git.stella-ops.org/docs/product-advisories/ADVISORY_INDEX.md
StellaOps Bot 3488b22c0c
2025-11-29 11:08:08 +02:00


Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

CVSS v4.0

  • Canonical: 25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md
  • Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md
  • Status: New sprint created

SBOM/VEX Pipeline

  • Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
  • Supersedes:
    • 24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md → archive
    • 25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md → archive
    • 26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md → archive

Rekor/DSSE Batch Sizing

  • Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
  • Supersedes:
    • 27-Nov-2025 - Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md → archive (duplicate)

Graph Revision IDs

  • Canonical: 26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
  • Supersedes:
    • 25-Nov-2025 - HashStable Graph Revisions Across Systems.md → archive (earlier version)

Reachability Benchmark (Public)

  • Canonical: 24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md
  • Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md
  • Related:
    • 26-Nov-2025 - Opening Up a Reachability Dataset.md → complementary (dataset focus)

Unknowns Registry

  • Canonical: 27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
  • Extends: archived/18-Nov-2025 - Unknowns-Registry.md
  • Status: Already implemented in Signals module; advisory validates design

Confidence Decay for Prioritization

  • Canonical: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (integration point)
  • Related: Unknowns Registry (time-based decay complements ambiguity tracking)
  • Status: Design advisory - provides exponential decay formula for priority freshness

Explainability

  • Canonical (Graphs): 27-Nov-2025 - Making Graphs Understandable to Humans.md
  • Canonical (Verdicts): 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
  • Status: Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

VEX Proofs

  • Canonical: 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)

Binary Reachability

  • Canonical: 27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)

Scanner Roadmap

  • Canonical: 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • Sprint: Multiple sprints (0186, 0401, 0512)
  • Status: High-level roadmap document

Vulnerability Triage UX & VEX-First Decisioning

  • Canonical: 28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md
  • Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
  • Related Sprints:
    • SPRINT_210_ui_ii.md (UI-LNM-22-003 VEX tab)
    • SPRINT_0334_docs_modules_vuln_explorer.md (docs)
  • Related Advisories:
    • 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md (evidence chain)
    • 27-Nov-2025 - Making Graphs Understandable to Humans.md (graph UX)
    • 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md (VEX proofs)
  • Status: New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
  • Schemas:
    • docs/schemas/vex-decision.schema.json
    • docs/schemas/attestation-vuln-scan.schema.json
    • docs/schemas/audit-bundle-index.schema.json

Sovereign Crypto for Regional Compliance

  • Canonical: 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md
  • Sprint: SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
  • Related Docs:
    • docs/security/rootpack_ru_*.md - RootPack RU documentation
    • docs/security/crypto-registry-decision-2025-11-18.md - Registry design
    • docs/security/pq-provider-options.md - Post-quantum options
  • Status: Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
  • Compliance: EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

Plugin Architecture & Extensibility

  • Canonical: 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md
  • Sprint: Foundational - appears in module-specific sprints
  • Related Docs:
    • docs/dev/plugins/README.md - General plugin guide
    • docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md - Concelier connectors
    • docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md - Authority plugins
    • docs/modules/scanner/guides/surface-validation-extensibility.md - Scanner extensibility
  • Status: Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

Evidence Bundle & Replay Contracts

  • Canonical: 29-Nov-2025 - Evidence Bundle and Replay Contracts.md
  • Sprint: SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
    • SPRINT_0160_0001_0001_export_evidence.md (Coordination)
  • Related Docs:
    • docs/modules/evidence-locker/bundle-packaging.md - Bundle spec
    • docs/modules/evidence-locker/attestation-contract.md - DSSE contract
    • docs/modules/evidence-locker/replay-payload-contract.md - Replay schema
  • Status: Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

Mirror & Offline Kit Strategy

  • Canonical: 29-Nov-2025 - Mirror and Offline Kit Strategy.md
  • Sprint: SPRINT_0125_0001_0001 (Mirror Bundles)
  • Related Sprints:
    • SPRINT_0150_0001_0001 (DSSE/Time Anchors)
    • SPRINT_0150_0001_0002 (Time Anchors)
    • SPRINT_0150_0001_0003 (Orchestrator Hooks)
  • Related Docs:
    • docs/modules/mirror/dsse-tuf-profile.md - DSSE/TUF spec
    • docs/modules/mirror/thin-bundle-assembler.md - Thin bundle spec
    • docs/airgap/time-anchor-schema.json - Time anchor schema
  • Status: Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

Task Pack Orchestration & Automation

  • Canonical: 29-Nov-2025 - Task Pack Orchestration and Automation.md
  • Sprint: SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
    • SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
  • Related Docs:
    • docs/task-packs/spec.md - Pack manifest specification
    • docs/task-packs/authoring-guide.md - Authoring workflow
    • docs/task-packs/registry.md - Registry architecture
  • Status: Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

Authentication & Authorization Architecture

  • Canonical: 29-Nov-2025 - Authentication and Authorization Architecture.md
  • Sprint: Multiple (see below)
  • Related Sprints:
    • SPRINT_100_identity_signing.md (CLOSED - historical)
    • SPRINT_314_docs_modules_authority.md (Docs)
    • SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
  • Related Docs:
    • docs/modules/authority/architecture.md - Module architecture
    • docs/11_AUTHORITY.md - Overview
    • docs/security/authority-scopes.md - Scope reference
    • docs/security/dpop-mtls-rollout.md - Sender constraints
  • Status: Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

CLI Developer Experience & Command UX

  • Canonical: 29-Nov-2025 - CLI Developer Experience and Command UX.md
  • Sprint: SPRINT_0201_0001_0001_cli_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_203_cli_iii.md
    • SPRINT_205_cli_v.md
  • Related Docs:
    • docs/modules/cli/architecture.md - Module architecture
    • docs/09_API_CLI_REFERENCE.md - Command reference
  • Status: Fills HIGH-priority gap - covers command surface, auth model, Buildx integration

Orchestrator Event Model & Job Lifecycle

  • Canonical: 29-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md
  • Sprint: SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_152_orchestrator_ii.md
    • SPRINT_0152_0001_0002_orchestrator_ii.md
  • Related Docs:
    • docs/modules/orchestrator/architecture.md - Module architecture
  • Status: Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics

Export Center & Reporting Strategy

  • Canonical: 29-Nov-2025 - Export Center and Reporting Strategy.md
  • Sprint: SPRINT_0160_0001_0001_export_evidence.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0161_0001_0001_evidencelocker.md
  • Related Docs:
    • docs/modules/export-center/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels

Runtime Posture & Observation (Zastava)

  • Canonical: 29-Nov-2025 - Runtime Posture and Observation with Zastava.md
  • Sprint: SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0140_0001_0001_runtime_signals.md
    • SPRINT_0143_0000_0001_signals.md
  • Related Docs:
    • docs/modules/zastava/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection

Notification Rules & Alerting Engine

  • Canonical: 29-Nov-2025 - Notification Rules and Alerting Engine.md
  • Sprint: SPRINT_0170_0001_0001_notify_engine.md (NEW)
  • Related Sprints:
    • SPRINT_0171_0001_0002_notify_connectors.md
    • SPRINT_0172_0001_0003_notify_ack_tokens.md
  • Related Docs:
    • docs/modules/notify/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens

Graph Analytics & Dependency Insights

  • Canonical: 29-Nov-2025 - Graph Analytics and Dependency Insights.md
  • Sprint: SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0401_0001_0001_reachability_evidence_chain.md
    • SPRINT_0140_0001_0001_runtime_signals.md
  • Related Docs:
    • docs/modules/graph/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization

Telemetry & Observability Patterns

  • Canonical: 29-Nov-2025 - Telemetry and Observability Patterns.md
  • Sprint: SPRINT_0180_0001_0001_telemetry_core.md (NEW)
  • Related Sprints:
    • SPRINT_0181_0001_0002_telemetry_forensic.md
    • SPRINT_0182_0001_0003_telemetry_offline.md
  • Related Docs:
    • docs/modules/telemetry/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles

Policy Simulation & Shadow Gates

  • Canonical: 29-Nov-2025 - Policy Simulation and Shadow Gates.md
  • Sprint: SPRINT_0185_0001_0001_policy_simulation.md (NEW)
  • Related Sprints:
    • SPRINT_0120_0000_0001_policy_reasoning.md
    • SPRINT_0121_0001_0001_policy_reasoning.md
  • Related Docs:
    • docs/modules/policy/architecture.md - Module architecture
  • Status: Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates

Findings Ledger & Immutable Audit Trail

  • Canonical: 29-Nov-2025 - Findings Ledger and Immutable Audit Trail.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0120_0000_0001_policy_reasoning.md
    • SPRINT_311_docs_tasks_md_xi.md
  • Related Docs:
    • docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml - OpenAPI spec
  • Status: Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections

Concelier Advisory Ingestion Model

  • Canonical: 29-Nov-2025 - Concelier Advisory Ingestion Model.md
  • Sprint: SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0113_0001_0002_concelier_ii.md
    • SPRINT_0114_0001_0003_concelier_iii.md
  • Related Docs:
    • docs/modules/concelier/architecture.md - Module architecture
    • docs/modules/concelier/link-not-merge-schema.md - LNM schema
  • Status: Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports

Files Archived

The following files have been moved to archived/27-Nov-2025-superseded/:

# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - HashStable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md

Cleanup Completed (2025-11-28)

The following issues were fixed:

  • Deleted junk file: 24-Nov-2025 - 1 copy 2.md
  • Deleted malformed duplicate: 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd
  • Fixed filename: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md (was missing .md extension)

Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---|---|---|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |
| CLI Developer Experience | SPRINT_0201_0001_0001 | NEW |
| Orchestrator Event Model | SPRINT_0151_0001_0001 | NEW |
| Export Center Strategy | SPRINT_0160_0001_0001 | NEW |
| Zastava Runtime Posture | SPRINT_0144_0001_0001 | NEW |
| Notification Rules Engine | SPRINT_0170_0001_0001 | NEW |
| Graph Analytics | SPRINT_0141_0001_0001 | NEW |
| Telemetry & Observability | SPRINT_0180_0001_0001 | NEW |
| Policy Simulation | SPRINT_0185_0001_0001 | NEW |
| Findings Ledger | SPRINT_0186_0001_0001 | NEW |
| Concelier Ingestion | SPRINT_0115_0001_0004 | NEW |

Implementation Priority

Based on gap analysis:

  1. P0 - CVSS v4.0 (Sprint 0190) - Industry moving to v4.0, genuine gap
  2. P1 - SPDX 3.0.1 (Sprint 0186 tasks 15a-15f) - Standards compliance
  3. P1 - Public Benchmark (Sprint 0513) - Differentiation/marketing value
  4. P1 - Vuln Triage UX (Sprint 0215) - Industry-aligned UX for competitive parity
  5. P1 - Sovereign Crypto (Sprint 0514) - Regional compliance enablement
  6. P1 - Evidence Bundle & Replay (Sprint 0161, 0187) - Audit/compliance critical
  7. P1 - Mirror & Offline Kit (Sprint 0125, 0150) - Air-gap deployment critical
  8. P1 - CLI Developer Experience (Sprint 0201) - Developer UX critical
  9. P1 - Orchestrator Event Model (Sprint 0151) - Job lifecycle foundation
  10. P2 - Task Pack Orchestration (Sprint 0157, 0158) - Automation foundation
  11. P2 - Explainability (Sprint 0401) - UX enhancement, existing tasks
  12. P2 - Plugin Architecture (Multiple) - Foundational extensibility patterns
  13. P2 - Auth/AuthZ Architecture (Multiple) - Security consolidation
  14. P2 - Export Center (Sprint 0160) - Reporting flexibility
  15. P2 - Zastava Runtime (Sprint 0144) - Runtime observability
  16. P2 - Notification Rules (Sprint 0170) - Alert management
  17. P2 - Graph Analytics (Sprint 0141) - Dependency insights
  18. P2 - Telemetry (Sprint 0180) - Observability infrastructure
  19. P2 - Policy Simulation (Sprint 0185) - Safe policy testing
  20. P2 - Findings Ledger (Sprint 0186) - Audit immutability
  21. P2 - Concelier Ingestion (Sprint 0115) - Advisory pipeline
  22. P3 - Already Implemented - Unknowns, Graph IDs, DSSE batching

Implementer Quick Reference

For each topic, the implementer should read:

  1. Sprint file - Contains task definitions, dependencies, working directories
  2. Documentation Prerequisites - Listed in each sprint file
  3. Canonical advisory - Full product context and rationale
  4. Module AGENTS.md - If exists, contains module-specific coding guidance

Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|---|---|---|
| Policy | docs/modules/policy/architecture.md | src/Policy/*/AGENTS.md |
| Scanner | docs/modules/scanner/architecture.md | src/Scanner/*/AGENTS.md |
| Sbomer | docs/modules/sbomer/architecture.md | src/Sbomer/*/AGENTS.md |
| Signals | docs/modules/signals/architecture.md | src/Signals/*/AGENTS.md |
| Attestor | docs/modules/attestor/architecture.md | src/Attestor/*/AGENTS.md |
| Vuln Explorer | docs/modules/vuln-explorer/architecture.md | src/VulnExplorer/*/AGENTS.md |
| VEX-Lens | docs/modules/vex-lens/architecture.md | src/Excititor/*/AGENTS.md |
| UI | docs/modules/ui/architecture.md | src/UI/*/AGENTS.md |
| Authority | docs/modules/authority/architecture.md | src/Authority/*/AGENTS.md |
| Evidence Locker | docs/modules/evidence-locker/*.md | src/EvidenceLocker/*/AGENTS.md |
| Mirror | docs/modules/mirror/*.md | src/Mirror/*/AGENTS.md |
| TaskRunner | docs/modules/taskrunner/*.md | src/TaskRunner/*/AGENTS.md |
| CLI | docs/modules/cli/architecture.md | src/Cli/*/AGENTS.md |
| Orchestrator | docs/modules/orchestrator/architecture.md | src/Orchestrator/*/AGENTS.md |
| Export Center | docs/modules/export-center/architecture.md | src/ExportCenter/*/AGENTS.md |
| Zastava | docs/modules/zastava/architecture.md | src/Zastava/*/AGENTS.md |
| Notify | docs/modules/notify/architecture.md | src/Notify/*/AGENTS.md |
| Graph | docs/modules/graph/architecture.md | src/Graph/*/AGENTS.md |
| Telemetry | docs/modules/telemetry/architecture.md | src/Telemetry/*/AGENTS.md |
| Findings Ledger | docs/modules/findings-ledger/openapi/ | src/Findings/*/AGENTS.md |
| Concelier | docs/modules/concelier/architecture.md | src/Concelier/*/AGENTS.md |

Topical Gaps (Advisory Needed)

The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:

| Gap | Severity | Status | Notes |
|---|---|---|---|
| Regional Crypto (eIDAS/FIPS/GOST/SM) | HIGH | FILLED | 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md |
| Plugin Architecture Patterns | MEDIUM | FILLED | 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md |
| Evidence Bundle Packaging | HIGH | FILLED | 29-Nov-2025 - Evidence Bundle and Replay Contracts.md |
| Mirror/Offline Kit Strategy | HIGH | FILLED | 29-Nov-2025 - Mirror and Offline Kit Strategy.md |
| Task Pack Orchestration | HIGH | FILLED | 29-Nov-2025 - Task Pack Orchestration and Automation.md |
| Auth/AuthZ Architecture | HIGH | FILLED | 29-Nov-2025 - Authentication and Authorization Architecture.md |
| CLI Developer Experience | HIGH | FILLED | 29-Nov-2025 - CLI Developer Experience and Command UX.md |
| Orchestrator Event Model | HIGH | FILLED | 29-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md |
| Export Center Strategy | MEDIUM | FILLED | 29-Nov-2025 - Export Center and Reporting Strategy.md |
| Runtime Posture & Observation | MEDIUM | FILLED | 29-Nov-2025 - Runtime Posture and Observation with Zastava.md |
| Notification Rules Engine | MEDIUM | FILLED | 29-Nov-2025 - Notification Rules and Alerting Engine.md |
| Graph Analytics & Clustering | MEDIUM | FILLED | 29-Nov-2025 - Graph Analytics and Dependency Insights.md |
| Telemetry & Observability | MEDIUM | FILLED | 29-Nov-2025 - Telemetry and Observability Patterns.md |
| Policy Simulation & Shadow Gates | MEDIUM | FILLED | 29-Nov-2025 - Policy Simulation and Shadow Gates.md |
| Findings Ledger & Audit Trail | MEDIUM | FILLED | 29-Nov-2025 - Findings Ledger and Immutable Audit Trail.md |
| Concelier Advisory Ingestion | MEDIUM | FILLED | 29-Nov-2025 - Concelier Advisory Ingestion Model.md |
| CycloneDX 1.6 .NET Integration | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |

Known Issues (Non-Blocking)

Unicode Encoding Inconsistency: Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:

  • 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md

Archived Duplicate: archived/17-Nov-2025 - SBOM-Provenance-Spine.md and archived/18-Nov-2025 - SBOM-Provenance-Spine.md are potential duplicates. The 18-Nov version is likely canonical.


Index created: 2025-11-27
Last updated: 2025-11-29 (added 10 new advisories filling all identified gaps)