git.stella-ops.org/docs/product-advisories/ADVISORY_INDEX.md

Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

CVSS v4.0

• Canonical: 25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md
• Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md
• Gaps: 31-Nov-2025 FINDINGS.md (CV1–CV10 remediation task CVSS-GAPS-190-013)
• Timing/UI: 01-Dec-2025 - Time-to-Evidence (TTE) Metric.md (archived)
• Status: New sprint created

CVSS v4.0 Momentum Briefing

• Canonical: 29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md
• Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md (context)
• Related Docs:
  • docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md (implementation focus)
  • docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md (this briefing)
• Gaps: 31-Nov-2025 FINDINGS.md (CVM1–CVM10 remediation task CVSS-GAPS-190-014)
• Status: Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.

SCA Failure Catalogue

• Canonical: 29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md (this catalogue)
  • docs/implplan/SPRINT_0300_0001_0001_documentation_process.md (tracking sync)
• Gaps: 31-Nov-2025 FINDINGS.md (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
• Status: Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.

Mid-Level .NET Onboarding (Quick Start)

• Canonical: 29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/onboarding/dev-quickstart.md (to be updated)
  • docs/modules/platform/architecture-overview.md
• Gaps: 31-Nov-2025 FINDINGS.md (OB1–OB10 remediation task ONBOARD-GAPS-300-015)
• Status: Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links.

Implementor Guidelines

• Canonical: 30-Nov-2025 - Implementor Guidelines for Stella Ops.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md (this briefing)
  • docs/05_SYSTEM_REQUIREMENTS_SPEC.md / docs/13_RELEASE_ENGINEERING_PLAYBOOK.md (reference requirements)
• Gaps: 31-Nov-2025 FINDINGS.md (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018)
• Status: Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.

Rekor Receipt Checklist

• Canonical: 30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
• Sprint: SPRINT_0314_0001_0001_docs_modules_authority.md
• Related Docs: Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published)
• Gaps: 31-Nov-2025 FINDINGS.md (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
• Status: Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation.

Standup Sprint Kickstarters

• Canonical: 30-Nov-2025 - Standup Sprint Kickstarters.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs: docs/implplan/README.md (sprint template)
• Gaps: 31-Nov-2025 FINDINGS.md (SK1–SK10 remediation task STANDUP-GAPS-300-019)
• Status: Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules.

UI Micro-Interactions

• Canonical: 30-Nov-2025 - UI Micro-Interactions for StellaOps.md
• Sprint: SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed)
• Related Docs: docs/modules/ui/architecture.md, Storybook token catalog (planned)
• Gaps: 31-Nov-2025 FINDINGS.md (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011)
• Status: Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance.

Proof-Linked VEX UI (Not-Affected Proof Drawer)

• Canonical: Proof-linked VEX UI spec (chat-provided; to land as docs/ui/proof-linked-vex.md)
• Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md
• Related Docs: docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md, docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md, VexLens/Policy module docs
• Gaps: 31-Nov-2025 FINDINGS.md (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010)
• Status: Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests.

Time-to-Evidence (TTE) Metric

• Canonical: 01-Dec-2025 - Time-to-Evidence (TTE) Metric.md
• Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md
• Related Docs: UI sprints 0209/0215, telemetry architecture docs
• Gaps: 31-Nov-2025 FINDINGS.md (TTE1–TTE10 remediation task TTE-GAPS-0215-011)
• Status: Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests.

Archived Advisories (15–23 Nov 2025)

• Canonical: docs/product-advisories/archived/*.md (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.)
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (triage/decision)
• Related Docs: None current (need revival + canonicalization)
• Gaps: 31-Nov-2025 FINDINGS.md (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020)
• Status: Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories.

SBOM → VEX Proof Blueprint

• Canonical: 29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md (itself)
  • docs/modules/platform/architecture-overview.md (platform dossier link)
• Gaps: 31-Nov-2025 FINDINGS.md (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013)
• Status: Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.

UI Micro-Interactions

• Canonical: 30-Nov-2025 - UI Micro-Interactions for StellaOps.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • apps/console/src/app/shared/micro/
  • docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md
• Status: Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX.

Rekor Receipt Checklist

• Canonical: 30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
• Sprint: SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md
  • docs/modules/platform/architecture-overview.md
• Gaps: 31-Nov-2025 FINDINGS.md (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
• Status: Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.

Air-Gap Deployment Playbook

• Canonical: 25-Nov-2025 - Air-gap deployment playbook for StellaOps.md
• Sprint: SPRINT_0510_0001_0001_airgap.md (Ops & Offline)
• Gaps: 31-Nov-2025 FINDINGS.md (AG1–AG12 remediation task AIRGAP-GAPS-510-009)
• Status: Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability.

Ecosystem Reality Tests

• Canonical: 30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md
• Status: Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability.

Unknowns Decay & Triage Heuristics

• Canonical: 30-Nov-2025 - Unknowns Decay & Triage Heuristics.md
• Sprint: SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md
• Gaps: 31-Nov-2025 FINDINGS.md (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007)
• Status: Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.

Standup Sprint Kickstarters

• Canonical: 30-Nov-2025 - Standup Sprint Kickstarters.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md
• Status: Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments.

Evidence + Suppression Patterns

• Canonical: 30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md
• Gaps: 31-Nov-2025 FINDINGS.md (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016)
• Status: Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.

Ecosystem Reality Test Cases

• Canonical: 30-Nov-2025 - Ecosystem Reality Test Cases.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md
• Gaps: 31-Nov-2025 FINDINGS.md (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017)
• Status: Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs.

Reachability Benchmark Fixtures

• Canonical: 30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md
• Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY)
• Related Docs:
  • docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md
• Gaps: 31-Nov-2025 FINDINGS.md (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020)
• Status: SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.

SBOM/VEX Pipeline

• Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md
• Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
• Supersedes:
  • 24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md → archive
  • 25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md → archive
  • 26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md → archive

Rekor/DSSE Batch Sizing

• Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md
• Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
• Supersedes:
  • 27-Nov-2025 - Rekor Envelope Size Heuristic.md → archive (duplicate)
  • 27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md → archive (duplicate)
  • 27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md → archive (duplicate)

Graph Revision IDs

• Canonical: 26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md
• Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
• Gaps: 31-Nov-2025 FINDINGS.md (GR1–GR10 remediation task GRAPHREV-GAPS-401-063)
• Supersedes:
  • 25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md → archive (earlier version)

Reachability Benchmark (Public)

• Canonical: 24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md
• Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md
• Related:
  • 26-Nov-2025 - Opening Up a Reachability Dataset.md → complementary (dataset focus)
  • 31-Nov-2025 FINDINGS.md → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018
• Gaps (dataset): 31-Nov-2025 FINDINGS.md (RD1–RD10 remediation task DATASET-GAPS-513-019)

Unknowns Registry

• Canonical: 27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md
• Sprint: SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
• Extends: archived/18-Nov-2025 - Unknowns-Registry.md
• Gaps: 31-Nov-2025 FINDINGS.md (UN1–UN10 remediation task UNKNOWN-GAPS-140-006)
• Status: Already implemented in Signals module; advisory validates design

Confidence Decay for Prioritization

• Canonical: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md
• Sprint: SPRINT_0140_0001_0001_runtime_signals.md (integration point)
• Gaps: 31-Nov-2025 FINDINGS.md (U1–U10 remediation task DECAY-GAPS-140-005)
• Related: Unknowns Registry (time-based decay complements ambiguity tracking)
• Status: Design advisory - provides exponential decay formula for priority freshness

Explainability

• Canonical (Graphs): 27-Nov-2025 - Making Graphs Understandable to Humans.md
• Canonical (Verdicts): 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md
• Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
• Gaps: 31-Nov-2025 FINDINGS.md (EX1–EX10 remediation task EXPLAIN-GAPS-401-064)
• Status: Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

VEX Proofs

• Canonical: 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md
• Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)
• Gaps: 31-Nov-2025 FINDINGS.md (VEX1–VEX10 remediation task VEX-GAPS-401-062)

Binary Reachability

• Canonical: 27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md
• Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)
• Gaps: 31-Nov-2025 FINDINGS.md (BR1–BR10 remediation task BINARY-GAPS-401-066)

Scanner Roadmap

• Canonical: 27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md
• Sprint: Multiple sprints (0186, 0401, 0512)
• Gaps: 31-Nov-2025 FINDINGS.md (SC1–SC10 remediation task SCANNER-GAPS-186-018)
• Status: High-level roadmap document

SBOM-First, VEX-Ready Spine

• Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md
• Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001
• Gaps: 31-Nov-2025 FINDINGS.md (SP1–SP10 remediation task SPINE-GAPS-186-019)
• Status: Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement.

SBOM & VEX Competitor Snapshot

• Canonical: 27-Nov-2025 - Late‑November SBOM & VEX competitor.md
• Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization)
• Gaps: 31-Nov-2025 FINDINGS.md (CM1–CM10 remediation task COMPETITOR-GAPS-186-020)
• Status: Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity.

Vulnerability Triage UX & VEX-First Decisioning

• Canonical: 28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md
• Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
• Related Sprints:
  • SPRINT_0210_0001_0002_ui_ii.md (UI-LNM-22-003 VEX tab)
  • SPRINT_0334_docs_modules_vuln_explorer.md (docs)
• Related Advisories:
  • 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md (evidence chain)
  • 27-Nov-2025 - Making Graphs Understandable to Humans.md (graph UX)
  • 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md (VEX proofs)
• Gaps: 31-Nov-2025 FINDINGS.md (VT1–VT10 remediation task TRIAGE-GAPS-215-042)
• Status: New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
• Schemas:
  • docs/schemas/vex-decision.schema.json
  • docs/schemas/attestation-vuln-scan.schema.json
  • docs/schemas/audit-bundle-index.schema.json

Sovereign Crypto for Regional Compliance

• Canonical: 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md
• Sprint: SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
• Related Docs:
  • docs/security/rootpack_ru_*.md - RootPack RU documentation
  • docs/security/crypto-registry-decision-2025-11-18.md - Registry design
  • docs/security/pq-provider-options.md - Post-quantum options
• Gaps: 31-Nov-2025 FINDINGS.md (SC1–SC10 remediation task SC-GAPS-514-010)
• Status: Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
• Compliance: EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

Plugin Architecture & Extensibility

• Canonical: 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md
• Sprint: Foundational - appears in module-specific sprints
• Related Docs:
  • docs/dev/plugins/README.md - General plugin guide
  • docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md - Concelier connectors
  • docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md - Authority plugins
  • docs/modules/scanner/guides/surface-validation-extensibility.md - Scanner extensibility
• Gaps: 31-Nov-2025 FINDINGS.md (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300)
• Status: Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

Evidence Bundle & Replay Contracts

• Canonical: 28-Nov-2025 - Evidence Bundle and Replay Contracts.md
• Sprint: SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
• Related Sprints:
  • SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
  • SPRINT_0160_0001_0001_export_evidence.md (Coordination)
• Related Docs:
  • docs/modules/evidence-locker/bundle-packaging.md - Bundle spec
  • docs/modules/evidence-locker/attestation-contract.md - DSSE contract
  • docs/modules/evidence-locker/replay-payload-contract.md - Replay schema
• Gaps: 31-Nov-2025 FINDINGS.md (EB1–EB10 remediation task EVID-GAPS-161-007)
• Status: Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

Export Center & Reporting

• Canonical: 28-Nov-2025 - Export Center and Reporting Strategy.md
• Sprint: SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I)
• Related Sprints: SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md
• Gaps: 31-Nov-2025 FINDINGS.md (EC1–EC10 remediation task EXPORT-GAPS-162-013)
• Status: Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation.

Acceptance Tests Pack for Guardrails

• Canonical: 29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (Docs Governance)
• Related Docs:
  • docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md (itself)
  • docs/implplan/SPRINT_0300_0001_0001_documentation_process.md (tracking the sync)
• Gaps: 31-Nov-2025 FINDINGS.md (AT1–AT10 remediation task AT-GAPS-300-012)
• Status: Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.

Mirror & Offline Kit Strategy

• Canonical: 28-Nov-2025 - Mirror and Offline Kit Strategy.md
• Sprint: SPRINT_0125_0001_0001 (Mirror Bundles)
• Related Sprints:
  • SPRINT_0150_0001_0001 (DSSE/Time Anchors)
  • SPRINT_0150_0001_0002 (Time Anchors)
  • SPRINT_0150_0001_0003 (Orchestrator Hooks)
• Related Docs:
  • docs/modules/mirror/dsse-tuf-profile.md - DSSE/TUF spec
  • docs/modules/mirror/thin-bundle-assembler.md - Thin bundle spec
  • docs/airgap/time-anchor-schema.json - Time anchor schema
• Gaps: 31-Nov-2025 FINDINGS.md (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013)
• Status: Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

Rekor v2 / DSSE Limits

• Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md
• Sprint: SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used.
• Gaps: 31-Nov-2025 FINDINGS.md (RK1–RK10 remediation task REKOR-GAPS-125-012)
• Status: Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints.

Task Pack Orchestration & Automation

• Canonical: 28-Nov-2025 - Task Pack Orchestration and Automation.md
• Sprint: SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
• Related Sprints:
  • SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
  • SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
• Related Docs:
  • docs/task-packs/spec.md - Pack manifest specification
  • docs/task-packs/authoring-guide.md - Authoring workflow
  • docs/task-packs/registry.md - Registry architecture
• Gaps: 31-Nov-2025 FINDINGS.md (TP1–TP10 remediation task TASKRUN-GAPS-157-014)
• Status: Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

Authentication & Authorization Architecture

• Canonical: 28-Nov-2025 - Authentication and Authorization Architecture.md
• Sprint: Multiple (see below)
• Related Sprints:
  • SPRINT_100_identity_signing.md (CLOSED - historical)
  • SPRINT_314_docs_modules_authority.md (Docs)
  • SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
• Gaps: 31-Nov-2025 FINDINGS.md (AU1–AU10 remediation task AUTH-GAPS-314-004)
• Related Docs:
  • docs/modules/authority/architecture.md - Module architecture
  • docs/11_AUTHORITY.md - Overview
  • docs/security/authority-scopes.md - Scope reference
  • docs/security/dpop-mtls-rollout.md - Sender constraints
• Status: Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

CLI Developer Experience & Command UX

• Canonical: 28-Nov-2025 - CLI Developer Experience and Command UX.md
• Sprint: SPRINT_0201_0001_0001_cli_i.md (PRIMARY)
• Related Sprints:
  • SPRINT_203_cli_iii.md
  • SPRINT_205_cli_v.md
• Related Docs:
  • docs/modules/cli/architecture.md - Module architecture
  • docs/09_API_CLI_REFERENCE.md - Command reference
• Gaps: 31-Nov-2025 FINDINGS.md (CL1–CL10 remediation task CLI-GAPS-201-003)
• Status: Fills HIGH-priority gap - covers command surface, auth model, Buildx integration

Orchestrator Event Model & Job Lifecycle

• Canonical: 28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md
• Sprint: SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY)
• Related Sprints:
  • SPRINT_152_orchestrator_ii.md
  • SPRINT_0152_0001_0002_orchestrator_ii.md
• Related Docs:
  • docs/modules/orchestrator/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (OR1–OR10 remediation task ORCH-GAPS-151-016)
• Status: Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics

Export Center & Reporting Strategy

• Canonical: 28-Nov-2025 - Export Center and Reporting Strategy.md
• Sprint: SPRINT_0160_0001_0001_export_evidence.md (PRIMARY)
• Related Sprints:
  • SPRINT_0161_0001_0001_evidencelocker.md
• Related Docs:
  • docs/modules/export-center/architecture.md - Module architecture
• Status: Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels

Runtime Posture & Observation (Zastava)

• Canonical: 28-Nov-2025 - Runtime Posture and Observation with Zastava.md
• Sprint: SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY)
• Related Sprints:
  • SPRINT_0140_0001_0001_runtime_signals.md
  • SPRINT_0143_0000_0001_signals.md
• Related Docs:
  • docs/modules/zastava/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007)
• Status: Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection

Notification Rules & Alerting Engine

• Canonical: 28-Nov-2025 - Notification Rules and Alerting Engine.md
• Sprint: SPRINT_0170_0001_0001_notify_engine.md (NEW)
• Related Sprints:
  • SPRINT_0171_0001_0002_notify_connectors.md
  • SPRINT_0172_0001_0003_notify_ack_tokens.md
• Related Docs:
  • docs/modules/notify/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (NR1–NR10 remediation task NOTIFY-GAPS-171-014; blueprint docs/notifications/gaps-nr1-nr10.md)
• Status: Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens

Graph Analytics & Dependency Insights

• Canonical: 28-Nov-2025 - Graph Analytics and Dependency Insights.md
• Sprint: SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY)
• Related Sprints:
  • SPRINT_0401_0001_0001_reachability_evidence_chain.md
  • SPRINT_0140_0001_0001_runtime_signals.md
• Related Docs:
  • docs/modules/graph/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013)
• Status: Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization

Telemetry & Observability Patterns

• Canonical: 28-Nov-2025 - Telemetry and Observability Patterns.md
• Sprint: SPRINT_0180_0001_0001_telemetry_core.md (NEW)
• Related Sprints:
  • SPRINT_0181_0001_0002_telemetry_forensic.md
  • SPRINT_0182_0001_0003_telemetry_offline.md
• Related Docs:
  • docs/modules/telemetry/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (TO1–TO10 remediation task TELEM-GAPS-180-001)
• Status: Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles

Policy Simulation & Shadow Gates

• Canonical: 28-Nov-2025 - Policy Simulation and Shadow Gates.md
• Sprint: SPRINT_0185_0001_0001_policy_simulation.md (NEW)
• Related Sprints:
  • SPRINT_0120_0000_0001_policy_reasoning.md
  • SPRINT_0121_0001_0001_policy_reasoning.md
• Related Docs:
  • docs/modules/policy/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (PS1–PS10 remediation task POLICY-GAPS-185-006)
• Status: Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates

Findings Ledger & Immutable Audit Trail

• Canonical: 28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md
• Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY)
• Related Sprints:
  • SPRINT_0120_0000_0001_policy_reasoning.md
  • SPRINT_0311_0001_0001_docs_tasks_md_xi.md
• Related Docs:
  • docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml - OpenAPI spec
• Gaps: 31-Nov-2025 FINDINGS.md (FL1–FL10 remediation task LEDGER-GAPS-121-009)
• Status: Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections

Concelier Advisory Ingestion Model

• Canonical: 28-Nov-2025 - Concelier Advisory Ingestion Model.md
• Sprint: SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY)
• Related Sprints:
  • SPRINT_0113_0001_0002_concelier_ii.md
  • SPRINT_0114_0001_0003_concelier_iii.md
• Related Docs:
  • docs/modules/concelier/architecture.md - Module architecture
• Gaps: 31-Nov-2025 FINDINGS.md (CI1–CI10 remediation task CONCELIER-GAPS-115-014)
  • docs/modules/concelier/link-not-merge-schema.md - LNM schema
• Status: Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports

Files Archived

The following files have been moved to archived/27-Nov-2025-superseded/:

# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md

Cleanup Completed (2025-11-28)

The following issues were fixed:

• Deleted junk file: 24-Nov-2025 - 1 copy 2.md
• Deleted malformed duplicate: 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd
• Fixed filename: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md (was missing .md extension)

Sprint Cross-Reference

Advisory Topic	Sprint ID	Status
CVSS v4.0	SPRINT_0190_0001_0001	NEW
SPDX 3.0.1 / SBOM	SPRINT_0186_0001_0001	AUGMENTED
Reachability Benchmark	SPRINT_0513_0001_0001	NEW
Reachability Evidence	SPRINT_0401_0001_0001	EXISTING
Unknowns Registry	SPRINT_0140_0001_0001	IMPLEMENTED
Confidence Decay	SPRINT_0140_0001_0001	DESIGN
Graph Revision IDs	SPRINT_0401_0001_0001	EXISTING
DSSE/Rekor Batching	SPRINT_0401_0001_0001	EXISTING
Vuln Triage UX / VEX	SPRINT_0215_0001_0001	NEW
Sovereign Crypto	SPRINT_0514_0001_0001	EXISTING
Plugin Architecture	Multiple (module-specific)	FOUNDATIONAL
Evidence Bundle & Replay	SPRINT_0161_0001_0001	EXISTING
Mirror & Offline Kit	SPRINT_0125_0001_0001	EXISTING
Task Pack Orchestration	SPRINT_0157_0001_0001	EXISTING
Auth/AuthZ Architecture	Multiple (100, 314, 0514)	EXISTING
CLI Developer Experience	SPRINT_0201_0001_0001	NEW
Orchestrator Event Model	SPRINT_0151_0001_0001	NEW
Export Center Strategy	SPRINT_0160_0001_0001	NEW
Zastava Runtime Posture	SPRINT_0144_0001_0001	NEW
Notification Rules Engine	SPRINT_0170_0001_0001	NEW
Graph Analytics	SPRINT_0141_0001_0001	NEW
Telemetry & Observability	SPRINT_0180_0001_0001	NEW
Policy Simulation	SPRINT_0185_0001_0001	NEW
Findings Ledger	SPRINT_0186_0001_0001	NEW
Concelier Ingestion	SPRINT_0115_0001_0004	NEW

Implementation Priority

Based on gap analysis:

1. P0 - CVSS v4.0 (Sprint 0190) - Industry moving to v4.0, genuine gap
2. P1 - SPDX 3.0.1 (Sprint 0186 tasks 15a-15f) - Standards compliance
3. P1 - Public Benchmark (Sprint 0513) - Differentiation/marketing value
4. P1 - Vuln Triage UX (Sprint 0215) - Industry-aligned UX for competitive parity
5. P1 - Sovereign Crypto (Sprint 0514) - Regional compliance enablement
6. P1 - Evidence Bundle & Replay (Sprint 0161, 0187) - Audit/compliance critical
7. P1 - Mirror & Offline Kit (Sprint 0125, 0150) - Air-gap deployment critical
8. P1 - CLI Developer Experience (Sprint 0201) - Developer UX critical
9. P1 - Orchestrator Event Model (Sprint 0151) - Job lifecycle foundation
10. P2 - Task Pack Orchestration (Sprint 0157, 0158) - Automation foundation
11. P2 - Explainability (Sprint 0401) - UX enhancement, existing tasks
12. P2 - Plugin Architecture (Multiple) - Foundational extensibility patterns
13. P2 - Auth/AuthZ Architecture (Multiple) - Security consolidation
14. P2 - Export Center (Sprint 0160) - Reporting flexibility
15. P2 - Zastava Runtime (Sprint 0144) - Runtime observability
16. P2 - Notification Rules (Sprint 0170) - Alert management
17. P2 - Graph Analytics (Sprint 0141) - Dependency insights
18. P2 - Telemetry (Sprint 0180) - Observability infrastructure
19. P2 - Policy Simulation (Sprint 0185) - Safe policy testing
20. P2 - Findings Ledger (Sprint 0186) - Audit immutability
21. P2 - Concelier Ingestion (Sprint 0115) - Advisory pipeline
22. P3 - Already Implemented - Unknowns, Graph IDs, DSSE batching

Implementer Quick Reference

For each topic, the implementer should read:

1. Sprint file - Contains task definitions, dependencies, working directories
2. Documentation Prerequisites - Listed in each sprint file
3. Canonical advisory - Full product context and rationale
4. Module AGENTS.md - If exists, contains module-specific coding guidance

Key Module Docs to Read Before Implementation

Module	Architecture Doc	AGENTS.md
Policy	docs/modules/policy/architecture.md	src/Policy/*/AGENTS.md
Scanner	docs/modules/scanner/architecture.md	src/Scanner/*/AGENTS.md
Sbomer	docs/modules/sbomer/architecture.md	src/Sbomer/*/AGENTS.md
Signals	docs/modules/signals/architecture.md	src/Signals/*/AGENTS.md
Attestor	docs/modules/attestor/architecture.md	src/Attestor/*/AGENTS.md
Vuln Explorer	docs/modules/vuln-explorer/architecture.md	src/VulnExplorer/*/AGENTS.md
VEX-Lens	docs/modules/vex-lens/architecture.md	src/Excititor/*/AGENTS.md
UI	docs/modules/ui/architecture.md	src/UI/*/AGENTS.md
Authority	docs/modules/authority/architecture.md	src/Authority/*/AGENTS.md
Evidence Locker	docs/modules/evidence-locker/*.md	src/EvidenceLocker/*/AGENTS.md
Mirror	docs/modules/mirror/*.md	src/Mirror/*/AGENTS.md
TaskRunner	docs/modules/taskrunner/*.md	src/TaskRunner/*/AGENTS.md
CLI	docs/modules/cli/architecture.md	src/Cli/*/AGENTS.md
Orchestrator	docs/modules/orchestrator/architecture.md	src/Orchestrator/*/AGENTS.md
Export Center	docs/modules/export-center/architecture.md	src/ExportCenter/*/AGENTS.md
Zastava	docs/modules/zastava/architecture.md	src/Zastava/*/AGENTS.md
Notify	docs/modules/notify/architecture.md	src/Notify/*/AGENTS.md
Graph	docs/modules/graph/architecture.md	src/Graph/*/AGENTS.md
Telemetry	docs/modules/telemetry/architecture.md	src/Telemetry/*/AGENTS.md
Findings Ledger	docs/modules/findings-ledger/openapi/	src/Findings/*/AGENTS.md
Concelier	docs/modules/concelier/architecture.md	src/Concelier/*/AGENTS.md

Developer Onboarding Quick Start

• Canonical: 29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md
• Sprint: SPRINT_0300_0001_0001_documentation_process.md (Docs Governance)
• Related Docs:
  • docs/onboarding/dev-quickstart.md (derived from this advisory)
  • docs/README.md (new quickstart reference)
  • docs/modules/platform/architecture-overview.md (platform dossier mention)
• Status: Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues.

Topical Gaps (Advisory Needed)

The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:

Gap	Severity	Status	Notes
Regional Crypto (eIDAS/FIPS/GOST/SM)	HIGH	FILLED	28-Nov-2025 - Sovereign Crypto for Regional Compliance.md
Plugin Architecture Patterns	MEDIUM	FILLED	28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md
Evidence Bundle Packaging	HIGH	FILLED	28-Nov-2025 - Evidence Bundle and Replay Contracts.md
Mirror/Offline Kit Strategy	HIGH	FILLED	28-Nov-2025 - Mirror and Offline Kit Strategy.md
Task Pack Orchestration	HIGH	FILLED	28-Nov-2025 - Task Pack Orchestration and Automation.md
Auth/AuthZ Architecture	HIGH	FILLED	28-Nov-2025 - Authentication and Authorization Architecture.md
CLI Developer Experience	HIGH	FILLED	28-Nov-2025 - CLI Developer Experience and Command UX.md
Orchestrator Event Model	HIGH	FILLED	28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md
Export Center Strategy	MEDIUM	FILLED	28-Nov-2025 - Export Center and Reporting Strategy.md
Runtime Posture & Observation	MEDIUM	FILLED	28-Nov-2025 - Runtime Posture and Observation with Zastava.md
Notification Rules Engine	MEDIUM	FILLED	28-Nov-2025 - Notification Rules and Alerting Engine.md
Graph Analytics & Clustering	MEDIUM	FILLED	28-Nov-2025 - Graph Analytics and Dependency Insights.md
Telemetry & Observability	MEDIUM	FILLED	28-Nov-2025 - Telemetry and Observability Patterns.md
Policy Simulation & Shadow Gates	MEDIUM	FILLED	28-Nov-2025 - Policy Simulation and Shadow Gates.md
Findings Ledger & Audit Trail	MEDIUM	FILLED	28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md
Concelier Advisory Ingestion	MEDIUM	FILLED	28-Nov-2025 - Concelier Advisory Ingestion Model.md
CycloneDX 1.6 .NET Integration	LOW	Open	Deep Architecture covers generically; expand with .NET-specific guidance

Known Issues (Non-Blocking)

Unicode Encoding Inconsistency: Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:

• 26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md
• 27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md
• 27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md

Archived Duplicate: archived/17-Nov-2025 - SBOM-Provenance-Spine.md and archived/18-Nov-2025 - SBOM-Provenance-Spine.md are potential duplicates. The 18-Nov version is likely canonical.

---

Index created: 2025-11-27 Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)