 single page app for scans, policy, VEX, notifications, and audits.
+- Offline friendly with no external CDN dependencies.
+- Provides offline kit import, policy editing, and evidence exploration.

docs2/data-and-schemas.md

@@ -0,0 +1,40 @@
+# Data and schemas
+
+## Storage layers
+- PostgreSQL: canonical store with schema isolation per module.
+- Valkey: cache, queues, and event streams.
+- RustFS: content-addressed object storage for artifacts and evidence bundles.
+
+## Deterministic data rules
+- Use canonical JSON and stable ordering.
+- All timestamps are UTC ISO 8601.
+- Arrays are sorted by deterministic keys where defined.
+
+## Schema ownership
+- Each module owns its PostgreSQL schema and migrations.
+- Cross-schema reads are explicit and minimized.
+
+## Typical schemas
+- auth: Authority
+- vuln: Concelier advisories
+- vex: Excititor VEX statements
+- policy: policy packs, unknowns, decisions
+- scanner: scan manifests, SBOM metadata, reachability
+- scheduler: schedules, runs, impact snapshots
+- notify: rules, channels, deliveries
+
+## Content-addressed layouts (example)
+- layers/<sha256>/sbom.cdx.json.zst
+- images/<digest>/inventory.cdx.pb
+- indexes/<digest>/bom-index.bin
+- attest/<sha256>.dsse.json
+
+## Aggregation-Only Contract (AOC)
+- advisory_raw and vex_raw are append-only and immutable.
+- Idempotency uses content hash and supersedes chains.
+- Derived findings are produced only by the Policy Engine.
+
+## Schema catalogs
+- docs/schemas: JSON schemas and OpenAPI fragments.
+- docs/contracts: protocol and contract definitions.
+- docs/db: schema specs and migration rules.

docs2/developer/onboarding.md

@@ -0,0 +1,15 @@
+# Developer onboarding (summary)
+
+## Prerequisites
+- .NET 10 SDK
+- Node and npm for UI development
+- Docker for local infrastructure
+
+## Local stack
+- PostgreSQL, Valkey, and RustFS are required.
+- Services use layered configuration (env, appsettings, YAML).
+
+## Common workflows
+- Run the stack with compose or Helm profiles.
+- Debug a single service by running it locally and pointing others to localhost.
+- Use deterministic fixtures for replay and policy validation.

docs2/developer/plugin-sdk.md

@@ -0,0 +1,16 @@
+# Plugin SDK (summary)
+
+## Core rules
+- Plugins are restart-time load only; no hot reload.
+- All plugins must declare a version attribute.
+- Sign plugins and enforce signature verification in production.
+
+## Dependency injection
+- Use service binding attributes or a DI routine to register services.
+
+## Templates
+- Use the official templates to scaffold connectors, jobs, or analyzers.
+
+## Publishing
+- Build, sign, and package the plugin artifacts.
+- Copy into the plugin binaries directory for discovery.

docs2/glossary.md

@@ -0,0 +1,37 @@
+# Glossary
+
+AOC
+- Aggregation-Only Contract. Ingestion stores raw facts without derived verdicts.
+
+CAS
+- Content-addressed storage. Artifacts are addressed by digest.
+
+Decision Capsule
+- Signed bundle of inputs, outputs, and evidence for a decision.
+
+DPoP
+- Proof of possession for sender-constrained tokens.
+
+DSSE
+- Dead Simple Signing Envelope. Binds payload and type.
+
+OpTok
+- Short-lived operational token issued by Authority.
+
+PoE
+- Proof of Entitlement used by Signer to enforce licensing.
+
+Reachability
+- Evidence of whether vulnerable code is reachable from entrypoints.
+
+Rekor
+- Transparency log for signed artifacts.
+
+SBOM
+- Software Bill of Materials.
+
+VEX
+- Vulnerability Exploitability eXchange.
+
+Unknowns
+- Explicit records for missing or ambiguous evidence.

docs2/modules/index.md

@@ -0,0 +1,151 @@
+# Modules
+
+## Core services
+
+Authority
+- Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
+- Inputs: client credentials, device code, or auth code.
+- Outputs: JWT access tokens with tenant, audience, and scope claims.
+- Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.
+
+Signer
+- Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
+- Inputs: signing requests from trusted services and PoE proof.
+- Outputs: DSSE bundles for SBOMs, reports, and exports.
+- Storage: audit logs only; keys live in KMS or keyless providers.
+
+Attestor
+- Purpose: log DSSE bundles to Rekor and provide verification APIs.
+- Inputs: DSSE bundles from Signer or Scanner.
+- Outputs: Rekor entries and proofs, verification results.
+- Storage: PostgreSQL for receipts and indexes.
+
+Scanner (Web + Worker)
+- Purpose: deterministic SBOM generation, inventory and usage views, diffs.
+- Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
+- Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
+- Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.
+
+Concelier
+- Purpose: ingest and normalize advisory sources under AOC.
+- Inputs: vendor and ecosystem advisory feeds.
+- Outputs: raw advisory facts, linksets, deterministic exports.
+- Storage: PostgreSQL (vuln schema).
+
+Excititor
+- Purpose: ingest VEX statements under AOC and preserve conflicts.
+- Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
+- Outputs: normalized VEX observations and consensus views.
+- Storage: PostgreSQL (vex schema).
+
+Policy Engine
+- Purpose: deterministic policy evaluation with explain traces and unknowns.
+- Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
+- Outputs: verdicts, effective findings, decision traces, derived VEX.
+- Storage: PostgreSQL (policy schema).
+
+Scheduler
+- Purpose: impact selection and analysis-only re-evaluation.
+- Inputs: advisory and VEX deltas, BOM index metadata.
+- Outputs: rescan jobs and delta events.
+- Storage: PostgreSQL (scheduler schema), Valkey for queues.
+
+Notify
+- Purpose: route events to channels with rules and templates.
+- Inputs: scan and scheduler events.
+- Outputs: deliveries to Slack, Teams, email, webhooks.
+- Storage: PostgreSQL (notify schema), Valkey for queues.
+
+Export Center
+- Purpose: deterministic export bundles and offline mirror layouts.
+- Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
+- Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
+- Storage: RustFS and PostgreSQL.
+
+CLI
+- Purpose: automation and verification for scanning, export, and replay.
+- Inputs: user commands and offline bundles.
+- Outputs: API calls, local verification reports.
+
+UI and Console
+- Purpose: operator console for scans, policy, VEX, and notifications.
+- Inputs: API responses, SSE streams.
+- Outputs: operational workflows and audit views.
+
+Advisory AI
+- Purpose: evidence-grounded analysis with guardrails.
+- Inputs: SBOM and evidence bundles.
+- Outputs: structured findings and guidance artifacts.
+
+Orchestrator
+- Purpose: job DAGs and pack runs for automation.
+- Inputs: job definitions and run requests.
+- Outputs: run status, job artifacts.
+- Storage: PostgreSQL (orchestrator schema).
+
+Registry Token Service
+- Purpose: issue tokens for internal registry and scoped pulls.
+- Inputs: client credentials.
+- Outputs: short-lived registry tokens.
+
+Graph Explorer
+- Purpose: graph indexing and exploration for evidence and relationships.
+- Inputs: graph snapshots and overlays.
+- Outputs: graph queries and exports.
+
+VEX Lens
+- Purpose: reproducible consensus views over VEX statements.
+- Inputs: normalized VEX observations and trust weights.
+- Outputs: consensus status and evidence refs.
+
+Vulnerability Explorer
+- Purpose: triage workflows and evidence ledger views.
+- Inputs: effective findings and Decision Capsules.
+- Outputs: triage actions and audit records.
+
+Telemetry Stack
+- Purpose: metrics, logs, traces, and dashboards.
+- Inputs: service telemetry and audit events.
+- Outputs: dashboards and alerts.
+
+DevOps and Release
+- Purpose: release trains, signing, and distribution workflows.
+- Inputs: build artifacts and manifests.
+- Outputs: signed releases and offline kit bundles.
+
+Platform
+- Purpose: cross-cutting determinism, offline, and identity rules.
+
+CI Recipes
+- Purpose: deterministic CI templates and guardrails.
+
+Zastava
+- Purpose: runtime observer and optional admission enforcement.
+- Inputs: runtime facts and policy verdicts.
+- Outputs: runtime events and admission decisions.
+
+## Supporting and adjacent modules
+
+Issuer Directory
+- Trust registry for VEX issuers and keys.
+
+VexHub
+- Aggregation and distribution of VEX statements for downstream consumers.
+
+SBOM Service
+- Deterministic SBOM projections and lineage ledger.
+
+Signals
+- Reachability scoring, unknowns registry, and signal APIs.
+
+TaskRunner
+- Deterministic task pack execution with approvals and evidence capture.
+
+BinaryIndex
+- Binary identity mapping for patch-aware and backport-aware matching.
+
+Benchmark
+- Benchmark harness and ground-truth corpus management.
+
+Gateway and Router (optional)
+- Edge routing and transport abstraction for deployments that require a shared ingress.

docs2/observability.md

@@ -0,0 +1,14 @@
+# Observability
+
+## Telemetry signals
+- Metrics for scan latency, cache hit rate, policy evaluation time, queue depth.
+- Logs are structured and include correlation IDs.
+- Traces connect Scanner, Policy, Scheduler, and Notify workflows.
+
+## Audit trails
+- Signing and policy actions are recorded for compliance.
+- Tenant and actor metadata is included in audit records.
+
+## Telemetry stack
+- Telemetry module provides collectors, dashboards, and alert rules.
+- Offline bundles include telemetry assets for air-gapped installs.

docs2/operations/airgap.md

@@ -0,0 +1,34 @@
+# Air-gap and offline kit
+
+## Offline Kit contents (typical)
+- Signed advisory and VEX feeds
+- Container images for core services
+- Analyzer plugins and manifests
+- Debug symbol store for deterministic diagnostics
+- Telemetry collector bundle
+- Task packs and operator docs
+- Signed manifests and checksums
+
+## Verify and import
+- Verify the kit tarball signature before import.
+- Verify the manifest signature and checksum list.
+- Import is atomic and retains the previous feed set until validation passes.
+
+## Delta updates
+- Daily deltas apply only changed artifacts.
+- Full kits are used as reset baselines when needed.
+- Deltas must reference a known baseline manifest digest.
+
+## Sealed mode and time anchors
+- Sealed mode forbids external egress by default.
+- Time anchors and staleness budgets keep offline verification deterministic.
+- Air-gap installs should pin trusted roots and time anchor bundles.
+
+## AOC and raw-data verification
+- Run AOC verify checks against advisory_raw and vex_raw collections.
+- Reject any raw data that violates provenance or append-only rules.
+
+## Offline verification
+- DSSE envelopes and cached transparency proofs enable local verification.
+- Reachability and replay bundles can be verified without network access.
+- Keep analyzer manifests and policy hashes with the replay bundle.

docs2/operations/install-deploy.md

@@ -0,0 +1,32 @@
+# Install and deploy
+
+## Prerequisites (baseline)
+- Linux host with sufficient CPU, memory, and disk for SBOM and artifact storage.
+- Docker Compose or Kubernetes (Helm) for deployment.
+- TLS termination for external access.
+
+## Required infrastructure
+- PostgreSQL (single cluster, schema isolation per module).
+- Valkey for cache, queues, and streams.
+- RustFS for content-addressed artifacts.
+
+## Optional infrastructure
+- Rekor mirror for transparency log anchoring.
+- Fulcio or KMS-backed signing provider.
+- NATS JetStream as an alternative queue and stream transport.
+
+## Deployment models
+- Compose profiles for single-node and lab environments.
+- Helm charts for multi-node and HA deployments.
+- Air-gap deployment via Offline Kit (see operations/airgap.md).
+
+## Configuration hierarchy
+1) Environment variables
+2) appsettings.{Environment}.json
+3) appsettings.json
+4) YAML overlays under etc/
+
+## Operational baselines
+- Enforce non-root containers and read-only filesystems where possible.
+- Use digest-pinned images for releases.
+- Keep clocks synchronized and use UTC everywhere.

docs2/product/overview.md

@@ -0,0 +1,56 @@
+# Product overview
+
+## Problem and promise
+StellaOps is a deterministic, evidence-linked container security platform that works the same
+online or fully air-gapped. It focuses on reproducible decisions, explainable evidence, and
+offline-first operations rather than opaque SaaS judgments.
+
+## Core capabilities
+1) Decision Capsules
+- Every decision is packaged as a content-addressed bundle with the exact SBOM, feed snapshots,
+  reachability evidence, policy version, derived VEX, and signatures.
+
+2) Deterministic replay
+- Scans are reproducible using pinned inputs and snapshots. The same inputs yield the same outputs.
+
+3) Evidence-linked policy (lattice VEX)
+- Policy decisions merge SBOM, advisories, VEX, and waivers through deterministic logic with
+  explicit Unknown handling and explainable traces.
+
+4) Hybrid reachability
+- Static call graphs and runtime traces are combined; the resulting reachability evidence is
+  attestable and replayable.
+
+5) Sovereign and offline operation
+- Offline kits, mirrored feeds, and bring-your-own trust roots enable regulated or air-gapped use.
+
+## Capability clusters (what ships)
+- SBOM-first scanning with delta reuse and inventory vs usage views
+- Explainable policy and VEX-first decisioning with unknowns surfaced
+- Attestation and transparency via DSSE and optional Rekor
+- Offline operations with signed kits and local verification
+- Governance and observability with audit trails and quotas
+
+## Standards and interoperability
+- SBOM: CycloneDX 1.7 (CycloneDX 1.6 accepted for ingest), SPDX 3.0.1 for relationships
+- VEX: OpenVEX and CSAF VEX, CycloneDX VEX where applicable
+- Attestations: in-toto statements in DSSE envelopes
+- Transparency: Rekor (optional, mirror supported)
+- Findings interchange: SARIF optional for tooling compatibility
+
+## Target users
+- Security engineering: explainable, replayable decisions with verifiable evidence
+- Platform and SRE: deterministic scanning that works offline
+- Compliance and audit: signed evidence bundles and traceable policy decisions
+
+## Non-goals
+- Not a new package manager
+- Not a hosted-only scanner or closed pipeline
+- No hidden trust in external services for core verification
+
+## Requirements snapshot
+- Deterministic outputs, stable ordering, and UTC timestamps
+- Offline-first operation with mirrored feeds and local verification
+- Policy decisions always explainable and evidence-linked
+- Short-lived credentials and least-privilege design
+- Baseline deployment uses Linux, Docker or Kubernetes, and local storage

docs2/security-and-governance.md

@@ -0,0 +1,22 @@
+# Security and governance
+
+## Security policy
+- Coordinated disclosure with a defined SLA and published keys.
+- Security fixes are prioritized for supported release lines.
+
+## Hardening guidance
+- Non-root containers and read-only filesystems.
+- TLS for all external traffic, optional mTLS internally.
+- DPoP or mTLS sender constraints for tokens.
+- Signed artifacts and verified plugin signatures.
+- No mandatory outbound traffic for core verification paths.
+
+## Governance
+- Lazy consensus with maintainer review for non-trivial changes.
+- Explicit security review for sensitive changes.
+- Contribution rules and code of conduct apply to all repos.
+
+## Compliance and evidence
+- Evidence is content-addressed, signed, and replayable.
+- Audit packages include decision traces, inputs, and signatures.
+- Unknowns are preserved and surfaced, not hidden.

docs2/testing-and-quality.md

@@ -0,0 +1,19 @@
+# Testing and quality
+
+## Principles
+- Determinism is a contract: identical inputs must yield identical outputs.
+- Offline-first: tests should pass without network access.
+- Evidence-first: assertions cover evidence chains, not only verdicts.
+
+## Test layers
+- Unit and property tests for core libraries.
+- Integration tests with PostgreSQL and Valkey.
+- Contract tests for OpenAPI and schemas.
+- End-to-end tests for scan, policy, and offline workflows.
+- Replay verification against golden corpora.
+
+## Quality gates
+- Determinism checks on replay outputs.
+- Interop checks against external tooling formats.
+- Offline E2E runs as a release gate.
+- Policy and schema validation in CI.

docs2/topic-map.md

@@ -0,0 +1,75 @@
+# Topic map (docs to docs2)
+
+This map shows the source areas reviewed to build docs2. It lists directories and anchor docs
+rather than every single file.
+
+Product and positioning
+- Sources: docs/README.md, docs/overview.md, docs/key-features.md, docs/03_VISION.md,
+  docs/04_FEATURE_MATRIX.md, docs/05_SYSTEM_REQUIREMENTS_SPEC.md, docs/05_ROADMAP.md
+- Docs2: product/overview.md
+
+Architecture and system model
+- Sources: docs/07_HIGH_LEVEL_ARCHITECTURE.md, docs/high-level-architecture.md,
+  docs/ARCHITECTURE_DETAILED.md, docs/40_ARCHITECTURE_OVERVIEW.md,
+  docs/modules/platform/architecture-overview.md, docs/modules/*/architecture.md
+- Docs2: architecture/overview.md, architecture/workflows.md, modules/index.md
+
+Evidence and determinism
+- Sources: docs/replay/*, docs/contracts/*, docs/ingestion/*, docs/data/*,
+  docs/11_DATA_SCHEMAS.md, docs/ARCHITECTURE_DETAILED.md
+- Docs2: architecture/evidence-and-trust.md, data-and-schemas.md
+
+Reachability, VEX, unknowns
+- Sources: docs/reachability/*, docs/vex/*, docs/signals/*, docs/modules/signals/*,
+  docs/modules/vex-lens/architecture.md, docs/modules/vexlens/architecture.md
+- Docs2: architecture/reachability-vex.md
+
+Modules and services
+- Sources: docs/modules/* (architecture, README, operations, runbooks)
+- Docs2: modules/index.md
+
+Operations and deployment
+- Sources: docs/21_INSTALL_GUIDE.md, docs/deploy/*, docs/install/*,
+  docs/operations/*, docs/runbooks/*
+- Docs2: operations/install-deploy.md
+
+Air-gap and offline kit
+- Sources: docs/24_OFFLINE_KIT.md, docs/10_OFFLINE_KIT.md, docs/airgap/*
+- Docs2: operations/airgap.md
+
+API and contracts
+- Sources: docs/09_API_CLI_REFERENCE.md, docs/api/*, docs/schemas/*,
+  docs/contracts/*
+- Docs2: api/overview.md, api/auth-and-tokens.md, data-and-schemas.md
+
+Security, governance, compliance
+- Sources: docs/13_SECURITY_POLICY.md, docs/17_SECURITY_HARDENING_GUIDE.md,
+  docs/11_GOVERNANCE.md, docs/12_CODE_OF_CONDUCT.md, docs/28_LEGAL_COMPLIANCE.md,
+  docs/29_LEGAL_FAQ_QUOTA.md, docs/33_333_QUOTA_OVERVIEW.md
+- Docs2: security-and-governance.md
+
+CLI and UI
+- Sources: docs/15_UI_GUIDE.md, docs/cli/*, docs/ui/*, docs/console/*
+- Docs2: cli-ui.md
+
+Developer and contribution
+- Sources: docs/DEVELOPER_ONBOARDING.md, docs/10_PLUGIN_SDK_GUIDE.md,
+  docs/18_CODING_STANDARDS.md, docs/contributing/*
+- Docs2: developer/onboarding.md, developer/plugin-sdk.md
+
+Testing and quality
+- Sources: docs/19_TEST_SUITE_OVERVIEW.md, docs/testing/*
+- Docs2: testing-and-quality.md
+
+Observability and telemetry
+- Sources: docs/metrics/*, docs/observability/*, docs/modules/telemetry/*,
+  docs/technical/observability/*
+- Docs2: observability.md
+
+Benchmarks and performance
+- Sources: docs/benchmarks/*, docs/12_PERFORMANCE_WORKBOOK.md
+- Docs2: benchmarks.md
+
+Glossary
+- Sources: docs/14_GLOSSARY_OF_TERMS.md
+- Docs2: glossary.md