# Feature Gaps Report - Stella Ops Suite
*(Auto-generated during feature matrix completion)*

This report documents:
1. Features discovered in code but not listed in FEATURE_MATRIX.md
2. CLI/UI coverage gaps for existing features

---

## Batch 1: SBOM & Ingestion

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| SPDX 3.0 Build Attestation | Attestor | `BuildAttestationMapper.cs`, `DsseSpdx3Signer.cs`, `CombinedDocumentBuilder.cs` | - | - | Attestation & Signing |
| CycloneDX CBOM Support | Scanner | `CycloneDxCbomWriter.cs` | - | - | SBOM & Ingestion |
| Trivy DB Export (Offline) | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbOrasPusher.cs`, `TrivyDbExportPlanner.cs` | `stella db export trivy` | - | Offline & Air-Gap |
| Layer SBOM Composition | Scanner | `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs`, `LayerSbomService.cs` | `stella sbomer layer`, `stella scan layer-sbom` | - | SBOM & Ingestion |
| SBOM Advisory Matching | Concelier | `SbomAdvisoryMatcher.cs`, `SbomRegistryService.cs`, `ValkeyPurlCanonicalIndex.cs` | - | - | Advisory Sources |
| Graph Lineage Service | Graph | `IGraphLineageService.cs`, `InMemoryGraphLineageService.cs`, `LineageContracts.cs` | - | `/graph` | SBOM & Ingestion |
| Evidence Cards (SBOM excerpts) | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCardService.cs`, `EvidenceCard.cs` | - | Evidence drawer | Evidence & Findings |
| AirGap SBOM Parsing | AirGap | `SpdxParser.cs`, `CycloneDxParser.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| SPDX License Normalization | Scanner | `SpdxLicenseNormalizer.cs`, `SpdxLicenseExpressions.cs`, `SpdxLicenseList.cs` | - | - | Scanning & Detection |
| SBOM Format Conversion | Scanner | `SpdxCycloneDxConverter.cs` | - | - | SBOM & Ingestion |
| SBOM Validation Pipeline | Scanner | `SbomValidationPipeline.cs`, `SemanticSbomExtensions.cs` | - | - | SBOM & Ingestion |
| CycloneDX Evidence Mapping | Scanner | `CycloneDxEvidenceMapper.cs` | - | - | SBOM & Ingestion |
| CycloneDX Pedigree Mapping | Scanner | `CycloneDxPedigreeMapper.cs` | - | - | SBOM & Ingestion |
| SBOM Snapshot Export | Graph | `SbomSnapshot.cs`, `SbomSnapshotExporter.cs` | - | - | Evidence & Findings |
| Lineage Evidence Packs | ExportCenter | `ILineageEvidencePackService.cs`, `LineageEvidencePack.cs`, `LineageExportEndpoints.cs` | - | `/triage/audit-bundles` | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Delta-SBOM Cache | SbomService | No | No | Internal optimization - no action needed |
| SBOM Lineage Ledger | SbomService | No | Yes | Add `stella sbom lineage list/show` commands |
| SBOM Lineage API | SbomService | No | Yes | Add `stella sbom lineage export` command |
| SPDX 3.0 Build Attestation | Attestor | No | No | Add to Attestation & Signing matrix section |
| Graph Lineage Service | Graph | No | Yes | Consider `stella graph lineage` command |
| Trivy DB Export | Concelier | Partial | No | `stella db export trivy` exists but may need UI |

---

## Batch 2: Scanning & Detection

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Secrets Detection (Regex+Entropy) | Scanner | `SecretsAnalyzer.cs`, `RegexDetector.cs`, `EntropyDetector.cs`, `CompositeSecretDetector.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Dpkg (Debian/Ubuntu) | Scanner | `DpkgPackageAnalyzer.cs`, `DpkgStatusParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Apk (Alpine) | Scanner | `ApkPackageAnalyzer.cs`, `ApkDatabaseParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - RPM (RHEL/CentOS) | Scanner | `RpmPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Homebrew (macOS) | Scanner | `HomebrewPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - macOS Bundles | Scanner | `MacOsBundleAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Windows (Chocolatey/MSI/WinSxS) | Scanner | `ChocolateyAnalyzer.cs`, `MsiAnalyzer.cs`, `WinSxSAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| Symbol-Level Vulnerability Matching | Scanner | `VulnSurfaceService.cs`, `AdvisorySymbolMapping.cs`, `AffectedSymbol.cs` | - | - | Scanning & Detection |
| SARIF 2.1.0 Export | Scanner | SARIF export in CLI | `stella scan sarif` | - | Scanning & Detection |
| Fidelity Upgrade (Quick->Standard->Deep) | Scanner | `FidelityAwareAnalyzer.UpgradeFidelityAsync()` | - | - | Scanning & Detection |
| OCI Multi-Architecture Support | Scanner | `OciImageInspector.cs` (amd64, arm64, etc.) | `stella image inspect` | - | Scanning & Detection |
| Symlink Resolution (32-level depth) | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| Whiteout File Support | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| NATS/Redis Scan Queue | Scanner | `NatsScanQueue.cs`, `RedisScanQueue.cs` | - | `/ops/scanner` | Operations |
| Determinism Controls | Scanner | `DeterminismContext.cs`, `DeterministicTimeProvider.cs`, `DeterministicRandomProvider.cs` | `stella scan replay` | `/ops/scanner` | Determinism & Reproducibility |
| Lease-Based Job Processing | Scanner | `LeaseHeartbeatService.cs`, `ScanJobProcessor.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| License-Risk Detection | Scanner | No | No | Planned Q4-2025 - not yet implemented |
| Secrets Detection | Scanner | Implicit | Implicit | Document in matrix (runs automatically during scan) |
| OS Package Analyzers | Scanner | Implicit | Implicit | Document in matrix (6 OS-level analyzers) |
| Symbol-Level Matching | Scanner | No | No | Advanced feature - consider exposing in findings detail |
| SARIF Export | Scanner | Yes | No | Consider adding SARIF download in UI |
| Concurrent Worker Config | Scanner | No | Yes | CLI option for worker count would help CI/CD |

---

## Batch 3: Reachability Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 8-State Reachability Lattice | Reachability.Core | `ReachabilityLattice.cs` (28 state transitions) | - | `/reachability` | Reachability Analysis |
| Confidence Calculator | Reachability.Core | `ConfidenceCalculator.cs` (path/guard/hit bonuses) | - | - | Reachability Analysis |
| Evidence Weighted Score (EWS) | Signals | `EvidenceWeightedScoreCalculator.cs` (6 dimensions: RCH/RTS/BKP/XPL/SRC/MIT) | - | - | Scoring & Risk |
| Attested Reduction Scoring | Signals | VEX anchoring with short-circuit rules | - | - | Scoring & Risk |
| Hybrid Reachability Query | Reachability.Core | `IReachabilityIndex.cs` (static/runtime/hybrid/batch modes) | `stella reachgraph slice` | `/reachability` | Reachability Analysis |
| Reachability Replay/Verify | ReachGraph | `IReachabilityReplayService.VerifyAsync()` | `stella reachgraph replay/verify` | - | Determinism & Reproducibility |
| Graph Triple-Layer Storage | ReachGraph | `ReachGraphStoreService.cs` (Cache->DB->Archive) | - | - | Operations |
| Per-Graph Signing | ReachGraph | SHA256 artifact/provenance digests | - | - | Attestation & Signing |
| GraphViz/Mermaid Export | CLI | `stella reachability show --format dot/mermaid` | `stella reachability show` | - | Reachability Analysis |
| Reachability Drift Alerts | Docs | `19-reachability-drift-alert-flow.md` (state transition monitoring) | `stella drift` | - | Reachability Analysis |
| Evidence URIs | ReachGraph | `stella://reachgraph/{digest}/slice/{symbolId}` format | - | - | Evidence & Findings |
| Environment Guard Detection | Scanner | 20+ patterns (process.env, sys.platform, etc.) | - | `/reachability` | Reachability Analysis |
| Dynamic Loading Detection | Scanner | require(variable), import(variable), Class.forName() | - | - | Reachability Analysis |
| Reflection Call Detection | Scanner | Confidence scoring 0.5-0.6 for dynamic paths | - | - | Reachability Analysis |
| EWS Guardrails | Signals | Speculative cap (45), not-affected cap (15), runtime floor (60) | - | - | Scoring & Risk |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Runtime Signal Correlation | Signals | No | Yes | Add `stella signals inspect` command |
| Gate Detection | Scanner | No | Yes | Consider `stella reachability guards` command |
| Path Witness Generation | ReachGraph | Yes | No | Add witness path visualization in UI |
| Confidence Calculator | Reachability.Core | No | No | Internal implementation - consider exposing in findings |
| Evidence Weighted Score | Signals | No | Partial | Add `stella score explain` command |
| Graph Triple-Layer Storage | ReachGraph | No | No | Ops concern - consider admin commands |

---

## Batch 4: Binary Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 4 Fingerprint Algorithm Types | BinaryIndex | `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Binary Analysis |
| Alpine Corpus Support | BinaryIndex | `AlpineCorpusConnector.cs` | - | - | Binary Analysis |
| VEX Evidence Bridge | BinaryIndex | `IVexEvidenceGenerator.cs` | - | - | VEX Processing |
| Delta Signature Matching | BinaryIndex | `LookupByDeltaSignatureAsync()` | `stella deltasig` | - | Binary Analysis |
| Symbol Hash Matching | BinaryIndex | `LookupBySymbolHashAsync()` | `stella binary symbols` | - | Binary Analysis |
| Corpus Function Identification | BinaryIndex | `IdentifyFunctionFromCorpusAsync()` | - | - | Binary Analysis |
| Binary Call Graph Extraction | BinaryIndex | `binary callgraph` command | `stella binary callgraph` | - | Binary Analysis |
| 3-Tier Identification Strategy | BinaryIndex | Package/Build-ID/Fingerprint tiers | - | - | Binary Analysis |
| Fingerprint Validation Stats | BinaryIndex | `FingerprintValidationStats.cs` (TP/FP/TN/FN) | - | - | Binary Analysis |
| Changelog CVE Parsing | BinaryIndex | `DebianChangelogParser.cs` (CVE pattern extraction) | - | - | Binary Analysis |
| Secfixes Parsing | BinaryIndex | `ISecfixesParser.cs` (Alpine format) | - | - | Binary Analysis |
| Batch Binary Operations | BinaryIndex | All lookup methods support batching | - | - | Binary Analysis |
| Binary Match Confidence Scoring | BinaryIndex | 0.0-1.0 confidence for all matches | - | - | Binary Analysis |
| Architecture-Aware Filtering | BinaryIndex | Match filtering by architecture | - | - | Binary Analysis |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Alpine Corpus | BinaryIndex | No | No | Add to matrix as additional corpus |
| Corpus Ingestion UI | BinaryIndex | No | No | Consider admin UI for corpus management |
| VEX Evidence Bridge | BinaryIndex | No | No | Internal integration - document in VEX section |
| Fingerprint Visualization | BinaryIndex | Yes | No | Consider UI for function fingerprint display |
| Batch Operations | BinaryIndex | No | No | Internal API - consider batch CLI commands |
| Delta Signatures | BinaryIndex | Yes | No | Consider UI integration for patch detection |

---

## Batch 5: Advisory Sources

### Discovered Features (Not in Matrix)

**CRITICAL: Matrix lists 11 sources, but codebase has 33+ connectors!**

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| **SUSE Connector** | Concelier | `Connector.Distro.Suse/` | `stella db fetch suse` | - | Advisory Sources |
| **Astra Linux Connector** | Concelier | `Connector.Astra/` (FSTEC-certified Russian) | `stella db fetch astra` | - | Advisory Sources |
| **Microsoft MSRC** | Concelier | `vndr.msrc` vendor connector | - | - | Advisory Sources |
| **Oracle Connector** | Concelier | `vndr.oracle` vendor connector | - | - | Advisory Sources |
| **Adobe Connector** | Concelier | `vndr.adobe` vendor connector | - | - | Advisory Sources |
| **Apple Connector** | Concelier | `vndr.apple` vendor connector | - | - | Advisory Sources |
| **Cisco Connector** | Concelier | `vndr.cisco` vendor connector | - | - | Advisory Sources |
| **Chromium Connector** | Concelier | `vndr.chromium` vendor connector | - | - | Advisory Sources |
| **VMware Connector** | Concelier | `vndr.vmware` vendor connector | - | - | Advisory Sources |
| **JVN (Japan) CERT** | Concelier | `Connector.Jvn/` | - | - | Advisory Sources |
| **ACSC (Australia) CERT** | Concelier | `Connector.Acsc/` | - | - | Advisory Sources |
| **CCCS (Canada) CERT** | Concelier | `Connector.Cccs/` | - | - | Advisory Sources |
| **CertFr (France) CERT** | Concelier | `Connector.CertFr/` | - | - | Advisory Sources |
| **CertBund (Germany) CERT** | Concelier | `Connector.CertBund/` | - | - | Advisory Sources |
| **CertCc CERT** | Concelier | `Connector.CertCc/` | - | - | Advisory Sources |
| **CertIn (India) CERT** | Concelier | `Connector.CertIn/` | - | - | Advisory Sources |
| **RU-BDU (Russia) CERT** | Concelier | `Connector.Ru.Bdu/` | - | - | Advisory Sources |
| **RU-NKCKI (Russia) CERT** | Concelier | `Connector.Ru.Nkcki/` | - | - | Advisory Sources |
| **KISA (South Korea) CERT** | Concelier | `Connector.Kisa/` | - | - | Advisory Sources |
| **ICS-CISA (Industrial)** | Concelier | `Connector.Ics.Cisa/` | - | - | Advisory Sources |
| **ICS-Kaspersky (Industrial)** | Concelier | `Connector.Ics.Kaspersky/` | - | - | Advisory Sources |
| **StellaOpsMirror (Internal)** | Concelier | `Connector.StellaOpsMirror/` | - | - | Advisory Sources |
| Backport-Aware Precedence | Concelier | `ConfigurableSourcePrecedenceLattice.cs` | - | - | Advisory Sources |
| Link-Not-Merge Architecture | Concelier | Transitioning from merge to observation/linkset | - | - | Advisory Sources |
| Canonical Deduplication | Concelier | `ICanonicalAdvisoryService`, `CanonicalMerger.cs` | - | - | Advisory Sources |
| Change History Tracking | Concelier | `IChangeHistoryStore` (field-level diffs) | - | - | Advisory Sources |
| Feed Epoch Events | Concelier | `FeedEpochAdvancedEvent` (Provcache invalidation) | - | - | Advisory Sources |
| JSON Exporter | Concelier | `Exporter.Json/` (manifest-driven export) | `stella db export json` | - | Offline & Air-Gap |
| Trivy DB Exporter | Concelier | `Exporter.TrivyDb/` | `stella db export trivy` | - | Offline & Air-Gap |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| **22+ Connectors Missing from Matrix** | Concelier | Partial | No | ADD TO MATRIX - major documentation gap |
| Vendor PSIRTs (7 connectors) | Concelier | No | No | Add vendor section to matrix |
| Regional CERTs (11 connectors) | Concelier | No | No | Add regional CERT section to matrix |
| Industrial/ICS (2 connectors) | Concelier | No | No | Add ICS section to matrix |
| Link-Not-Merge Transition | Concelier | No | No | Document new architecture in matrix |
| Backport Precedence | Concelier | No | No | Document in merge engine section |
| Change History | Concelier | No | No | Consider audit trail UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md seriously underrepresents Concelier capabilities:
- **Listed:** 11 sources
- **Actual:** 33+ connectors

Recommended additions:
1. Add "Vendor PSIRTs" section (Microsoft, Oracle, Adobe, Apple, Cisco, Chromium, VMware)
2. Add "Regional CERTs" section (JVN, ACSC, CCCS, CertFr, CertBund, CertIn, RU-BDU, KISA, etc.)
3. Add "Industrial/ICS" section (ICS-CISA, ICS-Kaspersky)
4. Add "Additional Distros" section (SUSE, Astra Linux)
5. Document backport-aware precedence configuration

---

## Batch 6: VEX Processing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| VEX Consensus Engine (5-state lattice) | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | VEX Processing |
| Trust Decay Service | VexLens | `TrustDecayService.cs`, `TrustDecayCalculator.cs` | - | - | VEX Processing |
| Noise Gate Service | VexLens | `NoiseGateService.cs` | - | `/vex` | VEX Processing |
| Consensus Rationale Service | VexLens | `IConsensusRationaleService.cs`, `ConsensusRationaleModels.cs` | - | `/vex` | VEX Processing |
| VEX Linkset Extraction | Excititor | `VexLinksetExtractionService.cs` | - | - | VEX Processing |
| VEX Linkset Disagreement Detection | Excititor | `VexLinksetDisagreementService.cs` | - | `/vex` | VEX Processing |
| VEX Statement Backfill | Excititor | `VexStatementBackfillService.cs` | - | - | VEX Processing |
| VEX Evidence Chunking | Excititor | `VexEvidenceChunkService.cs` | - | - | VEX Processing |
| Auto-VEX Downgrade | Excititor | `AutoVexDowngradeService.cs` | - | - | VEX Processing |
| Risk Feed Service | Excititor | `RiskFeedService.cs`, `RiskFeedEndpoints.cs` | - | - | VEX Processing |
| Trust Calibration Service | Excititor | `TrustCalibrationService.cs` | - | - | VEX Processing |
| VEX Hashing Service (deterministic) | Excititor | `VexHashingService.cs` | - | - | VEX Processing |
| CSAF Provider Connectors (7 total) | Excititor | `Connectors.*.CSAF/` (RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE) | - | - | VEX Processing |
| OCI OpenVEX Attestation Connector | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | - | VEX Processing |
| Issuer Key Lifecycle Management | IssuerDirectory | Key create/rotate/revoke endpoints | - | `/issuer-directory` | VEX Processing |
| Issuer Trust Override | IssuerDirectory | Trust override endpoints | - | `/issuer-directory` | VEX Processing |
| CSAF Publisher Bootstrap | IssuerDirectory | `csaf-publishers.json` seeding | - | - | VEX Processing |
| VEX Webhook Distribution | VexHub | `IWebhookService.cs`, `IWebhookSubscriptionRepository.cs` | - | - | VEX Processing |
| VEX Conflict Flagging | VexHub | `IStatementFlaggingService.cs` | - | - | VEX Processing |
| VEX from Drift Generation | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | VEX Processing |
| VEX Decision Signing | Policy | `VexDecisionSigningService.cs` | - | - | Policy Engine |
| VEX Proof Spine | Policy | `VexProofSpineService.cs` | - | - | Policy Engine |
| Consensus Propagation Rules | VexLens | `IPropagationRuleEngine.cs` | - | - | VEX Processing |
| Consensus Delta Computation | VexLens | `VexDeltaComputeService.cs` | - | - | VEX Processing |
| Triple-Layer Consensus Storage | VexLens | Cache->DB->Archive with `IConsensusProjectionStore.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| CSAF Provider Connectors | Excititor | No | No | Consider connector status UI in ops |
| Trust Weight Configuration | VexLens | No | Partial | Add `stella vex trust configure` command |
| VEX Distribution Webhooks | VexHub | No | No | Add webhook management UI/CLI |
| Conflict Resolution | VexLens | No | Partial | Interactive conflict resolution needed |
| Issuer Key Management | IssuerDirectory | No | Yes | Add `stella issuer keys` CLI |
| Risk Feed Distribution | Excititor | No | No | Consider risk feed CLI |
| Consensus Replay/Verify | VexLens | No | No | Add `stella vex verify` command |
| VEX Evidence Export | Excititor | No | No | Add `stella vex evidence export` |

### Matrix Update Recommendations

The FEATURE_MATRIX.md VEX section is significantly underspecified:
- **Listed:** Basic VEX support (OpenVEX, CSAF, CycloneDX)
- **Actual:** Full consensus engine with 5-state lattice, 9 trust factors, 7 CSAF connectors, conflict detection, issuer registry

Recommended additions:
1. Add "VEX Consensus Engine" as major feature (VexLens)
2. Add "Trust Weight Scoring" with 9 factors documented
3. Add "CSAF Provider Connectors" section (7 vendors)
4. Add "Issuer Trust Registry" (IssuerDirectory)
5. Add "VEX Distribution" (VexHub webhooks)
6. Document AOC (Aggregation-Only Contract) compliance
7. Add "VEX from Drift" generation capability

---

## Batch 7: Policy Engine

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| K4 Lattice (Belnap Four-Valued Logic) | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs`, `ClaimScoreMerger.cs` | - | `/policy` | Policy Engine |
| 10+ Policy Gate Types | Policy | `PolicyGateEvaluator.cs`, various *Gate.cs files | - | `/policy` | Policy Engine |
| Uncertainty Score Calculator | Policy.Determinization | `UncertaintyScoreCalculator.cs` (entropy 0.0-1.0) | - | - | Policy Engine |
| Decayed Confidence Calculator | Policy.Determinization | `DecayedConfidenceCalculator.cs` (14-day half-life) | - | - | Policy Engine |
| 6 Evidence Types | Policy.Determinization | `BackportEvidence.cs`, `CvssEvidence.cs`, `EpssEvidence.cs`, etc. | - | - | Policy Engine |
| 6 Risk Score Providers | RiskEngine | `CvssKevProvider.cs`, `EpssProvider.cs`, `FixChainRiskProvider.cs` | - | `/risk` | Scoring & Risk |
| FixChain Risk Metrics | RiskEngine | `FixChainRiskMetrics.cs`, `FixChainRiskDisplay.cs` | - | - | Scoring & Risk |
| Exception Effect Registry | Policy | `ExceptionEffectRegistry.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Policy Engine |
| Exception Approval Rules | Policy | `IExceptionApprovalRulesService.cs` | - | `/policy/exceptions` | Policy Engine |
| Policy Simulation Service | Policy.Registry | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Policy Engine |
| Policy Promotion Pipeline | Policy.Registry | `IPromotionService.cs`, `IPublishPipelineService.cs` | - | - | Policy Engine |
| Review Workflow Service | Policy.Registry | `IReviewWorkflowService.cs` | - | - | Policy Engine |
| Sealed Mode Service | Policy | `ISealedModeService.cs` | - | `/ops` | Offline & Air-Gap |
| Verdict Attestation Service | Policy | `IVerdictAttestationService.cs` | - | - | Attestation & Signing |
| Policy Decision Attestation | Policy | `IPolicyDecisionAttestationService.cs` (DSSE/Rekor) | - | - | Attestation & Signing |
| Score Policy YAML Config | Policy | `ScorePolicyModels.cs`, `ScorePolicyLoader.cs` | `stella policy validate` | `/policy` | Policy Engine |
| Profile-Aware Scoring | Policy.Scoring | `ProfileAwareScoringService.cs`, `ScoringProfileService.cs` | - | - | Policy Engine |
| Freshness-Aware Scoring | Policy | `FreshnessAwareScoringService.cs` | - | - | Policy Engine |
| Jurisdiction Trust Rules | Policy.Vex | `JurisdictionTrustRules.cs` | - | - | Policy Engine |
| VEX Customer Override | Policy.Vex | `VexCustomerOverride.cs` | - | - | Policy Engine |
| Attestation Report Service | Policy | `IAttestationReportService.cs` | - | - | Attestation & Signing |
| Risk Scoring Trigger Service | Policy.Scoring | `RiskScoringTriggerService.cs` | - | - | Scoring & Risk |
| Policy Lint Endpoint | Policy | `/policy/lint` | - | - | Policy Engine |
| Policy Determinism Verification | Policy | `/policy/verify-determinism` | - | - | Determinism & Reproducibility |
| AdvisoryAI Knobs Endpoint | Policy | `/policy/advisory-ai/knobs` | - | - | Policy Engine |
| Stability Damping Gate | Policy | `StabilityDampingGate.cs` | - | - | Policy Engine |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| K4 Lattice Operations | Policy | No | Partial | Add `stella policy lattice explain` for debugging |
| Risk Provider Configuration | RiskEngine | No | No | Provider configuration needs CLI/UI exposure |
| Exception Approval Workflow | Policy | No | Yes | Add `stella policy exception approve/reject` CLI |
| Determinization Signal Weights | Policy | No | No | Allow signal weight tuning via CLI/config |
| Policy Pack Promotion | Policy.Registry | No | Partial | Add `stella policy promote` CLI |
| Score Policy Tuning | Policy.Scoring | Partial | Partial | Expand `stella policy` commands |
| Verdict Attestation Export | Policy | No | No | Add `stella policy verdicts export` |
| Risk Scoring History | RiskEngine | No | Partial | Consider historical trend CLI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Policy section covers basics but misses advanced features:
- **Listed:** Basic policy evaluation, exceptions
- **Actual:** Full K4 lattice, 10+ gate types, 6 risk providers, determinization system

Recommended additions:
1. Add "K4 Lattice Logic" as core feature (Belnap four-valued logic)
2. Add "Policy Gate Types" section (10+ specialized gates)
3. Add "Risk Score Providers" section (6 providers with distinct purposes)
4. Add "Determinization System" (signal weights, decay, uncertainty)
5. Add "Score Policy Configuration" (YAML-based policy tuning)
6. Add "Policy Simulation" as distinct feature
7. Add "Verdict Attestations" (DSSE/Rekor integration)
8. Document "Sealed Mode" for air-gap operations

---

## Batch 8: Attestation & Signing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 25+ Predicate Types | Attestor | `StellaOps.Attestor.ProofChain/Predicates/` | - | - | Attestation & Signing |
| Keyless Signing (Fulcio) | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Attestation & Signing |
| Ephemeral Key Generation | Signer.Keyless | `EphemeralKeyGenerator.cs`, `EphemeralKeyPair.cs` | - | - | Attestation & Signing |
| OIDC Token Provider | Signer.Keyless | `IOidcTokenProvider.cs`, `AmbientOidcTokenProvider.cs` | - | - | Attestation & Signing |
| Key Rotation Service | Signer.KeyManagement | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` API | - | Attestation & Signing |
| Trust Anchor Manager | Signer.KeyManagement | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Attestation & Signing |
| Delta Attestations (4 types) | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Attestation & Signing |
| Layer Attestation Service | Attestor | `ILayerAttestationService.cs` | - | - | Attestation & Signing |
| Attestation Chain Builder | Attestor | `AttestationChainBuilder.cs`, `AttestationChainValidator.cs` | - | - | Attestation & Signing |
| Attestation Link Store | Attestor | `IAttestationLinkStore.cs`, `IAttestationLinkResolver.cs` | - | - | Attestation & Signing |
| Rekor Submission Queue | Attestor | `IRekorSubmissionQueue.cs` (durable retry) | - | - | Attestation & Signing |
| Cached Verification Service | Attestor | `CachedAttestorVerificationService.cs` | - | - | Attestation & Signing |
| Offline Bundle Service | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| Signer Quota Service | Signer | `ISignerQuotaService.cs` | - | - | Operations |
| Signer Audit Sink | Signer | `ISignerAuditSink.cs`, `InMemorySignerAuditSink.cs` | - | - | Operations |
| Proof of Entitlement | Signer | `IProofOfEntitlementIntrospector.cs` (JWT/MTLS) | - | - | Auth & Access Control |
| Release Integrity Verifier | Signer | `IReleaseIntegrityVerifier.cs` | - | - | Attestation & Signing |
| JSON Canonicalizer (RFC 8785) | Attestor | `JsonCanonicalizer.cs` | - | - | Determinism & Reproducibility |
| Predicate Type Router | Attestor | `IPredicateTypeRouter.cs`, `PredicateTypeRouter.cs` | - | - | Attestation & Signing |
| Standard Predicate Registry | Attestor | `IStandardPredicateRegistry.cs` | - | - | Attestation & Signing |
| HMAC Signing | Signer | `HmacDsseSigner.cs` | - | - | Attestation & Signing |
| SM2 Algorithm Support | Signer | `CryptoDsseSigner.cs` (SM2 branch) | - | - | Regional Crypto |
| Promotion Attestation | Provenance | `PromotionAttestation.cs` | - | - | Release Orchestration |
| Cosign/KMS Signer | Provenance | `CosignAndKmsSigner.cs` | - | - | Attestation & Signing |
| Rotating Signer | Provenance | `RotatingSigner.cs` | - | - | Attestation & Signing |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Key Rotation | Signer | No | No | Add `stella keys rotate` CLI command |
| Trust Anchor Management | Signer | No | No | Add `stella trust-anchors` commands |
| Attestation Chain Visualization | Attestor | No | Partial | Add chain visualization UI |
| Predicate Registry Browser | Attestor | No | No | Add `stella attest predicates list` |
| Delta Attestation CLI | Attestor | No | No | Add `stella attest delta` commands |
| Signer Audit Logs | Signer | No | No | Add `stella sign audit` command |
| Rekor Submission Status | Attestor | No | No | Add submission queue status UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Attestation section lists basic DSSE/in-toto support:
- **Listed:** Basic attestation attach/verify, SLSA provenance
- **Actual:** 25+ predicate types, keyless signing, key rotation, attestation chains

Recommended additions:
1. Add "Predicate Types" section (25+ types documented)
2. Add "Keyless Signing (Sigstore)" as major feature
3. Add "Key Rotation Service" for Enterprise tier
4. Add "Trust Anchor Management" for Enterprise tier
5. Add "Attestation Chains" feature
6. Add "Delta Attestations" (VEX/SBOM/Verdict/Reachability)
7. Document "Offline Bundle Service" for air-gap
8. Add "SM2 Algorithm Support" in Regional Crypto section

---

## Batch 9: Regional Crypto

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 8 Signature Profiles | Cryptography | `SignatureProfile.cs` | - | - | Regional Crypto |
| Ed25519 Baseline Signing | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Regional Crypto |
| ECDSA P-256 Profile | Cryptography | `EcdsaP256Signer.cs` | - | - | Regional Crypto |
| FIPS 140-2 Plugin | Cryptography | `FipsPlugin.cs` | - | - | Regional Crypto |
| GOST R 34.10-2012 Plugin | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM2/SM3/SM4 Plugin | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |
| eIDAS Plugin (CAdES/XAdES) | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| HSM Plugin (PKCS#11) | Cryptography | `HsmPlugin.cs` (simulated + production) | - | - | Regional Crypto |
| CryptoPro GOST (Windows) | Cryptography | `CryptoProGostCryptoProvider.cs` | - | - | Regional Crypto |
| Multi-Profile Signing | Cryptography | `MultiProfileSigner.cs` | - | - | Regional Crypto |
| SM Remote Service | SmRemote | `Program.cs` | - | - | Regional Crypto |
| Post-Quantum Profiles (Defined) | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Regional Crypto |
| RFC 3161 TSA Integration | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| Simulated HSM Client | Cryptography | `SimulatedHsmClient.cs` | - | - | Regional Crypto |
| GOST Block Cipher (28147-89) | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM4 Encryption (CBC/ECB/GCM) | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Crypto Profile Selection | Cryptography | No | No | Add `stella crypto profiles` command |
| Plugin Health Check | Cryptography | No | No | Add plugin status endpoint |
| Key Management CLI | Cryptography | No | No | Add `stella keys` commands |
| HSM Status | Cryptography | No | No | Add HSM health monitoring |
| Post-Quantum Implementation | Cryptography | No | No | Implement Dilithium/Falcon when stable |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Regional Crypto section mentions only FIPS/eIDAS/GOST:
- **Listed:** Basic regional compliance mentions
- **Actual:** 8 signature profiles, 6 plugins, HSM support, post-quantum readiness

Recommended additions:
1. Add "Signature Profiles" section (8 profiles documented)
2. Add "Plugin Architecture" description
3. Add "Multi-Profile Signing" capability (dual-stack signatures)
4. Add "SM Remote Service" for Chinese market
5. Add "Post-Quantum Readiness" (Dilithium, Falcon defined)
6. Add "HSM Integration" (PKCS#11 + simulation)
7. Document plugin configuration options
8. Add "CryptoPro GOST" for Windows environments

---

## Batch 10: Evidence & Findings

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| WORM Storage (S3 Object Lock) | EvidenceLocker | `S3EvidenceObjectStore.cs` | - | - | Evidence & Findings |
| Verdict Attestations (DSSE) | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Evidence & Findings |
| Append-Only Ledger Events | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Evidence & Findings |
| Alert Triage Bands (hot/warm/cold) | Findings | `DecisionModels.cs` | - | `/findings` | Evidence & Findings |
| Merkle Anchoring | Findings | `Infrastructure/Merkle/` | - | - | Evidence & Findings |
| Evidence Holds (Legal) | EvidenceLocker | `EvidenceHold.cs` | - | - | Evidence & Findings |
| Evidence Pack Service | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Evidence & Findings |
| Evidence Card Service | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Evidence & Findings |
| Profile-Based Export | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | Evidence & Findings |
| Risk Bundle Export | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Evidence & Findings |
| Audit Bundle Export | ExportCenter | `AuditBundleEndpoints.cs` | - | - | Evidence & Findings |
| Lineage Evidence Export | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Evidence & Findings |
| SSE Export Streaming | ExportCenter | Real-time run events | - | - | Evidence & Findings |
| Incident Mode | Findings | `IIncidentModeState.cs` | - | - | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Evidence Holds | EvidenceLocker | No | No | Add legal hold management CLI |
| Audit Bundle Export | ExportCenter | No | Partial | Add `stella export audit` command |
| Incident Mode | Findings | No | No | Add `stella findings incident` commands |

---

## Batch 11: Determinism & Replay

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Hybrid Logical Clock | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Determinism & Replay |
| HLC State Persistence | HybridLogicalClock | `IHlcStateStore.cs` | - | - | Determinism & Replay |
| Canonical JSON (RFC 8785) | Canonical.Json | `CanonJson.cs`, `CanonVersion.cs` | - | - | Determinism & Replay |
| Replay Manifests V1/V2 | Replay.Core | `ReplayManifest.cs` | `stella scan replay` | - | Determinism & Replay |
| Knowledge Snapshots | Replay.Core | `KnowledgeSnapshot.cs` | - | - | Determinism & Replay |
| Replay Proofs (DSSE) | Replay.Core | `ReplayProof.cs` | `stella prove` | - | Determinism & Replay |
| Evidence Weighted Scoring (6 factors) | Signals | `EvidenceWeightedScoreCalculator.cs` | - | - | Scoring & Risk |
| Score Buckets (ActNow/ScheduleNext/Investigate/Watchlist) | Signals | Scoring algorithm | - | - | Scoring & Risk |
| Attested Reduction (short-circuit) | Signals | VEX anchoring logic | - | - | Scoring & Risk |
| Timeline Events | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Determinism & Replay |
| Deterministic Event IDs | Eventing | `EventIdGenerator.cs` (SHA-256) | - | - | Determinism & Replay |
| Transactional Outbox | Eventing | `TimelineOutboxProcessor.cs` | - | - | Determinism & Replay |
| Event Signing (DSSE) | Eventing | `IEventSigner.cs` | - | - | Determinism & Replay |
| Replay Bundle Writer | Replay.Core | `StellaReplayBundleWriter.cs` (tar.zst) | - | - | Determinism & Replay |
| Dead Letter Replay | Orchestrator | `IReplayManager.cs`, `ReplayManager.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| HLC Inspection | HybridLogicalClock | No | No | Add `stella hlc status` command |
| Timeline Events | Eventing | No | No | Add `stella timeline query` command |
| Scoring Explanation | Signals | No | No | Add `stella score explain` command |

---

## Batch 12: Operations

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Impact Index (Roaring bitmaps) | Scheduler | `IImpactIndex.cs` | - | - | Operations |
| Graph Build/Overlay Jobs | Scheduler | `IGraphJobService.cs` | - | `/ops/scheduler` | Operations |
| Run Preview (dry-run) | Scheduler | `RunEndpoints.cs` | - | - | Operations |
| SSE Run Streaming | Scheduler | `/runs/{runId}/stream` | - | - | Operations |
| Job Repository | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Operations |
| Lease Management | Orchestrator | `LeaseNextAsync()`, `ExtendLeaseAsync()` | - | - | Operations |
| Dead Letter Classification | Orchestrator | `DeadLetterEntry.cs` | - | `/orchestrator` | Operations |
| First Signal Service | Orchestrator | `IFirstSignalService.cs` | - | - | Operations |
| Task Pack Execution | TaskRunner | `ITaskRunnerClient.cs` | - | - | Operations |
| Plan-Hash Binding | TaskRunner | Deterministic validation | - | - | Operations |
| Approval Gates | TaskRunner | `ApprovalDecisionRequest.cs` | - | - | Operations |
| Artifact Capture | TaskRunner | Digest tracking | - | - | Operations |
| Timeline Query Service | TimelineIndexer | `ITimelineQueryService.cs` | - | - | Operations |
| Timeline Ingestion | TimelineIndexer | `ITimelineIngestionService.cs` | - | - | Operations |
| Token-Bucket Rate Limiting | Orchestrator | Adaptive refill per tenant | - | - | Operations |
| Job Watermarks | Orchestrator | Ordering guarantees | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Impact Preview | Scheduler | No | Partial | Add `stella scheduler preview` command |
| Job Management | Orchestrator | No | Yes | Add `stella orchestrator jobs` commands |
| Dead Letter Operations | Orchestrator | No | Yes | Add `stella orchestrator deadletter` commands |
| TaskRunner CLI | TaskRunner | No | No | Add `stella taskrunner` commands |
| Timeline Query CLI | TimelineIndexer | No | No | Add `stella timeline` commands |

---

## Batch 13: Release Orchestration

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Environment Bundles | ReleaseOrchestrator | `IEnvironmentBundleService.cs`, `EnvironmentBundle.cs` | - | `/releases` | Release Orchestration |
| Promotion Workflows | ReleaseOrchestrator | `IPromotionWorkflowService.cs`, `PromotionRequest.cs` | - | `/releases` | Release Orchestration |
| Rollback Service | ReleaseOrchestrator | `IRollbackService.cs`, `RollbackRequest.cs` | - | `/releases` | Release Orchestration |
| Deployment Agents (Docker/Compose/ECS/Nomad) | ReleaseOrchestrator | `IDeploymentAgent.cs`, various agent implementations | - | `/releases` | Release Orchestration |
| Progressive Delivery (A/B, Canary) | ReleaseOrchestrator | `IProgressiveDeliveryService.cs` | - | `/releases` | Release Orchestration |
| Hook System (Pre/Post Deploy) | ReleaseOrchestrator | `IHookExecutionService.cs`, `Hook.cs` | - | `/releases` | Release Orchestration |
| Approval Gates (Multi-Stage) | ReleaseOrchestrator | `IApprovalGateService.cs`, `ApprovalGate.cs` | - | `/releases` | Release Orchestration |
| Release Bundle Signing | ReleaseOrchestrator | `IReleaseBundleSigningService.cs` | - | - | Release Orchestration |
| Environment Promotion History | ReleaseOrchestrator | `IPromotionHistoryService.cs` | - | `/releases` | Release Orchestration |
| Deployment Lock Service | ReleaseOrchestrator | `IDeploymentLockService.cs` | - | - | Release Orchestration |
| Release Manifest Generation | ReleaseOrchestrator | `IReleaseManifestService.cs` | - | - | Release Orchestration |
| Promotion Attestations | ReleaseOrchestrator | `PromotionAttestation.cs` | - | - | Attestation & Signing |
| Environment Health Checks | ReleaseOrchestrator | `IEnvironmentHealthService.cs` | - | `/releases` | Release Orchestration |
| Deployment Verification Tests | ReleaseOrchestrator | `IVerificationTestService.cs` | - | - | Release Orchestration |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Release Bundle Creation | ReleaseOrchestrator | No | Partial | Add `stella release create` command |
| Environment Promotion | ReleaseOrchestrator | No | Yes | Add `stella release promote` command |
| Rollback Operations | ReleaseOrchestrator | No | Yes | Add `stella release rollback` command |
| Hook Management | ReleaseOrchestrator | No | Partial | Add `stella release hooks` commands |
| Deployment Agent Status | ReleaseOrchestrator | No | Partial | Add `stella agent status` command |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Release Orchestration section is largely planned:
- **Listed:** Basic environment management concepts
- **Actual:** Full promotion workflow, deployment agents, progressive delivery

Recommended additions:
1. Add "Deployment Agents" section (Docker, Compose, ECS, Nomad)
2. Add "Progressive Delivery" (A/B, Canary strategies)
3. Add "Approval Gates" (multi-stage approvals)
4. Add "Hook System" (pre/post deployment hooks)
5. Add "Promotion Attestations" (DSSE signing of promotions)
6. Document "Environment Health Checks"

---

## Batch 14: Auth & Access Control

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 75+ Authorization Scopes | Authority | `AuthorizationScopeConstants.cs` | - | `/admin/roles` | Auth & Access Control |
| DPoP Sender Constraints | Authority | `DPoPService.cs`, `DPoPValidator.cs` | - | - | Auth & Access Control |
| mTLS Sender Constraints | Authority | `MtlsClientCertificateValidator.cs` | - | - | Auth & Access Control |
| Device Authorization Flow | Authority | `DeviceAuthorizationEndpoints.cs` | - | `/login` | Auth & Access Control |
| JWT Profile for OAuth | Authority | `JwtBearerClientAssertionValidator.cs` | - | - | Auth & Access Control |
| PAR (Pushed Authorization Requests) | Authority | `ParEndpoints.cs` | - | - | Auth & Access Control |
| Tenant Isolation | Authority | `ITenantContext.cs`, `TenantResolutionMiddleware.cs` | - | - | Auth & Access Control |
| Role-Based Access Control | Authority | `IRoleService.cs`, `Role.cs` | - | `/admin/roles` | Auth & Access Control |
| Permission Grant Service | Authority | `IPermissionGrantService.cs` | - | - | Auth & Access Control |
| Token Introspection | Authority | `TokenIntrospectionEndpoints.cs` | - | - | Auth & Access Control |
| Token Revocation | Authority | `TokenRevocationEndpoints.cs` | - | - | Auth & Access Control |
| OAuth Client Management | Authority | `IClientRepository.cs`, `Client.cs` | - | `/admin/clients` | Auth & Access Control |
| User Federation (LDAP/SAML) | Authority | `IFederationProvider.cs` | - | `/admin/federation` | Auth & Access Control |
| Session Management | Authority | `ISessionStore.cs`, `Session.cs` | - | - | Auth & Access Control |
| Consent Management | Authority | `IConsentStore.cs`, `Consent.cs` | - | `/consent` | Auth & Access Control |
| Registry Token Service | Registry | `ITokenService.cs`, `TokenModels.cs` | `stella registry login` | - | Auth & Access Control |
| Scope-Based Token Minting | Registry | Pull/push/catalog scope handling | - | - | Auth & Access Control |
| Token Refresh Flow | Authority | Refresh token rotation | - | - | Auth & Access Control |
| Multi-Factor Authentication | Authority | `IMfaService.cs` | - | `/login/mfa` | Auth & Access Control |
| API Key Management | Authority | `IApiKeyService.cs` | - | `/admin/api-keys` | Auth & Access Control |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Scope Management | Authority | No | Yes | Add `stella auth scopes` commands |
| DPoP Configuration | Authority | No | No | Add DPoP configuration documentation |
| Client Management | Authority | No | Yes | Add `stella auth clients` commands |
| Role Management | Authority | No | Yes | Add `stella auth roles` commands |
| API Key Operations | Authority | No | Yes | Add `stella auth api-keys` commands |
| Token Introspection | Authority | No | No | Add `stella auth token inspect` command |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Auth section covers basics but misses advanced features:
- **Listed:** Basic OAuth/OIDC, RBAC
- **Actual:** 75+ scopes, DPoP/mTLS, federation, advanced OAuth flows

Recommended additions:
1. Add "Authorization Scopes" section (75+ granular scopes)
2. Add "Sender Constraints" (DPoP, mTLS)
3. Add "Device Authorization Flow" for CLI/IoT
4. Add "User Federation" (LDAP, SAML integration)
5. Add "PAR Support" for security-conscious clients
6. Add "Multi-Factor Authentication"
7. Add "API Key Management" for service accounts
8. Document "Tenant Isolation" architecture

---

## Batch 15: Notifications & Integrations

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 10 Notification Channel Types | Notify | Email, Slack, Teams, Webhook, PagerDuty, SNS, SQS, Pub/Sub, Discord, Matrix | - | `/notifications` | Notifications |
| Template-Based Notifications | Notify | `INotificationTemplateService.cs`, `NotificationTemplate.cs` | - | `/notifications` | Notifications |
| Channel Routing Rules | Notify | `IChannelRoutingService.cs`, `RoutingRule.cs` | - | `/notifications` | Notifications |
| Delivery Receipt Tracking | Notify | `IDeliveryReceiptService.cs`, `DeliveryReceipt.cs` | - | - | Notifications |
| Notification Preferences | Notify | `IPreferenceService.cs`, `UserPreference.cs` | - | `/settings` | Notifications |
| Digest/Batch Notifications | Notify | `IDigestService.cs` | - | `/notifications` | Notifications |
| Kubernetes Admission Webhooks | Zastava | `AdmissionWebhookEndpoints.cs` | - | - | Integrations |
| OCI Registry Push Hooks | Zastava | `IWebhookProcessor.cs`, `RegistryPushEvent.cs` | - | - | Integrations |
| Scan-on-Push Trigger | Zastava | Auto-trigger scanning on registry push | - | - | Integrations |
| SCM Webhooks (GitHub/GitLab/Bitbucket) | Integrations | `IScmWebhookHandler.cs` | - | `/integrations` | Integrations |
| CI/CD Webhooks | Integrations | Jenkins, CircleCI, GitHub Actions integration | - | `/integrations` | Integrations |
| Issue Tracker Integration | Integrations | Jira, GitHub Issues, Linear integration | - | `/integrations` | Integrations |
| Slack App Integration | Integrations | `ISlackAppService.cs`, slash commands | - | `/integrations` | Integrations |
| MS Teams App Integration | Integrations | `ITeamsAppService.cs`, adaptive cards | - | `/integrations` | Integrations |
| Notification Studio | Notifier | Template design and preview | - | `/notifications/studio` | Notifications |
| Escalation Rules | Notify | `IEscalationService.cs` | - | `/notifications` | Notifications |
| On-Call Schedule Integration | Notify | PagerDuty, OpsGenie integration | - | `/notifications` | Notifications |
| Webhook Retry Logic | Notify | Exponential backoff, dead letter | - | - | Notifications |
| Event-Driven Notifications | Notify | Timeline event subscription | - | - | Notifications |
| Custom Webhook Payloads | Integrations | `IWebhookPayloadFormatter.cs` | - | `/integrations` | Integrations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Channel Configuration | Notify | No | Yes | Add `stella notify channels` commands |
| Template Management | Notify | No | Yes | Add `stella notify templates` commands |
| Webhook Testing | Integrations | No | Partial | Add `stella integrations test` command |
| K8s Webhook Installation | Zastava | No | No | Add `stella zastava install` command |
| Notification Preferences | Notify | No | Yes | Add `stella notify preferences` commands |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Notifications section is basic:
- **Listed:** Basic webhook/email notifications
- **Actual:** 10 channel types, template engine, routing rules, escalation

Recommended additions:
1. Add "Notification Channels" section (10 types)
2. Add "Template Engine" for customizable messages
3. Add "Channel Routing" for sophisticated delivery
4. Add "Escalation Rules" for incident response
5. Add "Notification Studio" for template design
6. Add "Kubernetes Admission Webhooks" (Zastava)
7. Add "SCM Integrations" (GitHub, GitLab, Bitbucket)
8. Add "CI/CD Integrations" (Jenkins, CircleCI, GitHub Actions)
9. Add "Issue Tracker Integration" (Jira, GitHub Issues)
10. Document "Scan-on-Push" auto-trigger

---

## Summary: Overall Matrix Gaps

### Major Documentation Gaps Identified

| Category | Matrix Coverage | Actual Coverage | Gap Severity |
|----------|-----------------|-----------------|--------------|
| Advisory Sources | 11 sources | 33+ connectors | **CRITICAL** |
| VEX Processing | Basic | Full consensus engine | **HIGH** |
| Attestation & Signing | Basic | 25+ predicates | **HIGH** |
| Auth Scopes | Basic RBAC | 75+ granular scopes | **HIGH** |
| Policy Engine | Basic | K4 lattice, 10+ gates | **MEDIUM** |
| Regional Crypto | 3 profiles | 8 profiles, 6 plugins | **MEDIUM** |
| Notifications | 2 channels | 10 channels | **MEDIUM** |
| Binary Analysis | Basic | 4 fingerprint algorithms | **MEDIUM** |
| Release Orchestration | Planned | Partially implemented | **LOW** |

### CLI/UI Coverage Statistics

| Metric | Value |
|--------|-------|
| Features with CLI | ~65% |
| Features with UI | ~70% |
| Features with both | ~55% |
| Internal-only features | ~25% |

### Recommended Next Steps

1. **Immediate**: Update Advisory Sources section (33+ connectors undocumented)
2. **High Priority**: Document VEX consensus engine capabilities
3. **High Priority**: Document attestation predicate types
4. **Medium Priority**: Update auth scopes documentation
5. **Medium Priority**: Complete policy engine documentation
6. **Low Priority**: Document internal operations features