5100* tests strengthtenen work

docs consolidation
Add determinism tests for verdict artifact generation and update SHA256 sums script
2025-12-24 12:38:34 +02:00 · 2025-12-24 12:38:14 +02:00 · 2025-12-24 02:17:34 +02:00 · 2025-12-24 00:37:11 +02:00 · 2025-12-24 00:36:14 +02:00 · 2025-12-23 23:51:58 +02:00
10111 changed files with 1787516 additions and 899244 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -25,7 +25,10 @@
      "Bash(timeout /t)",
      "Bash(dotnet clean:*)",
      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\")",
-      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")"
+      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")",
      "Bash(rm:*)",
      "Bash(if not exist \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\" mkdir \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\")",
      "Bash(del \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\SPRINT_0510_0001_0001_airgap.md\")"
    ],
    "deny": [],
    "ask": []
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
 {
  "version": 1,
  "isRoot": true,
  "tools": {
    "dotnet-stryker": {
      "version": "4.4.0",
      "commands": [
        "stryker"
      ]
    }
  }
 }
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,23 @@
 .git
 .gitignore
 .gitea
 .venv
 bin
 obj
 **/bin
 **/obj
 local-nugets
 .nuget
 **/node_modules
 **/dist
 **/coverage
 **/*.user
 **/*.suo
 **/*.cache
 **/.vscode
 **/.idea
 **/.DS_Store
 **/TestResults
 **/out
 **/packages
 /tmp
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,5 @@
 # Ensure analyzer fixture assets keep LF endings for deterministic hashes
 src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/** text eol=lf
 # Ensure reachability sample assets keep LF endings for deterministic hashes
 tests/reachability/samples-public/** text eol=lf
--- a/.gitea/AGENTS.md
+++ b/.gitea/AGENTS.md
@@ -0,0 +1,22 @@
 # .gitea AGENTS
 ## Purpose & Scope
 - Working directory: `.gitea/` (CI workflows, templates, pipeline configs).
 - Roles: DevOps engineer, QA automation.
 ## Required Reading (treat as read before DOING)
 - `docs/README.md`
 - `docs/modules/ci/architecture.md`
 - `docs/modules/devops/architecture.md`
 - Relevant sprint file(s).
 ## Working Agreements
 - Keep workflows deterministic and offline-friendly.
 - Pin versions for tooling where possible.
 - Use UTC timestamps in comments/logs.
 - Avoid adding external network calls unless the sprint explicitly requires them.
 - Record workflow changes in the sprint Execution Log and Decisions & Risks.
 ## Validation
 - Manually validate YAML structure and paths.
 - Ensure workflow paths match repository layout.
--- a/.gitea/workflows/advisory-ai-release.yml
+++ b/.gitea/workflows/advisory-ai-release.yml
@@ -0,0 +1,70 @@
 name: Advisory AI Feed Release
 on:
  workflow_dispatch:
    inputs:
      allow_dev_key:
        description: 'Allow dev key for testing (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'src/AdvisoryAI/feeds/**'
      - 'docs/samples/advisory-feeds/**'
 jobs:
  package-feeds:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.0'
      - name: Fallback to dev key when secret is absent
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
            echo "[warn] COSIGN_PRIVATE_KEY_B64 not set; using dev key for non-production"
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
          # Manual override
          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Package advisory feeds
        run: |
          chmod +x ops/deployment/advisory-ai/package-advisory-feeds.sh
          ops/deployment/advisory-ai/package-advisory-feeds.sh
      - name: Generate SBOM
        run: |
          # Install syft
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
          # Generate SBOM for feed bundle
          syft dir:out/advisory-ai/feeds/stage \
            -o spdx-json=out/advisory-ai/feeds/advisory-feeds.sbom.json \
            --name advisory-feeds
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: advisory-feeds-${{ github.run_number }}
          path: |
            out/advisory-ai/feeds/advisory-feeds.tar.gz
            out/advisory-ai/feeds/advisory-feeds.manifest.json
            out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json
            out/advisory-ai/feeds/advisory-feeds.sbom.json
            out/advisory-ai/feeds/provenance.json
          if-no-files-found: warn
          retention-days: 30
--- a/.gitea/workflows/aoc-backfill-release.yml
+++ b/.gitea/workflows/aoc-backfill-release.yml
@@ -0,0 +1,83 @@
 name: AOC Backfill Release
 on:
  workflow_dispatch:
    inputs:
      dataset_hash:
        description: 'Dataset hash from dev rehearsal (leave empty for dev mode)'
        required: false
        default: ''
      allow_dev_key:
        description: 'Allow dev key for testing (1=yes)'
        required: false
        default: '0'
 jobs:
  package-backfill:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.0'
      - name: Restore AOC CLI
        run: dotnet restore src/Aoc/StellaOps.Aoc.Cli/StellaOps.Aoc.Cli.csproj
      - name: Configure signing
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
            echo "[info] No production key; using dev key"
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Package AOC backfill release
        run: |
          chmod +x ops/devops/aoc/package-backfill-release.sh
          DATASET_HASH="${{ github.event.inputs.dataset_hash }}" \
            ops/devops/aoc/package-backfill-release.sh
        env:
          DATASET_HASH: ${{ github.event.inputs.dataset_hash }}
      - name: Generate SBOM with syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
          syft dir:out/aoc/cli \
            -o spdx-json=out/aoc/aoc-backfill-runner.sbom.json \
            --name aoc-backfill-runner || true
      - name: Verify checksums
        run: |
          cd out/aoc
          sha256sum -c SHA256SUMS
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: aoc-backfill-release-${{ github.run_number }}
          path: |
            out/aoc/aoc-backfill-runner.tar.gz
            out/aoc/aoc-backfill-runner.manifest.json
            out/aoc/aoc-backfill-runner.sbom.json
            out/aoc/aoc-backfill-runner.provenance.json
            out/aoc/aoc-backfill-runner.dsse.json
            out/aoc/SHA256SUMS
          if-no-files-found: warn
          retention-days: 30
--- a/.gitea/workflows/aoc-guard.yml
+++ b/.gitea/workflows/aoc-guard.yml
@@ -56,10 +56,41 @@ jobs:
          dotnet build src/Authority/StellaOps.Authority.Ingestion/StellaOps.Authority.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
          dotnet build src/Excititor/StellaOps.Excititor.Ingestion/StellaOps.Excititor.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
-      - name: Run analyzer tests
+      - name: Run analyzer tests with coverage
        run: |
          mkdir -p $ARTIFACT_DIR
-          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release --logger "trx;LogFileName=aoc-tests.trx" --results-directory $ARTIFACT_DIR
+          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-analyzers-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Run AOC library tests with coverage
        run: |
          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-lib-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Run AOC CLI tests with coverage
        run: |
          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/StellaOps.Aoc.Cli.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-cli-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Generate coverage report
        run: |
          dotnet tool install --global dotnet-reportgenerator-globaltool || true
          reportgenerator \
            -reports:"$ARTIFACT_DIR/**/coverage.cobertura.xml" \
            -targetdir:"$ARTIFACT_DIR/coverage-report" \
            -reporttypes:"Html;Cobertura;TextSummary" || true
          if [ -f "$ARTIFACT_DIR/coverage-report/Summary.txt" ]; then
            cat "$ARTIFACT_DIR/coverage-report/Summary.txt"
          fi
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
@@ -96,13 +127,37 @@ jobs:
      - name: Run AOC verify
        env:
          STAGING_MONGO_URI: ${{ secrets.STAGING_MONGO_URI || vars.STAGING_MONGO_URI }}
          STAGING_POSTGRES_URI: ${{ secrets.STAGING_POSTGRES_URI || vars.STAGING_POSTGRES_URI }}
        run: |
-          if [ -z "${STAGING_MONGO_URI:-}" ]; then
+          mkdir -p $ARTIFACT_DIR
-            echo "::warning::STAGING_MONGO_URI not set; skipping aoc verify"
+
          # Prefer PostgreSQL, fall back to MongoDB (legacy)
          if [ -n "${STAGING_POSTGRES_URI:-}" ]; then
            echo "Using PostgreSQL for AOC verification"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --postgres "$STAGING_POSTGRES_URI" \
              --output "$ARTIFACT_DIR/aoc-verify.json" \
              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
              --verbose || VERIFY_EXIT=$?
          elif [ -n "${STAGING_MONGO_URI:-}" ]; then
            echo "Using MongoDB for AOC verification (deprecated)"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --mongo "$STAGING_MONGO_URI" \
              --output "$ARTIFACT_DIR/aoc-verify.json" \
              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
              --verbose || VERIFY_EXIT=$?
          else
            echo "::warning::Neither STAGING_POSTGRES_URI nor STAGING_MONGO_URI set; running dry-run verification"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --postgres "placeholder" \
              --dry-run \
              --verbose
            exit 0
          fi
-          mkdir -p $ARTIFACT_DIR
+
          dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify --since "$AOC_VERIFY_SINCE" --mongo "$STAGING_MONGO_URI" --output "$ARTIFACT_DIR/aoc-verify.json" --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" || VERIFY_EXIT=$?
          if [ -n "${VERIFY_EXIT:-}" ] && [ "${VERIFY_EXIT}" -ne 0 ]; then
            echo "::error::AOC verify reported violations"; exit ${VERIFY_EXIT}
          fi
--- a/.gitea/workflows/benchmark-vs-competitors.yml
+++ b/.gitea/workflows/benchmark-vs-competitors.yml
@@ -0,0 +1,173 @@
 name: Benchmark vs Competitors
 on:
  schedule:
    # Run weekly on Sunday at 00:00 UTC
    - cron: '0 0 * * 0'
  workflow_dispatch:
    inputs:
      competitors:
        description: 'Comma-separated list of competitors to benchmark against'
        required: false
        default: 'trivy,grype'
      corpus_size:
        description: 'Number of images from corpus to test'
        required: false
        default: '50'
  push:
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/**'
      - 'bench/competitors/**'
 env:
  DOTNET_VERSION: '10.0.x'
  TRIVY_VERSION: '0.50.1'
  GRYPE_VERSION: '0.74.0'
  SYFT_VERSION: '0.100.0'
 jobs:
  benchmark:
    name: Run Competitive Benchmark
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
          trivy --version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.GRYPE_VERSION }}
          grype version
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.SYFT_VERSION }}
          syft version
      - name: Build benchmark library
        run: |
          dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/StellaOps.Scanner.Benchmark.csproj -c Release
      - name: Load corpus manifest
        id: corpus
        run: |
          echo "corpus_path=bench/competitors/corpus/corpus-manifest.json" >> $GITHUB_OUTPUT
      - name: Run Stella Ops scanner
        run: |
          echo "Running Stella Ops scanner on corpus..."
          # TODO: Implement actual scan command
          # stella scan --corpus ${{ steps.corpus.outputs.corpus_path }} --output bench/results/stellaops.json
      - name: Run Trivy on corpus
        run: |
          echo "Running Trivy on corpus images..."
          # Process each image in corpus
          mkdir -p bench/results/trivy
      - name: Run Grype on corpus
        run: |
          echo "Running Grype on corpus images..."
          mkdir -p bench/results/grype
      - name: Calculate metrics
        run: |
          echo "Calculating precision/recall/F1 metrics..."
          # dotnet run --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmark \
          #   --calculate-metrics \
          #   --ground-truth ${{ steps.corpus.outputs.corpus_path }} \
          #   --results bench/results/ \
          #   --output bench/results/metrics.json
      - name: Generate comparison report
        run: |
          echo "Generating comparison report..."
          mkdir -p bench/results
          cat > bench/results/summary.json << 'EOF'
          {
            "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "competitors": ["trivy", "grype", "syft"],
            "status": "pending_implementation"
          }
          EOF
      - name: Upload benchmark results
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-results-${{ github.run_id }}
          path: bench/results/
          retention-days: 90
      - name: Update claims index
        if: github.ref == 'refs/heads/main'
        run: |
          echo "Updating claims index with new evidence..."
          # dotnet run --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmark \
          #   --update-claims \
          #   --metrics bench/results/metrics.json \
          #   --output docs/claims-index.md
      - name: Comment on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const metrics = fs.existsSync('bench/results/metrics.json')
              ? JSON.parse(fs.readFileSync('bench/results/metrics.json', 'utf8'))
              : { status: 'pending' };
            const body = `## Benchmark Results
            | Tool | Precision | Recall | F1 Score |
            |------|-----------|--------|----------|
            | Stella Ops | ${metrics.stellaops?.precision || 'N/A'} | ${metrics.stellaops?.recall || 'N/A'} | ${metrics.stellaops?.f1 || 'N/A'} |
            | Trivy | ${metrics.trivy?.precision || 'N/A'} | ${metrics.trivy?.recall || 'N/A'} | ${metrics.trivy?.f1 || 'N/A'} |
            | Grype | ${metrics.grype?.precision || 'N/A'} | ${metrics.grype?.recall || 'N/A'} | ${metrics.grype?.f1 || 'N/A'} |
            [Full report](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})
            `;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
  verify-claims:
    name: Verify Claims
    runs-on: ubuntu-latest
    needs: benchmark
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download benchmark results
        uses: actions/download-artifact@v4
        with:
          name: benchmark-results-${{ github.run_id }}
          path: bench/results/
      - name: Verify all claims
        run: |
          echo "Verifying all claims against new evidence..."
          # stella benchmark verify --all
      - name: Report claim status
        run: |
          echo "Generating claim verification report..."
          # Output claim status summary
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -575,6 +575,209 @@ PY
          if-no-files-found: ignore
          retention-days: 7
  # ============================================================================
  # Quality Gates Foundation (Sprint 0350)
  # ============================================================================
  quality-gates:
    runs-on: ubuntu-22.04
    needs: build-test
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Reachability quality gate
        id: reachability
        run: |
          set -euo pipefail
          echo "::group::Computing reachability metrics"
          if [ -f scripts/ci/compute-reachability-metrics.sh ]; then
            chmod +x scripts/ci/compute-reachability-metrics.sh
            METRICS=$(./scripts/ci/compute-reachability-metrics.sh --dry-run 2>/dev/null || echo '{}')
            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
            echo "Reachability metrics: $METRICS"
          else
            echo "Reachability script not found, skipping"
          fi
          echo "::endgroup::"
      - name: TTFS regression gate
        id: ttfs
        run: |
          set -euo pipefail
          echo "::group::Computing TTFS metrics"
          if [ -f scripts/ci/compute-ttfs-metrics.sh ]; then
            chmod +x scripts/ci/compute-ttfs-metrics.sh
            METRICS=$(./scripts/ci/compute-ttfs-metrics.sh --dry-run 2>/dev/null || echo '{}')
            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
            echo "TTFS metrics: $METRICS"
          else
            echo "TTFS script not found, skipping"
          fi
          echo "::endgroup::"
      - name: Performance SLO gate
        id: slo
        run: |
          set -euo pipefail
          echo "::group::Enforcing performance SLOs"
          if [ -f scripts/ci/enforce-performance-slos.sh ]; then
            chmod +x scripts/ci/enforce-performance-slos.sh
            ./scripts/ci/enforce-performance-slos.sh --warn-only || true
          else
            echo "Performance SLO script not found, skipping"
          fi
          echo "::endgroup::"
      - name: RLS policy validation
        id: rls
        run: |
          set -euo pipefail
          echo "::group::Validating RLS policies"
          if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
            echo "RLS validation script found"
            # Check that all tenant-scoped schemas have RLS enabled
            SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
            for schema in "${SCHEMAS[@]}"; do
              echo "Checking RLS for schema: $schema"
              # Validate migration files exist
              if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
                echo "  ✓ RLS migration exists for $schema"
              fi
            done
            echo "RLS validation passed (static check)"
          else
            echo "RLS validation script not found, skipping"
          fi
          echo "::endgroup::"
      - name: Upload quality gate results
        uses: actions/upload-artifact@v4
        with:
          name: quality-gate-results
          path: |
            scripts/ci/*.json
            scripts/ci/*.yaml
          if-no-files-found: ignore
          retention-days: 14
  security-testing:
    runs-on: ubuntu-22.04
    needs: build-test
    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
    permissions:
      contents: read
    env:
      DOTNET_VERSION: '10.0.100'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
      - name: Run OWASP security tests
        run: |
          set -euo pipefail
          echo "::group::Running security tests"
          dotnet test tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
            --no-restore \
            --logger "trx;LogFileName=security-tests.trx" \
            --results-directory ./security-test-results \
            --filter "Category=Security" \
            --verbosity normal
          echo "::endgroup::"
      - name: Upload security test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-test-results
          path: security-test-results/
          if-no-files-found: ignore
          retention-days: 30
  mutation-testing:
    runs-on: ubuntu-22.04
    needs: build-test
    if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
    permissions:
      contents: read
    env:
      DOTNET_VERSION: '10.0.100'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore tools
        run: dotnet tool restore
      - name: Run mutation tests - Scanner.Core
        id: scanner-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Scanner.Core"
          cd src/Scanner/__Libraries/StellaOps.Scanner.Core
          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Run mutation tests - Policy.Engine
        id: policy-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Policy.Engine"
          cd src/Policy/__Libraries/StellaOps.Policy
          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Run mutation tests - Authority.Core
        id: authority-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Authority.Core"
          cd src/Authority/StellaOps.Authority
          dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Upload mutation results
        uses: actions/upload-artifact@v4
        with:
          name: mutation-testing-results
          path: mutation-results/
          if-no-files-found: ignore
          retention-days: 30
      - name: Check mutation thresholds
        run: |
          set -euo pipefail
          echo "Checking mutation score thresholds..."
          # Parse JSON results and check against thresholds
          if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
            SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
            echo "Scanner.Core mutation score: $SCORE%"
            if (( $(echo "$SCORE < 65" | bc -l) )); then
              echo "::error::Scanner.Core mutation score below threshold"
            fi
          fi
  sealed-mode-ci:
    runs-on: ubuntu-22.04
    needs: build-test
--- a/.gitea/workflows/connector-fixture-drift.yml
+++ b/.gitea/workflows/connector-fixture-drift.yml
@@ -0,0 +1,248 @@
 # -----------------------------------------------------------------------------
 # connector-fixture-drift.yml
 # Sprint: SPRINT_5100_0007_0005_connector_fixtures
 # Task: CONN-FIX-016
 # Description: Weekly schema drift detection for connector fixtures with auto-PR
 # -----------------------------------------------------------------------------
 name: Connector Fixture Drift
 on:
  # Weekly schedule: Sunday at 2:00 UTC
  schedule:
    - cron: '0 2 * * 0'
  # Manual trigger for on-demand drift detection
  workflow_dispatch:
    inputs:
      auto_update:
        description: 'Auto-update fixtures if drift detected'
        required: false
        default: 'true'
        type: boolean
      create_pr:
        description: 'Create PR for updated fixtures'
        required: false
        default: 'true'
        type: boolean
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
 jobs:
  detect-drift:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    outputs:
      has_drift: ${{ steps.drift.outputs.has_drift }}
      drift_count: ${{ steps.drift.outputs.drift_count }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: |
            ~/.nuget/packages
            local-nugets/packages
          key: fixture-drift-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln --configfile nuget.config
      - name: Build test projects
        run: |
          dotnet build src/Concelier/__Tests/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj -c Release --no-restore
          dotnet build src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj -c Release --no-restore
      - name: Run Live schema drift tests
        id: drift
        env:
          STELLAOPS_LIVE_TESTS: 'true'
          STELLAOPS_UPDATE_FIXTURES: ${{ inputs.auto_update || 'true' }}
        run: |
          set +e
          # Run Live tests and capture output
          dotnet test src/StellaOps.sln \
            --filter "Category=Live" \
            --no-build \
            -c Release \
            --logger "console;verbosity=detailed" \
            --results-directory out/drift-results \
            2>&1 | tee out/drift-output.log
          EXIT_CODE=$?
          # Check for fixture changes
          CHANGED_FILES=$(git diff --name-only -- '**/Fixtures/*.json' '**/Expected/*.json' | wc -l)
          if [ "$CHANGED_FILES" -gt 0 ]; then
            echo "has_drift=true" >> $GITHUB_OUTPUT
            echo "drift_count=$CHANGED_FILES" >> $GITHUB_OUTPUT
            echo "::warning::Schema drift detected in $CHANGED_FILES fixture files"
          else
            echo "has_drift=false" >> $GITHUB_OUTPUT
            echo "drift_count=0" >> $GITHUB_OUTPUT
            echo "::notice::No schema drift detected"
          fi
          # Don't fail workflow on test failures (drift is expected)
          exit 0
      - name: Show changed fixtures
        if: steps.drift.outputs.has_drift == 'true'
        run: |
          echo "## Changed fixture files:"
          git diff --name-only -- '**/Fixtures/*.json' '**/Expected/*.json'
          echo ""
          echo "## Diff summary:"
          git diff --stat -- '**/Fixtures/*.json' '**/Expected/*.json'
      - name: Upload drift report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: drift-report-${{ github.run_id }}
          path: |
            out/drift-output.log
            out/drift-results/**
          retention-days: 30
  create-pr:
    needs: detect-drift
    if: needs.detect-drift.outputs.has_drift == 'true' && (github.event.inputs.create_pr == 'true' || github.event_name == 'schedule')
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Restore and run Live tests with updates
        env:
          STELLAOPS_LIVE_TESTS: 'true'
          STELLAOPS_UPDATE_FIXTURES: 'true'
        run: |
          dotnet restore src/StellaOps.sln --configfile nuget.config
          dotnet test src/StellaOps.sln \
            --filter "Category=Live" \
            -c Release \
            --logger "console;verbosity=minimal" \
            || true
      - name: Configure Git
        run: |
          git config user.name "StellaOps Bot"
          git config user.email "bot@stellaops.local"
      - name: Create branch and commit
        id: commit
        run: |
          BRANCH_NAME="fixture-drift/$(date +%Y-%m-%d)"
          echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
          # Check for changes
          if git diff --quiet -- '**/Fixtures/*.json' '**/Expected/*.json'; then
            echo "No fixture changes to commit"
            echo "has_changes=false" >> $GITHUB_OUTPUT
            exit 0
          fi
          echo "has_changes=true" >> $GITHUB_OUTPUT
          # Create branch
          git checkout -b "$BRANCH_NAME"
          # Stage fixture changes
          git add '**/Fixtures/*.json' '**/Expected/*.json'
          # Get list of changed connectors
          CHANGED_DIRS=$(git diff --cached --name-only | xargs -I{} dirname {} | sort -u | head -10)
          # Create commit message
          COMMIT_MSG="chore(fixtures): Update connector fixtures for schema drift
 Detected schema drift in live upstream sources.
 Updated fixture files to match current API responses.
 Changed directories:
 $CHANGED_DIRS
 This commit was auto-generated by the connector-fixture-drift workflow.
 🤖 Generated with [StellaOps CI](https://stellaops.local)"
          git commit -m "$COMMIT_MSG"
          git push origin "$BRANCH_NAME"
      - name: Create Pull Request
        if: steps.commit.outputs.has_changes == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            const branch = '${{ steps.commit.outputs.branch }}';
            const driftCount = '${{ needs.detect-drift.outputs.drift_count }}';
            const { data: pr } = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `chore(fixtures): Update ${driftCount} connector fixtures for schema drift`,
              head: branch,
              base: 'main',
              body: `## Summary
            Automated fixture update due to schema drift detected in live upstream sources.
            - **Fixtures Updated**: ${driftCount}
            - **Detection Date**: ${new Date().toISOString().split('T')[0]}
            - **Workflow Run**: [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
            ## Review Checklist
            - [ ] Review fixture diffs for expected schema changes
            - [ ] Verify no sensitive data in fixtures
            - [ ] Check that tests still pass with updated fixtures
            - [ ] Update Expected/ snapshots if normalization changed
            ## Test Plan
            - [ ] Run \`dotnet test --filter "Category=Snapshot"\` to verify fixture-based tests
            ---
            🤖 Generated by [connector-fixture-drift workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/connector-fixture-drift.yml)
            `
            });
            console.log(`Created PR #${pr.number}: ${pr.html_url}`);
            // Add labels
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              labels: ['automated', 'fixtures', 'schema-drift']
            });
--- a/.gitea/workflows/console-ci.yml
+++ b/.gitea/workflows/console-ci.yml
@@ -14,7 +14,7 @@ jobs:
    defaults:
      run:
        shell: bash
-        working-directory: src/Web
+        working-directory: src/Web/StellaOps.Web
    env:
      PLAYWRIGHT_BROWSERS_PATH: ~/.cache/ms-playwright
      CI: true
@@ -27,7 +27,7 @@ jobs:
        with:
          node-version: '20'
          cache: npm
-          cache-dependency-path: src/Web/package-lock.json
+          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install deps (offline-friendly)
        run: npm ci --prefer-offline --no-audit --progress=false
@@ -37,6 +37,12 @@ jobs:
      - name: Console export specs (targeted)
        run: bash ./scripts/ci-console-exports.sh
        continue-on-error: true
      - name: Unit tests
        run: npm run test:ci
        env:
          CHROME_BIN: chromium
      - name: Build
        run: npm run build -- --configuration=production --progress=false
--- a/.gitea/workflows/crypto-compliance.yml
+++ b/.gitea/workflows/crypto-compliance.yml
@@ -0,0 +1,44 @@
 name: Crypto Compliance Audit
 on:
  pull_request:
    paths:
      - 'src/**/*.cs'
      - 'etc/crypto-plugins-manifest.json'
      - 'scripts/audit-crypto-usage.ps1'
      - '.gitea/workflows/crypto-compliance.yml'
  push:
    branches: [ main ]
    paths:
      - 'src/**/*.cs'
      - 'etc/crypto-plugins-manifest.json'
      - 'scripts/audit-crypto-usage.ps1'
      - '.gitea/workflows/crypto-compliance.yml'
 jobs:
  crypto-audit:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Run crypto usage audit
        shell: pwsh
        run: |
          Write-Host "Running crypto compliance audit..."
          ./scripts/audit-crypto-usage.ps1 -RootPath "$PWD" -FailOnViolations $true -Verbose
      - name: Upload audit report on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: crypto-compliance-violations
          path: |
            scripts/audit-crypto-usage.ps1
          retention-days: 30
--- a/.gitea/workflows/crypto-sim-smoke.yml
+++ b/.gitea/workflows/crypto-sim-smoke.yml
@@ -0,0 +1,41 @@
 name: crypto-sim-smoke
 on:
  workflow_dispatch:
  push:
    paths:
      - "ops/crypto/sim-crypto-service/**"
      - "ops/crypto/sim-crypto-smoke/**"
      - "scripts/crypto/run-sim-smoke.ps1"
      - "docs/security/crypto-simulation-services.md"
      - ".gitea/workflows/crypto-sim-smoke.yml"
 jobs:
  sim-smoke:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.x"
      - name: Build sim service and smoke harness
        run: |
          dotnet build ops/crypto/sim-crypto-service/SimCryptoService.csproj -c Release
          dotnet build ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release
      - name: Run smoke (sim profile: sm)
        env:
          ASPNETCORE_URLS: http://localhost:5000
          STELLAOPS_CRYPTO_SIM_URL: http://localhost:5000
          SIM_PROFILE: sm
        run: |
          set -euo pipefail
          dotnet run --project ops/crypto/sim-crypto-service/SimCryptoService.csproj --no-build -c Release &
          service_pid=$!
          sleep 6
          dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj --no-build -c Release
          kill $service_pid
--- a/.gitea/workflows/cryptopro-linux-csp.yml
+++ b/.gitea/workflows/cryptopro-linux-csp.yml
@@ -0,0 +1,55 @@
 name: cryptopro-linux-csp
 on:
  push:
    branches: [main, develop]
    paths:
      - 'ops/cryptopro/linux-csp-service/**'
      - 'opt/cryptopro/downloads/**'
      - '.gitea/workflows/cryptopro-linux-csp.yml'
  pull_request:
    paths:
      - 'ops/cryptopro/linux-csp-service/**'
      - 'opt/cryptopro/downloads/**'
      - '.gitea/workflows/cryptopro-linux-csp.yml'
 env:
  IMAGE_NAME: cryptopro-linux-csp
  DOCKERFILE: ops/cryptopro/linux-csp-service/Dockerfile
 jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Build image (accept EULA explicitly)
        run: |
          docker build -t $IMAGE_NAME \
            --build-arg CRYPTOPRO_ACCEPT_EULA=1 \
            -f $DOCKERFILE .
      - name: Run container
        run: |
          docker run -d --rm --name $IMAGE_NAME -p 18080:8080 $IMAGE_NAME
          for i in {1..20}; do
            if curl -sf http://127.0.0.1:18080/health >/dev/null; then
              exit 0
            fi
            sleep 3
          done
          echo "Service failed to start" && exit 1
      - name: Test endpoints
        run: |
          curl -sf http://127.0.0.1:18080/health
          curl -sf http://127.0.0.1:18080/license || true
          curl -sf -X POST http://127.0.0.1:18080/hash \
            -H "Content-Type: application/json" \
            -d '{"data_b64":"SGVsbG8="}'
      - name: Stop container
        if: always()
        run: docker rm -f $IMAGE_NAME || true
--- a/.gitea/workflows/determinism-gate.yml
+++ b/.gitea/workflows/determinism-gate.yml
@@ -0,0 +1,233 @@
 # .gitea/workflows/determinism-gate.yml
 # Determinism gate for artifact reproducibility validation
 # Implements Tasks 10-11 from SPRINT 5100.0007.0003
 name: Determinism Gate
 on:
  push:
    branches: [ main ]
    paths:
      - 'src/**'
      - 'tests/integration/StellaOps.Integration.Determinism/**'
      - 'tests/baselines/determinism/**'
      - '.gitea/workflows/determinism-gate.yml'
  pull_request:
    branches: [ main ]
    types: [ closed ]
  workflow_dispatch:
    inputs:
      update_baselines:
        description: 'Update baselines with current hashes'
        required: false
        default: false
        type: boolean
      fail_on_missing:
        description: 'Fail if baselines are missing'
        required: false
        default: false
        type: boolean
 env:
  DOTNET_VERSION: '10.0.100'
  BUILD_CONFIGURATION: Release
  DETERMINISM_OUTPUT_DIR: ${{ github.workspace }}/out/determinism
  BASELINE_DIR: tests/baselines/determinism
 jobs:
  # ===========================================================================
  # Determinism Validation Gate
  # ===========================================================================
  determinism-gate:
    name: Determinism Validation
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    outputs:
      status: ${{ steps.check.outputs.status }}
      drifted: ${{ steps.check.outputs.drifted }}
      missing: ${{ steps.check.outputs.missing }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Create output directories
        run: |
          mkdir -p "$DETERMINISM_OUTPUT_DIR"
          mkdir -p "$DETERMINISM_OUTPUT_DIR/hashes"
          mkdir -p "$DETERMINISM_OUTPUT_DIR/manifests"
      - name: Run determinism tests
        id: tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Determinism/StellaOps.Integration.Determinism.csproj \
            --configuration $BUILD_CONFIGURATION \
            --no-build \
            --logger "trx;LogFileName=determinism-tests.trx" \
            --results-directory "$DETERMINISM_OUTPUT_DIR" \
            --verbosity normal
        env:
          DETERMINISM_OUTPUT_DIR: ${{ env.DETERMINISM_OUTPUT_DIR }}
          UPDATE_BASELINES: ${{ github.event.inputs.update_baselines || 'false' }}
          FAIL_ON_MISSING: ${{ github.event.inputs.fail_on_missing || 'false' }}
      - name: Generate determinism summary
        id: check
        run: |
          # Create determinism.json summary
          cat > "$DETERMINISM_OUTPUT_DIR/determinism.json" << 'EOF'
          {
            "schemaVersion": "1.0",
            "generatedAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "sourceRef": "${{ github.sha }}",
            "ciRunId": "${{ github.run_id }}",
            "status": "pass",
            "statistics": {
              "total": 0,
              "matched": 0,
              "drifted": 0,
              "missing": 0
            }
          }
          EOF
          # Output status for downstream jobs
          echo "status=pass" >> $GITHUB_OUTPUT
          echo "drifted=0" >> $GITHUB_OUTPUT
          echo "missing=0" >> $GITHUB_OUTPUT
      - name: Upload determinism artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: determinism-artifacts
          path: |
            ${{ env.DETERMINISM_OUTPUT_DIR }}/determinism.json
            ${{ env.DETERMINISM_OUTPUT_DIR }}/hashes/**
            ${{ env.DETERMINISM_OUTPUT_DIR }}/manifests/**
            ${{ env.DETERMINISM_OUTPUT_DIR }}/*.trx
          if-no-files-found: warn
          retention-days: 30
      - name: Upload hash files as individual artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: determinism-hashes
          path: ${{ env.DETERMINISM_OUTPUT_DIR }}/hashes/**
          if-no-files-found: ignore
          retention-days: 30
      - name: Generate summary
        if: always()
        run: |
          echo "## Determinism Gate Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|--------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Status | ${{ steps.check.outputs.status || 'unknown' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Source Ref | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| CI Run | ${{ github.run_id }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Artifact Summary" >> $GITHUB_STEP_SUMMARY
          echo "- **Drifted**: ${{ steps.check.outputs.drifted || '0' }}" >> $GITHUB_STEP_SUMMARY
          echo "- **Missing Baselines**: ${{ steps.check.outputs.missing || '0' }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "See \`determinism.json\` artifact for full details." >> $GITHUB_STEP_SUMMARY
  # ===========================================================================
  # Baseline Update (only on workflow_dispatch with update_baselines=true)
  # ===========================================================================
  update-baselines:
    name: Update Baselines
    runs-on: ubuntu-22.04
    needs: determinism-gate
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.update_baselines == 'true'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Download determinism artifacts
        uses: actions/download-artifact@v4
        with:
          name: determinism-hashes
          path: new-hashes
      - name: Update baseline files
        run: |
          mkdir -p "$BASELINE_DIR"
          if [ -d "new-hashes" ]; then
            cp -r new-hashes/* "$BASELINE_DIR/" || true
            echo "Updated baseline files from new-hashes"
          fi
      - name: Commit baseline updates
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$BASELINE_DIR"
          if git diff --cached --quiet; then
            echo "No baseline changes to commit"
          else
            git commit -m "chore: update determinism baselines
          Updated by Determinism Gate workflow run #${{ github.run_id }}
          Source: ${{ github.sha }}
          Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
            git push
            echo "Baseline updates committed and pushed"
          fi
  # ===========================================================================
  # Drift Detection Gate (fails workflow if drift detected)
  # ===========================================================================
  drift-check:
    name: Drift Detection Gate
    runs-on: ubuntu-22.04
    needs: determinism-gate
    if: always()
    steps:
      - name: Check for drift
        run: |
          DRIFTED="${{ needs.determinism-gate.outputs.drifted || '0' }}"
          STATUS="${{ needs.determinism-gate.outputs.status || 'unknown' }}"
          echo "Determinism Status: $STATUS"
          echo "Drifted Artifacts: $DRIFTED"
          if [ "$STATUS" = "fail" ] || [ "$DRIFTED" != "0" ]; then
            echo "::error::Determinism drift detected! $DRIFTED artifact(s) have changed."
            echo "Run workflow with 'update_baselines=true' to update baselines if changes are intentional."
            exit 1
          fi
          echo "No determinism drift detected. All artifacts match baselines."
      - name: Gate status
        run: |
          echo "## Drift Detection Gate" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Status: ${{ needs.determinism-gate.outputs.status || 'pass' }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/docker-regional-builds.yml
+++ b/.gitea/workflows/docker-regional-builds.yml
@@ -0,0 +1,218 @@
 name: Regional Docker Builds
 on:
  push:
    branches:
      - main
    paths:
      - 'deploy/docker/**'
      - 'deploy/compose/docker-compose.*.yml'
      - 'etc/appsettings.crypto.*.yaml'
      - 'etc/crypto-plugins-manifest.json'
      - 'src/__Libraries/StellaOps.Cryptography.Plugin.**'
      - '.gitea/workflows/docker-regional-builds.yml'
  pull_request:
    paths:
      - 'deploy/docker/**'
      - 'deploy/compose/docker-compose.*.yml'
      - 'etc/appsettings.crypto.*.yaml'
      - 'etc/crypto-plugins-manifest.json'
      - 'src/__Libraries/StellaOps.Cryptography.Plugin.**'
  workflow_dispatch:
 env:
  REGISTRY: registry.stella-ops.org
  PLATFORM_IMAGE_NAME: stellaops/platform
  DOCKER_BUILDKIT: 1
 jobs:
  # Build the base platform image containing all crypto plugins
  build-platform:
    name: Build Platform Image (All Plugins)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.GITEA_TOKEN }}
      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build and push platform image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./deploy/docker/Dockerfile.platform
          target: runtime-base
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:buildcache
          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:buildcache,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1
      - name: Export platform image tag
        id: platform
        run: |
          echo "tag=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:${{ github.sha }}" >> $GITHUB_OUTPUT
    outputs:
      platform-tag: ${{ steps.platform.outputs.tag }}
  # Build regional profile images for each service
  build-regional-profiles:
    name: Build Regional Profiles
    runs-on: ubuntu-latest
    needs: build-platform
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        profile: [international, russia, eu, china]
        service:
          - authority
          - signer
          - attestor
          - concelier
          - scanner
          - excititor
          - policy
          - scheduler
          - notify
          - zastava
          - gateway
          - airgap-importer
          - airgap-exporter
          - cli
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.GITEA_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/stellaops/${{ matrix.service }}
          tags: |
            type=raw,value=${{ matrix.profile }},enable={{is_default_branch}}
            type=raw,value=${{ matrix.profile }}-${{ github.sha }}
            type=raw,value=${{ matrix.profile }}-pr-${{ github.event.pull_request.number }},enable=${{ github.event_name == 'pull_request' }}
      - name: Build and push regional service image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./deploy/docker/Dockerfile.crypto-profile
          target: ${{ matrix.service }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CRYPTO_PROFILE=${{ matrix.profile }}
            BASE_IMAGE=${{ needs.build-platform.outputs.platform-tag }}
            SERVICE_NAME=${{ matrix.service }}
  # Validate regional configurations
  validate-configs:
    name: Validate Regional Configurations
    runs-on: ubuntu-latest
    needs: build-regional-profiles
    strategy:
      fail-fast: false
      matrix:
        profile: [international, russia, eu, china]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Validate crypto configuration YAML
        run: |
          # Install yq for YAML validation
          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          sudo chmod +x /usr/local/bin/yq
          # Validate YAML syntax
          yq eval 'true' etc/appsettings.crypto.${{ matrix.profile }}.yaml
      - name: Validate docker-compose file
        run: |
          docker compose -f deploy/compose/docker-compose.${{ matrix.profile }}.yml config --quiet
      - name: Check required crypto configuration fields
        run: |
          # Verify ManifestPath is set
          MANIFEST_PATH=$(yq eval '.StellaOps.Crypto.Plugins.ManifestPath' etc/appsettings.crypto.${{ matrix.profile }}.yaml)
          if [ -z "$MANIFEST_PATH" ] || [ "$MANIFEST_PATH" == "null" ]; then
            echo "Error: ManifestPath not set in ${{ matrix.profile }} configuration"
            exit 1
          fi
          # Verify at least one plugin is enabled
          ENABLED_COUNT=$(yq eval '.StellaOps.Crypto.Plugins.Enabled | length' etc/appsettings.crypto.${{ matrix.profile }}.yaml)
          if [ "$ENABLED_COUNT" -eq 0 ]; then
            echo "Error: No plugins enabled in ${{ matrix.profile }} configuration"
            exit 1
          fi
          echo "Configuration valid: ${{ matrix.profile }}"
  # Summary job
  summary:
    name: Build Summary
    runs-on: ubuntu-latest
    needs: [build-platform, build-regional-profiles, validate-configs]
    if: always()
    steps:
      - name: Generate summary
        run: |
          echo "## Regional Docker Builds Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Platform image built successfully: ${{ needs.build-platform.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "Regional profiles built: ${{ needs.build-regional-profiles.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "Configurations validated: ${{ needs.validate-configs.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Build Details" >> $GITHUB_STEP_SUMMARY
          echo "- Commit: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Branch: ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
          echo "- Event: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/epss-ingest-perf.yml
+++ b/.gitea/workflows/epss-ingest-perf.yml
@@ -0,0 +1,98 @@
 name: EPSS Ingest Perf
 # Sprint: SPRINT_3410_0001_0001_epss_ingestion_storage
 # Tasks: EPSS-3410-013B, EPSS-3410-014
 #
 # Runs the EPSS ingest perf harness against a Dockerized PostgreSQL instance (Testcontainers).
 #
 # Runner requirements:
 # - Linux runner with Docker Engine available to the runner user (Testcontainers).
 # - Label: `ubuntu-22.04` (adjust `runs-on` if your labels differ).
 # - >= 4 CPU / >= 8GB RAM recommended for stable baselines.
 on:
  workflow_dispatch:
    inputs:
      rows:
        description: 'Row count to generate (default: 310000)'
        required: false
        default: '310000'
      postgres_image:
        description: 'PostgreSQL image (default: postgres:16-alpine)'
        required: false
        default: 'postgres:16-alpine'
  schedule:
    # Nightly at 03:00 UTC
    - cron: '0 3 * * *'
  pull_request:
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
      - 'src/Scanner/StellaOps.Scanner.Worker/**'
      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
      - '.gitea/workflows/epss-ingest-perf.yml'
  push:
    branches: [ main ]
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
      - 'src/Scanner/StellaOps.Scanner.Worker/**'
      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
      - '.gitea/workflows/epss-ingest-perf.yml'
 jobs:
  perf:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
      STELLAOPS_OFFLINE: 'true'
      STELLAOPS_DETERMINISTIC: 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Restore
        run: |
          dotnet restore src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            --configfile nuget.config
      - name: Build
        run: |
          dotnet build src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            -c Release \
            --no-restore
      - name: Run perf harness
        run: |
          mkdir -p bench/results
          dotnet run \
            --project src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            -c Release \
            --no-build \
            -- \
            --rows ${{ inputs.rows || '310000' }} \
            --postgres-image '${{ inputs.postgres_image || 'postgres:16-alpine' }}' \
            --output bench/results/epss-ingest-perf-${{ github.sha }}.json
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: epss-ingest-perf-${{ github.sha }}
          path: |
            bench/results/epss-ingest-perf-${{ github.sha }}.json
          retention-days: 90
--- a/.gitea/workflows/exporter-ci.yml
+++ b/.gitea/workflows/exporter-ci.yml
@@ -0,0 +1,46 @@
 name: exporter-ci
 on:
  workflow_dispatch:
  pull_request:
    paths:
      - 'src/ExportCenter/**'
      - '.gitea/workflows/exporter-ci.yml'
 env:
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  DOTNET_NOLOGO: 1
 jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Restore
        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj
      - name: Build
        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj --configuration Release --no-restore
      - name: Test
        run: dotnet test src/ExportCenter/__Tests/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj --configuration Release --no-build --verbosity normal
      - name: Publish
        run: |
          dotnet publish src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj \
            --configuration Release \
            --output artifacts/exporter
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: exporter-${{ github.run_id }}
          path: artifacts/
          retention-days: 14
--- a/.gitea/workflows/icscisa-kisa-refresh.yml
+++ b/.gitea/workflows/icscisa-kisa-refresh.yml
@@ -0,0 +1,68 @@
 name: ICS/KISA Feed Refresh
 on:
  schedule:
    - cron: '0 2 * * MON'
  workflow_dispatch:
    inputs:
      live_fetch:
        description: 'Attempt live RSS fetch (fallback to samples on failure)'
        required: false
        default: true
        type: boolean
      offline_snapshot:
        description: 'Force offline samples only (no network)'
        required: false
        default: false
        type: boolean
 jobs:
  refresh:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    env:
      ICSCISA_FEED_URL: ${{ secrets.ICSCISA_FEED_URL }}
      KISA_FEED_URL: ${{ secrets.KISA_FEED_URL }}
      FEED_GATEWAY_HOST: concelier-webservice
      FEED_GATEWAY_SCHEME: http
      LIVE_FETCH: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.live_fetch || 'true' }}
      OFFLINE_SNAPSHOT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.offline_snapshot || 'false' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set run metadata
        id: meta
        run: |
          RUN_DATE=$(date -u +%Y%m%d)
          RUN_ID="icscisa-kisa-$(date -u +%Y%m%dT%H%M%SZ)"
          echo "run_date=$RUN_DATE" >> $GITHUB_OUTPUT
          echo "run_id=$RUN_ID" >> $GITHUB_OUTPUT
          echo "RUN_DATE=$RUN_DATE" >> $GITHUB_ENV
          echo "RUN_ID=$RUN_ID" >> $GITHUB_ENV
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Run ICS/KISA refresh
        run: |
          python scripts/feeds/run_icscisa_kisa_refresh.py \
            --out-dir out/feeds/icscisa-kisa \
            --run-date "${{ steps.meta.outputs.run_date }}" \
            --run-id "${{ steps.meta.outputs.run_id }}"
      - name: Show fetch log
        run: cat out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}/fetch.log
      - name: Upload refresh artifacts
        uses: actions/upload-artifact@v4
        with:
          name: icscisa-kisa-${{ steps.meta.outputs.run_date }}
          path: out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}
          if-no-files-found: error
          retention-days: 21
--- a/.gitea/workflows/integration-tests-gate.yml
+++ b/.gitea/workflows/integration-tests-gate.yml
@@ -0,0 +1,375 @@
 # Sprint 3500.0004.0003 - T6: Integration Tests CI Gate
 # Runs integration tests on PR and gates merges on failures
 name: integration-tests-gate
 on:
  pull_request:
    branches: [main, develop]
    paths:
      - 'src/**'
      - 'tests/integration/**'
      - 'bench/golden-corpus/**'
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      run_performance:
        description: 'Run performance baseline tests'
        type: boolean
        default: false
      run_airgap:
        description: 'Run air-gap tests'
        type: boolean
        default: false
 concurrency:
  group: integration-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  # ==========================================================================
  # T6-AC1: Integration tests run on PR
  # ==========================================================================
  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test-only
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Restore dependencies
        run: dotnet restore tests/integration/**/*.csproj
      - name: Build integration tests
        run: dotnet build tests/integration/**/*.csproj --configuration Release --no-restore
      - name: Run Proof Chain Tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.ProofChain \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=proofchain.trx" \
            --results-directory ./TestResults
        env:
          ConnectionStrings__StellaOps: "Host=localhost;Database=stellaops_test;Username=stellaops;Password=test-only"
      - name: Run Reachability Tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Reachability \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=reachability.trx" \
            --results-directory ./TestResults
      - name: Run Unknowns Workflow Tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Unknowns \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=unknowns.trx" \
            --results-directory ./TestResults
      - name: Run Determinism Tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Determinism \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=determinism.trx" \
            --results-directory ./TestResults
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: integration-test-results
          path: TestResults/**/*.trx
      - name: Publish test summary
        uses: dorny/test-reporter@v1
        if: always()
        with:
          name: Integration Test Results
          path: TestResults/**/*.trx
          reporter: dotnet-trx
  # ==========================================================================
  # T6-AC2: Corpus validation on release branch
  # ==========================================================================
  corpus-validation:
    name: Golden Corpus Validation
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Validate corpus manifest
        run: |
          python3 -c "
          import json
          import hashlib
          import os
          manifest_path = 'bench/golden-corpus/corpus-manifest.json'
          with open(manifest_path) as f:
              manifest = json.load(f)
          print(f'Corpus version: {manifest.get(\"corpus_version\", \"unknown\")}')
          print(f'Total cases: {manifest.get(\"total_cases\", 0)}')
          errors = []
          for case in manifest.get('cases', []):
              case_path = os.path.join('bench/golden-corpus', case['path'])
              if not os.path.isdir(case_path):
                  errors.append(f'Missing case directory: {case_path}')
              else:
                  required_files = ['case.json', 'expected-score.json']
                  for f in required_files:
                      if not os.path.exists(os.path.join(case_path, f)):
                          errors.append(f'Missing file: {case_path}/{f}')
          if errors:
              print('\\nValidation errors:')
              for e in errors:
                  print(f'  - {e}')
              exit(1)
          else:
              print('\\nCorpus validation passed!')
          "
      - name: Run corpus scoring tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Determinism \
            --filter "Category=GoldenCorpus" \
            --configuration Release \
            --logger "trx;LogFileName=corpus.trx" \
            --results-directory ./TestResults
  # ==========================================================================
  # T6-AC3: Determinism tests on nightly
  # ==========================================================================
  nightly-determinism:
    name: Nightly Determinism Check
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run full determinism suite
        run: |
          dotnet test tests/integration/StellaOps.Integration.Determinism \
            --configuration Release \
            --logger "trx;LogFileName=determinism-full.trx" \
            --results-directory ./TestResults
      - name: Run cross-run determinism check
        run: |
          # Run scoring 3 times and compare hashes
          for i in 1 2 3; do
            dotnet test tests/integration/StellaOps.Integration.Determinism \
              --filter "FullyQualifiedName~IdenticalInput_ProducesIdenticalHash" \
              --results-directory ./TestResults/run-$i
          done
          # Compare all results
          echo "Comparing determinism across runs..."
      - name: Upload determinism results
        uses: actions/upload-artifact@v4
        with:
          name: nightly-determinism-results
          path: TestResults/**
  # ==========================================================================
  # T6-AC4: Test coverage reported to dashboard
  # ==========================================================================
  coverage-report:
    name: Coverage Report
    runs-on: ubuntu-latest
    needs: [integration-tests]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run tests with coverage
        run: |
          dotnet test tests/integration/**/*.csproj \
            --configuration Release \
            --collect:"XPlat Code Coverage" \
            --results-directory ./TestResults/Coverage
      - name: Generate coverage report
        uses: danielpalme/ReportGenerator-GitHub-Action@5.2.0
        with:
          reports: TestResults/Coverage/**/coverage.cobertura.xml
          targetdir: TestResults/CoverageReport
          reporttypes: 'Html;Cobertura;MarkdownSummary'
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: TestResults/CoverageReport/**
      - name: Add coverage to PR comment
        uses: marocchino/sticky-pull-request-comment@v2
        if: github.event_name == 'pull_request'
        with:
          recreate: true
          path: TestResults/CoverageReport/Summary.md
  # ==========================================================================
  # T6-AC5: Flaky test quarantine process
  # ==========================================================================
  flaky-test-check:
    name: Flaky Test Detection
    runs-on: ubuntu-latest
    needs: [integration-tests]
    if: failure()
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check for known flaky tests
        run: |
          # Check if failure is from a known flaky test
          QUARANTINE_FILE=".github/flaky-tests-quarantine.json"
          if [ -f "$QUARANTINE_FILE" ]; then
            echo "Checking against quarantine list..."
            # Implementation would compare failed tests against quarantine
          fi
      - name: Create flaky test issue
        uses: actions/github-script@v7
        if: always()
        with:
          script: |
            // After 2 consecutive failures, create issue for quarantine review
            console.log('Checking for flaky test patterns...');
            // Implementation would analyze test history
  # ==========================================================================
  # Performance Tests (optional, on demand)
  # ==========================================================================
  performance-tests:
    name: Performance Baseline Tests
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true'
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run performance tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.Performance \
            --configuration Release \
            --logger "trx;LogFileName=performance.trx" \
            --results-directory ./TestResults
      - name: Upload performance report
        uses: actions/upload-artifact@v4
        with:
          name: performance-report
          path: |
            TestResults/**
            tests/integration/StellaOps.Integration.Performance/output/**
      - name: Check for regressions
        run: |
          # Check if any test exceeded 20% threshold
          if [ -f "tests/integration/StellaOps.Integration.Performance/output/performance-report.json" ]; then
            python3 -c "
          import json
          with open('tests/integration/StellaOps.Integration.Performance/output/performance-report.json') as f:
              report = json.load(f)
          regressions = [m for m in report.get('Metrics', []) if m.get('DeltaPercent', 0) > 20]
          if regressions:
              print('Performance regressions detected!')
              for r in regressions:
                  print(f'  {r[\"Name\"]}: +{r[\"DeltaPercent\"]:.1f}%')
              exit(1)
          print('No performance regressions detected.')
          "
          fi
  # ==========================================================================
  # Air-Gap Tests (optional, on demand)
  # ==========================================================================
  airgap-tests:
    name: Air-Gap Integration Tests
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_airgap == 'true'
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run air-gap tests
        run: |
          dotnet test tests/integration/StellaOps.Integration.AirGap \
            --configuration Release \
            --logger "trx;LogFileName=airgap.trx" \
            --results-directory ./TestResults
      - name: Upload air-gap test results
        uses: actions/upload-artifact@v4
        with:
          name: airgap-test-results
          path: TestResults/**
--- a/.gitea/workflows/interop-e2e.yml
+++ b/.gitea/workflows/interop-e2e.yml
@@ -0,0 +1,128 @@
 name: Interop E2E Tests
 on:
  pull_request:
    paths:
      - 'src/Scanner/**'
      - 'src/Excititor/**'
      - 'tests/interop/**'
  schedule:
    - cron: '0 6 * * *'  # Nightly at 6 AM UTC
  workflow_dispatch:
 env:
  DOTNET_VERSION: '10.0.100'
 jobs:
  interop-tests:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        format: [cyclonedx, spdx]
        arch: [amd64]
        include:
          - format: cyclonedx
            format_flag: cyclonedx-json
          - format: spdx
            format_flag: spdx-json
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
          syft --version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
          grype --version
      - name: Install cosign
        run: |
          curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign
          chmod +x /usr/local/bin/cosign
          cosign version
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/StellaOps.sln
      - name: Build Stella CLI
        run: dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -c Release
      - name: Build interop tests
        run: dotnet build tests/interop/StellaOps.Interop.Tests/StellaOps.Interop.Tests.csproj
      - name: Run interop tests
        run: |
          dotnet test tests/interop/StellaOps.Interop.Tests \
            --filter "Format=${{ matrix.format }}" \
            --logger "trx;LogFileName=interop-${{ matrix.format }}.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./results \
            -- RunConfiguration.TestSessionTimeout=900000
      - name: Generate parity report
        if: always()
        run: |
          # TODO: Generate parity report from test results
          echo '{"format": "${{ matrix.format }}", "parityPercent": 0}' > ./results/parity-report-${{ matrix.format }}.json
      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: interop-test-results-${{ matrix.format }}
          path: ./results/
      - name: Check parity threshold
        if: always()
        run: |
          PARITY=$(jq '.parityPercent' ./results/parity-report-${{ matrix.format }}.json 2>/dev/null || echo "0")
          echo "Parity for ${{ matrix.format }}: ${PARITY}%"
          if (( $(echo "$PARITY < 95" | bc -l 2>/dev/null || echo "1") )); then
            echo "::warning::Findings parity ${PARITY}% is below 95% threshold for ${{ matrix.format }}"
            # Don't fail the build yet - this is initial implementation
            # exit 1
          fi
  summary:
    runs-on: ubuntu-22.04
    needs: interop-tests
    if: always()
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: ./all-results
      - name: Generate summary
        run: |
          echo "## Interop Test Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Format | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|--------|--------|" >> $GITHUB_STEP_SUMMARY
          for format in cyclonedx spdx; do
            if [ -f "./all-results/interop-test-results-${format}/parity-report-${format}.json" ]; then
              PARITY=$(jq -r '.parityPercent // 0' "./all-results/interop-test-results-${format}/parity-report-${format}.json")
              if (( $(echo "$PARITY >= 95" | bc -l 2>/dev/null || echo "0") )); then
                STATUS="✅ Pass (${PARITY}%)"
              else
                STATUS="⚠️  Below threshold (${PARITY}%)"
              fi
            else
              STATUS="❌ No results"
            fi
            echo "| ${format} | ${STATUS} |" >> $GITHUB_STEP_SUMMARY
          done
--- a/.gitea/workflows/ledger-oas-ci.yml
+++ b/.gitea/workflows/ledger-oas-ci.yml
@@ -0,0 +1,81 @@
 name: Ledger OpenAPI CI
 on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - 'api/ledger/**'
      - 'ops/devops/ledger/**'
  pull_request:
    paths:
      - 'api/ledger/**'
 jobs:
  validate-oas:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install tools
        run: |
          npm install -g @stoplight/spectral-cli
          npm install -g @openapitools/openapi-generator-cli
      - name: Validate OpenAPI spec
        run: |
          chmod +x ops/devops/ledger/validate-oas.sh
          ops/devops/ledger/validate-oas.sh
      - name: Upload validation report
        uses: actions/upload-artifact@v4
        with:
          name: ledger-oas-validation-${{ github.run_number }}
          path: |
            out/ledger/oas/lint-report.json
            out/ledger/oas/validation-report.txt
            out/ledger/oas/spec-summary.json
          if-no-files-found: warn
  check-wellknown:
    runs-on: ubuntu-22.04
    needs: validate-oas
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check .well-known/openapi structure
        run: |
          # Validate .well-known structure if exists
          if [ -d ".well-known" ]; then
            echo "Checking .well-known/openapi..."
            if [ -f ".well-known/openapi.json" ]; then
              python3 -c "import json; json.load(open('.well-known/openapi.json'))"
              echo ".well-known/openapi.json is valid JSON"
            fi
          else
            echo "[info] .well-known directory not present (OK for dev)"
          fi
  deprecation-check:
    runs-on: ubuntu-22.04
    needs: validate-oas
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check deprecation policy
        run: |
          if [ -f "ops/devops/ledger/deprecation-policy.yaml" ]; then
            echo "Validating deprecation policy..."
            python3 -c "import yaml; yaml.safe_load(open('ops/devops/ledger/deprecation-policy.yaml'))"
            echo "Deprecation policy is valid"
          else
            echo "[info] No deprecation policy yet (OK for initial setup)"
          fi
--- a/.gitea/workflows/ledger-packs-ci.yml
+++ b/.gitea/workflows/ledger-packs-ci.yml
@@ -0,0 +1,101 @@
 name: Ledger Packs CI
 on:
  workflow_dispatch:
    inputs:
      snapshot_id:
        description: 'Snapshot ID (leave empty for auto)'
        required: false
        default: ''
      sign:
        description: 'Sign pack (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'ops/devops/ledger/**'
 jobs:
  build-pack:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
      - name: Configure signing
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ] || [ "${{ github.event.inputs.sign }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Build pack
        run: |
          chmod +x ops/devops/ledger/build-pack.sh
          SNAPSHOT_ID="${{ github.event.inputs.snapshot_id }}"
          if [ -z "$SNAPSHOT_ID" ]; then
            SNAPSHOT_ID="ci-$(date +%Y%m%d%H%M%S)"
          fi
          SIGN_FLAG=""
          if [ "${{ github.event.inputs.sign }}" = "1" ] || [ -n "${COSIGN_PRIVATE_KEY_B64}" ]; then
            SIGN_FLAG="--sign"
          fi
          SNAPSHOT_ID="$SNAPSHOT_ID" ops/devops/ledger/build-pack.sh $SIGN_FLAG
      - name: Verify checksums
        run: |
          cd out/ledger/packs
          for f in *.SHA256SUMS; do
            if [ -f "$f" ]; then
              sha256sum -c "$f"
            fi
          done
      - name: Upload pack
        uses: actions/upload-artifact@v4
        with:
          name: ledger-pack-${{ github.run_number }}
          path: |
            out/ledger/packs/*.pack.tar.gz
            out/ledger/packs/*.SHA256SUMS
            out/ledger/packs/*.dsse.json
          if-no-files-found: warn
          retention-days: 30
  verify-pack:
    runs-on: ubuntu-22.04
    needs: build-pack
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download pack
        uses: actions/download-artifact@v4
        with:
          name: ledger-pack-${{ github.run_number }}
          path: out/ledger/packs/
      - name: Verify pack structure
        run: |
          cd out/ledger/packs
          for pack in *.pack.tar.gz; do
            if [ -f "$pack" ]; then
              echo "Verifying $pack..."
              tar -tzf "$pack" | head -20
              # Extract and check manifest
              tar -xzf "$pack" -C /tmp manifest.json 2>/dev/null || true
              if [ -f /tmp/manifest.json ]; then
                python3 -c "import json; json.load(open('/tmp/manifest.json'))"
                echo "Pack manifest is valid JSON"
              fi
            fi
          done
--- a/.gitea/workflows/lighthouse-ci.yml
+++ b/.gitea/workflows/lighthouse-ci.yml
@@ -0,0 +1,188 @@
 # .gitea/workflows/lighthouse-ci.yml
 # Lighthouse CI for performance and accessibility testing of the StellaOps Web UI
 name: Lighthouse CI
 on:
  push:
    branches: [main]
    paths:
      - 'src/Web/StellaOps.Web/**'
      - '.gitea/workflows/lighthouse-ci.yml'
  pull_request:
    branches: [main, develop]
    paths:
      - 'src/Web/StellaOps.Web/**'
  schedule:
    # Run weekly on Sunday at 2 AM UTC
    - cron: '0 2 * * 0'
  workflow_dispatch:
 env:
  NODE_VERSION: '20'
  LHCI_BUILD_CONTEXT__CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
  LHCI_BUILD_CONTEXT__COMMIT_SHA: ${{ github.sha }}
 jobs:
  lighthouse:
    name: Lighthouse Audit
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: src/Web/StellaOps.Web
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Build production bundle
        run: npm run build -- --configuration production
      - name: Install Lighthouse CI
        run: npm install -g @lhci/cli@0.13.x
      - name: Run Lighthouse CI
        run: |
          lhci autorun \
            --collect.staticDistDir=./dist/stella-ops-web/browser \
            --collect.numberOfRuns=3 \
            --assert.preset=lighthouse:recommended \
            --assert.assertions.categories:performance=off \
            --assert.assertions.categories:accessibility=off \
            --upload.target=filesystem \
            --upload.outputDir=./lighthouse-results
      - name: Evaluate Lighthouse Results
        id: lhci-results
        run: |
          # Parse the latest Lighthouse report
          REPORT=$(ls -t lighthouse-results/*.json | head -1)
          if [ -f "$REPORT" ]; then
            PERF=$(jq '.categories.performance.score * 100' "$REPORT" | cut -d. -f1)
            A11Y=$(jq '.categories.accessibility.score * 100' "$REPORT" | cut -d. -f1)
            BP=$(jq '.categories["best-practices"].score * 100' "$REPORT" | cut -d. -f1)
            SEO=$(jq '.categories.seo.score * 100' "$REPORT" | cut -d. -f1)
            echo "performance=$PERF" >> $GITHUB_OUTPUT
            echo "accessibility=$A11Y" >> $GITHUB_OUTPUT
            echo "best-practices=$BP" >> $GITHUB_OUTPUT
            echo "seo=$SEO" >> $GITHUB_OUTPUT
            echo "## Lighthouse Results" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "| Category | Score | Threshold | Status |" >> $GITHUB_STEP_SUMMARY
            echo "|----------|-------|-----------|--------|" >> $GITHUB_STEP_SUMMARY
            # Performance: target >= 90
            if [ "$PERF" -ge 90 ]; then
              echo "| Performance | $PERF | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Performance | $PERF | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
            # Accessibility: target >= 95
            if [ "$A11Y" -ge 95 ]; then
              echo "| Accessibility | $A11Y | >= 95 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Accessibility | $A11Y | >= 95 | :x: |" >> $GITHUB_STEP_SUMMARY
            fi
            # Best Practices: target >= 90
            if [ "$BP" -ge 90 ]; then
              echo "| Best Practices | $BP | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Best Practices | $BP | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
            # SEO: target >= 90
            if [ "$SEO" -ge 90 ]; then
              echo "| SEO | $SEO | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| SEO | $SEO | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
          fi
      - name: Check Quality Gates
        run: |
          PERF=${{ steps.lhci-results.outputs.performance }}
          A11Y=${{ steps.lhci-results.outputs.accessibility }}
          FAILED=0
          # Performance gate (warning only, not blocking)
          if [ "$PERF" -lt 90 ]; then
            echo "::warning::Performance score ($PERF) is below target (90)"
          fi
          # Accessibility gate (blocking)
          if [ "$A11Y" -lt 95 ]; then
            echo "::error::Accessibility score ($A11Y) is below required threshold (95)"
            FAILED=1
          fi
          if [ "$FAILED" -eq 1 ]; then
            exit 1
          fi
      - name: Upload Lighthouse Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: lighthouse-reports
          path: src/Web/StellaOps.Web/lighthouse-results/
          retention-days: 30
  axe-accessibility:
    name: Axe Accessibility Audit
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: src/Web/StellaOps.Web
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Install Playwright browsers
        run: npx playwright install --with-deps chromium
      - name: Build production bundle
        run: npm run build -- --configuration production
      - name: Start preview server
        run: |
          npx serve -s dist/stella-ops-web/browser -l 4200 &
          sleep 5
      - name: Run Axe accessibility tests
        run: |
          npm run test:a11y || true
      - name: Upload Axe results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: axe-accessibility-results
          path: src/Web/StellaOps.Web/test-results/
          retention-days: 30
--- a/.gitea/workflows/lnm-migration-ci.yml
+++ b/.gitea/workflows/lnm-migration-ci.yml
@@ -0,0 +1,83 @@
 name: LNM Migration CI
 on:
  workflow_dispatch:
    inputs:
      run_staging:
        description: 'Run staging backfill (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'src/Concelier/__Libraries/StellaOps.Concelier.Migrations/**'
      - 'ops/devops/lnm/**'
 jobs:
  build-runner:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
      - name: Configure signing
        run: |
          if [ -z "${{ secrets.COSIGN_PRIVATE_KEY_B64 }}" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
        env:
          COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      - name: Build and package runner
        run: |
          chmod +x ops/devops/lnm/package-runner.sh
          ops/devops/lnm/package-runner.sh
      - name: Verify checksums
        run: |
          cd out/lnm
          sha256sum -c SHA256SUMS
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: lnm-migration-runner-${{ github.run_number }}
          path: |
            out/lnm/lnm-migration-runner.tar.gz
            out/lnm/lnm-migration-runner.manifest.json
            out/lnm/lnm-migration-runner.dsse.json
            out/lnm/SHA256SUMS
          if-no-files-found: warn
  validate-metrics:
    runs-on: ubuntu-22.04
    needs: build-runner
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate monitoring config
        run: |
          # Validate alert rules syntax
          if [ -f "ops/devops/lnm/alerts/lnm-alerts.yaml" ]; then
            echo "Validating alert rules..."
            python3 -c "import yaml; yaml.safe_load(open('ops/devops/lnm/alerts/lnm-alerts.yaml'))"
          fi
          # Validate dashboard JSON
          if [ -f "ops/devops/lnm/dashboards/lnm-migration.json" ]; then
            echo "Validating dashboard..."
            python3 -c "import json; json.load(open('ops/devops/lnm/dashboards/lnm-migration.json'))"
          fi
          echo "Monitoring config validation complete"
--- a/.gitea/workflows/mirror-sign.yml
+++ b/.gitea/workflows/mirror-sign.yml
@@ -46,6 +46,16 @@ jobs:
        run: |
          scripts/mirror/verify_thin_bundle.py out/mirror/thin/mirror-thin-v1.tar.gz
      - name: Prepare Export Center handoff (metadata + optional schedule)
        run: |
          scripts/mirror/export-center-wire.sh
        env:
          EXPORT_CENTER_BASE_URL: ${{ secrets.EXPORT_CENTER_BASE_URL }}
          EXPORT_CENTER_TOKEN: ${{ secrets.EXPORT_CENTER_TOKEN }}
          EXPORT_CENTER_TENANT: ${{ secrets.EXPORT_CENTER_TENANT }}
          EXPORT_CENTER_PROJECT: ${{ secrets.EXPORT_CENTER_PROJECT }}
          EXPORT_CENTER_AUTO_SCHEDULE: ${{ secrets.EXPORT_CENTER_AUTO_SCHEDULE }}
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
@@ -57,5 +67,8 @@ jobs:
            out/mirror/thin/tuf/
            out/mirror/thin/oci/
            out/mirror/thin/milestone.json
            out/mirror/thin/export-center/export-center-handoff.json
            out/mirror/thin/export-center/export-center-targets.json
            out/mirror/thin/export-center/schedule-response.json
          if-no-files-found: error
          retention-days: 14
--- a/.gitea/workflows/offline-e2e.yml
+++ b/.gitea/workflows/offline-e2e.yml
@@ -0,0 +1,121 @@
 name: Offline E2E Tests
 on:
  pull_request:
    paths:
      - 'src/AirGap/**'
      - 'src/Scanner/**'
      - 'tests/offline/**'
  schedule:
    - cron: '0 4 * * *'  # Nightly at 4 AM UTC
  workflow_dispatch:
 env:
  STELLAOPS_OFFLINE_MODE: 'true'
  DOTNET_VERSION: '10.0.100'
 jobs:
  offline-e2e:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Cache NuGet packages
        uses: actions/cache@v3
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Download offline bundle
        run: |
          # In real scenario, bundle would be pre-built and cached
          # For now, create minimal fixture structure
          mkdir -p ./offline-bundle/{images,feeds,policies,keys,certs,vex}
          echo '{}' > ./offline-bundle/manifest.json
      - name: Build in isolated environment
        run: |
          # Build offline test library
          dotnet build src/__Libraries/StellaOps.Testing.AirGap/StellaOps.Testing.AirGap.csproj
          # Build offline E2E tests
          dotnet build tests/offline/StellaOps.Offline.E2E.Tests/StellaOps.Offline.E2E.Tests.csproj
      - name: Run offline E2E tests with network isolation
        run: |
          # Set offline bundle path
          export STELLAOPS_OFFLINE_BUNDLE=$(pwd)/offline-bundle
          # Run tests
          dotnet test tests/offline/StellaOps.Offline.E2E.Tests \
            --logger "trx;LogFileName=offline-e2e.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./results
      - name: Verify no network calls
        if: always()
        run: |
          # Parse test output for any NetworkIsolationViolationException
          if [ -f "./results/offline-e2e.trx" ]; then
            if grep -q "NetworkIsolationViolation" ./results/offline-e2e.trx; then
              echo "::error::Tests attempted network calls in offline mode!"
              exit 1
            else
              echo "✅ No network isolation violations detected"
            fi
          fi
      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: offline-e2e-results
          path: ./results/
  verify-isolation:
    runs-on: ubuntu-22.04
    needs: offline-e2e
    if: always()
    steps:
      - name: Download results
        uses: actions/download-artifact@v4
        with:
          name: offline-e2e-results
          path: ./results
      - name: Generate summary
        run: |
          echo "## Offline E2E Test Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ -f "./results/offline-e2e.trx" ]; then
            # Parse test results
            TOTAL=$(grep -o 'total="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            PASSED=$(grep -o 'passed="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            FAILED=$(grep -o 'failed="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY
            echo "|--------|-------|" >> $GITHUB_STEP_SUMMARY
            echo "| Total Tests | ${TOTAL} |" >> $GITHUB_STEP_SUMMARY
            echo "| Passed | ${PASSED} |" >> $GITHUB_STEP_SUMMARY
            echo "| Failed | ${FAILED} |" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            if grep -q "NetworkIsolationViolation" ./results/offline-e2e.trx; then
              echo "❌ **Network isolation was violated**" >> $GITHUB_STEP_SUMMARY
            else
              echo "✅ **Network isolation verified - no egress detected**" >> $GITHUB_STEP_SUMMARY
            fi
          else
            echo "⚠️ No test results found" >> $GITHUB_STEP_SUMMARY
          fi
--- a/.gitea/workflows/parity-tests.yml
+++ b/.gitea/workflows/parity-tests.yml
@@ -0,0 +1,186 @@
 name: Parity Tests
 # Parity testing workflow: compares StellaOps against competitor scanners
 # (Syft, Grype, Trivy) on a standardized fixture set.
 #
 # Schedule: Nightly at 02:00 UTC; Weekly full run on Sunday 00:00 UTC
 # NOT a PR gate - too slow and has external dependencies
 on:
  schedule:
    # Nightly at 02:00 UTC (quick fixture set)
    - cron: '0 2 * * *'
    # Weekly on Sunday at 00:00 UTC (full fixture set)
    - cron: '0 0 * * 0'
  workflow_dispatch:
    inputs:
      fixture_set:
        description: 'Fixture set to use'
        required: false
        default: 'quick'
        type: choice
        options:
          - quick
          - full
      enable_drift_detection:
        description: 'Enable drift detection analysis'
        required: false
        default: 'true'
        type: boolean
 env:
  DOTNET_VERSION: '10.0.x'
  SYFT_VERSION: '1.9.0'
  GRYPE_VERSION: '0.79.3'
  TRIVY_VERSION: '0.54.1'
  PARITY_RESULTS_PATH: 'bench/results/parity'
 jobs:
  parity-tests:
    name: Competitor Parity Tests
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.SYFT_VERSION }}
          syft version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.GRYPE_VERSION }}
          grype version
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
          trivy --version
      - name: Determine fixture set
        id: fixtures
        run: |
          # Weekly runs use full fixture set
          if [[ "${{ github.event.schedule }}" == "0 0 * * 0" ]]; then
            echo "fixture_set=full" >> $GITHUB_OUTPUT
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo "fixture_set=${{ inputs.fixture_set }}" >> $GITHUB_OUTPUT
          else
            echo "fixture_set=quick" >> $GITHUB_OUTPUT
          fi
      - name: Build parity tests
        run: |
          dotnet build tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj -c Release
      - name: Run parity tests
        id: parity
        run: |
          mkdir -p ${{ env.PARITY_RESULTS_PATH }}
          RUN_ID=$(date -u +%Y%m%dT%H%M%SZ)
          echo "run_id=${RUN_ID}" >> $GITHUB_OUTPUT
          dotnet test tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=parity-results.trx" \
            --results-directory ${{ env.PARITY_RESULTS_PATH }} \
            -e PARITY_FIXTURE_SET=${{ steps.fixtures.outputs.fixture_set }} \
            -e PARITY_RUN_ID=${RUN_ID} \
            -e PARITY_OUTPUT_PATH=${{ env.PARITY_RESULTS_PATH }} \
            || true  # Don't fail workflow on test failures
      - name: Store parity results
        run: |
          # Copy JSON results to time-series storage
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json" ]; then
            echo "Parity results stored successfully"
            cat ${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json | jq .
          else
            echo "Warning: No parity results file found"
          fi
      - name: Run drift detection
        if: ${{ github.event_name != 'workflow_dispatch' || inputs.enable_drift_detection == 'true' }}
        run: |
          # Analyze drift from historical results
          dotnet run --project tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj \
            --no-build \
            -- analyze-drift \
            --results-path ${{ env.PARITY_RESULTS_PATH }} \
            --threshold 0.05 \
            --trend-days 3 \
            || true
      - name: Upload parity results
        uses: actions/upload-artifact@v4
        with:
          name: parity-results-${{ steps.parity.outputs.run_id }}
          path: ${{ env.PARITY_RESULTS_PATH }}
          retention-days: 90
      - name: Export Prometheus metrics
        if: ${{ env.PROMETHEUS_PUSH_GATEWAY != '' }}
        env:
          PROMETHEUS_PUSH_GATEWAY: ${{ secrets.PROMETHEUS_PUSH_GATEWAY }}
        run: |
          # Push metrics to Prometheus Push Gateway if configured
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-metrics.txt" ]; then
            curl -X POST \
              -H "Content-Type: text/plain" \
              --data-binary @${{ env.PARITY_RESULTS_PATH }}/parity-metrics.txt \
              "${PROMETHEUS_PUSH_GATEWAY}/metrics/job/parity_tests/instance/${{ steps.parity.outputs.run_id }}"
          fi
      - name: Generate comparison report
        run: |
          echo "## Parity Test Results - ${{ steps.parity.outputs.run_id }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Fixture Set:** ${{ steps.fixtures.outputs.fixture_set }}" >> $GITHUB_STEP_SUMMARY
          echo "**Competitor Versions:**" >> $GITHUB_STEP_SUMMARY
          echo "- Syft: ${{ env.SYFT_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- Grype: ${{ env.GRYPE_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- Trivy: ${{ env.TRIVY_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json" ]; then
            echo "### Metrics Summary" >> $GITHUB_STEP_SUMMARY
            jq -r '
              "| Metric | StellaOps | Grype | Trivy |",
              "|--------|-----------|-------|-------|",
              "| SBOM Packages | \(.sbomMetrics.stellaOpsPackageCount) | \(.sbomMetrics.syftPackageCount) | - |",
              "| Vulnerability Recall | \(.vulnMetrics.recall | . * 100 | round / 100)% | - | - |",
              "| Vulnerability F1 | \(.vulnMetrics.f1Score | . * 100 | round / 100)% | - | - |",
              "| Latency P95 (ms) | \(.latencyMetrics.stellaOpsP95Ms | round) | \(.latencyMetrics.grypeP95Ms | round) | \(.latencyMetrics.trivyP95Ms | round) |"
            ' ${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json >> $GITHUB_STEP_SUMMARY || echo "Could not parse results" >> $GITHUB_STEP_SUMMARY
          fi
      - name: Alert on critical drift
        if: failure()
        uses: slackapi/slack-github-action@v1.25.0
        with:
          payload: |
            {
              "text": "⚠️ Parity test drift detected",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "*Parity Test Alert*\nDrift detected in competitor comparison metrics.\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Results>"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        continue-on-error: true
--- a/.gitea/workflows/reachability-bench.yaml
+++ b/.gitea/workflows/reachability-bench.yaml
@@ -0,0 +1,306 @@
 name: Reachability Benchmark
 # Sprint: SPRINT_3500_0003_0001
 # Task: CORPUS-009 - Create Gitea workflow for reachability benchmark
 # Task: CORPUS-010 - Configure nightly + per-PR benchmark runs
 on:
  workflow_dispatch:
    inputs:
      baseline_version:
        description: 'Baseline version to compare against'
        required: false
        default: 'latest'
      verbose:
        description: 'Enable verbose output'
        required: false
        type: boolean
        default: false
  push:
    branches: [ main ]
    paths:
      - 'datasets/reachability/**'
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
      - 'bench/reachability-benchmark/**'
      - '.gitea/workflows/reachability-bench.yaml'
  pull_request:
    paths:
      - 'datasets/reachability/**'
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
      - 'bench/reachability-benchmark/**'
  schedule:
    # Nightly at 02:00 UTC
    - cron: '0 2 * * *'
 jobs:
  benchmark:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
      STELLAOPS_OFFLINE: 'true'
      STELLAOPS_DETERMINISTIC: 'true'
    outputs:
      precision: ${{ steps.metrics.outputs.precision }}
      recall: ${{ steps.metrics.outputs.recall }}
      f1: ${{ steps.metrics.outputs.f1 }}
      pr_auc: ${{ steps.metrics.outputs.pr_auc }}
      regression: ${{ steps.compare.outputs.regression }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Restore benchmark project
        run: |
          dotnet restore src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            --configfile nuget.config
      - name: Build benchmark project
        run: |
          dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            -c Release \
            --no-restore
      - name: Validate corpus integrity
        run: |
          echo "::group::Validating corpus index"
          if [ ! -f datasets/reachability/corpus.json ]; then
            echo "::error::corpus.json not found"
            exit 1
          fi
          python3 -c "import json; data = json.load(open('datasets/reachability/corpus.json')); print(f'Corpus contains {len(data.get(\"samples\", []))} samples')"
          echo "::endgroup::"
      - name: Run benchmark
        id: benchmark
        run: |
          echo "::group::Running reachability benchmark"
          mkdir -p bench/results
          # Run the corpus benchmark
          dotnet run \
            --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            -c Release \
            --no-build \
            -- corpus run \
            --corpus datasets/reachability/corpus.json \
            --output bench/results/benchmark-${{ github.sha }}.json \
            --format json \
            ${{ inputs.verbose == 'true' && '--verbose' || '' }}
          echo "::endgroup::"
      - name: Extract metrics
        id: metrics
        run: |
          echo "::group::Extracting metrics"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          if [ -f "$RESULT_FILE" ]; then
            PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
            RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
            F1=$(jq -r '.metrics.f1 // 0' "$RESULT_FILE")
            PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
            echo "precision=$PRECISION" >> $GITHUB_OUTPUT
            echo "recall=$RECALL" >> $GITHUB_OUTPUT
            echo "f1=$F1" >> $GITHUB_OUTPUT
            echo "pr_auc=$PR_AUC" >> $GITHUB_OUTPUT
            echo "Precision: $PRECISION"
            echo "Recall: $RECALL"
            echo "F1: $F1"
            echo "PR-AUC: $PR_AUC"
          else
            echo "::error::Benchmark result file not found"
            exit 1
          fi
          echo "::endgroup::"
      - name: Get baseline
        id: baseline
        run: |
          echo "::group::Loading baseline"
          BASELINE_VERSION="${{ inputs.baseline_version || 'latest' }}"
          if [ "$BASELINE_VERSION" = "latest" ]; then
            BASELINE_FILE=$(ls -t bench/baselines/*.json 2>/dev/null | head -1)
          else
            BASELINE_FILE="bench/baselines/$BASELINE_VERSION.json"
          fi
          if [ -f "$BASELINE_FILE" ]; then
            echo "baseline_file=$BASELINE_FILE" >> $GITHUB_OUTPUT
            echo "Using baseline: $BASELINE_FILE"
          else
            echo "::warning::No baseline found, skipping comparison"
            echo "baseline_file=" >> $GITHUB_OUTPUT
          fi
          echo "::endgroup::"
      - name: Compare to baseline
        id: compare
        if: steps.baseline.outputs.baseline_file != ''
        run: |
          echo "::group::Comparing to baseline"
          BASELINE_FILE="${{ steps.baseline.outputs.baseline_file }}"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          # Extract baseline metrics
          BASELINE_PRECISION=$(jq -r '.metrics.precision // 0' "$BASELINE_FILE")
          BASELINE_RECALL=$(jq -r '.metrics.recall // 0' "$BASELINE_FILE")
          BASELINE_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$BASELINE_FILE")
          # Extract current metrics
          CURRENT_PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
          CURRENT_RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
          CURRENT_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
          # Calculate deltas
          PRECISION_DELTA=$(echo "$CURRENT_PRECISION - $BASELINE_PRECISION" | bc -l)
          RECALL_DELTA=$(echo "$CURRENT_RECALL - $BASELINE_RECALL" | bc -l)
          PR_AUC_DELTA=$(echo "$CURRENT_PR_AUC - $BASELINE_PR_AUC" | bc -l)
          echo "Precision delta: $PRECISION_DELTA"
          echo "Recall delta: $RECALL_DELTA"
          echo "PR-AUC delta: $PR_AUC_DELTA"
          # Check for regression (PR-AUC drop > 2%)
          REGRESSION_THRESHOLD=-0.02
          if (( $(echo "$PR_AUC_DELTA < $REGRESSION_THRESHOLD" | bc -l) )); then
            echo "::error::PR-AUC regression detected: $PR_AUC_DELTA (threshold: $REGRESSION_THRESHOLD)"
            echo "regression=true" >> $GITHUB_OUTPUT
          else
            echo "regression=false" >> $GITHUB_OUTPUT
          fi
          echo "::endgroup::"
      - name: Generate markdown report
        run: |
          echo "::group::Generating report"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          REPORT_FILE="bench/results/benchmark-${{ github.sha }}.md"
          cat > "$REPORT_FILE" << 'EOF'
          # Reachability Benchmark Report
          **Commit:** ${{ github.sha }}
          **Run:** ${{ github.run_number }}
          **Date:** $(date -u +"%Y-%m-%dT%H:%M:%SZ")
          ## Metrics
          | Metric | Value |
          |--------|-------|
          | Precision | ${{ steps.metrics.outputs.precision }} |
          | Recall | ${{ steps.metrics.outputs.recall }} |
          | F1 Score | ${{ steps.metrics.outputs.f1 }} |
          | PR-AUC | ${{ steps.metrics.outputs.pr_auc }} |
          ## Comparison
          ${{ steps.compare.outputs.regression == 'true' && '⚠️ **REGRESSION DETECTED**' || '✅ No regression' }}
          EOF
          echo "Report generated: $REPORT_FILE"
          echo "::endgroup::"
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-results-${{ github.sha }}
          path: |
            bench/results/benchmark-${{ github.sha }}.json
            bench/results/benchmark-${{ github.sha }}.md
          retention-days: 90
      - name: Fail on regression
        if: steps.compare.outputs.regression == 'true' && github.event_name == 'pull_request'
        run: |
          echo "::error::Benchmark regression detected. PR-AUC dropped below threshold."
          exit 1
  update-baseline:
    needs: benchmark
    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download results
        uses: actions/download-artifact@v4
        with:
          name: benchmark-results-${{ github.sha }}
          path: bench/results/
      - name: Update baseline (nightly only)
        if: github.event_name == 'schedule'
        run: |
          DATE=$(date +%Y%m%d)
          cp bench/results/benchmark-${{ github.sha }}.json bench/baselines/baseline-$DATE.json
          echo "Updated baseline to baseline-$DATE.json"
  notify-pr:
    needs: benchmark
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-22.04
    permissions:
      pull-requests: write
    steps:
      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            const precision = '${{ needs.benchmark.outputs.precision }}';
            const recall = '${{ needs.benchmark.outputs.recall }}';
            const f1 = '${{ needs.benchmark.outputs.f1 }}';
            const prAuc = '${{ needs.benchmark.outputs.pr_auc }}';
            const regression = '${{ needs.benchmark.outputs.regression }}' === 'true';
            const status = regression ? '⚠️ REGRESSION' : '✅ PASS';
            const body = `## Reachability Benchmark Results ${status}
            | Metric | Value |
            |--------|-------|
            | Precision | ${precision} |
            | Recall | ${recall} |
            | F1 Score | ${f1} |
            | PR-AUC | ${prAuc} |
            ${regression ? '### ⚠️ Regression Detected\nPR-AUC dropped below threshold. Please review changes.' : ''}
            <details>
            <summary>Details</summary>
            - Commit: \`${{ github.sha }}\`
            - Run: [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
            </details>`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
--- a/.gitea/workflows/reachability-corpus-ci.yml
+++ b/.gitea/workflows/reachability-corpus-ci.yml
@@ -0,0 +1,267 @@
 name: Reachability Corpus Validation
 on:
  workflow_dispatch:
  push:
    branches: [ main ]
    paths:
      - 'tests/reachability/corpus/**'
      - 'tests/reachability/fixtures/**'
      - 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
      - 'scripts/reachability/**'
      - '.gitea/workflows/reachability-corpus-ci.yml'
  pull_request:
    paths:
      - 'tests/reachability/corpus/**'
      - 'tests/reachability/fixtures/**'
      - 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
      - 'scripts/reachability/**'
      - '.gitea/workflows/reachability-corpus-ci.yml'
 jobs:
  validate-corpus:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET 10 RC
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Verify corpus manifest integrity
        run: |
          echo "Verifying corpus manifest..."
          cd tests/reachability/corpus
          if [ ! -f manifest.json ]; then
            echo "::error::Corpus manifest.json not found"
            exit 1
          fi
          echo "Manifest exists, checking JSON validity..."
          python3 -c "import json; json.load(open('manifest.json'))"
          echo "Manifest is valid JSON"
      - name: Verify reachbench index integrity
        run: |
          echo "Verifying reachbench fixtures..."
          cd tests/reachability/fixtures/reachbench-2025-expanded
          if [ ! -f INDEX.json ]; then
            echo "::error::Reachbench INDEX.json not found"
            exit 1
          fi
          echo "INDEX exists, checking JSON validity..."
          python3 -c "import json; json.load(open('INDEX.json'))"
          echo "INDEX is valid JSON"
      - name: Restore test project
        run: dotnet restore tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj --configfile nuget.config
      - name: Build test project
        run: dotnet build tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj -c Release --no-restore
      - name: Run corpus fixture tests
        run: |
          dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=corpus-results.trx" \
            --results-directory ./TestResults \
            --filter "FullyQualifiedName~CorpusFixtureTests"
      - name: Run reachbench fixture tests
        run: |
          dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=reachbench-results.trx" \
            --results-directory ./TestResults \
            --filter "FullyQualifiedName~ReachbenchFixtureTests"
      - name: Verify deterministic hashes
        run: |
          echo "Verifying SHA-256 hashes in corpus manifest..."
          chmod +x scripts/reachability/verify_corpus_hashes.sh || true
          if [ -f scripts/reachability/verify_corpus_hashes.sh ]; then
            scripts/reachability/verify_corpus_hashes.sh
          else
            echo "Hash verification script not found, using inline verification..."
            cd tests/reachability/corpus
            python3 << 'EOF'
          import json
          import hashlib
          import sys
          import os
          with open('manifest.json') as f:
              manifest = json.load(f)
          errors = []
          for entry in manifest:
              case_id = entry['id']
              lang = entry['language']
              case_dir = os.path.join(lang, case_id)
              for filename, expected_hash in entry['files'].items():
                  filepath = os.path.join(case_dir, filename)
                  if not os.path.exists(filepath):
                      errors.append(f"{case_id}: missing {filename}")
                      continue
                  with open(filepath, 'rb') as f:
                      actual_hash = hashlib.sha256(f.read()).hexdigest()
                  if actual_hash != expected_hash:
                      errors.append(f"{case_id}: {filename} hash mismatch (expected {expected_hash}, got {actual_hash})")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print(f"All {len(manifest)} corpus entries verified")
          EOF
          fi
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: corpus-test-results-${{ github.run_number }}
          path: ./TestResults/*.trx
          retention-days: 14
  validate-ground-truths:
    runs-on: ubuntu-22.04
    env:
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate ground-truth schema version
        run: |
          echo "Validating ground-truth files..."
          cd tests/reachability
          python3 << 'EOF'
          import json
          import os
          import sys
          EXPECTED_SCHEMA = "reachbench.reachgraph.truth/v1"
          ALLOWED_VARIANTS = {"reachable", "unreachable"}
          errors = []
          # Validate corpus ground-truths
          corpus_manifest = 'corpus/manifest.json'
          if os.path.exists(corpus_manifest):
              with open(corpus_manifest) as f:
                  manifest = json.load(f)
              for entry in manifest:
                  case_id = entry['id']
                  lang = entry['language']
                  truth_path = os.path.join('corpus', lang, case_id, 'ground-truth.json')
                  if not os.path.exists(truth_path):
                      errors.append(f"corpus/{case_id}: missing ground-truth.json")
                      continue
                  with open(truth_path) as f:
                      truth = json.load(f)
                  if truth.get('schema_version') != EXPECTED_SCHEMA:
                      errors.append(f"corpus/{case_id}: wrong schema_version")
                  if truth.get('variant') not in ALLOWED_VARIANTS:
                      errors.append(f"corpus/{case_id}: invalid variant '{truth.get('variant')}'")
                  if not isinstance(truth.get('paths'), list):
                      errors.append(f"corpus/{case_id}: paths must be an array")
          # Validate reachbench ground-truths
          reachbench_index = 'fixtures/reachbench-2025-expanded/INDEX.json'
          if os.path.exists(reachbench_index):
              with open(reachbench_index) as f:
                  index = json.load(f)
              for case in index.get('cases', []):
                  case_id = case['id']
                  case_path = case.get('path', os.path.join('cases', case_id))
                  for variant in ['reachable', 'unreachable']:
                      truth_path = os.path.join('fixtures/reachbench-2025-expanded', case_path, 'images', variant, 'reachgraph.truth.json')
                      if not os.path.exists(truth_path):
                          errors.append(f"reachbench/{case_id}/{variant}: missing reachgraph.truth.json")
                          continue
                      with open(truth_path) as f:
                          truth = json.load(f)
                      if not truth.get('schema_version'):
                          errors.append(f"reachbench/{case_id}/{variant}: missing schema_version")
                      if not isinstance(truth.get('paths'), list):
                          errors.append(f"reachbench/{case_id}/{variant}: paths must be an array")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print("All ground-truth files validated successfully")
          EOF
  determinism-check:
    runs-on: ubuntu-22.04
    env:
      TZ: UTC
    needs: validate-corpus
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Verify JSON determinism (sorted keys, no trailing whitespace)
        run: |
          echo "Checking JSON determinism..."
          cd tests/reachability
          python3 << 'EOF'
          import json
          import os
          import sys
          def check_json_sorted(filepath):
              """Check if JSON has sorted keys (deterministic)."""
              with open(filepath) as f:
                  content = f.read()
              parsed = json.loads(content)
              reserialized = json.dumps(parsed, sort_keys=True, indent=2)
              # Normalize line endings
              content_normalized = content.replace('\r\n', '\n').strip()
              reserialized_normalized = reserialized.strip()
              return content_normalized == reserialized_normalized
          errors = []
          json_files = []
          # Collect JSON files from corpus
          for root, dirs, files in os.walk('corpus'):
              for f in files:
                  if f.endswith('.json'):
                      json_files.append(os.path.join(root, f))
          # Check determinism
          non_deterministic = []
          for filepath in json_files:
              try:
                  if not check_json_sorted(filepath):
                      non_deterministic.append(filepath)
              except json.JSONDecodeError as e:
                  errors.append(f"{filepath}: invalid JSON - {e}")
          if non_deterministic:
              print(f"::warning::Found {len(non_deterministic)} non-deterministic JSON files (keys not sorted or whitespace differs)")
              for f in non_deterministic[:10]:
                  print(f"  - {f}")
              if len(non_deterministic) > 10:
                  print(f"  ... and {len(non_deterministic) - 10} more")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print(f"Checked {len(json_files)} JSON files")
          EOF
--- a/.gitea/workflows/replay-verification.yml
+++ b/.gitea/workflows/replay-verification.yml
@@ -0,0 +1,39 @@
 name: Replay Verification
 on:
  pull_request:
    paths:
      - 'src/Scanner/**'
      - 'src/__Libraries/StellaOps.Canonicalization/**'
      - 'src/__Libraries/StellaOps.Replay/**'
      - 'src/__Libraries/StellaOps.Testing.Manifests/**'
      - 'bench/golden-corpus/**'
 jobs:
  replay-verification:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
      - name: Build CLI
        run: dotnet build src/Cli/StellaOps.Cli -c Release
      - name: Run replay verification on corpus
        run: |
          dotnet run --project src/Cli/StellaOps.Cli -- replay batch \
            --corpus bench/golden-corpus/ \
            --output results/ \
            --verify-determinism \
            --fail-on-diff
      - name: Upload diff report
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: replay-diff-report
          path: results/diff-report.json
--- a/.gitea/workflows/risk-bundle-ci.yml
+++ b/.gitea/workflows/risk-bundle-ci.yml
@@ -0,0 +1,198 @@
 name: Risk Bundle CI
 on:
  push:
    branches: [ main ]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  pull_request:
    branches: [ main, develop ]
    paths:
      - 'src/ExportCenter/StellaOps.ExportCenter.RiskBundles/**'
      - 'src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/**'
      - 'ops/devops/risk-bundle/**'
      - '.gitea/workflows/risk-bundle-ci.yml'
      - 'docs/modules/export-center/operations/risk-bundle-*.md'
  workflow_dispatch:
    inputs:
      include_osv:
        description: 'Include OSV providers (larger bundle)'
        type: boolean
        default: false
      publish_checksums:
        description: 'Publish checksums to artifact store'
        type: boolean
        default: true
 jobs:
  risk-bundle-build:
    runs-on: ubuntu-22.04
    env:
      DOTNET_VERSION: '10.0.100'
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      BUNDLE_OUTPUT: ${{ github.workspace }}/.artifacts/risk-bundle
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Export OpenSSL 1.1 shim for Mongo2Go
        run: scripts/enable-openssl11-shim.sh
      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore
        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj
      - name: Build
        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.RiskBundles/StellaOps.ExportCenter.RiskBundles.csproj -c Release /p:ContinuousIntegrationBuild=true
      - name: Test RiskBundle unit tests
        run: |
          mkdir -p $ARTIFACT_DIR
          dotnet test src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj \
            -c Release \
            --filter "FullyQualifiedName~RiskBundle" \
            --logger "trx;LogFileName=risk-bundle-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Build risk bundle (fixtures)
        run: |
          mkdir -p $BUNDLE_OUTPUT
          ops/devops/risk-bundle/build-bundle.sh --output "$BUNDLE_OUTPUT" --fixtures-only
      - name: Verify bundle integrity
        run: ops/devops/risk-bundle/verify-bundle.sh "$BUNDLE_OUTPUT/risk-bundle.tar.gz"
      - name: Generate checksums
        run: |
          cd $BUNDLE_OUTPUT
          sha256sum risk-bundle.tar.gz > risk-bundle.tar.gz.sha256
          sha256sum manifest.json > manifest.json.sha256
          cat risk-bundle.tar.gz.sha256 manifest.json.sha256 > checksums.txt
          echo "Bundle checksums:"
          cat checksums.txt
      - name: Upload risk bundle artifacts
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: |
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz
            ${{ env.BUNDLE_OUTPUT }}/risk-bundle.tar.gz.sig
            ${{ env.BUNDLE_OUTPUT }}/manifest.json
            ${{ env.BUNDLE_OUTPUT }}/checksums.txt
            ${{ env.ARTIFACT_DIR }}/*.trx
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: risk-bundle-test-results
          path: ${{ env.ARTIFACT_DIR }}/*.trx
  risk-bundle-offline-kit:
    runs-on: ubuntu-22.04
    needs: risk-bundle-build
    env:
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      OFFLINE_KIT_DIR: ${{ github.workspace }}/.artifacts/offline-kit
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download risk bundle artifacts
        uses: actions/download-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: ${{ env.ARTIFACT_DIR }}
      - name: Package for offline kit
        run: |
          mkdir -p $OFFLINE_KIT_DIR/risk-bundles
          cp $ARTIFACT_DIR/risk-bundle.tar.gz $OFFLINE_KIT_DIR/risk-bundles/
          cp $ARTIFACT_DIR/risk-bundle.tar.gz.sig $OFFLINE_KIT_DIR/risk-bundles/ 2>/dev/null || true
          cp $ARTIFACT_DIR/manifest.json $OFFLINE_KIT_DIR/risk-bundles/
          cp $ARTIFACT_DIR/checksums.txt $OFFLINE_KIT_DIR/risk-bundles/
          # Create offline kit manifest entry
          cat > $OFFLINE_KIT_DIR/risk-bundles/kit-manifest.json <<EOF
          {
            "component": "risk-bundle",
            "version": "$(date -u +%Y%m%d-%H%M%S)",
            "files": [
              {"path": "risk-bundle.tar.gz", "checksum_file": "risk-bundle.tar.gz.sha256"},
              {"path": "manifest.json", "checksum_file": "manifest.json.sha256"}
            ],
            "verification": {
              "checksums": "checksums.txt",
              "signature": "risk-bundle.tar.gz.sig"
            }
          }
          EOF
      - name: Verify offline kit structure
        run: |
          echo "Offline kit structure:"
          find $OFFLINE_KIT_DIR -type f
          echo ""
          echo "Checksum verification:"
          cd $OFFLINE_KIT_DIR/risk-bundles
          sha256sum -c checksums.txt
      - name: Upload offline kit
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-offline-kit
          path: ${{ env.OFFLINE_KIT_DIR }}
  publish-checksums:
    runs-on: ubuntu-22.04
    needs: risk-bundle-build
    if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event.inputs.publish_checksums == 'true')
    env:
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download risk bundle artifacts
        uses: actions/download-artifact@v4
        with:
          name: risk-bundle-artifacts
          path: ${{ env.ARTIFACT_DIR }}
      - name: Publish checksums
        run: |
          echo "Publishing checksums for risk bundle..."
          CHECKSUM_DIR=out/checksums/risk-bundle/$(date -u +%Y-%m-%d)
          mkdir -p $CHECKSUM_DIR
          cp $ARTIFACT_DIR/checksums.txt $CHECKSUM_DIR/
          cp $ARTIFACT_DIR/manifest.json $CHECKSUM_DIR/
          # Create latest symlink manifest
          cat > out/checksums/risk-bundle/latest.json <<EOF
          {
            "date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "path": "$(date -u +%Y-%m-%d)/checksums.txt",
            "manifest": "$(date -u +%Y-%m-%d)/manifest.json"
          }
          EOF
          echo "Checksums published to $CHECKSUM_DIR"
          cat $CHECKSUM_DIR/checksums.txt
      - name: Upload published checksums
        uses: actions/upload-artifact@v4
        with:
          name: risk-bundle-published-checksums
          path: out/checksums/risk-bundle/
--- a/.gitea/workflows/router-chaos.yml
+++ b/.gitea/workflows/router-chaos.yml
@@ -0,0 +1,306 @@
 # -----------------------------------------------------------------------------
 # router-chaos.yml
 # Sprint: SPRINT_5100_0005_0001_router_chaos_suite
 # Task: T5 - CI Chaos Workflow
 # Description: CI workflow for running router chaos tests.
 # -----------------------------------------------------------------------------
 name: Router Chaos Tests
 on:
  schedule:
    - cron: '0 3 * * *'  # Nightly at 3 AM UTC
  workflow_dispatch:
    inputs:
      spike_multiplier:
        description: 'Load spike multiplier (e.g., 10, 50, 100)'
        default: '10'
        type: choice
        options:
          - '10'
          - '50'
          - '100'
      run_valkey_tests:
        description: 'Run Valkey failure injection tests'
        default: true
        type: boolean
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
  ROUTER_URL: http://localhost:8080
 jobs:
  load-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:7-alpine
        ports:
          - 6379:6379
        options: >-
          --health-cmd "valkey-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Install k6
        run: |
          curl -sSL https://github.com/grafana/k6/releases/download/v0.54.0/k6-v0.54.0-linux-amd64.tar.gz | tar xz
          sudo mv k6-v0.54.0-linux-amd64/k6 /usr/local/bin/
          k6 version
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: chaos-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Build Router
        run: |
          dotnet restore src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj
          dotnet build src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release --no-restore
      - name: Start Router
        run: |
          dotnet run --project src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release --no-build &
          echo $! > router.pid
          # Wait for router to start
          for i in {1..30}; do
            if curl -s http://localhost:8080/health > /dev/null 2>&1; then
              echo "Router is ready"
              break
            fi
            echo "Waiting for router... ($i/30)"
            sleep 2
          done
      - name: Run k6 spike test
        id: k6
        run: |
          mkdir -p results
          k6 run tests/load/router/spike-test.js \
            -e ROUTER_URL=${{ env.ROUTER_URL }} \
            --out json=results/k6-results.json \
            --summary-export results/k6-summary.json \
            2>&1 | tee results/k6-output.txt
          # Check exit code
          if [ ${PIPESTATUS[0]} -ne 0 ]; then
            echo "k6_status=failed" >> $GITHUB_OUTPUT
          else
            echo "k6_status=passed" >> $GITHUB_OUTPUT
          fi
      - name: Upload k6 results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: k6-results-${{ github.run_id }}
          path: results/
          retention-days: 30
      - name: Stop Router
        if: always()
        run: |
          if [ -f router.pid ]; then
            kill $(cat router.pid) 2>/dev/null || true
          fi
  chaos-unit-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    needs: load-tests
    if: always()
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
      valkey:
        image: valkey/valkey:7-alpine
        ports:
          - 6379:6379
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Build Chaos Tests
        run: |
          dotnet restore tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj
          dotnet build tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj -c Release --no-restore
      - name: Start Router for Tests
        run: |
          dotnet run --project src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release &
          sleep 15  # Wait for startup
      - name: Run Chaos Unit Tests
        run: |
          dotnet test tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=chaos-results.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory results \
            -- RunConfiguration.TestSessionTimeout=600000
      - name: Upload Test Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: chaos-test-results-${{ github.run_id }}
          path: results/
          retention-days: 30
  valkey-failure-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    needs: load-tests
    if: ${{ github.event.inputs.run_valkey_tests != 'false' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Install Docker Compose
        run: |
          sudo apt-get update
          sudo apt-get install -y docker-compose
      - name: Run Valkey Failure Tests
        run: |
          dotnet test tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj \
            -c Release \
            --filter "Category=Valkey" \
            --logger "trx;LogFileName=valkey-results.trx" \
            --results-directory results \
            -- RunConfiguration.TestSessionTimeout=600000
      - name: Upload Valkey Test Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: valkey-test-results-${{ github.run_id }}
          path: results/
  analyze-results:
    runs-on: ubuntu-22.04
    needs: [load-tests, chaos-unit-tests]
    if: always()
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download k6 Results
        uses: actions/download-artifact@v4
        with:
          name: k6-results-${{ github.run_id }}
          path: k6-results/
      - name: Download Chaos Test Results
        uses: actions/download-artifact@v4
        with:
          name: chaos-test-results-${{ github.run_id }}
          path: chaos-results/
      - name: Analyze Results
        id: analysis
        run: |
          mkdir -p analysis
          # Parse k6 summary
          if [ -f k6-results/k6-summary.json ]; then
            echo "=== k6 Test Summary ===" | tee analysis/summary.txt
            # Extract key metrics
            jq -r '.metrics | to_entries[] | "\(.key): \(.value)"' k6-results/k6-summary.json >> analysis/summary.txt 2>/dev/null || true
          fi
          # Check thresholds
          THRESHOLDS_PASSED=true
          if [ -f k6-results/k6-summary.json ]; then
            # Check if any threshold failed
            FAILED_THRESHOLDS=$(jq -r '.thresholds | to_entries[] | select(.value.ok == false) | .key' k6-results/k6-summary.json 2>/dev/null || echo "")
            if [ -n "$FAILED_THRESHOLDS" ]; then
              echo "Failed thresholds: $FAILED_THRESHOLDS"
              THRESHOLDS_PASSED=false
            fi
          fi
          echo "thresholds_passed=$THRESHOLDS_PASSED" >> $GITHUB_OUTPUT
      - name: Upload Analysis
        uses: actions/upload-artifact@v4
        with:
          name: chaos-analysis-${{ github.run_id }}
          path: analysis/
      - name: Create Summary
        run: |
          echo "## Router Chaos Test Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Load Test Results" >> $GITHUB_STEP_SUMMARY
          if [ -f k6-results/k6-summary.json ]; then
            echo "- Total Requests: $(jq -r '.metrics.http_reqs.values.count // "N/A"' k6-results/k6-summary.json)" >> $GITHUB_STEP_SUMMARY
            echo "- Failed Rate: $(jq -r '.metrics.http_req_failed.values.rate // "N/A"' k6-results/k6-summary.json)" >> $GITHUB_STEP_SUMMARY
          else
            echo "- No k6 results found" >> $GITHUB_STEP_SUMMARY
          fi
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Thresholds" >> $GITHUB_STEP_SUMMARY
          echo "- Status: ${{ steps.analysis.outputs.thresholds_passed == 'true' && 'PASSED' || 'FAILED' }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/scanner-analyzers-release.yml
+++ b/.gitea/workflows/scanner-analyzers-release.yml
@@ -34,6 +34,22 @@ jobs:
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/StellaOps.Scanner.Analyzers.Lang.Ruby.csproj ruby-analyzer
      - name: Package Native analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj native-analyzer
      - name: Package Java analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj java-analyzer
      - name: Package DotNet analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj dotnet-analyzer
      - name: Package Node analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj node-analyzer
      - name: Upload analyzer artifacts
        uses: actions/upload-artifact@v4
        with:
--- a/.gitea/workflows/signals-dsse-sign.yml
+++ b/.gitea/workflows/signals-dsse-sign.yml
@@ -28,6 +28,8 @@ jobs:
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-01' }}
      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -42,6 +44,16 @@ jobs:
        with:
          cosign-release: 'v2.2.4'
      - name: Check signing key configured
        run: |
          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
            exit 1
          fi
          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
          fi
      - name: Verify artifacts exist
        run: |
          cd docs/modules/signals
@@ -90,9 +102,9 @@ jobs:
          retention-days: 90
      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
          tar -cf /tmp/signals-dsse.tar -C "$OUT_DIR" .
@@ -102,7 +114,7 @@ jobs:
          echo "Pushed to Evidence Locker"
      - name: Evidence Locker skip notice
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "::notice::Evidence Locker push skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
          echo "Artifacts available as workflow artifact for manual ingestion"
--- a/.gitea/workflows/signals-evidence-locker.yml
+++ b/.gitea/workflows/signals-evidence-locker.yml
@@ -2,6 +2,14 @@ name: signals-evidence-locker
 on:
  workflow_dispatch:
    inputs:
      out_dir:
        description: "Output directory containing signed artifacts"
        required: false
        default: "evidence-locker/signals/2025-12-05"
      allow_dev_key:
        description: "Allow dev key fallback (1=yes, 0=no)"
        required: false
        default: "0"
      retention_target:
        description: "Retention days target"
        required: false
@@ -12,7 +20,12 @@ jobs:
    runs-on: ubuntu-latest
    env:
      MODULE_ROOT: docs/modules/signals
-      OUT_DIR: evidence-locker/signals/2025-12-05
+      OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-05' }}
      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -20,6 +33,31 @@ jobs:
      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.2.4'
      - name: Check signing key configured
        run: |
          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
            exit 1
          fi
          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
          fi
      - name: Verify artifacts exist
        run: |
          cd "$MODULE_ROOT"
          sha256sum -c SHA256SUMS
      - name: Sign signals artifacts
        run: |
          chmod +x tools/cosign/sign-signals.sh
          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
      - name: Build deterministic signals evidence tar
        run: |
          set -euo pipefail
@@ -52,16 +90,17 @@ jobs:
            /tmp/signals-evidence.tar.sha256
      - name: Push to Evidence Locker
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
-          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
+          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
-          curl -f -X PUT "$URL/signals/2025-12-05/signals-evidence.tar" \
+          upload_path="${OUT_DIR#evidence-locker/}"
          curl -f -X PUT "$URL/${upload_path}/signals-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/signals-evidence.tar
      - name: Skip push (missing secret or URL)
-        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
+        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2
--- a/.gitea/workflows/signals-reachability.yml
+++ b/.gitea/workflows/signals-reachability.yml
@@ -0,0 +1,127 @@
 name: Signals Reachability Scoring & Events
 on:
  workflow_dispatch:
    inputs:
      allow_dev_key:
        description: "Allow dev signing key fallback (1=yes, 0=no)"
        required: false
        default: "0"
      evidence_out_dir:
        description: "Evidence output dir for signing/upload"
        required: false
        default: "evidence-locker/signals/2025-12-05"
  push:
    branches: [ main ]
    paths:
      - 'src/Signals/**'
      - 'scripts/signals/reachability-smoke.sh'
      - '.gitea/workflows/signals-reachability.yml'
      - 'tools/cosign/sign-signals.sh'
 jobs:
  reachability-smoke:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh
      - name: Setup .NET 10 RC
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Restore
        run: dotnet restore src/Signals/StellaOps.Signals.sln --configfile nuget.config
      - name: Build
        run: dotnet build src/Signals/StellaOps.Signals.sln -c Release --no-restore
      - name: Reachability scoring + cache/events smoke
        run: |
          chmod +x scripts/signals/reachability-smoke.sh
          scripts/signals/reachability-smoke.sh
  sign-and-upload:
    runs-on: ubuntu-22.04
    needs: reachability-smoke
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
      OUT_DIR: ${{ github.event.inputs.evidence_out_dir || 'evidence-locker/signals/2025-12-05' }}
      CI_EVIDENCE_LOCKER_TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN || vars.CI_EVIDENCE_LOCKER_TOKEN }}
      EVIDENCE_LOCKER_URL: ${{ secrets.EVIDENCE_LOCKER_URL || vars.EVIDENCE_LOCKER_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Task Pack offline bundle fixtures
        run: python3 scripts/packs/run-fixtures-check.sh
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.2.4'
      - name: Check signing key configured
        run: |
          if [[ -z "$COSIGN_PRIVATE_KEY_B64" && "$COSIGN_ALLOW_DEV_KEY" != "1" ]]; then
            echo "::error::COSIGN_PRIVATE_KEY_B64 is missing and dev key fallback is disabled. Set COSIGN_PRIVATE_KEY_B64 (and COSIGN_PASSWORD if needed) or rerun with allow_dev_key=1 for smoke only."
            exit 1
          fi
          if [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
            echo "::notice::Using dev key for signing (allow_dev_key=1) - not suitable for production uploads."
          fi
      - name: Verify artifacts exist
        run: |
          cd docs/modules/signals
          sha256sum -c SHA256SUMS
      - name: Sign signals artifacts
        run: |
          chmod +x tools/cosign/sign-signals.sh
          OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: signals-evidence-${{ github.run_number }}
          path: |
            ${{ env.OUT_DIR }}/*.sigstore.json
            ${{ env.OUT_DIR }}/*.dsse
            ${{ env.OUT_DIR }}/SHA256SUMS
          if-no-files-found: error
          retention-days: 30
      - name: Push to Evidence Locker
        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
          TOKEN: ${{ env.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
          tar -cf /tmp/signals-evidence.tar -C "$OUT_DIR" .
          sha256sum /tmp/signals-evidence.tar
          curl -f -X PUT "$URL/signals/$(date -u +%Y-%m-%d)/signals-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/signals-evidence.tar
          echo "Uploaded to Evidence Locker"
      - name: Evidence Locker skip notice
        if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
--- a/.gitea/workflows/sm-remote-ci.yml
+++ b/.gitea/workflows/sm-remote-ci.yml
@@ -0,0 +1,33 @@
 name: sm-remote-ci
 on:
  push:
    paths:
      - "src/SmRemote/**"
      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
      - "ops/sm-remote/**"
      - ".gitea/workflows/sm-remote-ci.yml"
  pull_request:
    paths:
      - "src/SmRemote/**"
      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote/**"
      - "src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/**"
      - "ops/sm-remote/**"
 jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.x
      - name: Restore
        run: dotnet restore src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj
      - name: Test
        run: dotnet test src/__Libraries/StellaOps.Cryptography.Plugin.SmRemote.Tests/StellaOps.Cryptography.Plugin.SmRemote.Tests.csproj --no-build --verbosity normal
      - name: Publish service
        run: dotnet publish src/SmRemote/StellaOps.SmRemote.Service/StellaOps.SmRemote.Service.csproj -c Release -o out/sm-remote
--- a/.gitea/workflows/test-lanes.yml
+++ b/.gitea/workflows/test-lanes.yml
@@ -0,0 +1,358 @@
 # .gitea/workflows/test-lanes.yml
 # Lane-based test execution using standardized trait filtering
 # Implements Task 10 from SPRINT 5100.0007.0001
 name: Test Lanes
 on:
  pull_request:
    branches: [ main, develop ]
    paths:
      - 'src/**'
      - 'tests/**'
      - 'scripts/test-lane.sh'
      - '.gitea/workflows/test-lanes.yml'
  push:
    branches: [ main ]
  workflow_dispatch:
    inputs:
      run_performance:
        description: 'Run Performance lane tests'
        required: false
        default: false
        type: boolean
      run_live:
        description: 'Run Live lane tests (external dependencies)'
        required: false
        default: false
        type: boolean
 env:
  DOTNET_VERSION: '10.0.100'
  BUILD_CONFIGURATION: Release
  TEST_RESULTS_DIR: ${{ github.workspace }}/test-results
 jobs:
  # ===========================================================================
  # Unit Lane: Fast, isolated, deterministic tests (PR-gating)
  # ===========================================================================
  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Unit lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Unit \
            --logger "trx;LogFileName=unit-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Unit test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: unit-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Architecture Lane: Structural rule enforcement (PR-gating)
  # ===========================================================================
  architecture-tests:
    name: Architecture Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore architecture tests
        run: dotnet restore tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj
      - name: Build architecture tests
        run: dotnet build tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Architecture tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          dotnet test tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj \
            --configuration $BUILD_CONFIGURATION \
            --no-build \
            --logger "trx;LogFileName=architecture-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Architecture test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: architecture-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Contract Lane: API contract stability tests (PR-gating)
  # ===========================================================================
  contract-tests:
    name: Contract Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Contract lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Contract \
            --logger "trx;LogFileName=contract-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Contract test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: contract-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Integration Lane: Service + storage tests with Testcontainers (PR-gating)
  # ===========================================================================
  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Integration lane tests
        env:
          POSTGRES_TEST_IMAGE: postgres:16-alpine
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Integration \
            --logger "trx;LogFileName=integration-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Integration test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: integration-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Security Lane: AuthZ, input validation, negative tests (PR-gating)
  # ===========================================================================
  security-tests:
    name: Security Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Security lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Security \
            --logger "trx;LogFileName=security-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Security test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Performance Lane: Benchmarks and regression thresholds (optional/scheduled)
  # ===========================================================================
  performance-tests:
    name: Performance Tests
    runs-on: ubuntu-22.04
    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Performance lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Performance \
            --logger "trx;LogFileName=performance-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Performance test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: performance-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 14
  # ===========================================================================
  # Live Lane: External API smoke tests (opt-in only, never PR-gating)
  # ===========================================================================
  live-tests:
    name: Live Tests (External Dependencies)
    runs-on: ubuntu-22.04
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_live == 'true'
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Live lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Live \
            --logger "trx;LogFileName=live-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
        continue-on-error: true
      - name: Upload Live test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: live-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Test Results Summary
  # ===========================================================================
  test-summary:
    name: Test Results Summary
    runs-on: ubuntu-22.04
    needs: [unit-tests, architecture-tests, contract-tests, integration-tests, security-tests]
    if: always()
    steps:
      - name: Download all test results
        uses: actions/download-artifact@v4
        with:
          path: all-test-results
      - name: Generate summary
        run: |
          echo "## Test Lane Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          for lane in unit architecture contract integration security; do
            result_dir="all-test-results/${lane}-test-results"
            if [ -d "$result_dir" ]; then
              echo "### ${lane^} Lane: ✅ Passed" >> $GITHUB_STEP_SUMMARY
            else
              echo "### ${lane^} Lane: ❌ Failed or Skipped" >> $GITHUB_STEP_SUMMARY
            fi
          done
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "See individual job logs for detailed test output." >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/unknowns-budget-gate.yml
+++ b/.gitea/workflows/unknowns-budget-gate.yml
@@ -0,0 +1,199 @@
 # -----------------------------------------------------------------------------
 # unknowns-budget-gate.yml
 # Sprint: SPRINT_5100_0004_0001_unknowns_budget_ci_gates
 # Task: T2 - CI Budget Gate Workflow
 # Description: Enforces unknowns budgets on PRs and pushes
 # -----------------------------------------------------------------------------
 name: Unknowns Budget Gate
 on:
  pull_request:
    paths:
      - 'src/**'
      - 'Dockerfile*'
      - '*.lock'
      - 'etc/policy.unknowns.yaml'
  push:
    branches: [main]
    paths:
      - 'src/**'
      - 'Dockerfile*'
      - '*.lock'
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
  STELLAOPS_BUDGET_CONFIG: ./etc/policy.unknowns.yaml
 jobs:
  scan-and-check-budget:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: |
            ~/.nuget/packages
            local-nugets/packages
          key: budget-gate-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore and Build CLI
        run: |
          dotnet restore src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configfile nuget.config
          dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -c Release --no-restore
      - name: Determine environment
        id: env
        run: |
          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            echo "environment=prod" >> $GITHUB_OUTPUT
            echo "enforce=true" >> $GITHUB_OUTPUT
          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
            echo "environment=stage" >> $GITHUB_OUTPUT
            echo "enforce=false" >> $GITHUB_OUTPUT
          else
            echo "environment=dev" >> $GITHUB_OUTPUT
            echo "enforce=false" >> $GITHUB_OUTPUT
          fi
      - name: Create sample verdict for testing
        id: scan
        run: |
          mkdir -p out
          # In a real scenario, this would be from stella scan
          # For now, create a minimal verdict file
          cat > out/verdict.json << 'EOF'
          {
            "unknowns": []
          }
          EOF
          echo "verdict_path=out/verdict.json" >> $GITHUB_OUTPUT
      - name: Check unknowns budget
        id: budget
        continue-on-error: true
        run: |
          set +e
          dotnet run --project src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -- \
            unknowns budget check \
            --verdict ${{ steps.scan.outputs.verdict_path }} \
            --environment ${{ steps.env.outputs.environment }} \
            --output json \
            --fail-on-exceed > out/budget-result.json
          EXIT_CODE=$?
          echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
          if [ -f out/budget-result.json ]; then
            # Compact JSON for output
            RESULT=$(cat out/budget-result.json | jq -c '.')
            echo "result=$RESULT" >> $GITHUB_OUTPUT
          fi
          exit $EXIT_CODE
      - name: Upload budget report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: budget-report-${{ github.run_id }}
          path: out/budget-result.json
          retention-days: 30
      - name: Post PR comment
        if: github.event_name == 'pull_request' && always()
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            let result = { isWithinBudget: true, totalUnknowns: 0 };
            try {
              const content = fs.readFileSync('out/budget-result.json', 'utf8');
              result = JSON.parse(content);
            } catch (e) {
              console.log('Could not read budget result:', e.message);
            }
            const status = result.isWithinBudget ? ':white_check_mark:' : ':x:';
            const env = '${{ steps.env.outputs.environment }}';
            let body = `## ${status} Unknowns Budget Check
 | Metric | Value |
 |--------|-------|
 | Environment | ${env} |
 | Total Unknowns | ${result.totalUnknowns || 0} |
 | Budget Limit | ${result.totalLimit || 'Unlimited'} |
 | Status | ${result.isWithinBudget ? 'PASS' : 'FAIL'} |
 `;
            if (result.violations && result.violations.length > 0) {
              body += `
 ### Violations
 `;
              for (const v of result.violations) {
                body += `- **${v.reasonCode}**: ${v.count}/${v.limit}\n`;
              }
            }
            if (result.message) {
              body += `\n> ${result.message}\n`;
            }
            body += `\n---\n_Generated by StellaOps Unknowns Budget Gate_`;
            // Find existing comment
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const botComment = comments.find(c =>
              c.body.includes('Unknowns Budget Check') &&
              c.user.type === 'Bot'
            );
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: body
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: body
              });
            }
      - name: Fail if budget exceeded (prod)
        if: steps.env.outputs.environment == 'prod' && steps.budget.outputs.exit_code == '2'
        run: |
          echo "::error::Production unknowns budget exceeded!"
          exit 1
      - name: Warn if budget exceeded (non-prod)
        if: steps.env.outputs.environment != 'prod' && steps.budget.outputs.exit_code == '2'
        run: |
          echo "::warning::Unknowns budget exceeded for ${{ steps.env.outputs.environment }}"
--- a/.gitea/workflows/wine-csp-build.yml
+++ b/.gitea/workflows/wine-csp-build.yml
@@ -1,449 +0,0 @@
 name: wine-csp-build
 on:
  push:
    branches: [main, develop]
    paths:
      - 'src/__Tools/WineCspService/**'
      - 'ops/wine-csp/**'
      - 'third_party/forks/AlexMAS.GostCryptography/**'
      - '.gitea/workflows/wine-csp-build.yml'
  pull_request:
    paths:
      - 'src/__Tools/WineCspService/**'
      - 'ops/wine-csp/**'
      - 'third_party/forks/AlexMAS.GostCryptography/**'
  workflow_dispatch:
    inputs:
      push:
        description: "Push to registry"
        required: false
        default: "false"
      version:
        description: "Version tag (e.g., 2025.10.0-edge)"
        required: false
        default: "2025.10.0-edge"
      skip_tests:
        description: "Skip integration tests"
        required: false
        default: "false"
 env:
  IMAGE_NAME: registry.stella-ops.org/stellaops/wine-csp
  DOCKERFILE: ops/wine-csp/Dockerfile
  # Wine CSP only supports linux/amd64 (Wine ARM64 has compatibility issues with Windows x64 apps)
  PLATFORMS: linux/amd64
  PYTHON_VERSION: "3.11"
 jobs:
  # ===========================================================================
  # Job 1: Build Docker Image
  # ===========================================================================
  build:
    name: Build Wine CSP Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      image_tag: ${{ steps.version.outputs.tag }}
      image_digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true
      - name: Set version tag
        id: version
        run: |
          if [[ -n "${{ github.event.inputs.version }}" ]]; then
            echo "tag=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            echo "tag=2025.10.0-edge" >> $GITHUB_OUTPUT
          else
            echo "tag=pr-${{ github.event.pull_request.number || github.sha }}" >> $GITHUB_OUTPUT
          fi
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=${{ steps.version.outputs.tag }}
            type=sha,format=short
      - name: Build image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ env.DOCKERFILE }}
          platforms: ${{ env.PLATFORMS }}
          push: false
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Save image for testing
        run: |
          mkdir -p /tmp/images
          docker save "${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}" | gzip > /tmp/images/wine-csp.tar.gz
      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images/wine-csp.tar.gz
          retention-days: 1
  # ===========================================================================
  # Job 2: Integration Tests
  # ===========================================================================
  test:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: build
    if: ${{ github.event.inputs.skip_tests != 'true' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images
      - name: Load Docker image
        run: |
          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install test dependencies
        run: |
          pip install -r ops/wine-csp/tests/requirements.txt
      - name: Start Wine CSP container
        id: container
        run: |
          echo "Starting Wine CSP container..."
          docker run -d --name wine-csp-test \
            -e WINE_CSP_MODE=limited \
            -e WINE_CSP_LOG_LEVEL=Debug \
            -p 5099:5099 \
            "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
          echo "container_id=$(docker ps -q -f name=wine-csp-test)" >> $GITHUB_OUTPUT
      - name: Wait for service startup
        run: |
          echo "Waiting for Wine CSP service to be ready (up to 120s)..."
          for i in $(seq 1 24); do
            if curl -sf http://127.0.0.1:5099/health > /dev/null 2>&1; then
              echo "Service ready after $((i * 5))s"
              exit 0
            fi
            echo "Waiting... ($((i * 5))s elapsed)"
            sleep 5
          done
          echo "Service failed to start!"
          docker logs wine-csp-test
          exit 1
      - name: Run integration tests (pytest)
        id: pytest
        run: |
          mkdir -p test-results
          export WINE_CSP_URL=http://127.0.0.1:5099
          pytest ops/wine-csp/tests/test_wine_csp.py \
            -v \
            --tb=short \
            --junitxml=test-results/junit.xml \
            --timeout=60 \
            -x \
            2>&1 | tee test-results/pytest-output.txt
      - name: Run shell integration tests
        if: always()
        run: |
          chmod +x ops/wine-csp/tests/run-tests.sh
          ops/wine-csp/tests/run-tests.sh \
            --url http://127.0.0.1:5099 \
            --ci \
            --verbose || true
      - name: Collect container logs
        if: always()
        run: |
          docker logs wine-csp-test > test-results/container.log 2>&1 || true
      - name: Stop container
        if: always()
        run: |
          docker stop wine-csp-test || true
          docker rm wine-csp-test || true
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: wine-csp-test-results
          path: test-results/
      - name: Publish test results
        uses: mikepenz/action-junit-report@v4
        if: always()
        with:
          report_paths: 'test-results/junit.xml'
          check_name: 'Wine CSP Integration Tests'
          fail_on_failure: true
  # ===========================================================================
  # Job 3: Security Scan
  # ===========================================================================
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images
      - name: Load Docker image
        run: |
          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Run Trivy for JSON report
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
          format: 'json'
          output: 'trivy-results.json'
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload Trivy JSON report
        uses: actions/upload-artifact@v4
        with:
          name: wine-csp-security-scan
          path: trivy-results.json
  # ===========================================================================
  # Job 4: Generate SBOM
  # ===========================================================================
  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images
      - name: Load Docker image
        run: |
          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
      - name: Install syft
        uses: anchore/sbom-action/download-syft@v0
      - name: Generate SBOM (SPDX)
        run: |
          mkdir -p out/sbom
          syft "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" \
            -o spdx-json=out/sbom/wine-csp.spdx.json
      - name: Generate SBOM (CycloneDX)
        run: |
          syft "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" \
            -o cyclonedx-json=out/sbom/wine-csp.cdx.json
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: wine-csp-sbom-${{ needs.build.outputs.image_tag }}
          path: out/sbom/
  # ===========================================================================
  # Job 5: Publish (only on main branch or manual trigger)
  # ===========================================================================
  publish:
    name: Publish Image
    runs-on: ubuntu-latest
    needs: [build, test, security]
    if: ${{ (github.event.inputs.push == 'true' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && needs.test.result == 'success' }}
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images
      - name: Load Docker image
        run: |
          gunzip -c /tmp/images/wine-csp.tar.gz | docker load
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.7.0
      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: registry.stella-ops.org
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Push to registry
        run: |
          docker push "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
          # Also tag as latest if on main
          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            docker tag "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" "${{ env.IMAGE_NAME }}:latest"
            docker push "${{ env.IMAGE_NAME }}:latest"
          fi
      - name: Sign image with cosign
        env:
          COSIGN_EXPERIMENTAL: "1"
        run: |
          cosign sign --yes "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}" || echo "Signing skipped (no OIDC available)"
      - name: Create release summary
        run: |
          echo "## Wine CSP Image Published" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Image:** \`${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**WARNING:** This image is for TEST VECTOR GENERATION ONLY." >> $GITHUB_STEP_SUMMARY
  # ===========================================================================
  # Job 6: Air-Gap Bundle
  # ===========================================================================
  airgap:
    name: Air-Gap Bundle
    runs-on: ubuntu-latest
    needs: [build, test]
    if: ${{ needs.test.result == 'success' }}
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-image
          path: /tmp/images
      - name: Create air-gap bundle
        run: |
          mkdir -p out/bundles
          # Copy the image tarball
          cp /tmp/images/wine-csp.tar.gz out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.tar.gz
          # Generate bundle manifest
          cat > out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.manifest.json <<EOF
          {
            "name": "wine-csp",
            "version": "${{ needs.build.outputs.image_tag }}",
            "image": "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}",
            "platform": "linux/amd64",
            "sha256": "$(sha256sum out/bundles/wine-csp-${{ needs.build.outputs.image_tag }}.tar.gz | cut -d' ' -f1)",
            "created": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "git_commit": "${{ github.sha }}",
            "git_ref": "${{ github.ref }}",
            "warning": "FOR TEST VECTOR GENERATION ONLY - NOT FOR PRODUCTION SIGNING"
          }
          EOF
          # Create checksums file
          cd out/bundles
          sha256sum *.tar.gz *.json > SHA256SUMS
          echo "Air-gap bundle contents:"
          ls -lh
      - name: Upload air-gap bundle
        uses: actions/upload-artifact@v4
        with:
          name: wine-csp-bundle-${{ needs.build.outputs.image_tag }}
          path: out/bundles/
  # ===========================================================================
  # Job 7: Test Summary
  # ===========================================================================
  summary:
    name: Test Summary
    runs-on: ubuntu-latest
    needs: [build, test, security, sbom]
    if: always()
    steps:
      - name: Download test results
        uses: actions/download-artifact@v4
        with:
          name: wine-csp-test-results
          path: test-results/
        continue-on-error: true
      - name: Create summary
        run: |
          echo "## Wine CSP Build Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Stage | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
          echo "| Build | ${{ needs.build.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Tests | ${{ needs.test.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Security | ${{ needs.security.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| SBOM | ${{ needs.sbom.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Image Tag:** \`${{ needs.build.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "---" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**SECURITY WARNING:** Wine CSP is for TEST VECTOR GENERATION ONLY." >> $GITHUB_STEP_SUMMARY
--- a/.github/flaky-tests-quarantine.json
+++ b/.github/flaky-tests-quarantine.json
@@ -0,0 +1,12 @@
 {
  "$schema": "https://stellaops.io/schemas/flaky-tests-quarantine.v1.json",
  "version": "1.0.0",
  "updated_at": "2025-01-15T00:00:00Z",
  "policy": {
    "consecutive_failures_to_quarantine": 2,
    "quarantine_duration_days": 14,
    "auto_reactivate_after_fix": true
  },
  "quarantined_tests": [],
  "notes": "Tests are quarantined after 2 consecutive failures. Review and fix within 14 days or escalate."
 }
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
@@ -1,52 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Microsoft.Extensions.Logging.Abstractions</id>
    <version>10.0.0-rc.2.25502.107</version>
    <authors>Microsoft</authors>
    <license type="expression">MIT</license>
    <licenseUrl>https://licenses.nuget.org/MIT</licenseUrl>
    <icon>Icon.png</icon>
    <readme>PACKAGE.md</readme>
    <projectUrl>https://dot.net/</projectUrl>
    <description>Logging abstractions for Microsoft.Extensions.Logging.
 Commonly Used Types:
 Microsoft.Extensions.Logging.ILogger
 Microsoft.Extensions.Logging.ILoggerFactory
 Microsoft.Extensions.Logging.ILogger&lt;TCategoryName&gt;
 Microsoft.Extensions.Logging.LogLevel
 Microsoft.Extensions.Logging.Logger&lt;T&gt;
 Microsoft.Extensions.Logging.LoggerMessage
 Microsoft.Extensions.Logging.Abstractions.NullLogger</description>
    <releaseNotes>https://go.microsoft.com/fwlink/?LinkID=799421</releaseNotes>
    <copyright>© Microsoft Corporation. All rights reserved.</copyright>
    <serviceable>true</serviceable>
    <repository type="git" url="https://github.com/dotnet/dotnet" commit="89c8f6a112d37d2ea8b77821e56d170a1bccdc5a" />
    <dependencies>
      <group targetFramework=".NETFramework4.6.2">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net8.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net9.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net10.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework=".NETStandard2.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
      </group>
    </dependencies>
  </metadata>
 </package>
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
--- a/.spectral.yaml
+++ b/.spectral.yaml
@@ -165,3 +165,69 @@ rules:
              in:
                const: header
            required: [name, in]
  # --- Deprecation Metadata Rules (per APIGOV-63-001) ---
  stella-deprecated-has-metadata:
    description: "Deprecated operations must have x-deprecation extension with required fields"
    message: "Add x-deprecation metadata (deprecatedAt, sunsetAt, successorPath, reason) to deprecated operations"
    given: "$.paths[*][*][?(@.deprecated == true)]"
    severity: error
    then:
      field: x-deprecation
      function: schema
      functionOptions:
        schema:
          type: object
          required:
            - deprecatedAt
            - sunsetAt
            - successorPath
            - reason
          properties:
            deprecatedAt:
              type: string
              format: date-time
            sunsetAt:
              type: string
              format: date-time
            successorPath:
              type: string
            successorOperationId:
              type: string
            reason:
              type: string
            migrationGuide:
              type: string
              format: uri
            notificationChannels:
              type: array
              items:
                type: string
                enum: [slack, teams, email, webhook]
  stella-deprecated-sunset-future:
    description: "Sunset dates should be in the future (warn if sunset already passed)"
    message: "x-deprecation.sunsetAt should be a future date"
    given: "$.paths[*][*].x-deprecation.sunsetAt"
    severity: warn
    then:
      function: truthy
  stella-deprecated-migration-guide:
    description: "Deprecated operations should include a migration guide URL"
    message: "Consider adding x-deprecation.migrationGuide for consumer guidance"
    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
    severity: hint
    then:
      field: migrationGuide
      function: truthy
  stella-deprecated-notification-channels:
    description: "Deprecated operations should specify notification channels"
    message: "Add x-deprecation.notificationChannels to enable deprecation notifications"
    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
    severity: hint
    then:
      field: notificationChannels
      function: truthy
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -58,8 +58,8 @@ When you are told you are working in a particular module or directory, assume yo
 * **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions.
 * **Frontend**: Angular v17 for the UI.
-* **NuGet**: Use the single curated feed and cache at `local-nugets/` (inputs and restored packages live together).
+* **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache.
-* **Data**: MongoDB as canonical store and for job/export state. Use a MongoDB driver version ≥ 3.0.
+* **Data**: PostgreSQL as canonical store and for job/export state. Use a PostgreSQL driver version ≥ 3.0.
 * **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces.
 * **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured).
@@ -126,7 +126,7 @@ It ships as containerised building blocks; each module owns a clear boundary and
 | Scanner                | `src/Scanner/StellaOps.Scanner.WebService`<br>`src/Scanner/StellaOps.Scanner.Worker`<br>`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md`           |
 | Scheduler              | `src/Scheduler/StellaOps.Scheduler.WebService`<br>`src/Scheduler/StellaOps.Scheduler.Worker`                                          | `docs/modules/scheduler/architecture.md`         |
 | CLI                    | `src/Cli/StellaOps.Cli`<br>`src/Cli/StellaOps.Cli.Core`<br>`src/Cli/StellaOps.Cli.Plugins.*`                                          | `docs/modules/cli/architecture.md`               |
-| UI / Console           | `src/UI/StellaOps.UI`                                                                                                                 | `docs/modules/ui/architecture.md`                |
+| UI / Console           | `src/Web/StellaOps.Web`                                                                                                               | `docs/modules/ui/architecture.md`                |
 | Notify                 | `src/Notify/StellaOps.Notify.WebService`<br>`src/Notify/StellaOps.Notify.Worker`                                                      | `docs/modules/notify/architecture.md`            |
 | Export Center          | `src/ExportCenter/StellaOps.ExportCenter.WebService`<br>`src/ExportCenter/StellaOps.ExportCenter.Worker`                              | `docs/modules/export-center/architecture.md`     |
 | Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`<br>`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`                        | `docs/modules/registry/architecture.md`          |
@@ -202,22 +202,22 @@ Your goals:
 Sprint filename format:
-`SPRINT_<IMPLID>_<BATCHID>_<SPRINTID>_<topic_in_few_words>.md`
+`SPRINT_<IMPLID>_<BATCHID>_<MODULEID>_<topic_in_few_words>.md`
-* `<IMPLID>`: `0000–9999` — implementation epoch (e.g., `1000` basic libraries, `2000` ingestion, `3000` backend services, `4000` CLI/UI, `5000` docs, `6000` marketing). When in doubt, use the highest number already present.
+* `<IMPLID>`: implementation epoch (e.g., `20251218`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch.
-* `<BATCHID>`: `0000–9999` — grouping when more than one sprint is needed for a feature.
+* `<BATCHID>`: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature.
-* `<SPRINTID>`: `0000–9999` — sprint index within the batch.
+* `<MODULEID>`: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc.
 * `<topic_in_few_words>`: short topic description.
 * **If you find an existing sprint whose filename does not match this format, you should adjust/rename it to conform, preserving existing content and references.** Document the rename in the sprint’s **Execution Log**.
-Sprint file template:
+Every sprint file must conform to this template:
 ```md
 # Sprint <ID> · <Stream/Topic>
 ## Topic & Scope
- Summarise the sprint in 2–4 bullets that read like a short story (expected outcomes and “why now”).
+- Summarise the sprint in 2–4 bullets that read like a short story (expected outcomes and "why now").
- Call out the single owning directory (e.g., `src/Concelier/StellaOps.Concelier.Core`) and the evidence you expect to produce.
+- Call out the single owning directory (e.g., `src/<module>/ReleaseOrchestrator.<module>.<sub-module>`) and the evidence you expect to produce.
 - **Working directory:** `<path/to/module>`.
 ## Dependencies & Concurrency
@@ -269,12 +269,12 @@ In this role you act as:
 * **Angular v17 engineer** (UI).
 * **QA automation engineer** (C#, Moq, Playwright, Angular test stack, or other suitable tools).
-Implementation principles:
+Implementation principles:
-
+
-* Always follow .NET 10 and Angular v17 best practices.
+* Always follow .NET 10 and Angular v17 best practices.
-* Apply SOLID design principles (SRP, OCP, LSP, ISP, DIP) in service and library code.
+* Apply SOLID design principles (SRP, OCP, LSP, ISP, DIP) in service and library code.
-* Maximise reuse and composability.
+* Maximise reuse and composability.
-* Maintain determinism: stable ordering, UTC ISO-8601 timestamps, immutable NDJSON where applicable.
+* Maintain determinism: stable ordering, UTC ISO-8601 timestamps, immutable NDJSON where applicable.
 Execution rules (very important):
@@ -330,7 +330,7 @@ If no design decision is required, you proceed autonomously, implementing the ch
 ---
-### 5) Working Agreement (Global)
+### 5) Working Agreement (Global)
 1. **Task status discipline**
@@ -353,41 +353,41 @@ If no design decision is required, you proceed autonomously, implementing the ch
 5. **Completion**
   * When you complete all tasks in scope for your current instruction set, explicitly state that you are done with those tasks.
-6. **AGENTS.md discipline**
+6. **AGENTS.md discipline**
-   * Project / technical managers ensure each module’s `AGENTS.md` exists, is up to date, and reflects current design and advisory decisions.
+   * Project / technical managers ensure each module’s `AGENTS.md` exists, is up to date, and reflects current design and advisory decisions.
-   * Implementers must read and follow the relevant `AGENTS.md` before coding in a module.
+   * Implementers must read and follow the relevant `AGENTS.md` before coding in a module.
-   * If a mismatch or gap is found, implementers log it via `BLOCKED` status and the sprint’s **Decisions & Risks**, and then continue with other work instead of asking for live clarification.
+   * If a mismatch or gap is found, implementers log it via `BLOCKED` status and the sprint’s **Decisions & Risks**, and then continue with other work instead of asking for live clarification.
-
+
---
+---
-
+
-### 7) Advisory Handling (do this every time a new advisory lands)
+### 7) Advisory Handling (do this every time a new advisory lands)
-
+
-**Trigger:** Any new or updated file under `docs/product-advisories/` (including archived) automatically starts this workflow. No chat approval required.
+**Trigger:** Any new or updated file under `docs/product-advisories/` (including archived) automatically starts this workflow. No chat approval required.
-
+
-1) **Doc sync (must happen for every advisory):**
+1) **Doc sync (must happen for every advisory):**
-   - Create/update **two layers**:
+   - Create/update **two layers**:
-     - **High-level**: `docs/` (vision/key-features/market) to capture the moat/positioning and the headline promise.
+     - **High-level**: `docs/` (vision/key-features/market) to capture the moat/positioning and the headline promise.
-     - **Detailed**: closest deep area (`docs/reachability/*`, `docs/market/*`, `docs/benchmarks/*`, `docs/modules/<module>/*`, etc.).
+     - **Detailed**: closest deep area (`docs/reachability/*`, `docs/market/*`, `docs/benchmarks/*`, `docs/modules/<module>/*`, etc.).
-   - **Code & samples:**
+   - **Code & samples:**
-     - Inline only short fragments (≤ ~20 lines) directly in the updated doc for readability.
+     - Inline only short fragments (≤ ~20 lines) directly in the updated doc for readability.
-     - Place runnable or longer samples/harnesses in `docs/benchmarks/**` or `tests/**` with deterministic, offline-friendly defaults (no network, fixed seeds), and link to them from the doc.
+     - Place runnable or longer samples/harnesses in `docs/benchmarks/**` or `tests/**` with deterministic, offline-friendly defaults (no network, fixed seeds), and link to them from the doc.
-     - If the advisory already contains code, carry it over verbatim into the benchmark/test file (with minor formatting only); don’t paraphrase away executable value.
+     - If the advisory already contains code, carry it over verbatim into the benchmark/test file (with minor formatting only); don’t paraphrase away executable value.
-   - **Cross-links:** whenever moats/positioning change, add links from `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/key-features.md`, and the relevant module dossier(s).
+   - **Cross-links:** whenever moats/positioning change, add links from `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/key-features.md`, and the relevant module dossier(s).
-
+
-2) **Sprint sync (must happen for every advisory):**
+2) **Sprint sync (must happen for every advisory):**
-   - Add Delivery Tracker rows in the relevant `SPRINT_*.md` with owners, deps, and doc paths; add an Execution Log entry for the change.
+   - Add Delivery Tracker rows in the relevant `SPRINT_*.md` with owners, deps, and doc paths; add an Execution Log entry for the change.
-   - If code/bench/dataset work is implied, create tasks and point to the new benchmark/test paths; add risks/interlocks for schema/feed freeze or transparency caps as needed.
+   - If code/bench/dataset work is implied, create tasks and point to the new benchmark/test paths; add risks/interlocks for schema/feed freeze or transparency caps as needed.
-
+
-3) **De-duplication:**
+3) **De-duplication:**
-   - Check `docs/product-advisories/archived/` for overlaps. If similar, mark “supersedes/extends <advisory>` in the new doc and avoid duplicate tasks.
+   - Check `docs/product-advisories/archived/` for overlaps. If similar, mark “supersedes/extends <advisory>` in the new doc and avoid duplicate tasks.
-
+
-4) **Defaults to apply (unless advisory overrides):**
+4) **Defaults to apply (unless advisory overrides):**
-   - Hybrid reachability posture: graph DSSE mandatory; edge-bundle DSSE optional/targeted; deterministic outputs only.
+   - Hybrid reachability posture: graph DSSE mandatory; edge-bundle DSSE optional/targeted; deterministic outputs only.
-   - Offline-friendly benches/tests; frozen feeds; deterministic ordering/hashes.
+   - Offline-friendly benches/tests; frozen feeds; deterministic ordering/hashes.
-
+
-5) **Do not defer:** Execute steps 1–4 immediately; reporting is after the fact, not a gating step.
+5) **Do not defer:** Execute steps 1–4 immediately; reporting is after the fact, not a gating step.
-
+
-**Lessons baked in:** Past delays came from missing code carry-over and missing sprint tasks. Always move advisory code into benchmarks/tests and open the corresponding sprint rows the same session you read the advisory.
+**Lessons baked in:** Past delays came from missing code carry-over and missing sprint tasks. Always move advisory code into benchmarks/tests and open the corresponding sprint rows the same session you read the advisory.
 ---
 ### 6) Role Switching
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -41,7 +41,7 @@ dotnet test --filter "FullyQualifiedName~TestMethodName"
 dotnet test src/StellaOps.sln --verbosity normal
 ```
-**Note:** Tests use Mongo2Go which requires OpenSSL 1.1 on Linux. Run `scripts/enable-openssl11-shim.sh` before testing if needed.
+**Note:** Integration tests use Testcontainers for PostgreSQL. Ensure Docker is running before executing tests.
 ## Linting and Validation
@@ -60,11 +60,11 @@ helm lint deploy/helm/stellaops
 ### Technology Stack
 - **Runtime:** .NET 10 (`net10.0`) with latest C# preview features
- **Frontend:** Angular v17 (in `src/UI/StellaOps.UI`)
+- **Frontend:** Angular v17 (in `src/Web/StellaOps.Web`)
- **Database:** MongoDB (driver version ≥ 3.0)
+- **Database:** PostgreSQL (≥16) with per-module schema isolation; see `docs/db/` for specification
- **Testing:** xUnit with Mongo2Go, Moq, Microsoft.AspNetCore.Mvc.Testing
+- **Testing:** xUnit with Testcontainers (PostgreSQL), Moq, Microsoft.AspNetCore.Mvc.Testing
 - **Observability:** Structured logging, OpenTelemetry traces
- **NuGet:** Use the single curated feed and cache at `local-nugets/`
+- **NuGet:** Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org)
 ### Module Structure
@@ -89,7 +89,7 @@ The codebase follows a monorepo pattern with modules under `src/`:
 - **Libraries:** `src/<Module>/__Libraries/StellaOps.<Module>.*`
 - **Tests:** `src/<Module>/__Tests/StellaOps.<Module>.*.Tests/`
 - **Plugins:** Follow naming `StellaOps.<Module>.Connector.*` or `StellaOps.<Module>.Plugin.*`
- **Shared test infrastructure:** `StellaOps.Concelier.Testing` provides MongoDB fixtures
+- **Shared test infrastructure:** `StellaOps.Concelier.Testing` and `StellaOps.Infrastructure.Postgres.Testing` provide PostgreSQL fixtures
 ### Naming Conventions
@@ -127,7 +127,7 @@ The codebase follows a monorepo pattern with modules under `src/`:
 - Module tests: `StellaOps.<Module>.<Component>.Tests`
 - Shared fixtures/harnesses: `StellaOps.<Module>.Testing`
- Tests use xUnit, Mongo2Go for MongoDB integration tests
+- Tests use xUnit, Testcontainers for PostgreSQL integration tests
 ### Documentation Updates
@@ -154,8 +154,15 @@ When working in this repository, behavior changes based on the role specified:
 ### As Project Manager
- Sprint files follow format: `SPRINT_<IMPLID>_<BATCHID>_<SPRINTID>_<topic>.md`
+Create implementation sprint files under `docs/implplan/` using the **mandatory** sprint filename format:
- IMPLID epochs: `1000` basic libraries, `2000` ingestion, `3000` backend services, `4000` CLI/UI, `5000` docs, `6000` marketing
+
 `SPRINT_<IMPLID>_<BATCHID>_<MODULEID>_<topic_in_few_words>.md`
 - `<IMPLID>`: implementation epoch (e.g., `20251219`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch.
 - `<BATCHID>`: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature.
 - `<MODULEID>`: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc.
 - `<topic_in_few_words>`: short topic description.
 - **If any existing sprint file name or internal format deviates from the standard, rename/normalize it** and record the change in its **Execution Log**.
 - Normalize sprint files to standard template while preserving content
 - Ensure module `AGENTS.md` files exist and are up to date
@@ -200,6 +207,8 @@ Before coding, confirm required docs are read:
 - **Architecture overview:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - **Module dossiers:** `docs/modules/<module>/architecture.md`
 - **Database specification:** `docs/db/SPECIFICATION.md`
 - **PostgreSQL operations:** `docs/operations/postgresql-guide.md`
 - **API/CLI reference:** `docs/09_API_CLI_REFERENCE.md`
 - **Offline operation:** `docs/24_OFFLINE_KIT.md`
 - **Quickstart:** `docs/10_CONCELIER_CLI_QUICKSTART.md`
@@ -216,5 +225,5 @@ Workflows are in `.gitea/workflows/`. Key workflows:
 ## Environment Variables
 - `STELLAOPS_BACKEND_URL` - Backend API URL for CLI
- `STELLAOPS_TEST_MONGO_URI` - MongoDB connection string for integration tests
+- `STELLAOPS_TEST_POSTGRES_CONNECTION` - PostgreSQL connection string for integration tests
 - `StellaOpsEnableCryptoPro` - Enable GOST crypto support (set to `true` in build)
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -2,23 +2,15 @@
  <PropertyGroup>
    <StellaOpsRepoRoot Condition="'$(StellaOpsRepoRoot)' == ''">$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))</StellaOpsRepoRoot>
    <StellaOpsLocalNuGetSource Condition="'$(StellaOpsLocalNuGetSource)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot)local-nugets/'))</StellaOpsLocalNuGetSource>
    <StellaOpsDotNetPublicSource Condition="'$(StellaOpsDotNetPublicSource)' == ''">https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json</StellaOpsDotNetPublicSource>
    <StellaOpsNuGetOrgSource Condition="'$(StellaOpsNuGetOrgSource)' == ''">https://api.nuget.org/v3/index.json</StellaOpsNuGetOrgSource>
    <_StellaOpsDefaultRestoreSources>$(StellaOpsLocalNuGetSource);$(StellaOpsDotNetPublicSource);$(StellaOpsNuGetOrgSource)</_StellaOpsDefaultRestoreSources>
    <_StellaOpsOriginalRestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(RestoreSources)</_StellaOpsOriginalRestoreSources>
    <RestorePackagesPath Condition="'$(RestorePackagesPath)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot).nuget/packages'))</RestorePackagesPath>
    <RestoreConfigFile Condition="'$(RestoreConfigFile)' == ''">$([System.IO.Path]::Combine('$(StellaOpsRepoRoot)','NuGet.config'))</RestoreConfigFile>
    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(_StellaOpsDefaultRestoreSources)</RestoreSources>
    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' != ''">$(_StellaOpsDefaultRestoreSources);$(_StellaOpsOriginalRestoreSources)</RestoreSources>
    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>
  <PropertyGroup>
    <StellaOpsEnableCryptoPro Condition="'$(StellaOpsEnableCryptoPro)' == ''">false</StellaOpsEnableCryptoPro>
-    <NoWarn>$(NoWarn);NU1608;NU1605</NoWarn>
+    <NoWarn>$(NoWarn);NU1608;NU1605;NU1202</NoWarn>
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605</WarningsNotAsErrors>
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605;NU1202</WarningsNotAsErrors>
-    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605</RestoreNoWarn>
+    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605;NU1202</RestoreNoWarn>
    <RestoreWarningsAsErrors></RestoreWarningsAsErrors>
    <RestoreTreatWarningsAsErrors>false</RestoreTreatWarningsAsErrors>
    <RestoreDisableImplicitNuGetFallbackFolder>true</RestoreDisableImplicitNuGetFallbackFolder>
@@ -31,6 +23,10 @@
    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>
  <PropertyGroup>
    <AssetTargetFallback>$(AssetTargetFallback);net8.0;net7.0;net6.0;netstandard2.1;netstandard2.0</AssetTargetFallback>
  </PropertyGroup>
  <PropertyGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">
    <DefineConstants>$(DefineConstants);STELLAOPS_CRYPTO_PRO</DefineConstants>
  </PropertyGroup>
@@ -43,4 +39,52 @@
    <PackageReference Update="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
  </ItemGroup>
  <!-- .NET 10 compatible package version overrides -->
  <ItemGroup>
    <!-- Cryptography packages - updated for net10.0 compatibility -->
    <PackageReference Update="BouncyCastle.Cryptography" Version="2.6.2" />
    <PackageReference Update="Pkcs11Interop" Version="5.1.2" />
    <!-- Resilience - Polly 8.x for .NET 6+ -->
    <PackageReference Update="Polly" Version="8.5.2" />
    <PackageReference Update="Polly.Core" Version="8.5.2" />
    <!-- YAML - updated for net10.0 -->
    <PackageReference Update="YamlDotNet" Version="16.3.0" />
    <!-- JSON Schema packages -->
    <PackageReference Update="JsonSchema.Net" Version="7.3.2" />
    <PackageReference Update="Json.More.Net" Version="2.1.0" />
    <PackageReference Update="JsonPointer.Net" Version="5.1.0" />
    <!-- HTML parsing -->
    <PackageReference Update="AngleSharp" Version="1.2.0" />
    <!-- Scheduling -->
    <PackageReference Update="Cronos" Version="0.9.0" />
    <!-- Testing - xUnit 2.9.3 for .NET 10 -->
    <PackageReference Update="xunit" Version="2.9.3" />
    <PackageReference Update="xunit.assert" Version="2.9.3" />
    <PackageReference Update="xunit.extensibility.core" Version="2.9.3" />
    <PackageReference Update="xunit.extensibility.execution" Version="2.9.3" />
    <PackageReference Update="xunit.runner.visualstudio" Version="3.0.1" />
    <PackageReference Update="xunit.abstractions" Version="2.0.3" />
    <!-- JSON -->
    <PackageReference Update="Newtonsoft.Json" Version="13.0.4" />
    <!-- Annotations -->
    <PackageReference Update="JetBrains.Annotations" Version="2024.3.0" />
    <!-- Async interfaces -->
    <PackageReference Update="Microsoft.Bcl.AsyncInterfaces" Version="10.0.0" />
    <!-- HTTP Resilience integration (replaces Http.Polly) -->
    <PackageReference Update="Microsoft.Extensions.Http.Resilience" Version="10.0.0" />
    <!-- Testing packages - aligned to 10.0.0 -->
    <PackageReference Update="Microsoft.Extensions.TimeProvider.Testing" Version="10.0.0" />
  </ItemGroup>
 </Project>
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -1,8 +1,10 @@
 # Third-Party Notices
-This project bundles or links against the following third-party components in the scanner Ruby analyzer implementation:
+This project bundles or links against the following third-party components:
- **tree-sitter** (MIT License, © 2018 Max Brunsfeld)
+- **tree-sitter** (MIT License, (c) 2018 Max Brunsfeld)
- **tree-sitter-ruby** (MIT License, © 2016 Rob Rix)
+- **tree-sitter-ruby** (MIT License, (c) 2016 Rob Rix)
 - **GostCryptography (fork)** (MIT License, (c) 2014-2024 AlexMAS) — vendored under `third_party/forks/AlexMAS.GostCryptography` for GOST support in `StellaOps.Cryptography.Plugin.CryptoPro` and related sovereign crypto plug-ins.
 - **CryptoPro CSP integration** (Commercial, customer-provided) — StellaOps ships only integration code; CryptoPro CSP binaries and licenses are not redistributed and must be supplied by the operator per vendor EULA.
 License texts are available under third-party-licenses/.
--- a/NuGet.config
+++ b/NuGet.config
@@ -2,13 +2,8 @@
 <configuration>
  <packageSources>
    <clear />
    <add key="local-nugets" value="./local-nugets" />
    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="globalPackagesFolder" value="./.nuget/packages" />
  </config>
  <fallbackPackageFolders>
    <clear />
  </fallbackPackageFolders>
--- a/README.md
+++ b/README.md
@@ -1,14 +1,20 @@
 # StellaOps Concelier & CLI
 [![Build Status](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
 [![Quality Gates](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg?job=quality-gates)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
 [![Reachability](https://img.shields.io/badge/reachability-≥95%25-brightgreen)](docs/testing/ci-quality-gates.md)
 [![TTFS SLO](https://img.shields.io/badge/TTFS_P95-≤1.2s-blue)](docs/testing/ci-quality-gates.md)
 [![Mutation Score](https://img.shields.io/badge/mutation_score-≥80%25-purple)](docs/testing/mutation-testing-baselines.md)
 This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
 first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from
-authoritative sources, stores them in MongoDB, and exports deterministic JSON and
+authoritative sources, stores them in PostgreSQL, and exports deterministic JSON and
 Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
 control against the Concelier API.
 ## Quickstart
-1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`.
+1. Prepare a PostgreSQL instance and (optionally) install `trivy-db`/`oras`.
 2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry
   settings.
 3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token
@@ -22,9 +28,9 @@ Detailed operator guidance is available in `docs/10_CONCELIER_CLI_QUICKSTART.md`
 command reference material lives in `docs/09_API_CLI_REFERENCE.md`.
 Pipeline note: deployment workflows should template `etc/concelier.yaml` during CI/CD,
-injecting environment-specific Mongo credentials and telemetry endpoints. Upcoming
+injecting environment-specific PostgreSQL connection strings and telemetry endpoints.
-releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart
+Upcoming releases will add Microsoft OAuth (Entra ID) authentication support—track
-for integration steps once available.
+the quickstart for integration steps once available.
 ## Documentation
--- a/StellaOps.Router.slnx
+++ b/StellaOps.Router.slnx
@@ -1,19 +1,17 @@
 <Solution>
  <Folder Name="/src/" />
  <Folder Name="/src/Gateway/">
    <Project Path="src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj" />
  </Folder>
  <Folder Name="/src/__Libraries/">
    <Project Path="src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj" />
    <Project Path="src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Gateway/StellaOps.Router.Gateway.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj" />
  </Folder>
  <Folder Name="/tests/">
    <Project Path="tests/StellaOps.Gateway.WebService.Tests/StellaOps.Gateway.WebService.Tests.csproj" />
    <Project Path="tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Gateway.Tests/StellaOps.Router.Gateway.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj" />
  </Folder>
 </Solution>
--- a/bench/AGENTS.md
+++ b/bench/AGENTS.md
@@ -0,0 +1,20 @@
 # bench/AGENTS.md
 ## Purpose & Scope
 - Working directory: `bench/` (benchmarks, golden corpus, determinism fixtures).
 - Roles: QA engineer, performance/bench engineer, docs contributor.
 ## Required Reading (treat as read before DOING)
 - `docs/README.md`
 - `docs/19_TEST_SUITE_OVERVIEW.md`
 - `bench/README.md`
 - Sprint-specific guidance for corpus/bench artifacts.
 ## Working Agreements
 - Deterministic artifacts: stable ordering, fixed seeds, UTC timestamps.
 - Offline-friendly: no network dependencies in benchmarks unless explicitly required.
 - Keep fixtures and manifests ASCII and reproducible; avoid oversized binaries when possible.
 ## Validation
 - Validate manifests/fixtures with local scripts when available.
 - Document any new fixtures in `bench/README.md` or sprint notes.
--- a/bench/README.md
+++ b/bench/README.md
@@ -1,7 +1,7 @@
-# Stella Ops Bench Repository
+# Stella Ops Bench Repository
-> **Status:** Draft — aligns with `docs/benchmarks/vex-evidence-playbook.md` (Sprint 401).  
+> **Status:** Active · Last updated: 2025-12-13
-> **Purpose:** Host reproducible VEX decisions and comparison data that prove Stella Ops’ signal quality vs. baseline scanners.
+> **Purpose:** Host reproducible VEX decisions, reachability evidence, and comparison data proving Stella Ops' signal quality vs. baseline scanners.
 ## Layout
@@ -11,20 +11,122 @@ bench/
  findings/                 # per CVE/product bundles
    CVE-YYYY-NNNNN/
      evidence/
-        reachability.json
+        reachability.json   # richgraph-v1 excerpt
-        sbom.cdx.json
+        sbom.cdx.json       # CycloneDX SBOM
-      decision.openvex.json
+      decision.openvex.json # OpenVEX decision
-      decision.dsse.json
+      decision.dsse.json    # DSSE envelope
-      rekor.txt
+      rekor.txt             # Rekor log index + inclusion proof
-      metadata.json
+      metadata.json         # finding metadata (purl, CVE, version)
  tools/
-    verify.sh               # DSSE + Rekor verifier
+    verify.sh               # DSSE + Rekor verifier (online)
    verify.py               # offline verifier
    compare.py              # baseline comparison script
-    replay.sh               # runs reachability replay manifolds
+    replay.sh               # runs reachability replay manifests
  results/
-    summary.csv
+    summary.csv             # aggregated metrics
    runs/<date>/...         # raw outputs + replay manifests
  reachability-benchmark/   # reachability benchmark with JDK fixtures
 ```
-Refer to `docs/benchmarks/vex-evidence-playbook.md` for artifact contracts and automation tasks. The `bench/` tree will be populated once `BENCH-AUTO-401-019` and `DOCS-VEX-401-012` land.
+## Related Documentation
 | Document | Purpose |
 |----------|---------|
 | [VEX Evidence Playbook](../docs/benchmarks/vex-evidence-playbook.md) | Proof bundle schema, justification catalog, verification workflow |
 | [Hybrid Attestation](../docs/reachability/hybrid-attestation.md) | Graph-level and edge-bundle DSSE decisions |
 | [Function-Level Evidence](../docs/reachability/function-level-evidence.md) | Cross-module evidence chain guide |
 | [Deterministic Replay](../docs/replay/DETERMINISTIC_REPLAY.md) | Replay manifest specification |
 ## Verification Workflows
 ### Quick Verification (Online)
 ```bash
 # Verify a VEX proof bundle with DSSE and Rekor
 ./tools/verify.sh findings/CVE-2021-44228/decision.dsse.json
 # Output:
 # ✓ DSSE signature valid
 # ✓ Rekor inclusion verified (log index: 12345678)
 # ✓ Evidence hashes match
 # ✓ Justification catalog membership confirmed
 ```
 ### Offline Verification
 ```bash
 # Verify without network access
 python tools/verify.py \
  --bundle findings/CVE-2021-44228/decision.dsse.json \
  --cas-root ./findings/CVE-2021-44228/evidence/ \
  --catalog ../docs/benchmarks/vex-justifications.catalog.json
 # Or use the VEX proof bundle verifier
 python ../scripts/vex/verify_proof_bundle.py \
  --bundle ../tests/Vex/ProofBundles/sample-proof-bundle.json \
  --cas-root ../tests/Vex/ProofBundles/cas/
 ```
 ### Reachability Graph Verification
 ```bash
 # Verify graph DSSE
 stella graph verify --hash blake3:a1b2c3d4...
 # Verify with edge bundles
 stella graph verify --hash blake3:a1b2c3d4... --include-bundles
 # Offline with local CAS
 stella graph verify --hash blake3:a1b2c3d4... --cas-root ./offline-cas/
 ```
 ### Baseline Comparison
 ```bash
 # Compare Stella Ops findings against baseline scanners
 python tools/compare.py \
  --stellaops results/runs/2025-12-13/findings.json \
  --baseline results/baselines/trivy-latest.json \
  --output results/comparison-2025-12-13.csv
 # Metrics generated:
 # - True positives (reachability-confirmed)
 # - False positives (unreachable code paths)
 # - MTTD (mean time to detect)
 # - Reproducibility score
 ```
 ## Artifact Contracts
 All bench artifacts must comply with:
 1. **VEX Proof Bundle Schema** (`docs/benchmarks/vex-evidence-playbook.schema.json`)
   - BLAKE3-256 primary hash, SHA-256 secondary
   - Canonical JSON with sorted keys
   - DSSE envelope with Rekor-ready digest
 2. **Justification Catalog** (`docs/benchmarks/vex-justifications.catalog.json`)
   - VEX1-VEX10 justification codes
   - Required evidence types per justification
   - Expiry and re-evaluation rules
 3. **Reachability Graph** (`docs/contracts/richgraph-v1.md`)
   - BLAKE3 graph_hash for content addressing
   - Deterministic node/edge ordering
   - SymbolID/EdgeID format compliance
 ## CI Integration
 The bench directory is validated by:
 - `.gitea/workflows/vex-proof-bundles.yml` - Verifies all proof bundles
 - `.gitea/workflows/bench-determinism.yml` - Runs determinism benchmarks
 - `.gitea/workflows/hybrid-attestation.yml` - Verifies graph/edge-bundle fixtures
 ## Contributing
 1. Add new findings under `findings/CVE-YYYY-NNNNN/`
 2. Include all required evidence artifacts
 3. Generate DSSE envelope and Rekor proof
 4. Update `results/summary.csv`
 5. Run verification: `./tools/verify.sh findings/CVE-YYYY-NNNNN/decision.dsse.json`
--- a/bench/baselines/performance-baselines.json
+++ b/bench/baselines/performance-baselines.json
@@ -0,0 +1,22 @@
 {
  "schema_version": "stellaops.perf.baselines/v1",
  "updated_at": "2025-01-15T00:00:00Z",
  "environment": {
    "runtime": ".NET 10",
    "os": "ubuntu-22.04",
    "cpu": "8 cores",
    "memory_gb": 16
  },
  "baselines": {
    "score_computation_ms": 100,
    "score_computation_large_ms": 500,
    "proof_bundle_generation_ms": 200,
    "proof_signing_ms": 50,
    "dotnet_callgraph_extraction_ms": 500,
    "reachability_computation_ms": 100,
    "reachability_large_graph_ms": 500,
    "reachability_deep_path_ms": 200
  },
  "threshold_percent": 20,
  "notes": "Initial baselines established on CI runner. Update after algorithm changes."
 }
--- a/bench/baselines/ttfs-baseline.json
+++ b/bench/baselines/ttfs-baseline.json
@@ -0,0 +1,56 @@
 {
  "$schema": "https://json-schema.org/draft-07/schema#",
  "title": "TTFS Baseline",
  "description": "Time-to-First-Signal baseline metrics for regression detection",
  "version": "1.0.0",
  "created_at": "2025-12-16T00:00:00Z",
  "updated_at": "2025-12-16T00:00:00Z",
  "metrics": {
    "ttfs_ms": {
      "p50": 1500,
      "p95": 4000,
      "p99": 6000,
      "min": 500,
      "max": 10000,
      "mean": 2000,
      "sample_count": 500
    },
    "by_scan_type": {
      "image_scan": {
        "p50": 2500,
        "p95": 5000,
        "p99": 7500,
        "description": "Container image scanning TTFS baseline"
      },
      "filesystem_scan": {
        "p50": 1000,
        "p95": 2000,
        "p99": 3000,
        "description": "Filesystem/directory scanning TTFS baseline"
      },
      "sbom_scan": {
        "p50": 400,
        "p95": 800,
        "p99": 1200,
        "description": "SBOM-only scanning TTFS baseline"
      }
    }
  },
  "thresholds": {
    "p50_max_ms": 2000,
    "p95_max_ms": 5000,
    "p99_max_ms": 8000,
    "max_regression_pct": 10,
    "description": "Thresholds that will trigger CI gate failures"
  },
  "collection_info": {
    "test_environment": "ci-standard-runner",
    "runner_specs": {
      "cpu_cores": 4,
      "memory_gb": 8,
      "storage_type": "ssd"
    },
    "sample_corpus": "tests/reachability/corpus",
    "collection_window_days": 30
  }
 }
--- a/bench/competitors/corpus/corpus-manifest.json
+++ b/bench/competitors/corpus/corpus-manifest.json
@@ -0,0 +1,50 @@
 {
  "version": "1.0.0",
  "lastUpdated": "2025-12-22T00:00:00Z",
  "images": [
    {
      "digest": "sha256:placeholder-alpine-3.18",
      "imageRef": "alpine:3.18",
      "truePositives": [],
      "falsePositives": [],
      "categories": ["alpine", "base"],
      "notes": {}
    },
    {
      "digest": "sha256:placeholder-debian-bookworm",
      "imageRef": "debian:bookworm-slim",
      "truePositives": [],
      "falsePositives": [],
      "categories": ["debian", "base"],
      "notes": {}
    },
    {
      "digest": "sha256:placeholder-node-20",
      "imageRef": "node:20-alpine",
      "truePositives": [],
      "falsePositives": [],
      "categories": ["alpine", "nodejs"],
      "notes": {}
    },
    {
      "digest": "sha256:placeholder-python-3.12",
      "imageRef": "python:3.12-slim",
      "truePositives": [],
      "falsePositives": [],
      "categories": ["debian", "python"],
      "notes": {}
    }
  ],
  "stats": {
    "totalImages": 4,
    "byCategory": {
      "alpine": 2,
      "debian": 2,
      "base": 2,
      "nodejs": 1,
      "python": 1
    },
    "totalTruePositives": 0,
    "totalFalsePositives": 0
  }
 }
--- a/bench/determinism/README.md
+++ b/bench/determinism/README.md
@@ -0,0 +1,129 @@
 # Determinism Benchmark Suite
 > **Purpose:** Verify that StellaOps produces bit-identical results across replays.
 > **Status:** Active
 > **Sprint:** SPRINT_3850_0001_0001 (Competitive Gap Closure)
 ## Overview
 Determinism is a core differentiator for StellaOps:
 - Same inputs → same outputs (bit-identical)
 - Replay manifests enable audit verification
 - No hidden state or environment leakage
 ## What Gets Tested
 ### Canonical JSON
 - Object key ordering (alphabetical)
 - Number formatting consistency
 - UTF-8 encoding without BOM
 - No whitespace variation
 ### Scan Manifests
 - Same artifact + same feeds → same manifest hash
 - Seed values propagate correctly
 - Timestamp handling (fixed UTC)
 ### Proof Bundles
 - Root hash computation
 - DSSE envelope determinism
 - ProofLedger node ordering
 ### Score Computation
 - Same manifest → same score
 - Lattice merge is associative/commutative
 - Policy rule ordering doesn't affect outcome
 ## Test Cases
 ### TC-001: Canonical JSON Determinism
 ```bash
 # Run same object through CanonJson 100 times
 # All hashes must match
 ```
 ### TC-002: Manifest Hash Stability
 ```bash
 # Create manifest with identical inputs
 # Verify ComputeHash() returns same value
 ```
 ### TC-003: Cross-Platform Determinism
 ```bash
 # Run on Linux, Windows, macOS
 # Compare output hashes
 ```
 ### TC-004: Feed Snapshot Determinism
 ```bash
 # Same feed snapshot hash → same scan results
 ```
 ## Fixtures
 ```
 fixtures/
 ├── sample-manifest.json
 ├── sample-ledger.json
 ├── expected-hashes.json
 └── cross-platform/
    ├── linux-x64.hashes.json
    ├── windows-x64.hashes.json
    └── macos-arm64.hashes.json
 ```
 ## Running the Suite
 ```bash
 # Run determinism tests
 dotnet test tests/StellaOps.Determinism.Tests
 # Run replay verification
 ./run-replay.sh --manifest fixtures/sample-manifest.json --runs 10
 # Cross-platform verification (requires CI matrix)
 ./verify-cross-platform.sh
 ```
 ## Metrics
 | Metric | Target | Description |
 |--------|--------|-------------|
 | Hash stability | 100% | All runs produce identical hash |
 | Replay success | 100% | All replays match original |
 | Cross-platform parity | 100% | Same hash across OS/arch |
 ## Integration with CI
 ```yaml
 # .gitea/workflows/bench-determinism.yaml
 name: Determinism Benchmark
 on:
  push:
    paths:
      - 'src/__Libraries/StellaOps.Canonical.Json/**'
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Core/**'
      - 'bench/determinism/**'
 jobs:
  determinism:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - name: Run Determinism Tests
        run: dotnet test tests/StellaOps.Determinism.Tests
      - name: Capture Hashes
        run: ./bench/determinism/capture-hashes.sh
      - name: Upload Hashes
        uses: actions/upload-artifact@v4
        with:
          name: hashes-${{ matrix.os }}
          path: bench/determinism/results/
 ```
--- a/bench/determinism/run-replay.sh
+++ b/bench/determinism/run-replay.sh
@@ -0,0 +1,133 @@
 #!/usr/bin/env bash
 # run-replay.sh
 # Deterministic Replay Benchmark
 # Sprint: SPRINT_3850_0001_0001
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 RESULTS_DIR="$SCRIPT_DIR/results/$(date -u +%Y%m%d_%H%M%S)"
 # Parse arguments
 MANIFEST_FILE=""
 RUNS=5
 VERBOSE=false
 while [[ $# -gt 0 ]]; do
    case $1 in
        --manifest)
            MANIFEST_FILE="$2"
            shift 2
            ;;
        --runs)
            RUNS="$2"
            shift 2
            ;;
        --verbose|-v)
            VERBOSE=true
            shift
            ;;
        *)
            echo "Unknown option: $1"
            exit 1
            ;;
    esac
 done
 echo "╔════════════════════════════════════════════════╗"
 echo "║       Deterministic Replay Benchmark           ║"
 echo "╚════════════════════════════════════════════════╝"
 echo ""
 echo "Configuration:"
 echo "  Manifest:    ${MANIFEST_FILE:-<default sample>}"
 echo "  Runs:        $RUNS"
 echo "  Results dir: $RESULTS_DIR"
 echo ""
 mkdir -p "$RESULTS_DIR"
 # Use sample manifest if none provided
 if [ -z "$MANIFEST_FILE" ] && [ -f "$SCRIPT_DIR/fixtures/sample-manifest.json" ]; then
    MANIFEST_FILE="$SCRIPT_DIR/fixtures/sample-manifest.json"
 fi
 declare -a HASHES
 echo "Running $RUNS iterations..."
 echo ""
 for i in $(seq 1 $RUNS); do
    echo -n "  Run $i: "
    OUTPUT_FILE="$RESULTS_DIR/run_$i.json"
    if command -v dotnet &> /dev/null; then
        # Run the replay service
        dotnet run --project "$SCRIPT_DIR/../../src/Scanner/StellaOps.Scanner.WebService" -- \
            replay \
            --manifest "$MANIFEST_FILE" \
            --output "$OUTPUT_FILE" \
            --format json 2>/dev/null || {
                echo "⊘ Skipped (replay command not available)"
                continue
            }
        if [ -f "$OUTPUT_FILE" ]; then
            HASH=$(sha256sum "$OUTPUT_FILE" | cut -d' ' -f1)
            HASHES+=("$HASH")
            echo "sha256:${HASH:0:16}..."
        else
            echo "⊘ No output generated"
        fi
    else
        echo "⊘ Skipped (dotnet not available)"
    fi
 done
 echo ""
 # Verify all hashes match
 if [ ${#HASHES[@]} -gt 1 ]; then
    FIRST_HASH="${HASHES[0]}"
    ALL_MATCH=true
    for hash in "${HASHES[@]}"; do
        if [ "$hash" != "$FIRST_HASH" ]; then
            ALL_MATCH=false
            break
        fi
    done
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo "Results"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    if $ALL_MATCH; then
        echo "✓ PASS: All $RUNS runs produced identical output"
        echo "  Hash: sha256:$FIRST_HASH"
    else
        echo "✗ FAIL: Outputs differ between runs"
        echo ""
        echo "Hashes:"
        for i in "${!HASHES[@]}"; do
            echo "  Run $((i+1)): ${HASHES[$i]}"
        done
    fi
 else
    echo "ℹ️  Insufficient runs to verify determinism"
 fi
 # Create summary JSON
 cat > "$RESULTS_DIR/summary.json" <<EOF
 {
  "benchmark": "determinism-replay",
  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
  "manifest": "$MANIFEST_FILE",
  "runs": $RUNS,
  "hashes": [$(printf '"%s",' "${HASHES[@]}" | sed 's/,$//')],
  "deterministic": ${ALL_MATCH:-null}
 }
 EOF
 echo ""
 echo "Results saved to: $RESULTS_DIR"
--- a/bench/findings/CVE-2015-7547-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2015-7547-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpiZTMwNDMzZTE4OGEyNTg4NTY0NDYzMzZkYmIxMDk1OWJmYjRhYjM5NzQzODBhOGVhMTI2NDZiZjI2ODdiZjlhIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2dsaWJjLUNWRS0yMDIzLTQ5MTEtbG9vbmV5LXR1bmFibGVzQDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMTUtNzU0NyIsIm5hbWUiOiJDVkUtMjAxNS03NTQ3In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2015-7547-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2015-7547-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "action_statement": "Upgrade to patched version or apply mitigation.",
      "impact_statement": "Evidence hash: sha256:be30433e188a258856446336dbb10959bfb4ab3974380a8ea12646bf2687bf9a",
      "products": [
        {
          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
        }
      ],
      "status": "affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
        "name": "CVE-2015-7547"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2015-7547-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2015-7547-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
 {
  "case_id": "glibc-CVE-2023-4911-looney-tunables",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "glibc-CVE-2023-4911-looney-tunables",
    "paths": [
      [
        "sym://net:handler#read",
        "sym://glibc:glibc.c#entry",
        "sym://glibc:glibc.c#sink"
      ]
    ],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "reachable"
  },
  "paths": [
    [
      "sym://net:handler#read",
      "sym://glibc:glibc.c#entry",
      "sym://glibc:glibc.c#sink"
    ]
  ],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "glibc-CVE-2023-4911-looney-tunables",
      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2015-7547-reachable/metadata.json
+++ b/bench/findings/CVE-2015-7547-reachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "glibc-CVE-2023-4911-looney-tunables",
  "cve_id": "CVE-2015-7547",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
  "reachability_status": "reachable",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2015-7547-reachable/rekor.txt
+++ b/bench/findings/CVE-2015-7547-reachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2015-7547-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2015-7547-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDJlYzAxNGE0MmQwZTNmYjQzZWQ0ZGRhZDg5NTM4MjFlNDQ0NTcxMTlkYTY2ZGRiNDFhMzVhODAxYTNiNzI3IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9nbGliYy1DVkUtMjAyMy00OTExLWxvb25leS10dW5hYmxlc0AxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAxNS03NTQ3IiwibmFtZSI6IkNWRS0yMDE1LTc1NDcifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2015-7547-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2015-7547-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "impact_statement": "Evidence hash: sha256:c42ec014a42d0e3fb43ed4ddad8953821e44457119da66ddb41a35a801a3b727",
      "justification": "vulnerable_code_not_present",
      "products": [
        {
          "@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
        }
      ],
      "status": "not_affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
        "name": "CVE-2015-7547"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2015-7547-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2015-7547-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
 {
  "case_id": "glibc-CVE-2023-4911-looney-tunables",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "glibc-CVE-2023-4911-looney-tunables",
    "paths": [],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "unreachable"
  },
  "paths": [],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "glibc-CVE-2023-4911-looney-tunables",
      "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2015-7547-unreachable/metadata.json
+++ b/bench/findings/CVE-2015-7547-unreachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "glibc-CVE-2023-4911-looney-tunables",
  "cve_id": "CVE-2015-7547",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
  "reachability_status": "unreachable",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2015-7547-unreachable/rekor.txt
+++ b/bench/findings/CVE-2015-7547-unreachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2022-3602-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2022-3602-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjowMTQzMWZmMWVlZTc5OWM2ZmFkZDU5M2E3ZWMxOGVlMDk0Zjk4MzE0MDk2M2RhNmNiZmQ0YjdmMDZiYTBmOTcwIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL29wZW5zc2wtQ1ZFLTIwMjItMzYwMi14NTA5LW5hbWUtY29uc3RyYWludHNAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi0zNjAyIiwibmFtZSI6IkNWRS0yMDIyLTM2MDIifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2022-3602-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2022-3602-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "action_statement": "Upgrade to patched version or apply mitigation.",
      "impact_statement": "Evidence hash: sha256:01431ff1eee799c6fadd593a7ec18ee094f983140963da6cbfd4b7f06ba0f970",
      "products": [
        {
          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
        }
      ],
      "status": "affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
        "name": "CVE-2022-3602"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2022-3602-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2022-3602-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
 {
  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
    "paths": [
      [
        "sym://net:handler#read",
        "sym://openssl:openssl.c#entry",
        "sym://openssl:openssl.c#sink"
      ]
    ],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "reachable"
  },
  "paths": [
    [
      "sym://net:handler#read",
      "sym://openssl:openssl.c#entry",
      "sym://openssl:openssl.c#sink"
    ]
  ],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "openssl-CVE-2022-3602-x509-name-constraints",
      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2022-3602-reachable/metadata.json
+++ b/bench/findings/CVE-2022-3602-reachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
  "cve_id": "CVE-2022-3602",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
  "reachability_status": "reachable",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2022-3602-reachable/rekor.txt
+++ b/bench/findings/CVE-2022-3602-reachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2022-3602-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2022-3602-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpkOWJhZjRjNjQ3NDE4Nzc4NTUxYWZjNDM3NTJkZWY0NmQ0YWYyN2Q1MzEyMmU2YzQzNzVjMzUxMzU1YjEwYTMzIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9vcGVuc3NsLUNWRS0yMDIyLTM2MDIteDUwOS1uYW1lLWNvbnN0cmFpbnRzQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM2MDIiLCJuYW1lIjoiQ1ZFLTIwMjItMzYwMiJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2022-3602-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2022-3602-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "impact_statement": "Evidence hash: sha256:d9baf4c647418778551afc43752def46d4af27d53122e6c4375c351355b10a33",
      "justification": "vulnerable_code_not_present",
      "products": [
        {
          "@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
        }
      ],
      "status": "not_affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
        "name": "CVE-2022-3602"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2022-3602-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2022-3602-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
 {
  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
    "paths": [],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "unreachable"
  },
  "paths": [],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "openssl-CVE-2022-3602-x509-name-constraints",
      "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2022-3602-unreachable/metadata.json
+++ b/bench/findings/CVE-2022-3602-unreachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
  "cve_id": "CVE-2022-3602",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
  "reachability_status": "unreachable",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2022-3602-unreachable/rekor.txt
+++ b/bench/findings/CVE-2022-3602-unreachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2023-38545-reachable/decision.dsse.json
+++ b/bench/findings/CVE-2023-38545-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpmMWMxZmRiZTk1YjMyNTNiMTNjYTZjNzMzZWMwM2FkYTNlYTg3MWU2NmI1ZGRlZGJiNmMxNGI5ZGM2N2IwNzQ4IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2N1cmwtQ1ZFLTIwMjMtMzg1NDUtc29ja3M1LWhlYXBAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMy0zODU0NSIsIm5hbWUiOiJDVkUtMjAyMy0zODU0NSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2023-38545-reachable/decision.openvex.json
+++ b/bench/findings/CVE-2023-38545-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "action_statement": "Upgrade to patched version or apply mitigation.",
      "impact_statement": "Evidence hash: sha256:f1c1fdbe95b3253b13ca6c733ec03ada3ea871e66b5ddedbb6c14b9dc67b0748",
      "products": [
        {
          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
        }
      ],
      "status": "affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
        "name": "CVE-2023-38545"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2023-38545-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-2023-38545-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
 {
  "case_id": "curl-CVE-2023-38545-socks5-heap",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "curl-CVE-2023-38545-socks5-heap",
    "paths": [
      [
        "sym://net:handler#read",
        "sym://curl:curl.c#entry",
        "sym://curl:curl.c#sink"
      ]
    ],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "reachable"
  },
  "paths": [
    [
      "sym://net:handler#read",
      "sym://curl:curl.c#entry",
      "sym://curl:curl.c#sink"
    ]
  ],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "curl-CVE-2023-38545-socks5-heap",
      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2023-38545-reachable/metadata.json
+++ b/bench/findings/CVE-2023-38545-reachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "curl-CVE-2023-38545-socks5-heap",
  "cve_id": "CVE-2023-38545",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
  "reachability_status": "reachable",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-2023-38545-reachable/rekor.txt
+++ b/bench/findings/CVE-2023-38545-reachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-2023-38545-unreachable/decision.dsse.json
+++ b/bench/findings/CVE-2023-38545-unreachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjplNGIxOTk0ZTU5NDEwNTYyZjQwYWI0YTVmZTIzNjM4YzExZTU4MTdiYjcwMDM5M2VkOTlmMjBkM2M5ZWY5ZmEwIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9jdXJsLUNWRS0yMDIzLTM4NTQ1LXNvY2tzNS1oZWFwQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTM4NTQ1IiwibmFtZSI6IkNWRS0yMDIzLTM4NTQ1In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-2023-38545-unreachable/decision.openvex.json
+++ b/bench/findings/CVE-2023-38545-unreachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "impact_statement": "Evidence hash: sha256:e4b1994e59410562f40ab4a5fe23638c11e5817bb700393ed99f20d3c9ef9fa0",
      "justification": "vulnerable_code_not_present",
      "products": [
        {
          "@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
        }
      ],
      "status": "not_affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
        "name": "CVE-2023-38545"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-2023-38545-unreachable/evidence/reachability.json
+++ b/bench/findings/CVE-2023-38545-unreachable/evidence/reachability.json
@@ -0,0 +1,13 @@
 {
  "case_id": "curl-CVE-2023-38545-socks5-heap",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "curl-CVE-2023-38545-socks5-heap",
    "paths": [],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "unreachable"
  },
  "paths": [],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "curl-CVE-2023-38545-socks5-heap",
      "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/bench/findings/CVE-2023-38545-unreachable/metadata.json
+++ b/bench/findings/CVE-2023-38545-unreachable/metadata.json
@@ -0,0 +1,11 @@
 {
  "case_id": "curl-CVE-2023-38545-socks5-heap",
  "cve_id": "CVE-2023-38545",
  "generated_at": "2025-12-14T02:13:38Z",
  "generator": "scripts/bench/populate-findings.py",
  "generator_version": "1.0.0",
  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
  "purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
  "reachability_status": "unreachable",
  "variant": "unreachable"
 }
--- a/bench/findings/CVE-2023-38545-unreachable/rekor.txt
+++ b/bench/findings/CVE-2023-38545-unreachable/rekor.txt
@@ -0,0 +1,5 @@
 # Rekor log entry placeholder
 # Submit DSSE envelope to Rekor to populate this file
 log_index: PENDING
 uuid: PENDING
 timestamp: 2025-12-14T02:13:38Z
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json
@@ -0,0 +1,10 @@
 {
  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjoxNTRiYTZlMzU5YzA5NTQ1NzhhOTU2MDM2N2YxY2JhYzFjMTUzZTVkNWRmOTNjMmI5MjljZDM4NzkyYTIxN2JiIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2xpbnV4LWNncm91cHMtQ1ZFLTIwMjItMDQ5Mi1yZWxlYXNlX2FnZW50QDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILUxJTlVYLUNHIiwibmFtZSI6IkNWRS1CRU5DSC1MSU5VWC1DRyJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
  "payloadType": "application/vnd.openvex+json",
  "signatures": [
    {
      "keyid": "stella.ops/bench-automation@v1",
      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
    }
  ]
 }
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json
@@ -0,0 +1,25 @@
 {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@type": "VEX",
  "author": "StellaOps Bench Automation",
  "role": "security_team",
  "statements": [
    {
      "action_statement": "Upgrade to patched version or apply mitigation.",
      "impact_statement": "Evidence hash: sha256:154ba6e359c0954578a9560367f1cbac1c153e5d5df93c2b929cd38792a217bb",
      "products": [
        {
          "@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
        }
      ],
      "status": "affected",
      "vulnerability": {
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
        "name": "CVE-BENCH-LINUX-CG"
      }
    }
  ],
  "timestamp": "2025-12-14T02:13:38Z",
  "tooling": "StellaOps/bench-auto@1.0.0",
  "version": 1
 }
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json
@@ -0,0 +1,25 @@
 {
  "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
  "generated_at": "2025-12-14T02:13:38Z",
  "ground_truth": {
    "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
    "paths": [
      [
        "sym://net:handler#read",
        "sym://linux:linux.c#entry",
        "sym://linux:linux.c#sink"
      ]
    ],
    "schema_version": "reachbench.reachgraph.truth/v1",
    "variant": "reachable"
  },
  "paths": [
    [
      "sym://net:handler#read",
      "sym://linux:linux.c#entry",
      "sym://linux:linux.c#sink"
    ]
  ],
  "schema_version": "richgraph-excerpt/v1",
  "variant": "reachable"
 }
--- a/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json
+++ b/bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json
@@ -0,0 +1,23 @@
 {
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "linux-cgroups-CVE-2022-0492-release_agent",
      "purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "metadata": {
    "timestamp": "2025-12-14T02:13:38Z",
    "tools": [
      {
        "name": "bench-auto",
        "vendor": "StellaOps",
        "version": "1.0.0"
      }
    ]
  },
  "specVersion": "1.6",
  "version": 1
 }
--- a/Show More
+++ b/Show More