# Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

## Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

### CVSS v4.0

- **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md
- **Status:** New sprint created

### SBOM/VEX Pipeline

- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
- **Supersedes:**
  - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive
  - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive
  - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive

### Rekor/DSSE Batch Sizing

- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
- **Supersedes:**
  - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate)

### Graph Revision IDs

- **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
- **Supersedes:**
  - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version)

### Reachability Benchmark (Public)

- **Canonical:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md
- **Related:**
  - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus)

### Unknowns Registry

- **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
- **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md`
- **Status:** Already implemented in Signals module; advisory validates design

### Confidence Decay for Prioritization

- **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md`
- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point)
- **Related:** Unknowns Registry (time-based decay complements ambiguity tracking)
- **Status:** Design advisory - provides exponential decay formula for priority freshness

### Explainability

- **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md`
- **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
- **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

### VEX Proofs

- **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)

### Binary Reachability

- **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md`
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)

### Scanner Roadmap

- **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
- **Sprint:** Multiple sprints (0186, 0401, 0512)
- **Status:** High-level roadmap document

### Vulnerability Triage UX & VEX-First Decisioning

- **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
- **Related Sprints:**
  - SPRINT_210_ui_ii.md (UI-LNM-22-003 VEX tab)
  - SPRINT_0334_docs_modules_vuln_explorer.md (docs)
- **Related Advisories:**
  - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain)
  - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX)
  - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs)
- **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
- **Schemas:**
  - `docs/schemas/vex-decision.schema.json`
  - `docs/schemas/attestation-vuln-scan.schema.json`
  - `docs/schemas/audit-bundle-index.schema.json`

### Sovereign Crypto for Regional Compliance

- **Canonical:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md`
- **Sprint:** SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
- **Related Docs:**
  - `docs/security/rootpack_ru_*.md` - RootPack RU documentation
  - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design
  - `docs/security/pq-provider-options.md` - Post-quantum options
- **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
- **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

### Plugin Architecture & Extensibility

- **Canonical:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md`
- **Sprint:** Foundational - appears in module-specific sprints
- **Related Docs:**
  - `docs/dev/plugins/README.md` - General plugin guide
  - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors
  - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins
  - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility
- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

### Evidence Bundle & Replay Contracts

- **Canonical:** `29-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
  - SPRINT_0160_0001_0001_export_evidence.md (Coordination)
- **Related Docs:**
  - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec
  - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
  - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
- **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

### Mirror & Offline Kit Strategy

- **Canonical:** `29-Nov-2025 - Mirror and Offline Kit Strategy.md`
- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles)
- **Related Sprints:**
  - SPRINT_0150_0001_0001 (DSSE/Time Anchors)
  - SPRINT_0150_0001_0002 (Time Anchors)
  - SPRINT_0150_0001_0003 (Orchestrator Hooks)
- **Related Docs:**
  - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec
  - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec
  - `docs/airgap/time-anchor-schema.json` - Time anchor schema
- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

### Task Pack Orchestration & Automation

- **Canonical:** `29-Nov-2025 - Task Pack Orchestration and Automation.md`
- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
- **Related Sprints:**
  - SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
  - SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
- **Related Docs:**
  - `docs/task-packs/spec.md` - Pack manifest specification
  - `docs/task-packs/authoring-guide.md` - Authoring workflow
  - `docs/task-packs/registry.md` - Registry architecture
- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

### Authentication & Authorization Architecture

- **Canonical:** `29-Nov-2025 - Authentication and Authorization Architecture.md`
- **Sprint:** Multiple (see below)
- **Related Sprints:**
  - SPRINT_100_identity_signing.md (CLOSED - historical)
  - SPRINT_314_docs_modules_authority.md (Docs)
  - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
- **Related Docs:**
  - `docs/modules/authority/architecture.md` - Module architecture
  - `docs/11_AUTHORITY.md` - Overview
  - `docs/security/authority-scopes.md` - Scope reference
  - `docs/security/dpop-mtls-rollout.md` - Sender constraints
- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

## Files Archived

The following files have been moved to `archived/27-Nov-2025-superseded/`:

```
# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md
```

## Cleanup Completed (2025-11-28)

The following issues were fixed:

- Deleted junk file: `24-Nov-2025 - 1 copy 2.md`
- Deleted malformed duplicate: `24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd`
- Fixed filename: `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` (was missing .md extension)

## Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---------------|-----------|--------|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |

## Implementation Priority

Based on gap analysis:

1. **P0 - CVSS v4.0** (Sprint 0190) - Industry moving to v4.0, genuine gap
2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance
3. **P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value
4. **P1 - Vuln Triage UX** (Sprint 0215) - Industry-aligned UX for competitive parity
5. **P1 - Sovereign Crypto** (Sprint 0514) - Regional compliance enablement
6. **P1 - Evidence Bundle & Replay** (Sprint 0161, 0187) - Audit/compliance critical
7. **P1 - Mirror & Offline Kit** (Sprint 0125, 0150) - Air-gap deployment critical
8. **P2 - Task Pack Orchestration** (Sprint 0157, 0158) - Automation foundation
9. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks
10. **P2 - Plugin Architecture** (Multiple) - Foundational extensibility patterns
11. **P2 - Auth/AuthZ Architecture** (Multiple) - Security consolidation
12. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching

## Implementer Quick Reference

For each topic, the implementer should read:

1. **Sprint file** - Contains task definitions, dependencies, working directories
2. **Documentation Prerequisites** - Listed in each sprint file
3. **Canonical advisory** - Full product context and rationale
4. **Module AGENTS.md** - If it exists, contains module-specific coding guidance

### Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|--------|-----------------|-----------|
| Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` |
| Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` |
| Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` |
| Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` |
| Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` |
| Vuln Explorer | `docs/modules/vuln-explorer/architecture.md` | `src/VulnExplorer/*/AGENTS.md` |
| VEX-Lens | `docs/modules/vex-lens/architecture.md` | `src/Excititor/*/AGENTS.md` |
| UI | `docs/modules/ui/architecture.md` | `src/UI/*/AGENTS.md` |
| Authority | `docs/modules/authority/architecture.md` | `src/Authority/*/AGENTS.md` |
| Evidence Locker | `docs/modules/evidence-locker/*.md` | `src/EvidenceLocker/*/AGENTS.md` |
| Mirror | `docs/modules/mirror/*.md` | `src/Mirror/*/AGENTS.md` |
| TaskRunner | `docs/modules/taskrunner/*.md` | `src/TaskRunner/*/AGENTS.md` |

## Topical Gaps (Advisory Needed)

The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:

| Gap | Severity | Status | Notes |
|-----|----------|--------|-------|
| ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` |
| ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` |
| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `29-Nov-2025 - Evidence Bundle and Replay Contracts.md` |
| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `29-Nov-2025 - Mirror and Offline Kit Strategy.md` |
| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `29-Nov-2025 - Task Pack Orchestration and Automation.md` |
| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `29-Nov-2025 - Authentication and Authorization Architecture.md` |
| **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |
| **Findings Ledger & Audit Trail** | MEDIUM | Open | Immutable verdict tracking; module exists but no advisory |
| **Runtime Posture & Observation** | MEDIUM | Open | Zastava runtime signals; sprints exist but no advisory |
| **Graph Analytics & Clustering** | MEDIUM | Open | Community detection, blast-radius; implementation underway |
| **Policy Simulation & Shadow Gates** | MEDIUM | Open | Impact modeling; extensive sprints but no contract advisory |
| **Notification Rules Engine** | MEDIUM | Open | Throttling, digests, templating; sprints active |

## Known Issues (Non-Blocking)

**Unicode Encoding Inconsistency:** Several filenames use en-dash (U+2011) instead of a regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:

- `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md`
- `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
- `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md`

**Archived Duplicate:** `archived/17-Nov-2025 - SBOM-Provenance-Spine.md` and `archived/18-Nov-2025 - SBOM-Provenance-Spine.md` are potential duplicates. The 18-Nov version is likely canonical.

---

*Index created: 2025-11-27*
*Last updated: 2025-11-29*