test

Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages
2025-12-22 09:56:20 +02:00 · 2025-12-22 09:50:17 +02:00 · 2025-12-22 09:50:12 +02:00 · 2025-12-22 09:49:53 +02:00 · 2025-12-22 08:00:47 +02:00 · 2025-12-22 08:00:44 +02:00
7493 changed files with 1272528 additions and 879439 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -25,7 +25,10 @@
      "Bash(timeout /t)",
      "Bash(dotnet clean:*)",
      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\")",
-      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")"
+      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")",
+      "Bash(rm:*)",
+      "Bash(if not exist \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\" mkdir \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\")",
+      "Bash(del \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\SPRINT_0510_0001_0001_airgap.md\")"
    ],
    "deny": [],
    "ask": []
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "dotnet-stryker": {
+      "version": "4.4.0",
+      "commands": [
+        "stryker"
+      ]
+    }
+  }
+}
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,23 @@
+.git
+.gitignore
+.gitea
+.venv
+bin
+obj
+**/bin
+**/obj
+local-nugets
+.nuget
+**/node_modules
+**/dist
+**/coverage
+**/*.user
+**/*.suo
+**/*.cache
+**/.vscode
+**/.idea
+**/.DS_Store
+**/TestResults
+**/out
+**/packages
+/tmp
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,5 @@
 # Ensure analyzer fixture assets keep LF endings for deterministic hashes
 src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/** text eol=lf
+
+# Ensure reachability sample assets keep LF endings for deterministic hashes
+tests/reachability/samples-public/** text eol=lf
--- a/.gitea/workflows/advisory-ai-release.yml
+++ b/.gitea/workflows/advisory-ai-release.yml
@@ -0,0 +1,70 @@
+name: Advisory AI Feed Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      allow_dev_key:
+        description: 'Allow dev key for testing (1=yes)'
+        required: false
+        default: '0'
+  push:
+    branches: [main]
+    paths:
+      - 'src/AdvisoryAI/feeds/**'
+      - 'docs/samples/advisory-feeds/**'
+
+jobs:
+  package-feeds:
+    runs-on: ubuntu-22.04
+    env:
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.6.0'
+
+      - name: Fallback to dev key when secret is absent
+        run: |
+          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
+            echo "[warn] COSIGN_PRIVATE_KEY_B64 not set; using dev key for non-production"
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+          # Manual override
+          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+
+      - name: Package advisory feeds
+        run: |
+          chmod +x ops/deployment/advisory-ai/package-advisory-feeds.sh
+          ops/deployment/advisory-ai/package-advisory-feeds.sh
+
+      - name: Generate SBOM
+        run: |
+          # Install syft
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
+
+          # Generate SBOM for feed bundle
+          syft dir:out/advisory-ai/feeds/stage \
+            -o spdx-json=out/advisory-ai/feeds/advisory-feeds.sbom.json \
+            --name advisory-feeds
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: advisory-feeds-${{ github.run_number }}
+          path: |
+            out/advisory-ai/feeds/advisory-feeds.tar.gz
+            out/advisory-ai/feeds/advisory-feeds.manifest.json
+            out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json
+            out/advisory-ai/feeds/advisory-feeds.sbom.json
+            out/advisory-ai/feeds/provenance.json
+          if-no-files-found: warn
+          retention-days: 30
--- a/.gitea/workflows/aoc-backfill-release.yml
+++ b/.gitea/workflows/aoc-backfill-release.yml
@@ -0,0 +1,83 @@
+name: AOC Backfill Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      dataset_hash:
+        description: 'Dataset hash from dev rehearsal (leave empty for dev mode)'
+        required: false
+        default: ''
+      allow_dev_key:
+        description: 'Allow dev key for testing (1=yes)'
+        required: false
+        default: '0'
+
+jobs:
+  package-backfill:
+    runs-on: ubuntu-22.04
+    env:
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.6.0'
+
+      - name: Restore AOC CLI
+        run: dotnet restore src/Aoc/StellaOps.Aoc.Cli/StellaOps.Aoc.Cli.csproj
+
+      - name: Configure signing
+        run: |
+          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
+            echo "[info] No production key; using dev key"
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+
+      - name: Package AOC backfill release
+        run: |
+          chmod +x ops/devops/aoc/package-backfill-release.sh
+          DATASET_HASH="${{ github.event.inputs.dataset_hash }}" \
+            ops/devops/aoc/package-backfill-release.sh
+        env:
+          DATASET_HASH: ${{ github.event.inputs.dataset_hash }}
+
+      - name: Generate SBOM with syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
+          syft dir:out/aoc/cli \
+            -o spdx-json=out/aoc/aoc-backfill-runner.sbom.json \
+            --name aoc-backfill-runner || true
+
+      - name: Verify checksums
+        run: |
+          cd out/aoc
+          sha256sum -c SHA256SUMS
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: aoc-backfill-release-${{ github.run_number }}
+          path: |
+            out/aoc/aoc-backfill-runner.tar.gz
+            out/aoc/aoc-backfill-runner.manifest.json
+            out/aoc/aoc-backfill-runner.sbom.json
+            out/aoc/aoc-backfill-runner.provenance.json
+            out/aoc/aoc-backfill-runner.dsse.json
+            out/aoc/SHA256SUMS
+          if-no-files-found: warn
+          retention-days: 30
--- a/.gitea/workflows/aoc-guard.yml
+++ b/.gitea/workflows/aoc-guard.yml
@@ -56,10 +56,41 @@ jobs:
          dotnet build src/Authority/StellaOps.Authority.Ingestion/StellaOps.Authority.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
          dotnet build src/Excititor/StellaOps.Excititor.Ingestion/StellaOps.Excititor.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true

-      - name: Run analyzer tests
+      - name: Run analyzer tests with coverage
        run: |
          mkdir -p $ARTIFACT_DIR
-          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release --logger "trx;LogFileName=aoc-tests.trx" --results-directory $ARTIFACT_DIR
+          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release \
+            --settings src/Aoc/aoc.runsettings \
+            --collect:"XPlat Code Coverage" \
+            --logger "trx;LogFileName=aoc-analyzers-tests.trx" \
+            --results-directory $ARTIFACT_DIR
+
+      - name: Run AOC library tests with coverage
+        run: |
+          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj -c Release \
+            --settings src/Aoc/aoc.runsettings \
+            --collect:"XPlat Code Coverage" \
+            --logger "trx;LogFileName=aoc-lib-tests.trx" \
+            --results-directory $ARTIFACT_DIR
+
+      - name: Run AOC CLI tests with coverage
+        run: |
+          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/StellaOps.Aoc.Cli.Tests.csproj -c Release \
+            --settings src/Aoc/aoc.runsettings \
+            --collect:"XPlat Code Coverage" \
+            --logger "trx;LogFileName=aoc-cli-tests.trx" \
+            --results-directory $ARTIFACT_DIR
+
+      - name: Generate coverage report
+        run: |
+          dotnet tool install --global dotnet-reportgenerator-globaltool || true
+          reportgenerator \
+            -reports:"$ARTIFACT_DIR/**/coverage.cobertura.xml" \
+            -targetdir:"$ARTIFACT_DIR/coverage-report" \
+            -reporttypes:"Html;Cobertura;TextSummary" || true
+          if [ -f "$ARTIFACT_DIR/coverage-report/Summary.txt" ]; then
+            cat "$ARTIFACT_DIR/coverage-report/Summary.txt"
+          fi

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
@@ -96,13 +127,37 @@ jobs:
      - name: Run AOC verify
        env:
          STAGING_MONGO_URI: ${{ secrets.STAGING_MONGO_URI || vars.STAGING_MONGO_URI }}
+          STAGING_POSTGRES_URI: ${{ secrets.STAGING_POSTGRES_URI || vars.STAGING_POSTGRES_URI }}
        run: |
-          if [ -z "${STAGING_MONGO_URI:-}" ]; then
-            echo "::warning::STAGING_MONGO_URI not set; skipping aoc verify"
+          mkdir -p $ARTIFACT_DIR
+
+          # Prefer PostgreSQL, fall back to MongoDB (legacy)
+          if [ -n "${STAGING_POSTGRES_URI:-}" ]; then
+            echo "Using PostgreSQL for AOC verification"
+            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
+              --since "$AOC_VERIFY_SINCE" \
+              --postgres "$STAGING_POSTGRES_URI" \
+              --output "$ARTIFACT_DIR/aoc-verify.json" \
+              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
+              --verbose || VERIFY_EXIT=$?
+          elif [ -n "${STAGING_MONGO_URI:-}" ]; then
+            echo "Using MongoDB for AOC verification (deprecated)"
+            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
+              --since "$AOC_VERIFY_SINCE" \
+              --mongo "$STAGING_MONGO_URI" \
+              --output "$ARTIFACT_DIR/aoc-verify.json" \
+              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
+              --verbose || VERIFY_EXIT=$?
+          else
+            echo "::warning::Neither STAGING_POSTGRES_URI nor STAGING_MONGO_URI set; running dry-run verification"
+            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
+              --since "$AOC_VERIFY_SINCE" \
+              --postgres "placeholder" \
+              --dry-run \
+              --verbose
            exit 0
          fi
-          mkdir -p $ARTIFACT_DIR
-          dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify --since "$AOC_VERIFY_SINCE" --mongo "$STAGING_MONGO_URI" --output "$ARTIFACT_DIR/aoc-verify.json" --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" || VERIFY_EXIT=$?
+
          if [ -n "${VERIFY_EXIT:-}" ] && [ "${VERIFY_EXIT}" -ne 0 ]; then
            echo "::error::AOC verify reported violations"; exit ${VERIFY_EXIT}
          fi
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -575,6 +575,209 @@ PY
          if-no-files-found: ignore
          retention-days: 7

+  # ============================================================================
+  # Quality Gates Foundation (Sprint 0350)
+  # ============================================================================
+  quality-gates:
+    runs-on: ubuntu-22.04
+    needs: build-test
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Reachability quality gate
+        id: reachability
+        run: |
+          set -euo pipefail
+          echo "::group::Computing reachability metrics"
+          if [ -f scripts/ci/compute-reachability-metrics.sh ]; then
+            chmod +x scripts/ci/compute-reachability-metrics.sh
+            METRICS=$(./scripts/ci/compute-reachability-metrics.sh --dry-run 2>/dev/null || echo '{}')
+            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
+            echo "Reachability metrics: $METRICS"
+          else
+            echo "Reachability script not found, skipping"
+          fi
+          echo "::endgroup::"
+
+      - name: TTFS regression gate
+        id: ttfs
+        run: |
+          set -euo pipefail
+          echo "::group::Computing TTFS metrics"
+          if [ -f scripts/ci/compute-ttfs-metrics.sh ]; then
+            chmod +x scripts/ci/compute-ttfs-metrics.sh
+            METRICS=$(./scripts/ci/compute-ttfs-metrics.sh --dry-run 2>/dev/null || echo '{}')
+            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
+            echo "TTFS metrics: $METRICS"
+          else
+            echo "TTFS script not found, skipping"
+          fi
+          echo "::endgroup::"
+
+      - name: Performance SLO gate
+        id: slo
+        run: |
+          set -euo pipefail
+          echo "::group::Enforcing performance SLOs"
+          if [ -f scripts/ci/enforce-performance-slos.sh ]; then
+            chmod +x scripts/ci/enforce-performance-slos.sh
+            ./scripts/ci/enforce-performance-slos.sh --warn-only || true
+          else
+            echo "Performance SLO script not found, skipping"
+          fi
+          echo "::endgroup::"
+
+      - name: RLS policy validation
+        id: rls
+        run: |
+          set -euo pipefail
+          echo "::group::Validating RLS policies"
+          if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
+            echo "RLS validation script found"
+            # Check that all tenant-scoped schemas have RLS enabled
+            SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
+            for schema in "${SCHEMAS[@]}"; do
+              echo "Checking RLS for schema: $schema"
+              # Validate migration files exist
+              if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
+                echo "  ✓ RLS migration exists for $schema"
+              fi
+            done
+            echo "RLS validation passed (static check)"
+          else
+            echo "RLS validation script not found, skipping"
+          fi
+          echo "::endgroup::"
+
+      - name: Upload quality gate results
+        uses: actions/upload-artifact@v4
+        with:
+          name: quality-gate-results
+          path: |
+            scripts/ci/*.json
+            scripts/ci/*.yaml
+          if-no-files-found: ignore
+          retention-days: 14
+
+  security-testing:
+    runs-on: ubuntu-22.04
+    needs: build-test
+    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
+    permissions:
+      contents: read
+    env:
+      DOTNET_VERSION: '10.0.100'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Restore dependencies
+        run: dotnet restore tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
+
+      - name: Run OWASP security tests
+        run: |
+          set -euo pipefail
+          echo "::group::Running security tests"
+          dotnet test tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
+            --no-restore \
+            --logger "trx;LogFileName=security-tests.trx" \
+            --results-directory ./security-test-results \
+            --filter "Category=Security" \
+            --verbosity normal
+          echo "::endgroup::"
+
+      - name: Upload security test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: security-test-results
+          path: security-test-results/
+          if-no-files-found: ignore
+          retention-days: 30
+
+  mutation-testing:
+    runs-on: ubuntu-22.04
+    needs: build-test
+    if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
+    permissions:
+      contents: read
+    env:
+      DOTNET_VERSION: '10.0.100'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+
+      - name: Restore tools
+        run: dotnet tool restore
+
+      - name: Run mutation tests - Scanner.Core
+        id: scanner-mutation
+        run: |
+          set -euo pipefail
+          echo "::group::Mutation testing Scanner.Core"
+          cd src/Scanner/__Libraries/StellaOps.Scanner.Core
+          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
+          echo "::endgroup::"
+        continue-on-error: true
+
+      - name: Run mutation tests - Policy.Engine
+        id: policy-mutation
+        run: |
+          set -euo pipefail
+          echo "::group::Mutation testing Policy.Engine"
+          cd src/Policy/__Libraries/StellaOps.Policy
+          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
+          echo "::endgroup::"
+        continue-on-error: true
+
+      - name: Run mutation tests - Authority.Core
+        id: authority-mutation
+        run: |
+          set -euo pipefail
+          echo "::group::Mutation testing Authority.Core"
+          cd src/Authority/StellaOps.Authority
+          dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
+          echo "::endgroup::"
+        continue-on-error: true
+
+      - name: Upload mutation results
+        uses: actions/upload-artifact@v4
+        with:
+          name: mutation-testing-results
+          path: mutation-results/
+          if-no-files-found: ignore
+          retention-days: 30
+
+      - name: Check mutation thresholds
+        run: |
+          set -euo pipefail
+          echo "Checking mutation score thresholds..."
+          # Parse JSON results and check against thresholds
+          if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
+            SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
+            echo "Scanner.Core mutation score: $SCORE%"
+            if (( $(echo "$SCORE < 65" | bc -l) )); then
+              echo "::error::Scanner.Core mutation score below threshold"
+            fi
+          fi
+
  sealed-mode-ci:
    runs-on: ubuntu-22.04
    needs: build-test
--- a/.gitea/workflows/console-ci.yml
+++ b/.gitea/workflows/console-ci.yml
@@ -14,7 +14,7 @@ jobs:
    defaults:
      run:
        shell: bash
-        working-directory: src/Web
+        working-directory: src/Web/StellaOps.Web
    env:
      PLAYWRIGHT_BROWSERS_PATH: ~/.cache/ms-playwright
      CI: true
@@ -27,7 +27,7 @@ jobs:
        with:
          node-version: '20'
          cache: npm
-          cache-dependency-path: src/Web/package-lock.json
+          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json

      - name: Install deps (offline-friendly)
        run: npm ci --prefer-offline --no-audit --progress=false
@@ -37,6 +37,12 @@ jobs:

      - name: Console export specs (targeted)
        run: bash ./scripts/ci-console-exports.sh
+        continue-on-error: true
+
+      - name: Unit tests
+        run: npm run test:ci
+        env:
+          CHROME_BIN: chromium

      - name: Build
        run: npm run build -- --configuration=production --progress=false
--- a/.gitea/workflows/crypto-sim-smoke.yml
+++ b/.gitea/workflows/crypto-sim-smoke.yml
@@ -0,0 +1,41 @@
+name: crypto-sim-smoke
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "ops/crypto/sim-crypto-service/**"
+      - "ops/crypto/sim-crypto-smoke/**"
+      - "scripts/crypto/run-sim-smoke.ps1"
+      - "docs/security/crypto-simulation-services.md"
+      - ".gitea/workflows/crypto-sim-smoke.yml"
+
+jobs:
+  sim-smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.x"
+
+      - name: Build sim service and smoke harness
+        run: |
+          dotnet build ops/crypto/sim-crypto-service/SimCryptoService.csproj -c Release
+          dotnet build ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release
+
+      - name: Run smoke (sim profile: sm)
+        env:
+          ASPNETCORE_URLS: http://localhost:5000
+          STELLAOPS_CRYPTO_SIM_URL: http://localhost:5000
+          SIM_PROFILE: sm
+        run: |
+          set -euo pipefail
+          dotnet run --project ops/crypto/sim-crypto-service/SimCryptoService.csproj --no-build -c Release &
+          service_pid=$!
+          sleep 6
+          dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj --no-build -c Release
+          kill $service_pid
--- a/.gitea/workflows/cryptopro-linux-csp.yml
+++ b/.gitea/workflows/cryptopro-linux-csp.yml
@@ -0,0 +1,55 @@
+name: cryptopro-linux-csp
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - 'ops/cryptopro/linux-csp-service/**'
+      - 'opt/cryptopro/downloads/**'
+      - '.gitea/workflows/cryptopro-linux-csp.yml'
+  pull_request:
+    paths:
+      - 'ops/cryptopro/linux-csp-service/**'
+      - 'opt/cryptopro/downloads/**'
+      - '.gitea/workflows/cryptopro-linux-csp.yml'
+
+env:
+  IMAGE_NAME: cryptopro-linux-csp
+  DOCKERFILE: ops/cryptopro/linux-csp-service/Dockerfile
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build image (accept EULA explicitly)
+        run: |
+          docker build -t $IMAGE_NAME \
+            --build-arg CRYPTOPRO_ACCEPT_EULA=1 \
+            -f $DOCKERFILE .
+
+      - name: Run container
+        run: |
+          docker run -d --rm --name $IMAGE_NAME -p 18080:8080 $IMAGE_NAME
+          for i in {1..20}; do
+            if curl -sf http://127.0.0.1:18080/health >/dev/null; then
+              exit 0
+            fi
+            sleep 3
+          done
+          echo "Service failed to start" && exit 1
+
+      - name: Test endpoints
+        run: |
+          curl -sf http://127.0.0.1:18080/health
+          curl -sf http://127.0.0.1:18080/license || true
+          curl -sf -X POST http://127.0.0.1:18080/hash \
+            -H "Content-Type: application/json" \
+            -d '{"data_b64":"SGVsbG8="}'
+
+      - name: Stop container
+        if: always()
+        run: docker rm -f $IMAGE_NAME || true
--- a/.gitea/workflows/epss-ingest-perf.yml
+++ b/.gitea/workflows/epss-ingest-perf.yml
@@ -0,0 +1,98 @@
+name: EPSS Ingest Perf
+
+# Sprint: SPRINT_3410_0001_0001_epss_ingestion_storage
+# Tasks: EPSS-3410-013B, EPSS-3410-014
+#
+# Runs the EPSS ingest perf harness against a Dockerized PostgreSQL instance (Testcontainers).
+#
+# Runner requirements:
+# - Linux runner with Docker Engine available to the runner user (Testcontainers).
+# - Label: `ubuntu-22.04` (adjust `runs-on` if your labels differ).
+# - >= 4 CPU / >= 8GB RAM recommended for stable baselines.
+
+on:
+  workflow_dispatch:
+    inputs:
+      rows:
+        description: 'Row count to generate (default: 310000)'
+        required: false
+        default: '310000'
+      postgres_image:
+        description: 'PostgreSQL image (default: postgres:16-alpine)'
+        required: false
+        default: 'postgres:16-alpine'
+  schedule:
+    # Nightly at 03:00 UTC
+    - cron: '0 3 * * *'
+  pull_request:
+    paths:
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
+      - 'src/Scanner/StellaOps.Scanner.Worker/**'
+      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
+      - '.gitea/workflows/epss-ingest-perf.yml'
+  push:
+    branches: [ main ]
+    paths:
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
+      - 'src/Scanner/StellaOps.Scanner.Worker/**'
+      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
+      - '.gitea/workflows/epss-ingest-perf.yml'
+
+jobs:
+  perf:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_NOLOGO: 1
+      DOTNET_CLI_TELEMETRY_OPTOUT: 1
+      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+      TZ: UTC
+      STELLAOPS_OFFLINE: 'true'
+      STELLAOPS_DETERMINISTIC: 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Cache NuGet packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Restore
+        run: |
+          dotnet restore src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
+            --configfile nuget.config
+
+      - name: Build
+        run: |
+          dotnet build src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
+            -c Release \
+            --no-restore
+
+      - name: Run perf harness
+        run: |
+          mkdir -p bench/results
+          dotnet run \
+            --project src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
+            -c Release \
+            --no-build \
+            -- \
+            --rows ${{ inputs.rows || '310000' }} \
+            --postgres-image '${{ inputs.postgres_image || 'postgres:16-alpine' }}' \
+            --output bench/results/epss-ingest-perf-${{ github.sha }}.json
+
+      - name: Upload results
+        uses: actions/upload-artifact@v4
+        with:
+          name: epss-ingest-perf-${{ github.sha }}
+          path: |
+            bench/results/epss-ingest-perf-${{ github.sha }}.json
+          retention-days: 90
--- a/.gitea/workflows/exporter-ci.yml
+++ b/.gitea/workflows/exporter-ci.yml
@@ -0,0 +1,46 @@
+name: exporter-ci
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'src/ExportCenter/**'
+      - '.gitea/workflows/exporter-ci.yml'
+
+env:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  DOTNET_NOLOGO: 1
+
+jobs:
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Restore
+        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj
+
+      - name: Build
+        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj --configuration Release --no-restore
+
+      - name: Test
+        run: dotnet test src/ExportCenter/__Tests/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj --configuration Release --no-build --verbosity normal
+
+      - name: Publish
+        run: |
+          dotnet publish src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj \
+            --configuration Release \
+            --output artifacts/exporter
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: exporter-${{ github.run_id }}
+          path: artifacts/
+          retention-days: 14
--- a/.gitea/workflows/icscisa-kisa-refresh.yml
+++ b/.gitea/workflows/icscisa-kisa-refresh.yml
@@ -0,0 +1,68 @@
+name: ICS/KISA Feed Refresh
+
+on:
+  schedule:
+    - cron: '0 2 * * MON'
+  workflow_dispatch:
+    inputs:
+      live_fetch:
+        description: 'Attempt live RSS fetch (fallback to samples on failure)'
+        required: false
+        default: true
+        type: boolean
+      offline_snapshot:
+        description: 'Force offline samples only (no network)'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  refresh:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    env:
+      ICSCISA_FEED_URL: ${{ secrets.ICSCISA_FEED_URL }}
+      KISA_FEED_URL: ${{ secrets.KISA_FEED_URL }}
+      FEED_GATEWAY_HOST: concelier-webservice
+      FEED_GATEWAY_SCHEME: http
+      LIVE_FETCH: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.live_fetch || 'true' }}
+      OFFLINE_SNAPSHOT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.offline_snapshot || 'false' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set run metadata
+        id: meta
+        run: |
+          RUN_DATE=$(date -u +%Y%m%d)
+          RUN_ID="icscisa-kisa-$(date -u +%Y%m%dT%H%M%SZ)"
+          echo "run_date=$RUN_DATE" >> $GITHUB_OUTPUT
+          echo "run_id=$RUN_ID" >> $GITHUB_OUTPUT
+          echo "RUN_DATE=$RUN_DATE" >> $GITHUB_ENV
+          echo "RUN_ID=$RUN_ID" >> $GITHUB_ENV
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Run ICS/KISA refresh
+        run: |
+          python scripts/feeds/run_icscisa_kisa_refresh.py \
+            --out-dir out/feeds/icscisa-kisa \
+            --run-date "${{ steps.meta.outputs.run_date }}" \
+            --run-id "${{ steps.meta.outputs.run_id }}"
+
+      - name: Show fetch log
+        run: cat out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}/fetch.log
+
+      - name: Upload refresh artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: icscisa-kisa-${{ steps.meta.outputs.run_date }}
+          path: out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}
+          if-no-files-found: error
+          retention-days: 21
--- a/.gitea/workflows/integration-tests-gate.yml
+++ b/.gitea/workflows/integration-tests-gate.yml
@@ -0,0 +1,375 @@
+# Sprint 3500.0004.0003 - T6: Integration Tests CI Gate
+# Runs integration tests on PR and gates merges on failures
+
+name: integration-tests-gate
+
+on:
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - 'src/**'
+      - 'tests/integration/**'
+      - 'bench/golden-corpus/**'
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      run_performance:
+        description: 'Run performance baseline tests'
+        type: boolean
+        default: false
+      run_airgap:
+        description: 'Run air-gap tests'
+        type: boolean
+        default: false
+
+concurrency:
+  group: integration-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # ==========================================================================
+  # T6-AC1: Integration tests run on PR
+  # ==========================================================================
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: stellaops
+          POSTGRES_PASSWORD: test-only
+          POSTGRES_DB: stellaops_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Restore dependencies
+        run: dotnet restore tests/integration/**/*.csproj
+
+      - name: Build integration tests
+        run: dotnet build tests/integration/**/*.csproj --configuration Release --no-restore
+
+      - name: Run Proof Chain Tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.ProofChain \
+            --configuration Release \
+            --no-build \
+            --logger "trx;LogFileName=proofchain.trx" \
+            --results-directory ./TestResults
+        env:
+          ConnectionStrings__StellaOps: "Host=localhost;Database=stellaops_test;Username=stellaops;Password=test-only"
+
+      - name: Run Reachability Tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Reachability \
+            --configuration Release \
+            --no-build \
+            --logger "trx;LogFileName=reachability.trx" \
+            --results-directory ./TestResults
+
+      - name: Run Unknowns Workflow Tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Unknowns \
+            --configuration Release \
+            --no-build \
+            --logger "trx;LogFileName=unknowns.trx" \
+            --results-directory ./TestResults
+
+      - name: Run Determinism Tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Determinism \
+            --configuration Release \
+            --no-build \
+            --logger "trx;LogFileName=determinism.trx" \
+            --results-directory ./TestResults
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: integration-test-results
+          path: TestResults/**/*.trx
+
+      - name: Publish test summary
+        uses: dorny/test-reporter@v1
+        if: always()
+        with:
+          name: Integration Test Results
+          path: TestResults/**/*.trx
+          reporter: dotnet-trx
+
+  # ==========================================================================
+  # T6-AC2: Corpus validation on release branch
+  # ==========================================================================
+  corpus-validation:
+    name: Golden Corpus Validation
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Validate corpus manifest
+        run: |
+          python3 -c "
+          import json
+          import hashlib
+          import os
+
+          manifest_path = 'bench/golden-corpus/corpus-manifest.json'
+          with open(manifest_path) as f:
+              manifest = json.load(f)
+
+          print(f'Corpus version: {manifest.get(\"corpus_version\", \"unknown\")}')
+          print(f'Total cases: {manifest.get(\"total_cases\", 0)}')
+
+          errors = []
+          for case in manifest.get('cases', []):
+              case_path = os.path.join('bench/golden-corpus', case['path'])
+              if not os.path.isdir(case_path):
+                  errors.append(f'Missing case directory: {case_path}')
+              else:
+                  required_files = ['case.json', 'expected-score.json']
+                  for f in required_files:
+                      if not os.path.exists(os.path.join(case_path, f)):
+                          errors.append(f'Missing file: {case_path}/{f}')
+
+          if errors:
+              print('\\nValidation errors:')
+              for e in errors:
+                  print(f'  - {e}')
+              exit(1)
+          else:
+              print('\\nCorpus validation passed!')
+          "
+
+      - name: Run corpus scoring tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Determinism \
+            --filter "Category=GoldenCorpus" \
+            --configuration Release \
+            --logger "trx;LogFileName=corpus.trx" \
+            --results-directory ./TestResults
+
+  # ==========================================================================
+  # T6-AC3: Determinism tests on nightly
+  # ==========================================================================
+  nightly-determinism:
+    name: Nightly Determinism Check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
+    timeout-minutes: 45
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Run full determinism suite
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Determinism \
+            --configuration Release \
+            --logger "trx;LogFileName=determinism-full.trx" \
+            --results-directory ./TestResults
+
+      - name: Run cross-run determinism check
+        run: |
+          # Run scoring 3 times and compare hashes
+          for i in 1 2 3; do
+            dotnet test tests/integration/StellaOps.Integration.Determinism \
+              --filter "FullyQualifiedName~IdenticalInput_ProducesIdenticalHash" \
+              --results-directory ./TestResults/run-$i
+          done
+
+          # Compare all results
+          echo "Comparing determinism across runs..."
+
+      - name: Upload determinism results
+        uses: actions/upload-artifact@v4
+        with:
+          name: nightly-determinism-results
+          path: TestResults/**
+
+  # ==========================================================================
+  # T6-AC4: Test coverage reported to dashboard
+  # ==========================================================================
+  coverage-report:
+    name: Coverage Report
+    runs-on: ubuntu-latest
+    needs: [integration-tests]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Run tests with coverage
+        run: |
+          dotnet test tests/integration/**/*.csproj \
+            --configuration Release \
+            --collect:"XPlat Code Coverage" \
+            --results-directory ./TestResults/Coverage
+
+      - name: Generate coverage report
+        uses: danielpalme/ReportGenerator-GitHub-Action@5.2.0
+        with:
+          reports: TestResults/Coverage/**/coverage.cobertura.xml
+          targetdir: TestResults/CoverageReport
+          reporttypes: 'Html;Cobertura;MarkdownSummary'
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: TestResults/CoverageReport/**
+
+      - name: Add coverage to PR comment
+        uses: marocchino/sticky-pull-request-comment@v2
+        if: github.event_name == 'pull_request'
+        with:
+          recreate: true
+          path: TestResults/CoverageReport/Summary.md
+
+  # ==========================================================================
+  # T6-AC5: Flaky test quarantine process
+  # ==========================================================================
+  flaky-test-check:
+    name: Flaky Test Detection
+    runs-on: ubuntu-latest
+    needs: [integration-tests]
+    if: failure()
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for known flaky tests
+        run: |
+          # Check if failure is from a known flaky test
+          QUARANTINE_FILE=".github/flaky-tests-quarantine.json"
+          if [ -f "$QUARANTINE_FILE" ]; then
+            echo "Checking against quarantine list..."
+            # Implementation would compare failed tests against quarantine
+          fi
+
+      - name: Create flaky test issue
+        uses: actions/github-script@v7
+        if: always()
+        with:
+          script: |
+            // After 2 consecutive failures, create issue for quarantine review
+            console.log('Checking for flaky test patterns...');
+            // Implementation would analyze test history
+
+  # ==========================================================================
+  # Performance Tests (optional, on demand)
+  # ==========================================================================
+  performance-tests:
+    name: Performance Baseline Tests
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true'
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Run performance tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.Performance \
+            --configuration Release \
+            --logger "trx;LogFileName=performance.trx" \
+            --results-directory ./TestResults
+
+      - name: Upload performance report
+        uses: actions/upload-artifact@v4
+        with:
+          name: performance-report
+          path: |
+            TestResults/**
+            tests/integration/StellaOps.Integration.Performance/output/**
+
+      - name: Check for regressions
+        run: |
+          # Check if any test exceeded 20% threshold
+          if [ -f "tests/integration/StellaOps.Integration.Performance/output/performance-report.json" ]; then
+            python3 -c "
+          import json
+          with open('tests/integration/StellaOps.Integration.Performance/output/performance-report.json') as f:
+              report = json.load(f)
+          regressions = [m for m in report.get('Metrics', []) if m.get('DeltaPercent', 0) > 20]
+          if regressions:
+              print('Performance regressions detected!')
+              for r in regressions:
+                  print(f'  {r[\"Name\"]}: +{r[\"DeltaPercent\"]:.1f}%')
+              exit(1)
+          print('No performance regressions detected.')
+          "
+          fi
+
+  # ==========================================================================
+  # Air-Gap Tests (optional, on demand)
+  # ==========================================================================
+  airgap-tests:
+    name: Air-Gap Integration Tests
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_airgap == 'true'
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.100"
+
+      - name: Run air-gap tests
+        run: |
+          dotnet test tests/integration/StellaOps.Integration.AirGap \
+            --configuration Release \
+            --logger "trx;LogFileName=airgap.trx" \
+            --results-directory ./TestResults
+
+      - name: Upload air-gap test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: airgap-test-results
+          path: TestResults/**
--- a/.gitea/workflows/ledger-oas-ci.yml
+++ b/.gitea/workflows/ledger-oas-ci.yml
@@ -0,0 +1,81 @@
+name: Ledger OpenAPI CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - 'api/ledger/**'
+      - 'ops/devops/ledger/**'
+  pull_request:
+    paths:
+      - 'api/ledger/**'
+
+jobs:
+  validate-oas:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install tools
+        run: |
+          npm install -g @stoplight/spectral-cli
+          npm install -g @openapitools/openapi-generator-cli
+
+      - name: Validate OpenAPI spec
+        run: |
+          chmod +x ops/devops/ledger/validate-oas.sh
+          ops/devops/ledger/validate-oas.sh
+
+      - name: Upload validation report
+        uses: actions/upload-artifact@v4
+        with:
+          name: ledger-oas-validation-${{ github.run_number }}
+          path: |
+            out/ledger/oas/lint-report.json
+            out/ledger/oas/validation-report.txt
+            out/ledger/oas/spec-summary.json
+          if-no-files-found: warn
+
+  check-wellknown:
+    runs-on: ubuntu-22.04
+    needs: validate-oas
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check .well-known/openapi structure
+        run: |
+          # Validate .well-known structure if exists
+          if [ -d ".well-known" ]; then
+            echo "Checking .well-known/openapi..."
+            if [ -f ".well-known/openapi.json" ]; then
+              python3 -c "import json; json.load(open('.well-known/openapi.json'))"
+              echo ".well-known/openapi.json is valid JSON"
+            fi
+          else
+            echo "[info] .well-known directory not present (OK for dev)"
+          fi
+
+  deprecation-check:
+    runs-on: ubuntu-22.04
+    needs: validate-oas
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check deprecation policy
+        run: |
+          if [ -f "ops/devops/ledger/deprecation-policy.yaml" ]; then
+            echo "Validating deprecation policy..."
+            python3 -c "import yaml; yaml.safe_load(open('ops/devops/ledger/deprecation-policy.yaml'))"
+            echo "Deprecation policy is valid"
+          else
+            echo "[info] No deprecation policy yet (OK for initial setup)"
+          fi
--- a/.gitea/workflows/ledger-packs-ci.yml
+++ b/.gitea/workflows/ledger-packs-ci.yml
@@ -0,0 +1,101 @@
+name: Ledger Packs CI
+
+on:
+  workflow_dispatch:
+    inputs:
+      snapshot_id:
+        description: 'Snapshot ID (leave empty for auto)'
+        required: false
+        default: ''
+      sign:
+        description: 'Sign pack (1=yes)'
+        required: false
+        default: '0'
+  push:
+    branches: [main]
+    paths:
+      - 'ops/devops/ledger/**'
+
+jobs:
+  build-pack:
+    runs-on: ubuntu-22.04
+    env:
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Configure signing
+        run: |
+          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ] || [ "${{ github.event.inputs.sign }}" = "1" ]; then
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+
+      - name: Build pack
+        run: |
+          chmod +x ops/devops/ledger/build-pack.sh
+          SNAPSHOT_ID="${{ github.event.inputs.snapshot_id }}"
+          if [ -z "$SNAPSHOT_ID" ]; then
+            SNAPSHOT_ID="ci-$(date +%Y%m%d%H%M%S)"
+          fi
+
+          SIGN_FLAG=""
+          if [ "${{ github.event.inputs.sign }}" = "1" ] || [ -n "${COSIGN_PRIVATE_KEY_B64}" ]; then
+            SIGN_FLAG="--sign"
+          fi
+
+          SNAPSHOT_ID="$SNAPSHOT_ID" ops/devops/ledger/build-pack.sh $SIGN_FLAG
+
+      - name: Verify checksums
+        run: |
+          cd out/ledger/packs
+          for f in *.SHA256SUMS; do
+            if [ -f "$f" ]; then
+              sha256sum -c "$f"
+            fi
+          done
+
+      - name: Upload pack
+        uses: actions/upload-artifact@v4
+        with:
+          name: ledger-pack-${{ github.run_number }}
+          path: |
+            out/ledger/packs/*.pack.tar.gz
+            out/ledger/packs/*.SHA256SUMS
+            out/ledger/packs/*.dsse.json
+          if-no-files-found: warn
+          retention-days: 30
+
+  verify-pack:
+    runs-on: ubuntu-22.04
+    needs: build-pack
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download pack
+        uses: actions/download-artifact@v4
+        with:
+          name: ledger-pack-${{ github.run_number }}
+          path: out/ledger/packs/
+
+      - name: Verify pack structure
+        run: |
+          cd out/ledger/packs
+          for pack in *.pack.tar.gz; do
+            if [ -f "$pack" ]; then
+              echo "Verifying $pack..."
+              tar -tzf "$pack" | head -20
+
+              # Extract and check manifest
+              tar -xzf "$pack" -C /tmp manifest.json 2>/dev/null || true
+              if [ -f /tmp/manifest.json ]; then
+                python3 -c "import json; json.load(open('/tmp/manifest.json'))"
+                echo "Pack manifest is valid JSON"
+              fi
+            fi
+          done
--- a/.gitea/workflows/lighthouse-ci.yml
+++ b/.gitea/workflows/lighthouse-ci.yml
@@ -0,0 +1,188 @@
+# .gitea/workflows/lighthouse-ci.yml
+# Lighthouse CI for performance and accessibility testing of the StellaOps Web UI
+
+name: Lighthouse CI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'src/Web/StellaOps.Web/**'
+      - '.gitea/workflows/lighthouse-ci.yml'
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - 'src/Web/StellaOps.Web/**'
+  schedule:
+    # Run weekly on Sunday at 2 AM UTC
+    - cron: '0 2 * * 0'
+  workflow_dispatch:
+
+env:
+  NODE_VERSION: '20'
+  LHCI_BUILD_CONTEXT__CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
+  LHCI_BUILD_CONTEXT__COMMIT_SHA: ${{ github.sha }}
+
+jobs:
+  lighthouse:
+    name: Lighthouse Audit
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: src/Web/StellaOps.Web
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build production bundle
+        run: npm run build -- --configuration production
+
+      - name: Install Lighthouse CI
+        run: npm install -g @lhci/cli@0.13.x
+
+      - name: Run Lighthouse CI
+        run: |
+          lhci autorun \
+            --collect.staticDistDir=./dist/stella-ops-web/browser \
+            --collect.numberOfRuns=3 \
+            --assert.preset=lighthouse:recommended \
+            --assert.assertions.categories:performance=off \
+            --assert.assertions.categories:accessibility=off \
+            --upload.target=filesystem \
+            --upload.outputDir=./lighthouse-results
+
+      - name: Evaluate Lighthouse Results
+        id: lhci-results
+        run: |
+          # Parse the latest Lighthouse report
+          REPORT=$(ls -t lighthouse-results/*.json | head -1)
+
+          if [ -f "$REPORT" ]; then
+            PERF=$(jq '.categories.performance.score * 100' "$REPORT" | cut -d. -f1)
+            A11Y=$(jq '.categories.accessibility.score * 100' "$REPORT" | cut -d. -f1)
+            BP=$(jq '.categories["best-practices"].score * 100' "$REPORT" | cut -d. -f1)
+            SEO=$(jq '.categories.seo.score * 100' "$REPORT" | cut -d. -f1)
+
+            echo "performance=$PERF" >> $GITHUB_OUTPUT
+            echo "accessibility=$A11Y" >> $GITHUB_OUTPUT
+            echo "best-practices=$BP" >> $GITHUB_OUTPUT
+            echo "seo=$SEO" >> $GITHUB_OUTPUT
+
+            echo "## Lighthouse Results" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Category | Score | Threshold | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|----------|-------|-----------|--------|" >> $GITHUB_STEP_SUMMARY
+
+            # Performance: target >= 90
+            if [ "$PERF" -ge 90 ]; then
+              echo "| Performance | $PERF | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "| Performance | $PERF | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # Accessibility: target >= 95
+            if [ "$A11Y" -ge 95 ]; then
+              echo "| Accessibility | $A11Y | >= 95 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "| Accessibility | $A11Y | >= 95 | :x: |" >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # Best Practices: target >= 90
+            if [ "$BP" -ge 90 ]; then
+              echo "| Best Practices | $BP | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "| Best Practices | $BP | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # SEO: target >= 90
+            if [ "$SEO" -ge 90 ]; then
+              echo "| SEO | $SEO | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "| SEO | $SEO | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Check Quality Gates
+        run: |
+          PERF=${{ steps.lhci-results.outputs.performance }}
+          A11Y=${{ steps.lhci-results.outputs.accessibility }}
+
+          FAILED=0
+
+          # Performance gate (warning only, not blocking)
+          if [ "$PERF" -lt 90 ]; then
+            echo "::warning::Performance score ($PERF) is below target (90)"
+          fi
+
+          # Accessibility gate (blocking)
+          if [ "$A11Y" -lt 95 ]; then
+            echo "::error::Accessibility score ($A11Y) is below required threshold (95)"
+            FAILED=1
+          fi
+
+          if [ "$FAILED" -eq 1 ]; then
+            exit 1
+          fi
+
+      - name: Upload Lighthouse Reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: lighthouse-reports
+          path: src/Web/StellaOps.Web/lighthouse-results/
+          retention-days: 30
+
+  axe-accessibility:
+    name: Axe Accessibility Audit
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: src/Web/StellaOps.Web
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
+
+      - name: Build production bundle
+        run: npm run build -- --configuration production
+
+      - name: Start preview server
+        run: |
+          npx serve -s dist/stella-ops-web/browser -l 4200 &
+          sleep 5
+
+      - name: Run Axe accessibility tests
+        run: |
+          npm run test:a11y || true
+
+      - name: Upload Axe results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: axe-accessibility-results
+          path: src/Web/StellaOps.Web/test-results/
+          retention-days: 30
--- a/.gitea/workflows/lnm-migration-ci.yml
+++ b/.gitea/workflows/lnm-migration-ci.yml
@@ -0,0 +1,83 @@
+name: LNM Migration CI
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_staging:
+        description: 'Run staging backfill (1=yes)'
+        required: false
+        default: '0'
+  push:
+    branches: [main]
+    paths:
+      - 'src/Concelier/__Libraries/StellaOps.Concelier.Migrations/**'
+      - 'ops/devops/lnm/**'
+
+jobs:
+  build-runner:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Configure signing
+        run: |
+          if [ -z "${{ secrets.COSIGN_PRIVATE_KEY_B64 }}" ]; then
+            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
+            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
+          fi
+        env:
+          COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+
+      - name: Build and package runner
+        run: |
+          chmod +x ops/devops/lnm/package-runner.sh
+          ops/devops/lnm/package-runner.sh
+
+      - name: Verify checksums
+        run: |
+          cd out/lnm
+          sha256sum -c SHA256SUMS
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: lnm-migration-runner-${{ github.run_number }}
+          path: |
+            out/lnm/lnm-migration-runner.tar.gz
+            out/lnm/lnm-migration-runner.manifest.json
+            out/lnm/lnm-migration-runner.dsse.json
+            out/lnm/SHA256SUMS
+          if-no-files-found: warn
+
+  validate-metrics:
+    runs-on: ubuntu-22.04
+    needs: build-runner
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate monitoring config
+        run: |
+          # Validate alert rules syntax
+          if [ -f "ops/devops/lnm/alerts/lnm-alerts.yaml" ]; then
+            echo "Validating alert rules..."
+            python3 -c "import yaml; yaml.safe_load(open('ops/devops/lnm/alerts/lnm-alerts.yaml'))"
+          fi
+
+          # Validate dashboard JSON
+          if [ -f "ops/devops/lnm/dashboards/lnm-migration.json" ]; then
+            echo "Validating dashboard..."
+            python3 -c "import json; json.load(open('ops/devops/lnm/dashboards/lnm-migration.json'))"
+          fi
+
+          echo "Monitoring config validation complete"
--- a/.gitea/workflows/mirror-sign.yml
+++ b/.gitea/workflows/mirror-sign.yml
@@ -46,6 +46,16 @@ jobs:
        run: |
          scripts/mirror/verify_thin_bundle.py out/mirror/thin/mirror-thin-v1.tar.gz

+      - name: Prepare Export Center handoff (metadata + optional schedule)
+        run: |
+          scripts/mirror/export-center-wire.sh
+        env:
+          EXPORT_CENTER_BASE_URL: ${{ secrets.EXPORT_CENTER_BASE_URL }}
+          EXPORT_CENTER_TOKEN: ${{ secrets.EXPORT_CENTER_TOKEN }}
+          EXPORT_CENTER_TENANT: ${{ secrets.EXPORT_CENTER_TENANT }}
+          EXPORT_CENTER_PROJECT: ${{ secrets.EXPORT_CENTER_PROJECT }}
+          EXPORT_CENTER_AUTO_SCHEDULE: ${{ secrets.EXPORT_CENTER_AUTO_SCHEDULE }}
+
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
@@ -57,5 +67,8 @@ jobs:
            out/mirror/thin/tuf/
            out/mirror/thin/oci/
            out/mirror/thin/milestone.json
+            out/mirror/thin/export-center/export-center-handoff.json
+            out/mirror/thin/export-center/export-center-targets.json
+            out/mirror/thin/export-center/schedule-response.json
          if-no-files-found: error
          retention-days: 14
--- a/.gitea/workflows/reachability-bench.yaml
+++ b/.gitea/workflows/reachability-bench.yaml
@@ -0,0 +1,306 @@
+name: Reachability Benchmark
+
+# Sprint: SPRINT_3500_0003_0001
+# Task: CORPUS-009 - Create Gitea workflow for reachability benchmark
+# Task: CORPUS-010 - Configure nightly + per-PR benchmark runs
+
+on:
+  workflow_dispatch:
+    inputs:
+      baseline_version:
+        description: 'Baseline version to compare against'
+        required: false
+        default: 'latest'
+      verbose:
+        description: 'Enable verbose output'
+        required: false
+        type: boolean
+        default: false
+  push:
+    branches: [ main ]
+    paths:
+      - 'datasets/reachability/**'
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
+      - 'bench/reachability-benchmark/**'
+      - '.gitea/workflows/reachability-bench.yaml'
+  pull_request:
+    paths:
+      - 'datasets/reachability/**'
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
+      - 'bench/reachability-benchmark/**'
+  schedule:
+    # Nightly at 02:00 UTC
+    - cron: '0 2 * * *'
+
+jobs:
+  benchmark:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_NOLOGO: 1
+      DOTNET_CLI_TELEMETRY_OPTOUT: 1
+      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+      TZ: UTC
+      STELLAOPS_OFFLINE: 'true'
+      STELLAOPS_DETERMINISTIC: 'true'
+    outputs:
+      precision: ${{ steps.metrics.outputs.precision }}
+      recall: ${{ steps.metrics.outputs.recall }}
+      f1: ${{ steps.metrics.outputs.f1 }}
+      pr_auc: ${{ steps.metrics.outputs.pr_auc }}
+      regression: ${{ steps.compare.outputs.regression }}
+      
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Cache NuGet packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Restore benchmark project
+        run: |
+          dotnet restore src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
+            --configfile nuget.config
+
+      - name: Build benchmark project
+        run: |
+          dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
+            -c Release \
+            --no-restore
+
+      - name: Validate corpus integrity
+        run: |
+          echo "::group::Validating corpus index"
+          if [ ! -f datasets/reachability/corpus.json ]; then
+            echo "::error::corpus.json not found"
+            exit 1
+          fi
+          python3 -c "import json; data = json.load(open('datasets/reachability/corpus.json')); print(f'Corpus contains {len(data.get(\"samples\", []))} samples')"
+          echo "::endgroup::"
+
+      - name: Run benchmark
+        id: benchmark
+        run: |
+          echo "::group::Running reachability benchmark"
+          mkdir -p bench/results
+          
+          # Run the corpus benchmark
+          dotnet run \
+            --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
+            -c Release \
+            --no-build \
+            -- corpus run \
+            --corpus datasets/reachability/corpus.json \
+            --output bench/results/benchmark-${{ github.sha }}.json \
+            --format json \
+            ${{ inputs.verbose == 'true' && '--verbose' || '' }}
+          
+          echo "::endgroup::"
+
+      - name: Extract metrics
+        id: metrics
+        run: |
+          echo "::group::Extracting metrics"
+          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
+          
+          if [ -f "$RESULT_FILE" ]; then
+            PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
+            RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
+            F1=$(jq -r '.metrics.f1 // 0' "$RESULT_FILE")
+            PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
+            
+            echo "precision=$PRECISION" >> $GITHUB_OUTPUT
+            echo "recall=$RECALL" >> $GITHUB_OUTPUT
+            echo "f1=$F1" >> $GITHUB_OUTPUT
+            echo "pr_auc=$PR_AUC" >> $GITHUB_OUTPUT
+            
+            echo "Precision: $PRECISION"
+            echo "Recall: $RECALL"
+            echo "F1: $F1"
+            echo "PR-AUC: $PR_AUC"
+          else
+            echo "::error::Benchmark result file not found"
+            exit 1
+          fi
+          echo "::endgroup::"
+
+      - name: Get baseline
+        id: baseline
+        run: |
+          echo "::group::Loading baseline"
+          BASELINE_VERSION="${{ inputs.baseline_version || 'latest' }}"
+          
+          if [ "$BASELINE_VERSION" = "latest" ]; then
+            BASELINE_FILE=$(ls -t bench/baselines/*.json 2>/dev/null | head -1)
+          else
+            BASELINE_FILE="bench/baselines/$BASELINE_VERSION.json"
+          fi
+          
+          if [ -f "$BASELINE_FILE" ]; then
+            echo "baseline_file=$BASELINE_FILE" >> $GITHUB_OUTPUT
+            echo "Using baseline: $BASELINE_FILE"
+          else
+            echo "::warning::No baseline found, skipping comparison"
+            echo "baseline_file=" >> $GITHUB_OUTPUT
+          fi
+          echo "::endgroup::"
+
+      - name: Compare to baseline
+        id: compare
+        if: steps.baseline.outputs.baseline_file != ''
+        run: |
+          echo "::group::Comparing to baseline"
+          BASELINE_FILE="${{ steps.baseline.outputs.baseline_file }}"
+          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
+          
+          # Extract baseline metrics
+          BASELINE_PRECISION=$(jq -r '.metrics.precision // 0' "$BASELINE_FILE")
+          BASELINE_RECALL=$(jq -r '.metrics.recall // 0' "$BASELINE_FILE")
+          BASELINE_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$BASELINE_FILE")
+          
+          # Extract current metrics
+          CURRENT_PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
+          CURRENT_RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
+          CURRENT_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
+          
+          # Calculate deltas
+          PRECISION_DELTA=$(echo "$CURRENT_PRECISION - $BASELINE_PRECISION" | bc -l)
+          RECALL_DELTA=$(echo "$CURRENT_RECALL - $BASELINE_RECALL" | bc -l)
+          PR_AUC_DELTA=$(echo "$CURRENT_PR_AUC - $BASELINE_PR_AUC" | bc -l)
+          
+          echo "Precision delta: $PRECISION_DELTA"
+          echo "Recall delta: $RECALL_DELTA"
+          echo "PR-AUC delta: $PR_AUC_DELTA"
+          
+          # Check for regression (PR-AUC drop > 2%)
+          REGRESSION_THRESHOLD=-0.02
+          if (( $(echo "$PR_AUC_DELTA < $REGRESSION_THRESHOLD" | bc -l) )); then
+            echo "::error::PR-AUC regression detected: $PR_AUC_DELTA (threshold: $REGRESSION_THRESHOLD)"
+            echo "regression=true" >> $GITHUB_OUTPUT
+          else
+            echo "regression=false" >> $GITHUB_OUTPUT
+          fi
+          echo "::endgroup::"
+
+      - name: Generate markdown report
+        run: |
+          echo "::group::Generating report"
+          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
+          REPORT_FILE="bench/results/benchmark-${{ github.sha }}.md"
+          
+          cat > "$REPORT_FILE" << 'EOF'
+          # Reachability Benchmark Report
+          
+          **Commit:** ${{ github.sha }}
+          **Run:** ${{ github.run_number }}
+          **Date:** $(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          
+          ## Metrics
+          
+          | Metric | Value |
+          |--------|-------|
+          | Precision | ${{ steps.metrics.outputs.precision }} |
+          | Recall | ${{ steps.metrics.outputs.recall }} |
+          | F1 Score | ${{ steps.metrics.outputs.f1 }} |
+          | PR-AUC | ${{ steps.metrics.outputs.pr_auc }} |
+          
+          ## Comparison
+          
+          ${{ steps.compare.outputs.regression == 'true' && '⚠️ **REGRESSION DETECTED**' || '✅ No regression' }}
+          EOF
+          
+          echo "Report generated: $REPORT_FILE"
+          echo "::endgroup::"
+
+      - name: Upload results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark-results-${{ github.sha }}
+          path: |
+            bench/results/benchmark-${{ github.sha }}.json
+            bench/results/benchmark-${{ github.sha }}.md
+          retention-days: 90
+
+      - name: Fail on regression
+        if: steps.compare.outputs.regression == 'true' && github.event_name == 'pull_request'
+        run: |
+          echo "::error::Benchmark regression detected. PR-AUC dropped below threshold."
+          exit 1
+
+  update-baseline:
+    needs: benchmark
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download results
+        uses: actions/download-artifact@v4
+        with:
+          name: benchmark-results-${{ github.sha }}
+          path: bench/results/
+
+      - name: Update baseline (nightly only)
+        if: github.event_name == 'schedule'
+        run: |
+          DATE=$(date +%Y%m%d)
+          cp bench/results/benchmark-${{ github.sha }}.json bench/baselines/baseline-$DATE.json
+          echo "Updated baseline to baseline-$DATE.json"
+
+  notify-pr:
+    needs: benchmark
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Comment on PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const precision = '${{ needs.benchmark.outputs.precision }}';
+            const recall = '${{ needs.benchmark.outputs.recall }}';
+            const f1 = '${{ needs.benchmark.outputs.f1 }}';
+            const prAuc = '${{ needs.benchmark.outputs.pr_auc }}';
+            const regression = '${{ needs.benchmark.outputs.regression }}' === 'true';
+            
+            const status = regression ? '⚠️ REGRESSION' : '✅ PASS';
+            
+            const body = `## Reachability Benchmark Results ${status}
+            
+            | Metric | Value |
+            |--------|-------|
+            | Precision | ${precision} |
+            | Recall | ${recall} |
+            | F1 Score | ${f1} |
+            | PR-AUC | ${prAuc} |
+            
+            ${regression ? '### ⚠️ Regression Detected\nPR-AUC dropped below threshold. Please review changes.' : ''}
+            
+            <details>
+            <summary>Details</summary>
+            
+            - Commit: \`${{ github.sha }}\`
+            - Run: [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
+            
+            </details>`;
+            
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: body
+            });
--- a/.gitea/workflows/reachability-corpus-ci.yml
+++ b/.gitea/workflows/reachability-corpus-ci.yml
@@ -0,0 +1,267 @@
+name: Reachability Corpus Validation
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+    paths:
+      - 'tests/reachability/corpus/**'
+      - 'tests/reachability/fixtures/**'
+      - 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
+      - 'scripts/reachability/**'
+      - '.gitea/workflows/reachability-corpus-ci.yml'
+  pull_request:
+    paths:
+      - 'tests/reachability/corpus/**'
+      - 'tests/reachability/fixtures/**'
+      - 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
+      - 'scripts/reachability/**'
+      - '.gitea/workflows/reachability-corpus-ci.yml'
+
+jobs:
+  validate-corpus:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_NOLOGO: 1
+      DOTNET_CLI_TELEMETRY_OPTOUT: 1
+      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+      TZ: UTC
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET 10 RC
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Verify corpus manifest integrity
+        run: |
+          echo "Verifying corpus manifest..."
+          cd tests/reachability/corpus
+          if [ ! -f manifest.json ]; then
+            echo "::error::Corpus manifest.json not found"
+            exit 1
+          fi
+          echo "Manifest exists, checking JSON validity..."
+          python3 -c "import json; json.load(open('manifest.json'))"
+          echo "Manifest is valid JSON"
+
+      - name: Verify reachbench index integrity
+        run: |
+          echo "Verifying reachbench fixtures..."
+          cd tests/reachability/fixtures/reachbench-2025-expanded
+          if [ ! -f INDEX.json ]; then
+            echo "::error::Reachbench INDEX.json not found"
+            exit 1
+          fi
+          echo "INDEX exists, checking JSON validity..."
+          python3 -c "import json; json.load(open('INDEX.json'))"
+          echo "INDEX is valid JSON"
+
+      - name: Restore test project
+        run: dotnet restore tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj --configfile nuget.config
+
+      - name: Build test project
+        run: dotnet build tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj -c Release --no-restore
+
+      - name: Run corpus fixture tests
+        run: |
+          dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
+            -c Release \
+            --no-build \
+            --logger "trx;LogFileName=corpus-results.trx" \
+            --results-directory ./TestResults \
+            --filter "FullyQualifiedName~CorpusFixtureTests"
+
+      - name: Run reachbench fixture tests
+        run: |
+          dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
+            -c Release \
+            --no-build \
+            --logger "trx;LogFileName=reachbench-results.trx" \
+            --results-directory ./TestResults \
+            --filter "FullyQualifiedName~ReachbenchFixtureTests"
+
+      - name: Verify deterministic hashes
+        run: |
+          echo "Verifying SHA-256 hashes in corpus manifest..."
+          chmod +x scripts/reachability/verify_corpus_hashes.sh || true
+          if [ -f scripts/reachability/verify_corpus_hashes.sh ]; then
+            scripts/reachability/verify_corpus_hashes.sh
+          else
+            echo "Hash verification script not found, using inline verification..."
+            cd tests/reachability/corpus
+            python3 << 'EOF'
+          import json
+          import hashlib
+          import sys
+          import os
+
+          with open('manifest.json') as f:
+              manifest = json.load(f)
+
+          errors = []
+          for entry in manifest:
+              case_id = entry['id']
+              lang = entry['language']
+              case_dir = os.path.join(lang, case_id)
+              for filename, expected_hash in entry['files'].items():
+                  filepath = os.path.join(case_dir, filename)
+                  if not os.path.exists(filepath):
+                      errors.append(f"{case_id}: missing {filename}")
+                      continue
+                  with open(filepath, 'rb') as f:
+                      actual_hash = hashlib.sha256(f.read()).hexdigest()
+                  if actual_hash != expected_hash:
+                      errors.append(f"{case_id}: {filename} hash mismatch (expected {expected_hash}, got {actual_hash})")
+
+          if errors:
+              for err in errors:
+                  print(f"::error::{err}")
+              sys.exit(1)
+          print(f"All {len(manifest)} corpus entries verified")
+          EOF
+          fi
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: corpus-test-results-${{ github.run_number }}
+          path: ./TestResults/*.trx
+          retention-days: 14
+
+  validate-ground-truths:
+    runs-on: ubuntu-22.04
+    env:
+      TZ: UTC
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate ground-truth schema version
+        run: |
+          echo "Validating ground-truth files..."
+          cd tests/reachability
+          python3 << 'EOF'
+          import json
+          import os
+          import sys
+
+          EXPECTED_SCHEMA = "reachbench.reachgraph.truth/v1"
+          ALLOWED_VARIANTS = {"reachable", "unreachable"}
+          errors = []
+
+          # Validate corpus ground-truths
+          corpus_manifest = 'corpus/manifest.json'
+          if os.path.exists(corpus_manifest):
+              with open(corpus_manifest) as f:
+                  manifest = json.load(f)
+              for entry in manifest:
+                  case_id = entry['id']
+                  lang = entry['language']
+                  truth_path = os.path.join('corpus', lang, case_id, 'ground-truth.json')
+                  if not os.path.exists(truth_path):
+                      errors.append(f"corpus/{case_id}: missing ground-truth.json")
+                      continue
+                  with open(truth_path) as f:
+                      truth = json.load(f)
+                  if truth.get('schema_version') != EXPECTED_SCHEMA:
+                      errors.append(f"corpus/{case_id}: wrong schema_version")
+                  if truth.get('variant') not in ALLOWED_VARIANTS:
+                      errors.append(f"corpus/{case_id}: invalid variant '{truth.get('variant')}'")
+                  if not isinstance(truth.get('paths'), list):
+                      errors.append(f"corpus/{case_id}: paths must be an array")
+
+          # Validate reachbench ground-truths
+          reachbench_index = 'fixtures/reachbench-2025-expanded/INDEX.json'
+          if os.path.exists(reachbench_index):
+              with open(reachbench_index) as f:
+                  index = json.load(f)
+              for case in index.get('cases', []):
+                  case_id = case['id']
+                  case_path = case.get('path', os.path.join('cases', case_id))
+                  for variant in ['reachable', 'unreachable']:
+                      truth_path = os.path.join('fixtures/reachbench-2025-expanded', case_path, 'images', variant, 'reachgraph.truth.json')
+                      if not os.path.exists(truth_path):
+                          errors.append(f"reachbench/{case_id}/{variant}: missing reachgraph.truth.json")
+                          continue
+                      with open(truth_path) as f:
+                          truth = json.load(f)
+                      if not truth.get('schema_version'):
+                          errors.append(f"reachbench/{case_id}/{variant}: missing schema_version")
+                      if not isinstance(truth.get('paths'), list):
+                          errors.append(f"reachbench/{case_id}/{variant}: paths must be an array")
+
+          if errors:
+              for err in errors:
+                  print(f"::error::{err}")
+              sys.exit(1)
+          print("All ground-truth files validated successfully")
+          EOF
+
+  determinism-check:
+    runs-on: ubuntu-22.04
+    env:
+      TZ: UTC
+    needs: validate-corpus
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Verify JSON determinism (sorted keys, no trailing whitespace)
+        run: |
+          echo "Checking JSON determinism..."
+          cd tests/reachability
+          python3 << 'EOF'
+          import json
+          import os
+          import sys
+
+          def check_json_sorted(filepath):
+              """Check if JSON has sorted keys (deterministic)."""
+              with open(filepath) as f:
+                  content = f.read()
+              parsed = json.loads(content)
+              reserialized = json.dumps(parsed, sort_keys=True, indent=2)
+              # Normalize line endings
+              content_normalized = content.replace('\r\n', '\n').strip()
+              reserialized_normalized = reserialized.strip()
+              return content_normalized == reserialized_normalized
+
+          errors = []
+          json_files = []
+
+          # Collect JSON files from corpus
+          for root, dirs, files in os.walk('corpus'):
+              for f in files:
+                  if f.endswith('.json'):
+                      json_files.append(os.path.join(root, f))
+
+          # Check determinism
+          non_deterministic = []
+          for filepath in json_files:
+              try:
+                  if not check_json_sorted(filepath):
+                      non_deterministic.append(filepath)
+              except json.JSONDecodeError as e:
+                  errors.append(f"{filepath}: invalid JSON - {e}")
+
+          if non_deterministic:
+              print(f"::warning::Found {len(non_deterministic)} non-deterministic JSON files (keys not sorted or whitespace differs)")
+              for f in non_deterministic[:10]:
+                  print(f"  - {f}")
+              if len(non_deterministic) > 10:
+                  print(f"  ... and {len(non_deterministic) - 10} more")
+
+          if errors:
+              for err in errors:
+                  print(f"::error::{err}")
+              sys.exit(1)
+
+          print(f"Checked {len(json_files)} JSON files")
+          EOF
--- a/.gitea/workflows/scanner-analyzers-release.yml
+++ b/.gitea/workflows/scanner-analyzers-release.yml
@@ -34,6 +34,22 @@ jobs:
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/StellaOps.Scanner.Analyzers.Lang.Ruby.csproj ruby-analyzer

+      - name: Package Native analyzer
+        run: |
+          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj native-analyzer
+
+      - name: Package Java analyzer
+        run: |
+          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj java-analyzer
+
+      - name: Package DotNet analyzer
+        run: |
+          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj dotnet-analyzer
+
+      - name: Package Node analyzer
+        run: |
+          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj node-analyzer
+
      - name: Upload analyzer artifacts
        uses: actions/upload-artifact@v4
        with:
--- a/.gitea/workflows/signals-dsse-sign.yml
+++ b/.gitea/workflows/signals-dsse-sign.yml
@@ -28,6 +28,8 @@ jobs:
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-01' }}
      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -42,6 +44,16 @@ jobs:
        with:
          cosign-release: 'v2.2.4'

+      - name: Check signing key configured
+        run: |
+          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
+            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
+            exit 1
+          fi
+          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
+            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
+          fi
+
      - name: Verify artifacts exist
        run: |
          cd docs/modules/signals
@@ -90,9 +102,9 @@ jobs:
          retention-days: 90

      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
          tar -cf /tmp/signals-dsse.tar -C "$OUT_DIR" .
@@ -102,7 +114,7 @@ jobs:
          echo "Pushed to Evidence Locker"

      - name: Evidence Locker skip notice
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "::notice::Evidence Locker push skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
          echo "Artifacts available as workflow artifact for manual ingestion"
--- a/.gitea/workflows/signals-evidence-locker.yml
+++ b/.gitea/workflows/signals-evidence-locker.yml
@@ -2,6 +2,14 @@ name: signals-evidence-locker
 on:
  workflow_dispatch:
    inputs:
+      out_dir:
+        description: "Output directory containing signed artifacts"
+        required: false
+        default: "evidence-locker/signals/2025-12-05"
+      allow_dev_key:
+        description: "Allow dev key fallback (1=yes, 0=no)"
+        required: false
+        default: "0"
      retention_target:
        description: "Retention days target"
        required: false
@@ -12,7 +20,12 @@ jobs:
    runs-on: ubuntu-latest
    env:
      MODULE_ROOT: docs/modules/signals
-      OUT_DIR: evidence-locker/signals/2025-12-05
+      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-05' }}
+      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -20,6 +33,31 @@ jobs:
      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh

+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.2.4'
+
+      - name: Check signing key configured
+        run: |
+          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
+            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
+            exit 1
+          fi
+          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
+            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
+          fi
+
+      - name: Verify artifacts exist
+        run: |
+          cd "$MODULE_ROOT"
+          sha256sum -c SHA256SUMS
+
+      - name: Sign signals artifacts
+        run: |
+          chmod +x tools/cosign/sign-signals.sh
+          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
+
      - name: Build deterministic signals evidence tar
        run: |
          set -euo pipefail
@@ -52,16 +90,17 @@ jobs:
            /tmp/signals-evidence.tar.sha256

      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
-          curl -f -X PUT "$URL/signals/2025-12-05/signals-evidence.tar" \
+          upload_path="${OUT_DIR#evidence-locker/}"
+          curl -f -X PUT "$URL/${upload_path}/signals-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/signals-evidence.tar

      - name: Skip push (missing secret or URL)
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2
--- a/.gitea/workflows/signals-reachability.yml
+++ b/.gitea/workflows/signals-reachability.yml
@@ -0,0 +1,127 @@
+name: Signals Reachability Scoring & Events
+
+on:
+  workflow_dispatch:
+    inputs:
+      allow_dev_key:
+        description: "Allow dev signing key fallback (1=yes, 0=no)"
+        required: false
+        default: "0"
+      evidence_out_dir:
+        description: "Evidence output dir for signing/upload"
+        required: false
+        default: "evidence-locker/signals/2025-12-05"
+  push:
+    branches: [ main ]
+    paths:
+      - 'src/Signals/**'
+      - 'scripts/signals/reachability-smoke.sh'
+      - '.gitea/workflows/signals-reachability.yml'
+      - 'tools/cosign/sign-signals.sh'
+
+jobs:
+  reachability-smoke:
+    runs-on: ubuntu-22.04
+    env:
+      DOTNET_NOLOGO: 1
+      DOTNET_CLI_TELEMETRY_OPTOUT: 1
+      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+      TZ: UTC
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Task Pack offline bundle fixtures
+        run: python3 scripts/packs/run-fixtures-check.sh
+
+      - name: Setup .NET 10 RC
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100
+          include-prerelease: true
+
+      - name: Restore
+        run: dotnet restore src/Signals/StellaOps.Signals.sln --configfile nuget.config
+
+      - name: Build
+        run: dotnet build src/Signals/StellaOps.Signals.sln -c Release --no-restore
+
+      - name: Reachability scoring + cache/events smoke
+        run: |
+          chmod +x scripts/signals/reachability-smoke.sh
+          scripts/signals/reachability-smoke.sh
+
+  sign-and-upload:
+    runs-on: ubuntu-22.04
+    needs: reachability-smoke
+    env:
+      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
+      OUT_DIR: ${{ github.event.inputs.evidence_out_dir || 'evidence-locker/signals/2025-12-05' }}
+      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
+      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Task Pack offline bundle fixtures
+        run: python3 scripts/packs/run-fixtures-check.sh
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.2.4'
+
+      - name: Check signing key configured
+        run: |
+          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
+            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
+            exit 1
+          fi
+          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
+            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
+          fi
+
+      - name: Verify artifacts exist
+        run: |
+          cd docs/modules/signals
+          sha256sum -c SHA256SUMS
+
+      - name: Sign signals artifacts
+        run: |
+          chmod +x tools/cosign/sign-signals.sh
+          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: signals-evidence-${{ github.run_number }}
+          path: |
+            ${{ env.OUT_DIR }}/*.sigstore.json
+            ${{ env.OUT_DIR }}/*.dsse
+            ${{ env.OUT_DIR }}/SHA256SUMS
+          if-no-files-found: error
+          retention-days: 30
+
+      - name: Push to Evidence Locker
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        env:
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
+          URL: ${{ env.EVIDENCE_LOCKER_URL }}
+        run: |
+          tar -cf /tmp/signals-evidence.tar -C "$OUT_DIR" .
+          sha256sum /tmp/signals-evidence.tar
+          curl -f -X PUT "$URL/signals/$(date -u +%Y-%m-%d)/signals-evidence.tar" \
+            -H "Authorization: Bearer $TOKEN" \
+            --data-binary @/tmp/signals-evidence.tar
+          echo "Uploaded to Evidence Locker"
+
+      - name: Evidence Locker skip notice
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        run: |
+          echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
--- a/.gitea/workflows/sm-remote-ci.yml
+++ b/.gitea/workflows/sm-remote-ci.yml
@@ -0,0 +1,33 @@
+name: sm-remote-ci
+
+on:
+  push:
+    paths:
+      - "src/SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
+      - "ops/sm-remote/**"
+      - ".gitea/workflows/sm-remote-ci.yml"
+  pull_request:
+    paths:
+      - "src/SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
+      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
+      - "ops/sm-remote/**"
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: Restore
+        run: dotnet restore src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj
+      - name: Test
+        run: dotnet test src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj --no-build --verbosity normal
+      - name: Publish service
+        run: dotnet publish src/SmRemote/StellaOps.SmRemote.Service/StellaOps.SmRemote.Service.csproj -c Release -o out/sm-remote
--- a/.gitea/workflows/wine-csp-build.yml
+++ b/.gitea/workflows/wine-csp-build.yml
@@ -1,449 +0,0 @@
-name: wine-csp-build
-on:
-  push:
-    branches: [main, develop]
-    paths:
-      - 'src/__Tools/WineCspService/**'
-      - 'ops/wine-csp/**'
-      - 'third_party/forks/AlexMAS.GostCryptography/**'
-      - '.gitea/workflows/wine-csp-build.yml'
-  pull_request:
-    paths:
-      - 'src/__Tools/WineCspService/**'
-      - 'ops/wine-csp/**'
-      - 'third_party/forks/AlexMAS.GostCryptography/**'
-  workflow_dispatch:
-    inputs:
-      push:
-        description: "Push to registry"
-        required: false
-        default: "false"
-      version:
-        description: "Version tag (e.g., 2025.10.0-edge)"
-        required: false
-        default: "2025.10.0-edge"
-      skip_tests:
-        description: "Skip integration tests"
-        required: false
-        default: "false"
-
-env:
-  IMAGE_NAME: registry.stella-ops.org/stellaops/wine-csp
-  DOCKERFILE: ops/wine-csp/Dockerfile
-  # Wine CSP only supports linux/amd64 (Wine ARM64 has compatibility issues with Windows x64 apps)
-  PLATFORMS: linux/amd64
-  PYTHON_VERSION: "3.11"
-
-jobs:
-  # ===========================================================================
-  # Job 1: Build Docker Image
-  # ===========================================================================
-  build:
-    name: Build Wine CSP Image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    outputs:
-      image_tag: ${{ steps.version.outputs.tag }}
-      image_digest: ${{ steps.build.outputs.digest }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          install: true
-
-      - name: Set version tag
-        id: version
-        run: |
-          if [[ -n "${{ github.event.inputs.version }}" ]]; then
-            echo "tag=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-            echo "tag=2025.10.0-edge" >> $GITHUB_OUTPUT
-          else
-            echo "tag=pr-${{ github.event.pull_request.number || github.sha }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.IMAGE_NAME }}
-          tags: |
-            type=raw,value=${{ steps.version.outputs.tag }}
-            type=sha,format=short
-
-      - name: Build image
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ${{ env.DOCKERFILE }}
-          platforms: ${{ env.PLATFORMS }}
-          push: false
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Save image for testing
-        run: |
-          mkdir -p /tmp/images
-          docker save "${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}" | gzip > /tmp/images/wine-csp.tar.gz
-
-      - name: Upload image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images/wine-csp.tar.gz
-          retention-days: 1
-
-  # ===========================================================================
-  # Job 2: Integration Tests
-  # ===========================================================================
-  test:
-    name: Integration Tests
-    runs-on: ubuntu-latest
-    needs: build
-    if: ${{ github.event.inputs.skip_tests != 'true' }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Download image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images
-
-      - name: Load Docker image
-        run: |
-          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install test dependencies
-        run: |
-          pip install -r ops/wine-csp/tests/requirements.txt
-
-      - name: Start Wine CSP container
-        id: container
-        run: |
-          echo "Starting Wine CSP container..."
-          docker run -d --name wine-csp-test \
-            -e WINE_CSP_MODE=limited \
-            -e WINE_CSP_LOG_LEVEL=Debug \
-            -p 5099:5099 \
-            "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
-
-          echo "container_id=$(docker ps -q -f name=wine-csp-test)" >> $GITHUB_OUTPUT
-
-      - name: Wait for service startup
-        run: |
-          echo "Waiting for Wine CSP service to be ready (up to 120s)..."
-          for i in $(seq 1 24); do
-            if curl -sf http://127.0.0.1:5099/health > /dev/null 2>&1; then
-              echo "Service ready after $((i * 5))s"
-              exit 0
-            fi
-            echo "Waiting... ($((i * 5))s elapsed)"
-            sleep 5
-          done
-          echo "Service failed to start!"
-          docker logs wine-csp-test
-          exit 1
-
-      - name: Run integration tests (pytest)
-        id: pytest
-        run: |
-          mkdir -p test-results
-          export WINE_CSP_URL=http://127.0.0.1:5099
-
-          pytest ops/wine-csp/tests/test_wine_csp.py \
-            -v \
-            --tb=short \
-            --junitxml=test-results/junit.xml \
-            --timeout=60 \
-            -x \
-            2>&1 | tee test-results/pytest-output.txt
-
-      - name: Run shell integration tests
-        if: always()
-        run: |
-          chmod +x ops/wine-csp/tests/run-tests.sh
-          ops/wine-csp/tests/run-tests.sh \
-            --url http://127.0.0.1:5099 \
-            --ci \
-            --verbose || true
-
-      - name: Collect container logs
-        if: always()
-        run: |
-          docker logs wine-csp-test > test-results/container.log 2>&1 || true
-
-      - name: Stop container
-        if: always()
-        run: |
-          docker stop wine-csp-test || true
-          docker rm wine-csp-test || true
-
-      - name: Upload test results
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: wine-csp-test-results
-          path: test-results/
-
-      - name: Publish test results
-        uses: mikepenz/action-junit-report@v4
-        if: always()
-        with:
-          report_paths: 'test-results/junit.xml'
-          check_name: 'Wine CSP Integration Tests'
-          fail_on_failure: true
-
-  # ===========================================================================
-  # Job 3: Security Scan
-  # ===========================================================================
-  security:
-    name: Security Scan
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      security-events: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Download image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images
-
-      - name: Load Docker image
-        run: |
-          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-          ignore-unfixed: true
-
-      - name: Upload Trivy scan results
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Run Trivy for JSON report
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
-          format: 'json'
-          output: 'trivy-results.json'
-          severity: 'CRITICAL,HIGH,MEDIUM'
-
-      - name: Upload Trivy JSON report
-        uses: actions/upload-artifact@v4
-        with:
-          name: wine-csp-security-scan
-          path: trivy-results.json
-
-  # ===========================================================================
-  # Job 4: Generate SBOM
-  # ===========================================================================
-  sbom:
-    name: Generate SBOM
-    runs-on: ubuntu-latest
-    needs: build
-
-    steps:
-      - name: Download image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images
-
-      - name: Load Docker image
-        run: |
-          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
-
-      - name: Install syft
-        uses: anchore/sbom-action/download-syft@v0
-
-      - name: Generate SBOM (SPDX)
-        run: |
-          mkdir -p out/sbom
-          syft "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" \
-            -o spdx-json=out/sbom/wine-csp.spdx.json
-
-      - name: Generate SBOM (CycloneDX)
-        run: |
-          syft "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" \
-            -o cyclonedx-json=out/sbom/wine-csp.cdx.json
-
-      - name: Upload SBOM artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: wine-csp-sbom-${{ needs.build.outputs.image_tag }}
-          path: out/sbom/
-
-  # ===========================================================================
-  # Job 5: Publish (only on main branch or manual trigger)
-  # ===========================================================================
-  publish:
-    name: Publish Image
-    runs-on: ubuntu-latest
-    needs: [build, test, security]
-    if: ${{ (github.event.inputs.push == 'true' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && needs.test.result == 'success' }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-
-    steps:
-      - name: Download image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images
-
-      - name: Load Docker image
-        run: |
-          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@v3.7.0
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: registry.stella-ops.org
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Push to registry
-        run: |
-          docker push "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
-
-          # Also tag as latest if on main
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-            docker tag "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" "${{ env.IMAGE_NAME }}:latest"
-            docker push "${{ env.IMAGE_NAME }}:latest"
-          fi
-
-      - name: Sign image with cosign
-        env:
-          COSIGN_EXPERIMENTAL: "1"
-        run: |
-          cosign sign --yes "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" || echo "Signing skipped (no OIDC available)"
-
-      - name: Create release summary
-        run: |
-          echo "## Wine CSP Image Published" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Image:** \`${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**WARNING:** This image is for TEST VECTOR GENERATION ONLY." >> $GITHUB_STEP_SUMMARY
-
-  # ===========================================================================
-  # Job 6: Air-Gap Bundle
-  # ===========================================================================
-  airgap:
-    name: Air-Gap Bundle
-    runs-on: ubuntu-latest
-    needs: [build, test]
-    if: ${{ needs.test.result == 'success' }}
-
-    steps:
-      - name: Download image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-image
-          path: /tmp/images
-
-      - name: Create air-gap bundle
-        run: |
-          mkdir -p out/bundles
-
-          # Copy the image tarball
-          cp /tmp/images/wine-csp.tar.gz out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.tar.gz
-
-          # Generate bundle manifest
-          cat > out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.manifest.json <<EOF
-          {
-            "name": "wine-csp",
-            "version": "${{ needs.build.outputs.image_tag }}",
-            "image": "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}",
-            "platform": "linux/amd64",
-            "sha256": "$(sha256sum out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.tar.gz | cut -d' ' -f1)",
-            "created": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
-            "git_commit": "${{ github.sha }}",
-            "git_ref": "${{ github.ref }}",
-            "warning": "FOR TEST VECTOR GENERATION ONLY - NOT FOR PRODUCTION SIGNING"
-          }
-          EOF
-
-          # Create checksums file
-          cd out/bundles
-          sha256sum *.tar.gz *.json > SHA256SUMS
-
-          echo "Air-gap bundle contents:"
-          ls -lh
-
-      - name: Upload air-gap bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: wine-csp-bundle-${{ needs.build.outputs.image_tag }}
-          path: out/bundles/
-
-  # ===========================================================================
-  # Job 7: Test Summary
-  # ===========================================================================
-  summary:
-    name: Test Summary
-    runs-on: ubuntu-latest
-    needs: [build, test, security, sbom]
-    if: always()
-
-    steps:
-      - name: Download test results
-        uses: actions/download-artifact@v4
-        with:
-          name: wine-csp-test-results
-          path: test-results/
-        continue-on-error: true
-
-      - name: Create summary
-        run: |
-          echo "## Wine CSP Build Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Stage | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Build | ${{ needs.build.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Tests | ${{ needs.test.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Security | ${{ needs.security.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| SBOM | ${{ needs.sbom.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Image Tag:** \`${{ needs.build.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "---" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**SECURITY WARNING:** Wine CSP is for TEST VECTOR GENERATION ONLY." >> $GITHUB_STEP_SUMMARY
--- a/.github/flaky-tests-quarantine.json
+++ b/.github/flaky-tests-quarantine.json
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://stellaops.io/schemas/flaky-tests-quarantine.v1.json",
+  "version": "1.0.0",
+  "updated_at": "2025-01-15T00:00:00Z",
+  "policy": {
+    "consecutive_failures_to_quarantine": 2,
+    "quarantine_duration_days": 14,
+    "auto_reactivate_after_fix": true
+  },
+  "quarantined_tests": [],
+  "notes": "Tests are quarantined after 2 consecutive failures. Review and fix within 14 days or escalate."
+}
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
-  <metadata>
-    <id>Microsoft.Extensions.Logging.Abstractions</id>
-    <version>10.0.0-rc.2.25502.107</version>
-    <authors>Microsoft</authors>
-    <license type="expression">MIT</license>
-    <licenseUrl>https://licenses.nuget.org/MIT</licenseUrl>
-    <icon>Icon.png</icon>
-    <readme>PACKAGE.md</readme>
-    <projectUrl>https://dot.net/</projectUrl>
-    <description>Logging abstractions for Microsoft.Extensions.Logging.
-
-Commonly Used Types:
-Microsoft.Extensions.Logging.ILogger
-Microsoft.Extensions.Logging.ILoggerFactory
-Microsoft.Extensions.Logging.ILogger&lt;TCategoryName&gt;
-Microsoft.Extensions.Logging.LogLevel
-Microsoft.Extensions.Logging.Logger&lt;T&gt;
-Microsoft.Extensions.Logging.LoggerMessage
-Microsoft.Extensions.Logging.Abstractions.NullLogger</description>
-    <releaseNotes>https://go.microsoft.com/fwlink/?LinkID=799421</releaseNotes>
-    <copyright>© Microsoft Corporation. All rights reserved.</copyright>
-    <serviceable>true</serviceable>
-    <repository type="git" url="https://github.com/dotnet/dotnet" commit="89c8f6a112d37d2ea8b77821e56d170a1bccdc5a" />
-    <dependencies>
-      <group targetFramework=".NETFramework4.6.2">
-        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
-        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
-      </group>
-      <group targetFramework="net8.0">
-        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-      </group>
-      <group targetFramework="net9.0">
-        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-      </group>
-      <group targetFramework="net10.0">
-        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-      </group>
-      <group targetFramework=".NETStandard2.0">
-        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
-        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
-        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
-      </group>
-    </dependencies>
-  </metadata>
-</package>
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
--- a/.spectral.yaml
+++ b/.spectral.yaml
@@ -165,3 +165,69 @@ rules:
              in:
                const: header
            required: [name, in]
+
+  # --- Deprecation Metadata Rules (per APIGOV-63-001) ---
+
+  stella-deprecated-has-metadata:
+    description: "Deprecated operations must have x-deprecation extension with required fields"
+    message: "Add x-deprecation metadata (deprecatedAt, sunsetAt, successorPath, reason) to deprecated operations"
+    given: "$.paths[*][*][?(@.deprecated == true)]"
+    severity: error
+    then:
+      field: x-deprecation
+      function: schema
+      functionOptions:
+        schema:
+          type: object
+          required:
+            - deprecatedAt
+            - sunsetAt
+            - successorPath
+            - reason
+          properties:
+            deprecatedAt:
+              type: string
+              format: date-time
+            sunsetAt:
+              type: string
+              format: date-time
+            successorPath:
+              type: string
+            successorOperationId:
+              type: string
+            reason:
+              type: string
+            migrationGuide:
+              type: string
+              format: uri
+            notificationChannels:
+              type: array
+              items:
+                type: string
+                enum: [slack, teams, email, webhook]
+
+  stella-deprecated-sunset-future:
+    description: "Sunset dates should be in the future (warn if sunset already passed)"
+    message: "x-deprecation.sunsetAt should be a future date"
+    given: "$.paths[*][*].x-deprecation.sunsetAt"
+    severity: warn
+    then:
+      function: truthy
+
+  stella-deprecated-migration-guide:
+    description: "Deprecated operations should include a migration guide URL"
+    message: "Consider adding x-deprecation.migrationGuide for consumer guidance"
+    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
+    severity: hint
+    then:
+      field: migrationGuide
+      function: truthy
+
+  stella-deprecated-notification-channels:
+    description: "Deprecated operations should specify notification channels"
+    message: "Add x-deprecation.notificationChannels to enable deprecation notifications"
+    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
+    severity: hint
+    then:
+      field: notificationChannels
+      function: truthy
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -58,8 +58,8 @@ When you are told you are working in a particular module or directory, assume yo

 * **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions.
 * **Frontend**: Angular v17 for the UI.
-* **NuGet**: Use the single curated feed and cache at `local-nugets/` (inputs and restored packages live together).
-* **Data**: MongoDB as canonical store and for job/export state. Use a MongoDB driver version ≥ 3.0.
+* **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache.
+* **Data**: PostgreSQL as canonical store and for job/export state. Use a PostgreSQL driver version ≥ 3.0.
 * **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces.
 * **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured).

@@ -126,7 +126,7 @@ It ships as containerised building blocks; each module owns a clear boundary and
 | Scanner                | `src/Scanner/StellaOps.Scanner.WebService`<br>`src/Scanner/StellaOps.Scanner.Worker`<br>`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md`           |
 | Scheduler              | `src/Scheduler/StellaOps.Scheduler.WebService`<br>`src/Scheduler/StellaOps.Scheduler.Worker`                                          | `docs/modules/scheduler/architecture.md`         |
 | CLI                    | `src/Cli/StellaOps.Cli`<br>`src/Cli/StellaOps.Cli.Core`<br>`src/Cli/StellaOps.Cli.Plugins.*`                                          | `docs/modules/cli/architecture.md`               |
-| UI / Console           | `src/UI/StellaOps.UI`                                                                                                                 | `docs/modules/ui/architecture.md`                |
+| UI / Console           | `src/Web/StellaOps.Web`                                                                                                               | `docs/modules/ui/architecture.md`                |
 | Notify                 | `src/Notify/StellaOps.Notify.WebService`<br>`src/Notify/StellaOps.Notify.Worker`                                                      | `docs/modules/notify/architecture.md`            |
 | Export Center          | `src/ExportCenter/StellaOps.ExportCenter.WebService`<br>`src/ExportCenter/StellaOps.ExportCenter.Worker`                              | `docs/modules/export-center/architecture.md`     |
 | Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`<br>`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`                        | `docs/modules/registry/architecture.md`          |
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -41,7 +41,7 @@ dotnet test --filter "FullyQualifiedName~TestMethodName"
 dotnet test src/StellaOps.sln --verbosity normal
 ```

-**Note:** Tests use Mongo2Go which requires OpenSSL 1.1 on Linux. Run `scripts/enable-openssl11-shim.sh` before testing if needed.
+**Note:** Integration tests use Testcontainers for PostgreSQL. Ensure Docker is running before executing tests.

 ## Linting and Validation

@@ -60,11 +60,11 @@ helm lint deploy/helm/stellaops

 ### Technology Stack
 - **Runtime:** .NET 10 (`net10.0`) with latest C# preview features
- **Frontend:** Angular v17 (in `src/UI/StellaOps.UI`)
- **Database:** MongoDB (driver version ≥ 3.0)
- **Testing:** xUnit with Mongo2Go, Moq, Microsoft.AspNetCore.Mvc.Testing
+- **Frontend:** Angular v17 (in `src/Web/StellaOps.Web`)
+- **Database:** PostgreSQL (≥16) with per-module schema isolation; see `docs/db/` for specification
+- **Testing:** xUnit with Testcontainers (PostgreSQL), Moq, Microsoft.AspNetCore.Mvc.Testing
 - **Observability:** Structured logging, OpenTelemetry traces
- **NuGet:** Use the single curated feed and cache at `local-nugets/`
+- **NuGet:** Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org)

 ### Module Structure

@@ -89,7 +89,7 @@ The codebase follows a monorepo pattern with modules under `src/`:
 - **Libraries:** `src/<Module>/__Libraries/StellaOps.<Module>.*`
 - **Tests:** `src/<Module>/__Tests/StellaOps.<Module>.*.Tests/`
 - **Plugins:** Follow naming `StellaOps.<Module>.Connector.*` or `StellaOps.<Module>.Plugin.*`
- **Shared test infrastructure:** `StellaOps.Concelier.Testing` provides MongoDB fixtures
+- **Shared test infrastructure:** `StellaOps.Concelier.Testing` and `StellaOps.Infrastructure.Postgres.Testing` provide PostgreSQL fixtures

 ### Naming Conventions

@@ -127,7 +127,7 @@ The codebase follows a monorepo pattern with modules under `src/`:

 - Module tests: `StellaOps.<Module>.<Component>.Tests`
 - Shared fixtures/harnesses: `StellaOps.<Module>.Testing`
- Tests use xUnit, Mongo2Go for MongoDB integration tests
+- Tests use xUnit, Testcontainers for PostgreSQL integration tests

 ### Documentation Updates

@@ -200,6 +200,8 @@ Before coding, confirm required docs are read:

 - **Architecture overview:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - **Module dossiers:** `docs/modules/<module>/architecture.md`
+- **Database specification:** `docs/db/SPECIFICATION.md`
+- **PostgreSQL operations:** `docs/operations/postgresql-guide.md`
 - **API/CLI reference:** `docs/09_API_CLI_REFERENCE.md`
 - **Offline operation:** `docs/24_OFFLINE_KIT.md`
 - **Quickstart:** `docs/10_CONCELIER_CLI_QUICKSTART.md`
@@ -216,5 +218,5 @@ Workflows are in `.gitea/workflows/`. Key workflows:
 ## Environment Variables

 - `STELLAOPS_BACKEND_URL` - Backend API URL for CLI
- `STELLAOPS_TEST_MONGO_URI` - MongoDB connection string for integration tests
+- `STELLAOPS_TEST_POSTGRES_CONNECTION` - PostgreSQL connection string for integration tests
 - `StellaOpsEnableCryptoPro` - Enable GOST crypto support (set to `true` in build)
--- a/0
+++ b/0
--- a/0
+++ b/0
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -2,23 +2,15 @@

  <PropertyGroup>
    <StellaOpsRepoRoot Condition="'$(StellaOpsRepoRoot)' == ''">$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))</StellaOpsRepoRoot>
-    <StellaOpsLocalNuGetSource Condition="'$(StellaOpsLocalNuGetSource)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot)local-nugets/'))</StellaOpsLocalNuGetSource>
    <StellaOpsDotNetPublicSource Condition="'$(StellaOpsDotNetPublicSource)' == ''">https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json</StellaOpsDotNetPublicSource>
-    <StellaOpsNuGetOrgSource Condition="'$(StellaOpsNuGetOrgSource)' == ''">https://api.nuget.org/v3/index.json</StellaOpsNuGetOrgSource>
-    <_StellaOpsDefaultRestoreSources>$(StellaOpsLocalNuGetSource);$(StellaOpsDotNetPublicSource);$(StellaOpsNuGetOrgSource)</_StellaOpsDefaultRestoreSources>
-    <_StellaOpsOriginalRestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(RestoreSources)</_StellaOpsOriginalRestoreSources>
-    <RestorePackagesPath Condition="'$(RestorePackagesPath)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot).nuget/packages'))</RestorePackagesPath>
    <RestoreConfigFile Condition="'$(RestoreConfigFile)' == ''">$([System.IO.Path]::Combine('$(StellaOpsRepoRoot)','NuGet.config'))</RestoreConfigFile>
-    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(_StellaOpsDefaultRestoreSources)</RestoreSources>
-    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' != ''">$(_StellaOpsDefaultRestoreSources);$(_StellaOpsOriginalRestoreSources)</RestoreSources>
-    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>

  <PropertyGroup>
    <StellaOpsEnableCryptoPro Condition="'$(StellaOpsEnableCryptoPro)' == ''">false</StellaOpsEnableCryptoPro>
-    <NoWarn>$(NoWarn);NU1608;NU1605</NoWarn>
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605</WarningsNotAsErrors>
-    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605</RestoreNoWarn>
+    <NoWarn>$(NoWarn);NU1608;NU1605;NU1202</NoWarn>
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605;NU1202</WarningsNotAsErrors>
+    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605;NU1202</RestoreNoWarn>
    <RestoreWarningsAsErrors></RestoreWarningsAsErrors>
    <RestoreTreatWarningsAsErrors>false</RestoreTreatWarningsAsErrors>
    <RestoreDisableImplicitNuGetFallbackFolder>true</RestoreDisableImplicitNuGetFallbackFolder>
@@ -31,6 +23,10 @@
    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>

+  <PropertyGroup>
+    <AssetTargetFallback>$(AssetTargetFallback);net8.0;net7.0;net6.0;netstandard2.1;netstandard2.0</AssetTargetFallback>
+  </PropertyGroup>
+
  <PropertyGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">
    <DefineConstants>$(DefineConstants);STELLAOPS_CRYPTO_PRO</DefineConstants>
  </PropertyGroup>
@@ -43,4 +39,52 @@
    <PackageReference Update="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
  </ItemGroup>

+  <!-- .NET 10 compatible package version overrides -->
+  <ItemGroup>
+    <!-- Cryptography packages - updated for net10.0 compatibility -->
+    <PackageReference Update="BouncyCastle.Cryptography" Version="2.6.2" />
+    <PackageReference Update="Pkcs11Interop" Version="5.1.2" />
+
+    <!-- Resilience - Polly 8.x for .NET 6+ -->
+    <PackageReference Update="Polly" Version="8.5.2" />
+    <PackageReference Update="Polly.Core" Version="8.5.2" />
+
+    <!-- YAML - updated for net10.0 -->
+    <PackageReference Update="YamlDotNet" Version="16.3.0" />
+
+    <!-- JSON Schema packages -->
+    <PackageReference Update="JsonSchema.Net" Version="7.3.2" />
+    <PackageReference Update="Json.More.Net" Version="2.1.0" />
+    <PackageReference Update="JsonPointer.Net" Version="5.1.0" />
+
+    <!-- HTML parsing -->
+    <PackageReference Update="AngleSharp" Version="1.2.0" />
+
+    <!-- Scheduling -->
+    <PackageReference Update="Cronos" Version="0.9.0" />
+
+    <!-- Testing - xUnit 2.9.3 for .NET 10 -->
+    <PackageReference Update="xunit" Version="2.9.3" />
+    <PackageReference Update="xunit.assert" Version="2.9.3" />
+    <PackageReference Update="xunit.extensibility.core" Version="2.9.3" />
+    <PackageReference Update="xunit.extensibility.execution" Version="2.9.3" />
+    <PackageReference Update="xunit.runner.visualstudio" Version="3.0.1" />
+    <PackageReference Update="xunit.abstractions" Version="2.0.3" />
+
+    <!-- JSON -->
+    <PackageReference Update="Newtonsoft.Json" Version="13.0.4" />
+
+    <!-- Annotations -->
+    <PackageReference Update="JetBrains.Annotations" Version="2024.3.0" />
+
+    <!-- Async interfaces -->
+    <PackageReference Update="Microsoft.Bcl.AsyncInterfaces" Version="10.0.0" />
+
+    <!-- HTTP Resilience integration (replaces Http.Polly) -->
+    <PackageReference Update="Microsoft.Extensions.Http.Resilience" Version="10.0.0" />
+
+    <!-- Testing packages - aligned to 10.0.0 -->
+    <PackageReference Update="Microsoft.Extensions.TimeProvider.Testing" Version="10.0.0" />
+  </ItemGroup>
+
 </Project>
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -1,8 +1,10 @@
 # Third-Party Notices

-This project bundles or links against the following third-party components in the scanner Ruby analyzer implementation:
+This project bundles or links against the following third-party components:

- **tree-sitter** (MIT License, © 2018 Max Brunsfeld)
- **tree-sitter-ruby** (MIT License, © 2016 Rob Rix)
+- **tree-sitter** (MIT License, (c) 2018 Max Brunsfeld)
+- **tree-sitter-ruby** (MIT License, (c) 2016 Rob Rix)
+- **GostCryptography (fork)** (MIT License, (c) 2014-2024 AlexMAS) — vendored under `third_party/forks/AlexMAS.GostCryptography` for GOST support in `StellaOps.Cryptography.Plugin.CryptoPro` and related sovereign crypto plug-ins.
+- **CryptoPro CSP integration** (Commercial, customer-provided) — StellaOps ships only integration code; CryptoPro CSP binaries and licenses are not redistributed and must be supplied by the operator per vendor EULA.

 License texts are available under third-party-licenses/.
--- a/NuGet.config
+++ b/NuGet.config
@@ -2,13 +2,8 @@
 <configuration>
  <packageSources>
    <clear />
-    <add key="local-nugets" value="./local-nugets" />
-    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
-  <config>
-    <add key="globalPackagesFolder" value="./.nuget/packages" />
-  </config>
  <fallbackPackageFolders>
    <clear />
  </fallbackPackageFolders>
--- a/README.md
+++ b/README.md
@@ -1,14 +1,20 @@
 # StellaOps Concelier & CLI

+[![Build Status](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
+[![Quality Gates](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg?job=quality-gates)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
+[![Reachability](https://img.shields.io/badge/reachability-≥95%25-brightgreen)](docs/testing/ci-quality-gates.md)
+[![TTFS SLO](https://img.shields.io/badge/TTFS_P95-≤1.2s-blue)](docs/testing/ci-quality-gates.md)
+[![Mutation Score](https://img.shields.io/badge/mutation_score-≥80%25-purple)](docs/testing/mutation-testing-baselines.md)
+
 This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
 first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from
-authoritative sources, stores them in MongoDB, and exports deterministic JSON and
+authoritative sources, stores them in PostgreSQL, and exports deterministic JSON and
 Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
 control against the Concelier API.

 ## Quickstart

-1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`.
+1. Prepare a PostgreSQL instance and (optionally) install `trivy-db`/`oras`.
 2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry
   settings.
 3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token
--- a/StellaOps.Router.slnx
+++ b/StellaOps.Router.slnx
@@ -1,19 +1,17 @@
 <Solution>
  <Folder Name="/src/" />
-  <Folder Name="/src/Gateway/">
-    <Project Path="src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj" />
-  </Folder>
  <Folder Name="/src/__Libraries/">
    <Project Path="src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj" />
    <Project Path="src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj" />
+    <Project Path="src/__Libraries/StellaOps.Router.Gateway/StellaOps.Router.Gateway.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj" />
  </Folder>
  <Folder Name="/tests/">
-    <Project Path="tests/StellaOps.Gateway.WebService.Tests/StellaOps.Gateway.WebService.Tests.csproj" />
    <Project Path="tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj" />
+    <Project Path="tests/StellaOps.Router.Gateway.Tests/StellaOps.Router.Gateway.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj" />
  </Folder>
 </Solution>
--- a/bench/README.md
+++ b/bench/README.md
@@ -1,7 +1,7 @@
-# Stella Ops Bench Repository
+# Stella Ops Bench Repository

-> **Status:** Draft — aligns with `docs/benchmarks/vex-evidence-playbook.md` (Sprint 401).  
-> **Purpose:** Host reproducible VEX decisions and comparison data that prove Stella Ops’ signal quality vs. baseline scanners.
+> **Status:** Active · Last updated: 2025-12-13
+> **Purpose:** Host reproducible VEX decisions, reachability evidence, and comparison data proving Stella Ops' signal quality vs. baseline scanners.

 ## Layout

@@ -11,20 +11,122 @@ bench/
  findings/                 # per CVE/product bundles
    CVE-YYYY-NNNNN/
      evidence/
-        reachability.json
-        sbom.cdx.json
-      decision.openvex.json
-      decision.dsse.json
-      rekor.txt
-      metadata.json
+        reachability.json   # richgraph-v1 excerpt
+        sbom.cdx.json       # CycloneDX SBOM
+      decision.openvex.json # OpenVEX decision
+      decision.dsse.json    # DSSE envelope
+      rekor.txt             # Rekor log index + inclusion proof
+      metadata.json         # finding metadata (purl, CVE, version)
  tools/
-    verify.sh               # DSSE + Rekor verifier
+    verify.sh               # DSSE + Rekor verifier (online)
    verify.py               # offline verifier
    compare.py              # baseline comparison script
-    replay.sh               # runs reachability replay manifolds
+    replay.sh               # runs reachability replay manifests
  results/
-    summary.csv
+    summary.csv             # aggregated metrics
    runs/<date>/...         # raw outputs + replay manifests
+  reachability-benchmark/   # reachability benchmark with JDK fixtures
 ```

-Refer to `docs/benchmarks/vex-evidence-playbook.md` for artifact contracts and automation tasks. The `bench/` tree will be populated once `BENCH-AUTO-401-019` and `DOCS-VEX-401-012` land.
+## Related Documentation
+
+| Document | Purpose |
+|----------|---------|
+| [VEX Evidence Playbook](../docs/benchmarks/vex-evidence-playbook.md) | Proof bundle schema, justification catalog, verification workflow |
+| [Hybrid Attestation](../docs/reachability/hybrid-attestation.md) | Graph-level and edge-bundle DSSE decisions |
+| [Function-Level Evidence](../docs/reachability/function-level-evidence.md) | Cross-module evidence chain guide |
+| [Deterministic Replay](../docs/replay/DETERMINISTIC_REPLAY.md) | Replay manifest specification |
+
+## Verification Workflows
+
+### Quick Verification (Online)
+
+```bash
+# Verify a VEX proof bundle with DSSE and Rekor
+./tools/verify.sh findings/CVE-2021-44228/decision.dsse.json
+
+# Output:
+# ✓ DSSE signature valid
+# ✓ Rekor inclusion verified (log index: 12345678)
+# ✓ Evidence hashes match
+# ✓ Justification catalog membership confirmed
+```
+
+### Offline Verification
+
+```bash
+# Verify without network access
+python tools/verify.py \
+  --bundle findings/CVE-2021-44228/decision.dsse.json \
+  --cas-root ./findings/CVE-2021-44228/evidence/ \
+  --catalog ../docs/benchmarks/vex-justifications.catalog.json
+
+# Or use the VEX proof bundle verifier
+python ../scripts/vex/verify_proof_bundle.py \
+  --bundle ../tests/Vex/ProofBundles/sample-proof-bundle.json \
+  --cas-root ../tests/Vex/ProofBundles/cas/
+```
+
+### Reachability Graph Verification
+
+```bash
+# Verify graph DSSE
+stella graph verify --hash blake3:a1b2c3d4...
+
+# Verify with edge bundles
+stella graph verify --hash blake3:a1b2c3d4... --include-bundles
+
+# Offline with local CAS
+stella graph verify --hash blake3:a1b2c3d4... --cas-root ./offline-cas/
+```
+
+### Baseline Comparison
+
+```bash
+# Compare Stella Ops findings against baseline scanners
+python tools/compare.py \
+  --stellaops results/runs/2025-12-13/findings.json \
+  --baseline results/baselines/trivy-latest.json \
+  --output results/comparison-2025-12-13.csv
+
+# Metrics generated:
+# - True positives (reachability-confirmed)
+# - False positives (unreachable code paths)
+# - MTTD (mean time to detect)
+# - Reproducibility score
+```
+
+## Artifact Contracts
+
+All bench artifacts must comply with:
+
+1. **VEX Proof Bundle Schema** (`docs/benchmarks/vex-evidence-playbook.schema.json`)
+   - BLAKE3-256 primary hash, SHA-256 secondary
+   - Canonical JSON with sorted keys
+   - DSSE envelope with Rekor-ready digest
+
+2. **Justification Catalog** (`docs/benchmarks/vex-justifications.catalog.json`)
+   - VEX1-VEX10 justification codes
+   - Required evidence types per justification
+   - Expiry and re-evaluation rules
+
+3. **Reachability Graph** (`docs/contracts/richgraph-v1.md`)
+   - BLAKE3 graph_hash for content addressing
+   - Deterministic node/edge ordering
+   - SymbolID/EdgeID format compliance
+
+## CI Integration
+
+The bench directory is validated by:
+
+- `.gitea/workflows/vex-proof-bundles.yml` - Verifies all proof bundles
+- `.gitea/workflows/bench-determinism.yml` - Runs determinism benchmarks
+- `.gitea/workflows/hybrid-attestation.yml` - Verifies graph/edge-bundle fixtures
+
+## Contributing
+
+1. Add new findings under `findings/CVE-YYYY-NNNNN/`
+2. Include all required evidence artifacts
+3. Generate DSSE envelope and Rekor proof
+4. Update `results/summary.csv`
+5. Run verification: `./tools/verify.sh findings/CVE-YYYY-NNNNN/decision.dsse.json`
--- a/bench/baselines/performance-baselines.json
+++ b/bench/baselines/performance-baselines.json
@@ -0,0 +1,22 @@
+{
+  "schema_version": "stellaops.perf.baselines/v1",
+  "updated_at": "2025-01-15T00:00:00Z",
+  "environment": {
+    "runtime": ".NET 10",
+    "os": "ubuntu-22.04",
+    "cpu": "8 cores",
+    "memory_gb": 16
+  },
+  "baselines": {
+    "score_computation_ms": 100,
+    "score_computation_large_ms": 500,
+    "proof_bundle_generation_ms": 200,
+    "proof_signing_ms": 50,
+    "dotnet_callgraph_extraction_ms": 500,
+    "reachability_computation_ms": 100,
+    "reachability_large_graph_ms": 500,
+    "reachability_deep_path_ms": 200
+  },
+  "threshold_percent": 20,
+  "notes": "Initial baselines established on CI runner. Update after algorithm changes."
+}
--- a/bench/baselines/ttfs-baseline.json
+++ b/bench/baselines/ttfs-baseline.json
@@ -0,0 +1,56 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "TTFS Baseline",
+  "description": "Time-to-First-Signal baseline metrics for regression detection",
+  "version": "1.0.0",
+  "created_at": "2025-12-16T00:00:00Z",
+  "updated_at": "2025-12-16T00:00:00Z",
+  "metrics": {
+    "ttfs_ms": {
+      "p50": 1500,
+      "p95": 4000,
+      "p99": 6000,
+      "min": 500,
+      "max": 10000,
+      "mean": 2000,
+      "sample_count": 500
+    },
+    "by_scan_type": {
+      "image_scan": {
+        "p50": 2500,
+        "p95": 5000,
+        "p99": 7500,
+        "description": "Container image scanning TTFS baseline"
+      },
+      "filesystem_scan": {
+        "p50": 1000,
+        "p95": 2000,
+        "p99": 3000,
+        "description": "Filesystem/directory scanning TTFS baseline"
+      },
+      "sbom_scan": {
+        "p50": 400,
+        "p95": 800,
+        "p99": 1200,
+        "description": "SBOM-only scanning TTFS baseline"
+      }
+    }
+  },
+  "thresholds": {
+    "p50_max_ms": 2000,
+    "p95_max_ms": 5000,
+    "p99_max_ms": 8000,
+    "max_regression_pct": 10,
+    "description": "Thresholds that will trigger CI gate failures"
+  },
+  "collection_info": {
+    "test_environment": "ci-standard-runner",
+    "runner_specs": {
+      "cpu_cores": 4,
+      "memory_gb": 8,
+      "storage_type": "ssd"
+    },
+    "sample_corpus": "tests/reachability/corpus",
+    "collection_window_days": 30
+  }
+}
--- a/bench/determinism/README.md
+++ b/bench/determinism/README.md
@@ -0,0 +1,129 @@
+# Determinism Benchmark Suite
+
+> **Purpose:** Verify that StellaOps produces bit-identical results across replays.
+> **Status:** Active
+> **Sprint:** SPRINT_3850_0001_0001 (Competitive Gap Closure)
+
+## Overview
+
+Determinism is a core differentiator for StellaOps:
+- Same inputs → same outputs (bit-identical)
+- Replay manifests enable audit verification
+- No hidden state or environment leakage
+
+## What Gets Tested
+
+### Canonical JSON
+- Object key ordering (alphabetical)
+- Number formatting consistency
+- UTF-8 encoding without BOM
+- No whitespace variation
+
+### Scan Manifests
+- Same artifact + same feeds → same manifest hash
+- Seed values propagate correctly
+- Timestamp handling (fixed UTC)
+
+### Proof Bundles
+- Root hash computation
+- DSSE envelope determinism
+- ProofLedger node ordering
+
+### Score Computation
+- Same manifest → same score
+- Lattice merge is associative/commutative
+- Policy rule ordering doesn't affect outcome
+
+## Test Cases
+
+### TC-001: Canonical JSON Determinism
+
+```bash
+# Run same object through CanonJson 100 times
+# All hashes must match
+```
+
+### TC-002: Manifest Hash Stability
+
+```bash
+# Create manifest with identical inputs
+# Verify ComputeHash() returns same value
+```
+
+### TC-003: Cross-Platform Determinism
+
+```bash
+# Run on Linux, Windows, macOS
+# Compare output hashes
+```
+
+### TC-004: Feed Snapshot Determinism
+
+```bash
+# Same feed snapshot hash → same scan results
+```
+
+## Fixtures
+
+```
+fixtures/
+├── sample-manifest.json
+├── sample-ledger.json
+├── expected-hashes.json
+└── cross-platform/
+    ├── linux-x64.hashes.json
+    ├── windows-x64.hashes.json
+    └── macos-arm64.hashes.json
+```
+
+## Running the Suite
+
+```bash
+# Run determinism tests
+dotnet test tests/StellaOps.Determinism.Tests
+
+# Run replay verification
+./run-replay.sh --manifest fixtures/sample-manifest.json --runs 10
+
+# Cross-platform verification (requires CI matrix)
+./verify-cross-platform.sh
+```
+
+## Metrics
+
+| Metric | Target | Description |
+|--------|--------|-------------|
+| Hash stability | 100% | All runs produce identical hash |
+| Replay success | 100% | All replays match original |
+| Cross-platform parity | 100% | Same hash across OS/arch |
+
+## Integration with CI
+
+```yaml
+# .gitea/workflows/bench-determinism.yaml
+name: Determinism Benchmark
+on:
+  push:
+    paths:
+      - 'src/__Libraries/StellaOps.Canonical.Json/**'
+      - 'src/Scanner/__Libraries/StellaOps.Scanner.Core/**'
+      - 'bench/determinism/**'
+
+jobs:
+  determinism:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Determinism Tests
+        run: dotnet test tests/StellaOps.Determinism.Tests
+      - name: Capture Hashes
+        run: ./bench/determinism/capture-hashes.sh
+      - name: Upload Hashes
+        uses: actions/upload-artifact@v4
+        with:
+          name: hashes-${{ matrix.os }}
+          path: bench/determinism/results/
+```
--- a/bench/determinism/run-replay.sh
+++ b/bench/determinism/run-replay.sh
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+# run-replay.sh
+# Deterministic Replay Benchmark
+# Sprint: SPRINT_3850_0001_0001
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESULTS_DIR="$SCRIPT_DIR/results/$(date -u +%Y%m%d_%H%M%S)"
+
+# Parse arguments
+MANIFEST_FILE=""
+RUNS=5
+VERBOSE=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --manifest)
+            MANIFEST_FILE="$2"
+            shift 2
+            ;;
+        --runs)
+            RUNS="$2"
+            shift 2
+            ;;
+        --verbose|-v)
+            VERBOSE=true
+            shift
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+echo "╔════════════════════════════════════════════════╗"
+echo "║       Deterministic Replay Benchmark           ║"
+echo "╚════════════════════════════════════════════════╝"
+echo ""
+echo "Configuration:"
+echo "  Manifest:    ${MANIFEST_FILE:-<default sample>}"
+echo "  Runs:        $RUNS"
+echo "  Results dir: $RESULTS_DIR"
+echo ""
+
+mkdir -p "$RESULTS_DIR"
+
+# Use sample manifest if none provided
+if [ -z "$MANIFEST_FILE" ] && [ -f "$SCRIPT_DIR/fixtures/sample-manifest.json" ]; then
+    MANIFEST_FILE="$SCRIPT_DIR/fixtures/sample-manifest.json"
+fi
+
+declare -a HASHES
+
+echo "Running $RUNS iterations..."
+echo ""
+
+for i in $(seq 1 $RUNS); do
+    echo -n "  Run $i: "
+    
+    OUTPUT_FILE="$RESULTS_DIR/run_$i.json"
+    
+    if command -v dotnet &> /dev/null; then
+        # Run the replay service
+        dotnet run --project "$SCRIPT_DIR/../../src/Scanner/StellaOps.Scanner.WebService" -- \
+            replay \
+            --manifest "$MANIFEST_FILE" \
+            --output "$OUTPUT_FILE" \
+            --format json 2>/dev/null || {
+                echo "⊘ Skipped (replay command not available)"
+                continue
+            }
+        
+        if [ -f "$OUTPUT_FILE" ]; then
+            HASH=$(sha256sum "$OUTPUT_FILE" | cut -d' ' -f1)
+            HASHES+=("$HASH")
+            echo "sha256:${HASH:0:16}..."
+        else
+            echo "⊘ No output generated"
+        fi
+    else
+        echo "⊘ Skipped (dotnet not available)"
+    fi
+done
+
+echo ""
+
+# Verify all hashes match
+if [ ${#HASHES[@]} -gt 1 ]; then
+    FIRST_HASH="${HASHES[0]}"
+    ALL_MATCH=true
+    
+    for hash in "${HASHES[@]}"; do
+        if [ "$hash" != "$FIRST_HASH" ]; then
+            ALL_MATCH=false
+            break
+        fi
+    done
+    
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "Results"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    
+    if $ALL_MATCH; then
+        echo "✓ PASS: All $RUNS runs produced identical output"
+        echo "  Hash: sha256:$FIRST_HASH"
+    else
+        echo "✗ FAIL: Outputs differ between runs"
+        echo ""
+        echo "Hashes:"
+        for i in "${!HASHES[@]}"; do
+            echo "  Run $((i+1)): ${HASHES[$i]}"
+        done
+    fi
+else
+    echo "ℹ️  Insufficient runs to verify determinism"
+fi
+
+# Create summary JSON
+cat > "$RESULTS_DIR/summary.json" <<EOF
+{
+  "benchmark": "determinism-replay",
+  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "manifest": "$MANIFEST_FILE",
+  "runs": $RUNS,
+  "hashes": [$(printf '"%s",' "${HASHES[@]}" | sed 's/,$//')],
+  "deterministic": ${ALL_MATCH:-null}
+}
+EOF
+
+echo ""
+echo "Results saved to: $RESULTS_DIR"
--- a/bench/findings/CVE-2015-7547-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2015-7547-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpiZTMwNDMzZTE4OGEyNTg4NTY0NDYzMzZkYmIxMDk1OWJmYjRhYjM5NzQzODBhOGVhMTI2NDZiZjI2ODdiZjlhIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2dsaWJjLUNWRS0yMDIzLTQ5MTEtbG9vbmV5LXR1bmFibGVzQDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMTUtNzU0NyIsIm5hbWUiOiJDVkUtMjAxNS03NTQ3In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2015-7547-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2015-7547-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:be30433e188a258856446336dbb10959bfb4ab3974380a8ea12646bf2687bf9a",
+      "products": [
+        {
+          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
+        "name": "CVE-2015-7547"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2015-7547-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2015-7547-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "glibc-CVE-2023-4911-looney-tunables",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://glibc:glibc.c#entry",
+        "sym://glibc:glibc.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://glibc:glibc.c#entry",
+      "sym://glibc:glibc.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "glibc-CVE-2023-4911-looney-tunables",
+      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2015-7547-reachable/metadata.json
+++ b/bench/findings/CVE-2015-7547-reachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "cve_id": "CVE-2015-7547",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2015-7547-reachable/rekor.txt
+++ b/bench/findings/CVE-2015-7547-reachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2015-7547-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2015-7547-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDJlYzAxNGE0MmQwZTNmYjQzZWQ0ZGRhZDg5NTM4MjFlNDQ0NTcxMTlkYTY2ZGRiNDFhMzVhODAxYTNiNzI3IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9nbGliYy1DVkUtMjAyMy00OTExLWxvb25leS10dW5hYmxlc0AxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAxNS03NTQ3IiwibmFtZSI6IkNWRS0yMDE1LTc1NDcifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2015-7547-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2015-7547-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:c42ec014a42d0e3fb43ed4ddad8953821e44457119da66ddb41a35a801a3b727",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
+        "name": "CVE-2015-7547"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2015-7547-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2015-7547-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "glibc-CVE-2023-4911-looney-tunables",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "glibc-CVE-2023-4911-looney-tunables",
+      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2015-7547-unreachable/metadata.json
+++ b/bench/findings/CVE-2015-7547-unreachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "glibc-CVE-2023-4911-looney-tunables",
+  "cve_id": "CVE-2015-7547",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2015-7547-unreachable/rekor.txt
+++ b/bench/findings/CVE-2015-7547-unreachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2022-3602-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2022-3602-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjowMTQzMWZmMWVlZTc5OWM2ZmFkZDU5M2E3ZWMxOGVlMDk0Zjk4MzE0MDk2M2RhNmNiZmQ0YjdmMDZiYTBmOTcwIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL29wZW5zc2wtQ1ZFLTIwMjItMzYwMi14NTA5LW5hbWUtY29uc3RyYWludHNAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi0zNjAyIiwibmFtZSI6IkNWRS0yMDIyLTM2MDIifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2022-3602-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2022-3602-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:01431ff1eee799c6fadd593a7ec18ee094f983140963da6cbfd4b7f06ba0f970",
+      "products": [
+        {
+          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
+        "name": "CVE-2022-3602"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2022-3602-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2022-3602-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://openssl:openssl.c#entry",
+        "sym://openssl:openssl.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://openssl:openssl.c#entry",
+      "sym://openssl:openssl.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "openssl-CVE-2022-3602-x509-name-constraints",
+      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2022-3602-reachable/metadata.json
+++ b/bench/findings/CVE-2022-3602-reachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "cve_id": "CVE-2022-3602",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2022-3602-reachable/rekor.txt
+++ b/bench/findings/CVE-2022-3602-reachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2022-3602-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2022-3602-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpkOWJhZjRjNjQ3NDE4Nzc4NTUxYWZjNDM3NTJkZWY0NmQ0YWYyN2Q1MzEyMmU2YzQzNzVjMzUxMzU1YjEwYTMzIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9vcGVuc3NsLUNWRS0yMDIyLTM2MDIteDUwOS1uYW1lLWNvbnN0cmFpbnRzQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM2MDIiLCJuYW1lIjoiQ1ZFLTIwMjItMzYwMiJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2022-3602-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2022-3602-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:d9baf4c647418778551afc43752def46d4af27d53122e6c4375c351355b10a33",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
+        "name": "CVE-2022-3602"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2022-3602-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2022-3602-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "openssl-CVE-2022-3602-x509-name-constraints",
+      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2022-3602-unreachable/metadata.json
+++ b/bench/findings/CVE-2022-3602-unreachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+  "cve_id": "CVE-2022-3602",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2022-3602-unreachable/rekor.txt
+++ b/bench/findings/CVE-2022-3602-unreachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2023-38545-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2023-38545-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpmMWMxZmRiZTk1YjMyNTNiMTNjYTZjNzMzZWMwM2FkYTNlYTg3MWU2NmI1ZGRlZGJiNmMxNGI5ZGM2N2IwNzQ4IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2N1cmwtQ1ZFLTIwMjMtMzg1NDUtc29ja3M1LWhlYXBAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMy0zODU0NSIsIm5hbWUiOiJDVkUtMjAyMy0zODU0NSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2023-38545-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2023-38545-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:f1c1fdbe95b3253b13ca6c733ec03ada3ea871e66b5ddedbb6c14b9dc67b0748",
+      "products": [
+        {
+          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
+        "name": "CVE-2023-38545"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2023-38545-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2023-38545-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "curl-CVE-2023-38545-socks5-heap",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://curl:curl.c#entry",
+        "sym://curl:curl.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://curl:curl.c#entry",
+      "sym://curl:curl.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "curl-CVE-2023-38545-socks5-heap",
+      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2023-38545-reachable/metadata.json
+++ b/bench/findings/CVE-2023-38545-reachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "cve_id": "CVE-2023-38545",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-2023-38545-reachable/rekor.txt
+++ b/bench/findings/CVE-2023-38545-reachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2023-38545-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2023-38545-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjplNGIxOTk0ZTU5NDEwNTYyZjQwYWI0YTVmZTIzNjM4YzExZTU4MTdiYjcwMDM5M2VkOTlmMjBkM2M5ZWY5ZmEwIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9jdXJsLUNWRS0yMDIzLTM4NTQ1LXNvY2tzNS1oZWFwQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTM4NTQ1IiwibmFtZSI6IkNWRS0yMDIzLTM4NTQ1In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-2023-38545-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2023-38545-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:e4b1994e59410562f40ab4a5fe23638c11e5817bb700393ed99f20d3c9ef9fa0",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
+        "name": "CVE-2023-38545"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-2023-38545-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2023-38545-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "curl-CVE-2023-38545-socks5-heap",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "curl-CVE-2023-38545-socks5-heap",
+      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-2023-38545-unreachable/metadata.json
+++ b/bench/findings/CVE-2023-38545-unreachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "curl-CVE-2023-38545-socks5-heap",
+  "cve_id": "CVE-2023-38545",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-2023-38545-unreachable/rekor.txt
+++ b/bench/findings/CVE-2023-38545-unreachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjoxNTRiYTZlMzU5YzA5NTQ1NzhhOTU2MDM2N2YxY2JhYzFjMTUzZTVkNWRmOTNjMmI5MjljZDM4NzkyYTIxN2JiIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2xpbnV4LWNncm91cHMtQ1ZFLTIwMjItMDQ5Mi1yZWxlYXNlX2FnZW50QDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILUxJTlVYLUNHIiwibmFtZSI6IkNWRS1CRU5DSC1MSU5VWC1DRyJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:154ba6e359c0954578a9560367f1cbac1c153e5d5df93c2b929cd38792a217bb",
+      "products": [
+        {
+          "@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
+        "name": "CVE-BENCH-LINUX-CG"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://linux:linux.c#entry",
+        "sym://linux:linux.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://linux:linux.c#entry",
+      "sym://linux:linux.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "linux-cgroups-CVE-2022-0492-release_agent",
+      "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/metadata.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "cve_id": "CVE-BENCH-LINUX-CG",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/rekor.txt
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjOTUwNmRhMjc0YTdkNmJmZGJiZmE0NmVjMjZkZWNmNWQ2YjcxZmFhNDA0MjY5MzZkM2NjYmFlNjQxNjJkMWE2IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9saW51eC1jZ3JvdXBzLUNWRS0yMDIyLTA0OTItcmVsZWFzZV9hZ2VudEAxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtQkVOQ0gtTElOVVgtQ0ciLCJuYW1lIjoiQ1ZFLUJFTkNILUxJTlVYLUNHIn19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "impact_statement": "Evidence hash: sha256:c9506da274a7d6bfdbbfa46ec26decf5d6b71faa40426936d3ccbae64162d1a6",
+      "justification": "vulnerable_code_not_present",
+      "products": [
+        {
+          "@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
+        "name": "CVE-BENCH-LINUX-CG"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+    "paths": [],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "unreachable"
+  },
+  "paths": [],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "linux-cgroups-CVE-2022-0492-release_agent",
+      "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/metadata.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+  "cve_id": "CVE-BENCH-LINUX-CG",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
+  "reachability_status": "unreachable",
+  "variant": "unreachable"
+}
--- a/bench/findings/CVE-BENCH-LINUX-CG-unreachable/rekor.txt
+++ b/bench/findings/CVE-BENCH-LINUX-CG-unreachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.dsse.json
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDRmYjJlMmVmYjc5Yzc4YmJhYTZhOGUyYzZiYjM4MzE3ODJhMmQ1MzU4ZGU4N2ZjN2QxNzEwMmU4YzJlMzA1IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL3J1bmMtQ1ZFLTIwMjQtMjE2MjYtc3ltbGluay1icmVha291dEAxLjAuMCJ9XSwic3RhdHVzIjoiYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS1CRU5DSC1SVU5DLUNWRSIsIm5hbWUiOiJDVkUtQkVOQ0gtUlVOQy1DVkUifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.openvex.json
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:c44fb2e2efb79c78bbaa6a8e2c6bb3831782a2d5358de87fc7d17102e8c2e305",
+      "products": [
+        {
+          "@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
+        "name": "CVE-BENCH-RUNC-CVE"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "runc-CVE-2024-21626-symlink-breakout",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://runc:runc.c#entry",
+        "sym://runc:runc.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://runc:runc.c#entry",
+      "sym://runc:runc.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "runc-CVE-2024-21626-symlink-breakout",
+      "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/metadata.json
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/metadata.json
@@ -0,0 +1,11 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "cve_id": "CVE-BENCH-RUNC-CVE",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}
--- a/bench/findings/CVE-BENCH-RUNC-CVE-reachable/rekor.txt
+++ b/bench/findings/CVE-BENCH-RUNC-CVE-reachable/rekor.txt
@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z
--- a/Show More
+++ b/Show More