# Advisory Processing Report — 2025-12-20

**Role**: Product Manager
**Date**: 2025-12-20
**Status**: ANALYZED

---

## Executive Summary

Reviewed **7 unprocessed advisories** and **12 moat documents** from `docs/product-advisories/unprocessed/`. After cross-referencing with existing sprints, archived advisories, and implemented code, identified **3 new epic-level initiatives** and **5 enhancement opportunities** for existing features.

---

## 1. Advisories Reviewed

| File | Date | Primary Topic | Status |
|------|------|---------------|--------|
| Reimagining Proof‑Linked UX in Security Workflows | 2025-12-16 | Narrative-First Triage UX | ALREADY PROCESSED |
| Reachability Drift Detection | 2025-12-17 | Call graph drift between versions | NEW - ACTIONABLE |
| Designing Explainable Triage and Proof‑Linked Evidence | 2025-12-18 | Evidence-linked approvals | OVERLAPS w/ 12/16 |
| Branch · UX patterns worth borrowing | 2025-12-20 | Competitor UX analysis | REFERENCE ONLY |
| Testing strategy | 2025-12-20 | E2E testing strategy | NEW - ACTIONABLE |
| Moat #1 (Security Delta) | 2025-12-19 | Delta Verdicts as governance | NEW - STRATEGIC |
| Moat - Exception management | 2025-12-20 | Auditable exceptions | NEW - ACTIONABLE |
| Moat - Signed Replayable Verdicts | 2025-12-20 | Verdict attestations | PARTIAL OVERLAP |
| Moat - Knowledge Snapshots | 2025-12-20 | Time-travel replay | NEW - ACTIONABLE |
| Moat - Risk Budgets | 2025-12-20 | Diff-aware release gates | PARTIAL OVERLAP |

---

## 2. Cross-Reference with Existing Work

### 2.1 Already Implemented (Do Not Duplicate)

| Topic | Existing Implementation | Location |
|-------|------------------------|----------|
| Proof Ledger | ProofLedgerViewComponent | Sprint 3500.0004.0002 T1 |
| Reachability Explain | ReachabilityExplainWidget | Sprint 3500.0004.0002 T3 |
| Score Comparison | ScoreComparisonComponent | Sprint 3500.0004.0002 T4 |
| Proof Replay | ProofReplayDashboard | Sprint 3500.0004.0002 T5 |
| Material Risk Changes | MaterialRiskChangeDetector | Scanner.SmartDiff.Detection |
| VEX Lattice Merge | Excititor module | src/Excititor |
| Unknowns Registry | UnknownsService | Sprint 3500.0002.0002 |
| Call Graph Extraction | DotNetCallGraphExtractor, JavaCallGraphExtractor | Sprint 3500.0003.x |
| Semantic Entrypoints | Sprint 0411 | EntryTrace module |
| Temporal/Mesh Analysis | Sprint 0412 | EntryTrace module |
| Binary Intelligence | Sprint 0414 | EntryTrace module |
| Risk Scoring | Sprint 0415 | EntryTrace module |

### 2.2 Gaps Identified (New Work Required)

| Gap | Advisory Source | Priority | Complexity |
|-----|----------------|----------|------------|
| **Reachability Drift Detection** | 17-Dec advisory | HIGH | HIGH |
| **Exception Objects (Auditable)** | Moat Exception mgmt | HIGH | MEDIUM |
| **Knowledge Snapshots + Time-Travel** | Moat Knowledge Snapshots | HIGH | HIGH |
| **Delta Verdict Attestations** | Moat #1 | MEDIUM | MEDIUM |
| **Offline E2E Test Suite** | Testing strategy | MEDIUM | MEDIUM |
| **Code Change Facts Table** | 17-Dec advisory | MEDIUM | LOW |
| **Path Viewer UI Enhancement** | 17-Dec advisory | LOW | LOW |

---

## 3. Recommended New Epics

### Epic 3800: Reachability Drift Detection

**Justification**: The 17-Dec advisory identifies that reachability can change between versions even when vulnerability count stays the same. This is a significant moat differentiator.

**What's Missing** (per advisory gap analysis):
- `scanner.code_changes` table for AST-level diff facts
- `scanner.call_graph_snapshots` for per-scan graph cache
- `DriftCauseExplainer` service to attribute causes to code changes
- Cross-scan function-level drift (state drift exists, function-level doesn't)

**Scope**:
- Sprint 3800.0001.0001: Schema + Code Changes Table
- Sprint 3800.0001.0002: Call Graph Snapshot Service
- Sprint 3800.0002.0001: Drift Cause Explainer
- Sprint 3800.0002.0002: UI Integration

**Estimated Duration**: 4 weeks

---

### Epic 3900: Exception Management as Auditable Objects

**Justification**: The moat advisory explicitly states "Exception Objects" should be first-class, governed decisions — not .ignore files or UI toggles. This is critical for enterprise customers.

**What's Missing**:
- `policy.exceptions` table with full governance fields
- Exception lifecycle (proposed → approved → active → expired → revoked)
- Scope constraints (artifact digest, purl, environment)
- Time-bounded expiry enforcement
- Approval workflow integration
- Signed exception attestations

**Scope**:
- Sprint 3900.0001.0001: Schema + Exception Object Model
- Sprint 3900.0001.0002: Exception API (CRUD + approval workflow)
- Sprint 3900.0002.0001: Policy Engine Integration
- Sprint 3900.0002.0002: UI + Audit Pack Export

**Estimated Duration**: 4 weeks

---

### Epic 4000: Knowledge Snapshots + Time-Travel Replay

**Justification**: Multiple advisories emphasize that replayability requires pinned knowledge state (vuln feeds, VEX, policies). Current replay works for scores but not for full "time-travel" to a past knowledge state.

**What's Missing**:
- Content-addressed knowledge snapshot bundles
- Snapshot manifest with feed digests + policy versions
- Time-travel replay API that loads historical snapshots
- Evidence that the same inputs produce the same verdict

**Scope**:
- Sprint 4000.0001.0001: Knowledge Snapshot Model + Storage
- Sprint 4000.0001.0002: Snapshot Creation Service
- Sprint 4000.0002.0001: Time-Travel Replay API
- Sprint 4000.0002.0002: Verification + Audit Integration

**Estimated Duration**: 4 weeks

---

## 4. Enhancement Opportunities (Existing Features)

### 4.1 Delta Verdict Attestations

**Current State**: Score proofs exist and are signed via DSSE. Material risk changes are detected.

**Enhancement**: Create a formal "Delta Verdict" attestation that wraps:
- Baseline snapshot digest
- Target snapshot digest  
- Delta categories (SBOM/VEX/Reachability/Decision changes)
- Policy outcome with explanation
- Signed envelope

**Effort**: ~1 sprint (add to existing attestation infrastructure)

---

### 4.2 Offline E2E Test Suite

**Current State**: Integration tests exist (Sprint 3500.0004.0003). Air-gap tests are ad-hoc.

**Enhancement**: Formalize per the Testing Strategy advisory:
- Offline bundle spec (`bundle.json` with digests)
- No-egress CI jobs
- SBOM round-trip tests (Syft → cosign → Grype)
- Router backpressure chaos tests

**Effort**: ~1 sprint

---

### 4.3 VEX Conflict Studio UI

**Current State**: VEX merge happens in Excititor with lattice logic. No UI for conflict visualization.

**Enhancement**: Per UX advisory, add side-by-side VEX conflict view:
- Left: Vendor statement + provenance
- Right: Internal statement + provenance
- Middle: Merge result + rule that decided
- Evidence hooks checklist

**Effort**: ~1 sprint

---

## 5. Recommendations

### Immediate Actions (Next 2 Weeks)

1. **Create Sprint files for Epic 3800** (Reachability Drift) — highest impact moat
2. **Archive processed advisories** — move 16-Dec and 18-Dec to archive (already processed)
3. **Update moat.md** — sync key-features with new moat explanations

### Medium-Term (Next 4 Weeks)

4. **Create Sprint files for Epic 3900** (Exception Objects)
5. **Create Sprint files for Epic 4000** (Knowledge Snapshots)
6. **Add Delta Verdict attestation to existing proof infrastructure**

### Deferred (Roadmap)

7. Offline E2E test formalization
8. VEX Conflict Studio UI
9. Fleet-level blast radius visualization

---

## 6. Decision Required

**Question for Stakeholders**: Which epic should be prioritized first?

| Option | Epic | Business Value | Technical Risk |
|--------|------|----------------|----------------|
| A | 3800 Reachability Drift | HIGH (differentiator) | MEDIUM |
| B | 3900 Exception Objects | HIGH (enterprise) | LOW |
| C | 4000 Knowledge Snapshots | MEDIUM (audit) | HIGH |

**Recommendation**: Start with **Epic 3900 (Exception Objects)** due to lower risk and clear enterprise demand, then **Epic 3800 (Reachability Drift)** for moat differentiation.

---

## Appendix: Files to Archive

These advisories have been processed or are reference-only:

```
docs/product-advisories/unprocessed/16-Dec-2025 - Reimagining Proof‑Linked UX in Security Workflows.md
  → Already processed (Status: PROCESSED in file)

docs/product-advisories/unprocessed/18-Dec-2025 - Designing Explainable Triage and Proof‑Linked Evidence.md
  → Overlaps with 16-Dec, consolidate

docs/product-advisories/unprocessed/20-Dec-2025 - Branch · UX patterns worth borrowing from top scanners.md
  → Reference only, no actionable tasks
```

---

**Report Generated By**: StellaOps Agent (Product Manager Role)
**Next Step**: Await stakeholder decision on epic prioritization