# Findings Ledger Implementation Plan

## Purpose

Define the delivery plan for the Findings Ledger service, replay harness, observability, and air-gap provenance so audits can verify deterministic state reconstruction.

## Active work

- Runtime fake-removal work for Findings/RiskEngine was completed under `docs/implplan/SPRINT_20260415_006_DOCS_policy_findings_signer_real_backend_cutover.md`.
- Use `docs/modules/findings-ledger/gaps-FL1-FL10.md` for the remaining product-capability remediation backlog.

## Current host posture

- `RiskEngine.WebService` now runs against PostgreSQL outside `Testing`; in-memory result stores are test-only.
- `Findings.Ledger.WebService` non-testing hosts no longer fabricate scoring/webhook/runtime/VulnExplorer write state. Retired compatibility writes fail with truthful `501 problem+json`, while projection-backed reads remain served from persisted Findings state.
- The standalone `StellaOps.VulnExplorer.Api` host remains retired; no separate fake backend was reintroduced for legacy write flows.

## Near-term deliverables

- Observability baselines: metrics, logs, traces, dashboards, and alert rules per `docs/modules/findings-ledger/observability.md`.
- Determinism harness: replay CLI, fixtures, and signed reports per `docs/modules/findings-ledger/replay-harness.md`.
- Deployment collateral: Compose/Helm overlays, migrations, and backup/restore runbooks per `docs/modules/findings-ledger/deployment.md`.
- Provenance extensions: air-gap bundle metadata, staleness enforcement, and sealed-mode timeline entries per `docs/modules/findings-ledger/airgap-provenance.md`.

## Dependencies

- Observability schema approval for metrics and dashboards.
- Orchestrator export schema freeze for provenance linkage.
- QA lab capacity for >=5M findings/tenant replay harness.
- DevOps review of Compose/Helm overlays and offline kit packaging.

## Evidence of completion

- `src/Findings/StellaOps.Findings.Ledger` and `src/Findings/tools/LedgerReplayHarness` updated with deterministic behavior and tests.
- Replay harness reports (`harness-report.json` + DSSE) stored under approved offline kit locations.
- Dashboard JSON and alert rules committed under `offline/telemetry/dashboards/ledger` or `ops/devops/findings-ledger/**`.
- Deployment and backup guidance validated against `docs/modules/findings-ledger/deployment.md`.

## Reference docs

- `docs/modules/findings-ledger/schema.md`
- `docs/modules/findings-ledger/replay-harness.md`
- `docs/modules/findings-ledger/observability.md`
- `docs/modules/findings-ledger/deployment.md`
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/modules/findings-ledger/workflow-inference.md`