git.stella-ops.org/docs/product-advisories/31-Nov-2025 FINDINGS.md

Findings – Gaps in “Designing a Deterministic Reachability Benchmark”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md

Method: Read the advisory, cross-checked Sprint SPRINT_0513_0001_0001_public_reachability_benchmark, and compared with current bench scaffolding expectations (schemas, build/score flows, baselines). Below are the missing or weakly specified areas that need decisions and follow-on work.

Gap Table

ID	Area	Gap	Impact	Recommendation
G1	Dataset versioning & integrity	No canonical version/hash per case/split; no manifest tying case IDs to hashes or DSSE attestation of the benchmark state.	Repro claims and leaderboard comparability break when cases drift.	Add benchmark/VERSION plus a manifest (manifest.json + manifest.dsse) covering all case directories, splits, and schema versions; require submissions to cite the manifest hash.
G2	Submission provenance / anti-spoof	Submission schema omits attestation of tool binary, flags, and dataset version; no signature to prevent forged results.	Vendors can spoof runs or misreport tool versions; trust in leaderboard is weak.	Extend submission schema with {attestation, tool_sha256, dataset_manifest}; accept DSSE/IETF RATS evidence; verify signature before scoring.
G3	Language-specific determinism controls	Advisory says “deterministic builds” but does not mandate env guards (PYTHONHASHSEED, TZ=UTC, LC_ALL=C, Node --heapsnapshot-never, Java -Duser.country=US -Duser.language=en, C compiler flags).	Re-run variance can exceed 1–5% grade; coverage/traces become non‑reproducible.	Document per-language env/flags in build templates; pin seeds; add a determinism lint that fails when entropy sources (time, hostname, randomness, network) are observed.
G4	Dynamic evidence schemas	Coverage/traces are mentioned but lack explicit schemas or validation (format, units, clock source, path encoding).	Tool outputs cannot be compared or replayed; hard to verify explainability levels.	Add coverage.schema.json and trace.schema.json; normalize timestamps to monotonic nanoseconds; require DSSE-wrapped evidence bundles per case.
G5	Unreachability oracles	Negative cases lack explicit “must-not-reach” tests and guard toggles; no check that sinks stay dark when flags off.	False positives look like successes; labels can silently drift when code changes.	Require an “unreachable” oracle per negative case (test that asserts sink untouched); store guard matrix in truth.yaml; add CI step that fails on unexpected sink hits.
G6	Baseline determinism & offline posture	Baseline runners (Semgrep/CodeQL/angr/Snyk) are listed but rulepacks, databases, and CLI images are not frozen or vendored; network dependency not banned.	Results vary by day or fail in air‑gap; comparisons become unfair.	Vendor rule packs and CodeQL DB seeds into baselines/_frozen/ with hashes; run tools with --disable-version-check and offline flags; publish exact image digests.
G7	Resource normalization & timeouts	Scoring captures runtime/peak RAM but does not fix CPU/arch, thread limits, or timeout/ retry policy; large-language cases could dominate.	Leaderboard not comparable; vendors can over-provision hardware to win.	Define reference runner profile (e.g., x86_64, 4 vCPU, 16 GB RAM, cgroups limits); set per-case wall/time budgets and classify “timeout” separately from “unreachable.”
G8	Case evolution governance	TAC exists but no intake checklist (license, safety, reproducibility), dual-review rule, or version bump rules for cases/schemas.	Inconsistent case quality; legal risk from third-party code; breaking changes slip in unnoticed.	Add contributor checklist; require two maintainers + TAC sign-off; semantic versioning for schemas and cases; changelog per case with DSSE approval.
G9	Sensitive-data handling	Execution traces and logs may leak secrets/PII; no redaction or allowlist guidance.	Publishing traces could expose secrets or customer data in public benchmark.	Enforce redaction filters in harnesses; add “PII/secret scan” check in build pipeline; document allowed fields and require synthetic data only.
G10	Submission safety & malware controls	No sandboxing guidance for submitted binaries/artifacts; no AV/behavior scan before scoring.	Malicious submissions could target CI/score hosts.	Score in disposable sandbox; run AV/yara; restrict submission size/types; discard binaries after scoring; document this in submission guide.
G11	Distribution / kit integrity	“Repro packs” mentioned but no concrete packaging (manifest, checksums, signature) or offline mirror flow.	Consumers cannot verify downloads; offline users blocked.	Publish benchmark-kit.tgz with SHA256 + Sigstore signing; include CAS layout for cases/artifacts; provide mirror instructions and sample airgap-load.sh.
G12	StellaOps product linkage	Advisory doesn’t map benchmark artifacts to internal reachability evidence chain (Sprint 0401) or VEX/Verdict lattice inputs.	Benchmark effort risks diverging from product semantics and evidence format.	Add integration note: export truth/evidence in the same DSSE/graph format the Scanner expects; add a “stella-baseline” profile and conversion scripts.

Immediate follow-ups

• Add these gaps as tasks in the reachability benchmark sprint (0513) with owners and dates.
• Decide where schemas for coverage/traces live (benchmark/schemas/) and draft them alongside manifest/attestation changes.
• Update build templates per language with determinism env vars and redaction checks.
• Freeze baseline rulepacks/DBs and publish digests.
• Document sandbox and submission attestation requirements in the submission guide and CI policy.

Findings – Gaps in “Add CVSS v4.0 Score Receipts for Transparency”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md

Method: Read the advisory, cross-checked Sprint SPRINT_0190_0001_0001_cvss_v4_receipts, and compared with Policy/Signals architecture expectations (deterministic scoring, DSSE attestations, multi-tenant receipts). Below are the missing or weakly specified areas that need decisions and follow-on work.

Gap Table

ID	Area	Gap	Impact	Recommendation
CV1	Policy lifecycle & replay	Advisory calls for policy IDs/hashes but omits rules for policy rotation and backfill: when policies change, how to re-score existing receipts, preserve prior policy hash, and mark receipts as “computed under policy X”.	Receipts can become incomparable; auditors can’t tell which policy produced a score.	Define policy versioning and replay rules: immutable policies; when policy changes, emit new receipts with old ones retained; add computedWithPolicyId/hash and supersedesReceiptId; optional bulk backfill job with DSSE re-sign.
CV2	Canonical input hashing	Inputs hash is referenced but no canonicalization rules (ordering, whitespace, locale, numeric precision, timezone, null handling).	Different services may compute different hashes → false “different receipt” or DSSE signature failures.	Specify canonical serialization (e.g., JSON Canonicalization Scheme, UTC, sorted keys, fixed decimal precision, trimmed whitespace) and test vectors; enforce in ReceiptBuilder and clients.
CV3	Threat/Env freshness & decay	Threat metrics can become stale; advisory doesn’t define TTLs, “last observed” timestamps, or auto-expiry of exploitation intel.	Scores may overstate risk long after exploitation stops; history lacks time-bounded evidence.	Add observedAt, expiresAt, and decay policy (e.g., downgrade E after N days without sightings); include in policy config and receipt history.
CV4	Multi-tenant segregation	Same vulnerability may have different Environmental metrics per tenant; advisory doesn’t state whether to store per-tenant receipts or a shared base+overrides model.	Tenants could see each other’s context or overwrite Env scores; caching may leak data.	Model receipts as tenant-scoped; store Base once but derive tenant-specific Threat/Env receipts with isolation; enforce tenant IDs in keys and hashes.
CV5	v3.1→v4.0 interoperability	No guidance for ingesting vendor CVSS v3.1 vectors or mixed inputs; no mapping strategy or “converted” marker.	Pipelines may drop scores or mislabel vectors; UI confusion when vendors lag on v4.0.	Provide deterministic v3.1→v4.0 mapping with conversionMethod + confidence; tag receipts as source:converted-v3.1; allow dual display until vendor provides native v4.0.
CV6	Evidence provenance & storage	Evidence list exists but not tied to Evidence Locker/DSSE chain; no guidance on redaction, retention, or CAS location.	Receipts can point to mutable or PII-laden artifacts; replay may break if evidence moves.	Require CAS URIs, retention class, redaction status; store evidence DSSE references; integrate with Evidence Locker for storage/verification; add verifiedAt/hashMismatch flags.
CV7	Immutability vs amendment	History table exists, but advisory doesn’t mandate append-only receipts or forbid in-place edits; DSSE re-sign rules when amending are unspecified.	Receipts could be altered silently, breaking auditability and DSSE trust.	Enforce append-only: amendments create new receipt IDs; old receipts immutable; history references previous receipt; re-sign DSSE on each new receipt; add immutable=true guard in persistence layer.
CV8	Export determinism (PDF/JSON)	UI/CLI exports mentioned but not constrained: fonts, locale, timezone, rounding, and ordering are unspecified; PDF generation not deterministic.	Exports vary across runs/environments; cannot serve as audit evidence.	Define export profile: UTC timestamps, fixed font set, embedded fonts, stable ordering, standardized severity palette, normalized vector formatting; hash exports and store in Evidence Locker.
CV9	RBAC & change authority	Advisory hints at roles but doesn’t set RBAC boundaries for Base vs Threat/Env edits or evidence attachment, nor how to log delegation.	Unauthorized changes could alter scores; audit trails incomplete.	Define role matrix (e.g., Security Engineer: Base; SOC Analyst: Threat; Customer Admin: Env; Viewer: read-only); enforce in APIs; log actor IDs and auth method in history entries.
CV10	Monitoring & guardrails	No operational controls for failed DSSE verification, hash mismatches, policy/schema drift, or scoring engine version skew.	Silent corruption or version drift could invalidate receipts without alerting.	Add health checks/alerts: DSSE verify failures, hash mismatches, policy hash change, engine version mismatch; expose Prometheus counters and fail-fast toggles in ingestion/recalc pipelines.

Immediate follow-ups

• Add a CVSS gap-remediation task to Sprint SPRINT_0190_0001_0001_cvss_v4_receipts and split into sub-tasks if needed (policy lifecycle, hashing canonicalization, multi-tenant receipts, v3.1 conversion, evidence/DSSE linkage, RBAC/monitoring, deterministic exports).
• Publish canonical hashing spec and sample vectors in docs/modules/policy/cvss-v4.md (or schema folder) and add tests in StellaOps.Policy.Scoring.Tests.
• Define tenant-scoped receipt storage and RBAC in Policy WebService contract; ensure DSSE/signature rules cover amendments.

Findings – Gaps in “Air‑gap deployment playbook for StellaOps”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 25-Nov-2025 - Air‑gap deployment playbook for StellaOps.md

Method: Read the advisory and cross-checked with air‑gap/offline posture expectations (offline kits, Rekor mirrors, deterministic replay, crypto profiles) and with existing sprints for offline (e.g., SPRINT_0510_0001_0001_airgap, SPRINT_500_ops_offline). Identified missing controls and decisions needed to operationalize the playbook safely.

Gap Table

ID	Area	Gap	Impact	Recommendation
AG1	Trust roots & key custody	Playbook references trust-root.pem and offline-signer.key but lacks guidance on root rotation, split-key custody, HSM/offline signing flows, and how PQ dual-signing coexists with FIPS/EIDAS/GOST profiles.	Risk of single-operator key compromise; unclear compliance stance per region; PQ readiness ambiguous.	Define per-profile root hierarchy, rotation cadence, and key custody (M of N). Provide HSM/offline signer option; document dual-sign (ECDSA+PQ) handling and verification precedence.
AG2	Rekor mirror integrity	Mentions rekor-mirror/ but not the mirror format (CAR/SQLite), signing of the mirror, freshness markers, or how to reconcile partial mirrors with online logs.	Air-gapped sites may ingest stale or tampered logs; replay might diverge from upstream.	Standardize mirror format and signature (Sigstore bundle/DSSE); include mirror.manifest with root hash, range, and signature; add “staleness allowed” window and reconciliation procedure.
AG3	Feed freezing & provenance	No explicit freeze points for vulnerability/OVAL/OSV feeds or Concelier snapshots in the offline kit manifest.	Replay may pull newer data, breaking determinism and auditability.	Add feeds section to manifest with snapshot IDs/hashes and validity window; require DSSE for feed snapshots; block replay if feeds are newer/older than declared window unless override is signed.
AG4	Deterministic tooling versions	Toolkit versions are implied but not pinned in manifest; no hash of CLI/container images.	Rebuilds in air-gap could drift, leading to non-reproducible proofs.	Add tools list (name, version, image digest, sha256 of binaries) to manifest; enforce verification before replay.
AG5	Size and resource limits	No guidance on kit size limits, compression, or streaming validation for large OCI exports; no plan for chunking.	Large artifacts may be truncated or fail transfer; verification expensive in constrained sites.	Define max kit size, recommend zstd with checksummed chunks, and provide streaming verification script; add chunk manifest with per-chunk hashes.
AG6	Malware/content scanning	Kits can include binaries; there is no requirement for AV/YARA scanning before distribution or post-ingest.	Air-gapped sites could import malicious content.	Add pre-publish AV/YARA step with signed report hash; require on-ingest scan in air-gap before registry load; record scan result in manifest.
AG7	Policy/graph alignment	Manifest carries policy_id/graph_rev but not their hashes or DSSE attestations; no rule for mismatches during replay.	Gate decisions may be computed with different policies/graphs than intended.	Include hashes/DSSE refs for policy bundle and graph revision; replay must verify and fail closed on mismatch.
AG8	Tenant/env scoping	Manifest has tenant/env strings but no enforcement or isolation guidance when multiple tenants share an air-gapped site.	Cross-tenant leakage or misapplied proofs.	Require tenant-scoped storage paths and verification of tenant in DSSE annotations; block import if tenant/env mismatch.
AG9	Ingress/egress audit trail	Gateway headers are defined, but there’s no requirement to log and sign ingress/egress events for kits or attestation uploads.	Missing chain-of-custody; disputes hard to resolve.	Add signed ingress/egress receipts (DSSE) with hash of kit, operator ID, time, and gateway decision; store in Proof Graph.
AG10	Replay validation depth	Replay command is described but not bounded: which steps are re-run, how to handle partial success, and what constitutes a verified replay are unspecified.	Replay may be superficial, giving false confidence.	Define replay levels (hash-only, full recompute, recompute with policy freeze); require success criteria and evidence bundle; fail if any hash drift.
AG11	Observability in air-gap	Tracing guidance assumes OTLP export; no offline-friendly sink/retention plan.	Traces/logs may be lost or leak externally.	Provide OTLP file/SQLite exporter and retention limits; add redaction rules; include in kit or bootstrap scripts.
AG12	Operational runbooks	Playbook lacks explicit runbooks for failure cases: signature verification failure, missing header at gateway, mirror staleness, or policy mismatch.	Operators may improvise and bypass controls.	Add runbook matrix with decision trees and required approvals; include in offline-kit/README and ops docs.

Immediate follow-ups

• Create a remediation task in the relevant air-gap sprint (e.g., SPRINT_0510_0001_0001_airgap or ops/offline sprint) to close AG1–AG12, with owners/dates.
• Extend offline-kit manifest schema to include keys/tools/feeds/policy hashes, tenant scoping, AV scan results, and chunk metadata; add DSSE signatures for manifest and mirror.
• Document key management profiles (FIPS/eIDAS/GOST/SM + optional PQ), rotation, and custody; update Authority/Verifier guides accordingly.
• Add pre-publish and post-ingest AV/YARA checks and signed reports; wire gateway/ingress receipts into Proof Graph.

Findings – Gaps in “Define Safe VEX 'Not Affected' Claims with Proofs”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md

Method: Read the advisory and compared it with reachability/VEX pipelines (Sprint SPRINT_0401_0001_0001_reachability_evidence_chain) and policy/attestation expectations. Identified missing guardrails needed to make not_affected defensible and deterministic.

Gap Table

ID	Area	Gap	Impact	Recommendation
VEX1	Allowed justifications governance	Advisory lists example justifications but no canonical allowlist, schema versioning, or approval path for new values.	Teams may invent ad-hoc reasons, weakening comparability and audits.	Publish a signed justification catalog (OpenVEX extension) with version/hash; enforce allowlist in Policy/Excititor; require RFC for additions.
VEX2	Proof bundle schema	“Proof bundle” is referenced but not structured (no required evidence types, hashes, or DSSE refs).	Receipts can claim proof without verifiable contents; auditors can’t replay.	Define proofBundle.schema.json: required sections (entrypoint coverage, config/flags, reachability graph hash, tests/traces, mitigation evidence), DSSE refs, and SHA256s; validate on VEX emission.
VEX3	Entry-point coverage completeness	Advisory says “enumerate entry points” but no coverage metric or negative-test requirement.	Partial audits may still certify not_affected, leading to false negatives.	Require coverage % (audited/known) and a mandatory “must-not-reach” test per justification; fail VEX if coverage < threshold or negative test missing.
VEX4	Config/flag drift control	Limits (flags/config) are listed but not tied to hashes or runtime enforcement.	Deployments can drift (flags flipped) while VEX stays not_affected.	Include config/flag hashes in VEX analysis; emit runtime guardrails (policy gate) that deny if hash/flag mismatch; add expiry when constraints are temporary.
VEX5	Time-bounded validity	Exceptions are mentioned informally; no required expiresAt/recheckBy.	Stale not_affected persists after conditions change.	Make expiresAt + recheckBy mandatory for constrained justifications; auto-revert to under_review on expiry and alert owners.
VEX6	DSSE/Rekor enforcement	Advisory says “Sign the VEX” but doesn’t require DSSE predicate type, Rekor entry, or offline mirror rules.	Unsigned or unlogged VEX can be tampered; offline parity unclear.	Mandate stella.ops/vexDecision@v1 DSSE, Rekor (or mirror) inclusion, and manifest hash; reject unsigned VEX in pipelines.
VEX7	Tenant/role segregation	No RBAC rules for who may assert not_affected or approve proofs.	Unauthorized downgrades could hide risk.	Define role matrix (security approver + service owner required); enforce dual sign-off and DSSE annotation with actor IDs.
VEX8	Re-evaluation triggers	No automation to re-evaluate when SBOM/graph/runtime hits change.	VEX can become invalid after new evidence but stays not_affected.	Add triggers: new SBOM version, new reachability graph hash, runtime hit, or policy change → set status to under_review and require re-sign.
VEX9	Integration with uncertainty/unknowns	Advisory doesn’t address how to handle low-confidence or missing data states.	not_affected could be issued while evidence is incomplete.	Require uncertainty score (from Signals) and forbid not_affected if uncertainty > threshold; otherwise emit under_review.
VEX10	Export determinism	No rules for canonical ordering/formatting of OpenVEX with analysis block.	Different serializers may yield hash drift; DSSE signatures may not verify across tools.	Define canonical serialization (sorted keys, UTF-8, normalized timestamps) and test vectors; enforce in emitter/validator.

Immediate follow-ups

• Add a VEX gap-remediation task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain (policy/DSSE track) to close VEX1–VEX10.
• Draft proofBundle.schema.json and justification catalog; wire validation into Policy VEX emitter and Excititor gates.
• Add runtime/config hash checks and expiry handling to VEX emission and gate policy; ensure re-evaluation triggers on SBOM/graph/runtime changes.

Findings – Gaps in “Half-Life Confidence Decay for Unknowns”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md

Method: Read the advisory and compared it with Signals/Unknowns handling (Sprint SPRINT_0140_0001_0001_runtime_signals) and policy/triage pipelines. Identified control gaps needed to make decay auditable, deterministic, and safe for risk scoring.

Gap Table

ID	Area	Gap	Impact	Recommendation
U1	Governance of τ (tau)	Advisory suggests presets but no governance (who sets per-entity τ, allowable ranges, change log).	Inconsistent decay across teams; hidden priority swings.	Create a confidence_decay_config with signed defaults per entity (incident/vuln/issue/doc) and change-control; surface τ in API responses.
U2	Floor / freeze rules	No lower bound or freeze semantics; pinned/SLA items may decay to near-zero.	Critical items can fall out of view; audits can’t explain priority drops.	Add confidence_floor and is_confidence_frozen; require floor for SLA-bound vulns; expose in scoring.
U3	Multi-signal weighting	All signals reset equally; high-value signals (new exploit, customer incident) should outweigh trivial edits.	Trivial activity can mask staleness; risk is mis-ranked.	Introduce weighted signals with severity classes; compute last_signal_weighted_at using max(weighted freshness); document signal taxonomy.
U4	Time basis / clock drift	Advisory omits time source; no guidance on UTC vs local or monotonic clock, nor handling of backdated events.	Drifted clocks or reordered events can inflate confidence.	Use monotonic+UTC timestamps; reject future/backdated signals beyond threshold; log corrections.
U5	Deterministic recalculation	No schedule/trigger for recomputing confidence; materialization vs on-read undefined.	Different services may show divergent scores; caching bugs remain hidden.	Define recalculation cadence (nightly job) plus on-read fallback; publish checksum of decay snapshot per day; add regression test vectors.
U6	SLA/priority coupling	Interaction with vuln SLAs and severity not specified (e.g., Critical vulns decaying).	SLA breaches hidden by decay; compliance risk.	Clamp decay for SLA-scoped items (e.g., do not decay below 0.6 until SLA satisfied); include SLA override flag in score.
U7	Unknowns/uncertainty linkage	Advisory doesn’t align decay with uncertainty states from Signals/Unknowns Registry.	Items with high uncertainty may retain high priority incorrectly.	Tie decay to uncertainty: if uncertainty high, cap confidence or force review; store uncertainty_score alongside confidence.
U8	Backfill & migrations	No plan to backfill last_signal_at or τ when enabling feature; historic items may get mis-scored.	Sudden reordering of queues; audit gaps.	Define migration script: seed last_signal_at from latest activity; default τ from config; dry-run impact report.
U9	API/UX surfacing	UI badges suggested but no API fields or sort semantics defined; missing red/amber thresholds in contracts.	Implementations diverge; front-ends guess thresholds.	Add API fields (confidence, confidence_band, tau_days) and standard bands; document sorting (priority * confidence).
U10	Observability & alerts	No monitoring for missing signals, runaway decay, or stalled recompute jobs.	Silent failures lead to incorrect queues.	Add metrics (confidence_recalc_latency, items_below_floor, signals_per_type); alerts when recompute job skips or when high-severity items decay below band.

Immediate follow-ups

• Add a decay-gap task to the relevant sprint (e.g., SPRINT_0140_0001_0001_runtime_signals) to close U1–U10 with owners/dates.
• Define and publish confidence_decay_config and signal taxonomy; add API fields/bands and regression test vectors for decay math.
• Implement floor/freeze/SLA clamping and weighted signals; add monitoring/alerts for recompute health.

Findings – Gaps in “Offline‑kit attestation essentials checklist”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 25-Nov-2025 - Offline‑kit attestation essentials checklist.md

Method: Reviewed the checklist against mirror/air-gap kit expectations (Sprint SPRINT_0125_0001_0001_mirror, air-gap sprints) and DSSE/Rekor/attestation practices. Identified missing controls to make offline kits verifiable, deterministic, and safe to ship.

Gap Table

ID	Area	Gap	Impact	Recommendation
OK1	Trust roots & key manifest	Checklist mentions vendor-pubkeys.pem/manifest but lacks rotation rules, revocation flow, and PQ dual-sign guidance.	Stale/compromised keys may remain trusted; PQ-readiness unclear.	Define key manifest schema with validity windows, revocation list, PQ co-sign option; require DSSE-signed manifest and rotation playbook bundled.
OK2	Tooling provenance	Bundled tools (cosign, tlog-verify) are not hashed/signed; no verification steps for the verifiers themselves.	Offline verification can be subverted by tampered tools.	Include tool hashes + signatures (or supply verifiers as DSSE-signed blobs); add VERIFY step to check tool integrity before use.
OK3	Cross-linking artifacts	Installer, SBOM, receipts, and DSSE envelopes aren’t cross-referenced by a single manifest hash.	Customers can mix components from different releases; audit trail weak.	Add top-level manifest (DSSE-signed) linking all file digests (installer, SBOM, DSSE, receipt, configs, tools) and the key manifest hash.
OK4	Rekor/receipt freshness & checkpoints	Checklist includes a receipt and checkpoint but no staleness window or multi-log/mirror guidance.	Stale or mismatched receipts may pass; offline parity with mirrors unclear.	Add checkpoint.meta with log origin, tree size, timestamp, max drift; include mirror hash; fail VERIFY if beyond window.
OK5	Compression/determinism parameters	Installer/archive determinism is “tip-only”; no required flags (mtime, owner, compression level) or verification of reproducibility.	Rebuilds may drift; hashes differ across builders.	Standardize archiving flags (e.g., `tar --mtime @0 --owner 0 --group 0 --numeric-owner
OK6	Evidence coverage	Only SBOM + installer covered; scan/VEX attestations and policy/graph hashes absent.	Offline users lack vulnerability context; cannot replay decisions.	Bundle scan + VEX DSSE predicates and policy/graph hashes; include reachability status and mitigation notes.
OK7	Time anchoring	No trusted time source or Roughtime/RFC3161 token included.	Cannot prove freshness of kit or receipts in offline court/audit.	Include signed time anchor (Roughtime/RFC3161) and verify it against trust roots; record in manifest.
OK8	Transport integrity	No guidance on packaging for physical transport (tamper-evident, chunking, checksum lists).	Media swap/tamper risk during handoff; large kits may corrupt.	Provide SHA256SUMS + chunk manifest, recommend tamper-evident packaging, and include chain-of-custody receipt template.
OK9	Tenant/env scoping	Kits are not scoped to tenant/env or product variant.	Cross-tenant kit reuse could bypass controls.	Add tenant/env/product identifiers to manifest and VERIFY guard; block import if mismatch.
OK10	VERIFY completeness & failure modes	VERIFY.md lacks negative tests, failure guidance, or automation hooks (exit codes/log capture).	Operators may skip steps or accept partial verification.	Provide scripted verify.sh with strict exit codes, logging, and remediation guidance; include failure decision tree in README.

Immediate follow-ups

• Add an offline-kit gaps task to the mirror/offline sprint (e.g., SPRINT_0125_0001_0001_mirror) to close OK1–OK10.
• Extend kit manifest schema to cover tool hashes, cross-links, checkpoints with freshness, tenant/env scoping, time anchors, and chain-of-custody receipt; sign the manifest with DSSE.
• Add deterministic packaging flags, tool integrity checks, scan/VEX artifacts, and a scripted verify.sh with negative-path guidance.

Findings – Gaps in “Handling Rekor v2 and DSSE Air‑Gap Limits”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md

Method: Read the advisory and compared it with current transparency/attestation posture (mirror/offline kits, reachability DSSE, Rekor usage). Focused on log size/type changes, sharding, offline parity, and retry/idempotency requirements.

Gap Table

ID	Area	Gap	Impact	Recommendation
RK1	Entry type & schema governance	Advisory notes v2 keeps only dsse and hashedrekord, but no internal policy/schemas were updated to forbid deprecated types.	Pipelines may still emit intoto/rekord entries; submissions will fail or be non-compliant.	Update attestation schemas and signing code to allow only dsse/hashedrekord; add CI lint to fail deprecated types.
RK2	Payload size limits	No hard limits or preflight checks for DSSE payload size; no chunking/manifest pattern defined.	Large SBOM/scan/VEX payloads will be rejected by public Rekor; retries waste time.	Enforce max payload (e.g., 80KB for public Rekor) with preflight; move large data to CAS/blob, sign manifest-only DSSE; provide chunking manifest + reassembly rules.
RK3	Private vs public routing	Advisory suggests private logs but no routing matrix or policy (when to use public, private, or none).	Inconsistent submissions; sensitive data could hit public log; or nothing logged.	Define routing policy (public for small public artifacts; private for internal/large; none for restricted); encode in config and DSSE metadata; audit route decisions.
RK4	Shard awareness & verification	Rekor v2 shards logs, but verification/checkpoint logic in kits/pipelines isn’t shard-aware.	Inclusion proofs may fail or be unverifiable offline; replay to wrong shard.	Extend verification to record shard ID/tree ID; bundle shard checkpoint metadata; update verify tools to validate shard-specific proofs.
RK5	Idempotent submission keys	Advisory calls for idempotent re-submit but no idempotency keys or dedupe store specified.	Duplicate or conflicting log entries; pipeline flakiness.	Use deterministic submission key (hash of envelope + log target + subject digest); store in DB; skip if already succeeded.
RK6	Offline parity / bundle completeness	No requirement to ship Sigstore bundle or offline mirror of log entries alongside attestations.	Air-gap replay lacks log proofs; parity with online Rekor breaks.	Always emit Sigstore bundles (DSSE + tlog data) and include in offline kits; add bundle hash to manifest.
RK7	Transparency checkpoint freshness	Checkpoints are not versioned or freshness-bounded; no staleness alarm.	Stale checkpoints may pass verification; audit trail weak.	Add checkpoint metadata (tree size, timestamp, log ID, shard ID, max allowed staleness); fail verify if outside window.
RK8	PQ and multi-alg support	Advisory doesn’t address dual-sign (ECDSA+PQ) for long-lived proofs.	Future-proofing and some compliance profiles unmet.	Support dual-sign predicates and Rekor submissions where allowed; record algorithms in metadata and bundle.
RK9	Error taxonomy & backoff	No standardized error classification for Rekor rejections (size, type, HTTP codes) or retry/backoff policy.	Pipelines may spin or silently drop entries.	Add error taxonomy + retry policy: size→fail fast; 5xx→exponential backoff; 4xx type→lint failure; log structured metrics.
RK10	Policy linkage	Rekor entries not cross-linked to policy/graph hashes or reachability evidence; advisory hints but not mandated.	Proves signature but not decision context; weak audit.	Include policy_id, graph_hash in DSSE annotations; store in bundle/manifests; verify presence before submit.

Immediate follow-ups

• Add a Rekor/DSSE gap task to the relevant sprint (e.g., mirror/offline or reachability evidence) to close RK1–RK10 with owners/dates.
• Enforce payload preflight + chunked-manifest pattern; route public/private per policy; bundle Sigstore artifacts with shard-aware checkpoints and idempotency keys.
• Update verify tooling and kits to validate shard, checkpoint freshness, and policy/graph annotations; add retry/error taxonomy in submission workers.

Findings – Gaps in “Opening Up a Reachability Dataset”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 26-Nov-2025 - Opening Up a Reachability Dataset.md

Method: Read the advisory and cross-checked with benchmark efforts (Sprint SPRINT_0513_0001_0001_public_reachability_benchmark) and reachability evidence chain requirements. Focused on dataset governance, determinism, legal/sanitization, and scoring reproducibility.

Gap Table

ID	Area	Gap	Impact	Recommendation
RD1	Dataset legal/sanitization	Advisory calls for “sanitized subset” but lacks a documented sanitization checklist (license vetting, PII/secrets scan, binary redistributability).	Legal/redistribution risk; dataset could ship non-redistributable code.	Create SANITIZATION checklist + automated scans (license, PII/secret, binary redistribution) and require DSSE-signed approval per case.
RD2	Feed freeze & provenance	No requirement to lock feed snapshots (package indexes, OSV/OVAL) or record tool hashes for dataset generation.	Re-runs may differ; external feeds could change labels.	Require manifest.lock.json with feed snapshot IDs/hashes, tool image digests, rule hashes; sign with DSSE.
RD3	Schema + validator maturity	Graph/truth schemas mentioned but no published JSON Schemas, examples, or validator in CI.	Contributions may drift, breaking harness compatibility.	Publish JSON Schemas (graph, truth, dataset, scores), example fixtures, and a CI validator; fail PRs on schema violations.
RD4	Ground-truth evidence depth	“Ground truth” is listed but not tied to evidence (oracles, traces, proof of reachability/unreachability).	Labels may be disputed; reproducibility weak.	Require per-case evidence bundle refs (tests/traces/patch-oracle) with hashes; include explainability path or sink evidence.
RD5	Binary cases scope	Binary mini-cases are proposed but no guidance on stripped vs unstripped, symbol source, or patch-oracle expectations.	Binary ground truth may be unverifiable or unrepeatable.	Define binary case recipe: stripped/unstripped pairs, symbol source, build-id capture, patch-oracle outputs, required callgraph format.
RD6	Determinism enforcement	Determinism is asserted but no CI check to rerun harness N times and compare hashes; no reproducibility budget.	Dataset could regress into non-determinism unnoticed.	Add determinism CI: rerun harness 3x, compare hashes of scores/outputs; fail on drift >0; publish hash manifest.
RD7	Benchmark scoring transparency	Metrics listed but no frozen baselines, sample outputs, or severity of failure handling.	Hard to compare tools; contributors can’t validate locally.	Provide baseline runs (naïve/imports-only/call-depth-2/Stella reference) with signed result JSON; document expected scores and tolerance (zero drift).
RD8	Submission & contribution policy	No CLA/contribution policy, review gate, or DSSE requirement for contributed cases.	Low-quality or malicious contributions; legal exposure.	Add CONTRIBUTING + CLA notice; require DSSE-signed case submissions with validator run; mandate maintainer review + two sign-offs.
RD9	Versioning & change log	Releases (v0.1/v0.2) suggested but no change-log format or deprecation rules for cases.	Consumers can’t track breaking changes; reproducibility breaks silently.	Adopt semantic dataset versions; keep CHANGELOG with per-case changes; do not delete cases—deprecate via metadata and keep old versions.
RD10	Offline/air-gap parity	Advisory says offline-friendly but does not require bundling dataset + harness with hashes for air-gap users.	Air-gapped users may get incomplete data or mismatched hashes.	Ship benchmark-kit.tgz with dataset, schemas, harness image digest, hash manifest, and DSSE signature; include offline VERIFY instructions.

Immediate follow-ups

• Add a reachability-dataset gaps task to Sprint SPRINT_0513_0001_0001_public_reachability_benchmark to close RD1–RD10.
• Publish JSON Schemas and validators; add determinism CI (multi-run hash compare) and baseline result artifacts; extend manifest.lock with feed/tool hashes and DSSE signing.
• Define sanitization checklist, binary case recipe, contribution/CLA/DSSE requirements, and offline kit packaging for dataset+harness.

Findings – Gaps in “Use Graph Revision IDs as Public Trust Anchors”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md

Method: Read the advisory and compared with reachability evidence chain plans (Sprint SPRINT_0401_0001_0001_reachability_evidence_chain), graph storage, and UI/CLI needs. Identified missing contracts to make revision IDs enforceable, verifiable, and cross-service consistent.

Gap Table

ID	Area	Gap	Impact	Recommendation
GR1	Manifest definition	Advisory references manifest inputs but provides no formal schema or canonical serialization rules.	Different generators may compute different hashes for the same graph; revision IDs become inconsistent.	Publish graph-revision-manifest.schema.json, define canonical JSON (sorted keys, UTF-8), and add test vectors.
GR2	Hash algorithm / encoding	BLAKE3 suggested, but not mandated; no encoding (hex/base58) or truncation rules; no multi-alg support.	Consumers may hash with different algos/encodings, breaking rev IDs and auditability.	Mandate algo (e.g., BLAKE3-256 hex), length, and encoding; allow optional multi-alg field for PQ/interop; include in manifest.
GR3	Immutability enforcement	Advisory says “never reuse” but doesn’t specify storage or API constraints preventing mutation/overwrite of a revision.	Revisions could be overwritten or garbage-collected, breaking evidence chains.	Enforce append-only storage with FK from nodes/edges to graph_revision_id; forbid UPDATE/DELETE; tombstone with 410 on purge with audit log.
GR4	Lineage and diff metadata	Parent linkage is suggested but not required; no guidance on diff computation/storage.	Hard to compare revisions or trace lineage; UI “compare” may be inconsistent.	Require parent_revision_id and optional diff summary/hash; expose GET /graphs/{id}/revisions/{rev}/diff/{rev2} API; store edge delta counts.
GR5	Cross-artifact linkage	Advisory doesn’t mandate recording feed/policy/graph evidence hashes in the manifest or DSSE.	Revision IDs may not tie back to SBOM/VEX/policy, weakening trust anchor use.	Include SBOM, VEX, policy/lattice, tool image digests, and config flags in manifest; sign manifest with DSSE and reference in ledger.
GR6	UI/CLI surfacing & copy accuracy	UI copy button suggested but no requirement for truncation rules or full-id availability; no CLI flags.	Users may copy truncated IDs, causing ambiguity; CLI/URL parity may diverge.	Define display rules (short form = first 12 chars, full available via tooltip/CLI); add CLI --rev everywhere graph data is fetched.
GR7	Sharding/tenant scope	No guidance on tenant scoping or shard IDs when revisions live in multi-tenant stores.	Cross-tenant leakage or wrong-shard lookups.	Include tenant_id and optional shard_id in manifest and storage keys; enforce isolation in queries/APIs.
GR8	Pinning/governance	Pinning is suggested but not tied to roles, approvals, or audit trails.	Unauthorized pins could bless bad graphs; lack of traceability.	Require dual approval for pin, store pin metadata (who/when/why), expose audit log, and DSSE-sign pinned manifest.
GR9	Retention & GC	No retention rules for old revisions; risk of GC breaking cited URLs.	Audits break if revisions are garbage-collected.	Define retention policy (e.g., never GC pinned/cited revisions; age-based GC only with archive snapshot), with tombstone records.
GR10	Offline/air-gap verification	No instruction to bundle manifests/revisions in offline kits.	Air-gapped users can’t verify revisions or evidence.	Include revision manifests + DSSE in offline/mirror bundles; add VERIFY steps for graph revisions.

Immediate follow-ups

• Add a graph-revision gap task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain to close GR1–GR10.
• Publish manifest schema and canonical hashing rules; enforce append-only storage, lineage metadata, and DSSE-signed manifests with cross-artifact digests.
• Update UI/CLI contracts to surface full/short revision IDs, add shard/tenant context, and pin/audit workflows; include revision manifests in offline kits.

Findings – Gaps in “Blueprint for a 2026‑Ready Scanner”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md

Method: Read the roadmap advisory and compared it to ongoing scanner/SPDX/VEX/SLSA work (sprints 0186, 0401, 0513). Identified gaps to make the blueprint actionable, deterministic, and standard-aligned.

Gap Table

ID	Area	Gap	Impact	Recommendation
SC1	Standards convergence plan	Advisory lists CVSS v4.0, CycloneDX 1.7, SLSA 1.2 RC2 but no migration/compatibility plan across pipeline stages.	Fragmented adoption; mixed outputs; audit pain.	Publish a standards convergence roadmap with cutover dates, dual-write periods, and fallback rules; map each stage (SBOM, VEX, provenance, scoring) to target versions.
SC2	CycloneDX 1.7 / CBOM support	No requirement to emit CBOM or structured citations from scanner/SBOMer.	Crypto/algorithm visibility and provenance claims missing; compliance gaps.	Extend SBOM outputs to CycloneDX 1.7 with CBOM + citations; hash-lock; add tests/fixtures.
SC3	SLSA 1.2 Source Track	Blueprint notes SLSA 1.2 but no plan to capture Source Track provenance (repo tree hash, reviewer attestations).	Provenance chain incomplete; cannot meet SLSA 1.2 expectations.	Add Source Track capture to build/scan manifests (source digest, branch, PR/reviewer attestations), and emit DSSE predicates.
SC4	Multi-version compatibility	No downgrade/compatibility handling for consumers that only speak v3.1 (CVSS), CDX 1.6, or SLSA 1.0.	Downstream tools may break or silently ignore fields.	Define compatibility matrix and adapters: v4→v3.1 CVSS mapping, CDX1.7→1.6 reducer, SLSA1.2→1.0 reducer; gate by feature flags.
SC5	Determinism & reproducibility guardrails	Blueprint asserts determinism but lacks CI checks for multi-run hash stability across new standards (CDX1.7, SLSA1.2).	Silent drift when enabling new formats; audits fail.	Add determinism CI covering SBOM/VEX/provenance outputs under new formats; require zero hash drift across N runs; publish hash manifests.
SC6	Evidence breadth (binary & source)	Binary reachability + source provenance alignment is not detailed (stripped binaries, symbol sources, build-id capture).	Incomplete evidence chain; harder to defend reachability claims.	Require binary fixtures with build-id, symbol source, patch-oracle; include in reachability manifests; tie to Source Track data.
SC7	Policy/UX surfacing	No UX/API plan to surface new metadata (CBOM, citations, SLSA source fields, dual-sign info).	Users can’t see or export the richer evidence; tooling divergence.	Update API/UI schemas to display CBOM fields, citations, source provenance, dual-sign algs; add export/CLI flags.
SC8	Testing/baselines	No baseline vectors/fixtures for CVSS v4.0 + CDX1.7 + SLSA1.2 combined.	Hard to validate integrations; regressions likely.	Create baseline fixture set and golden outputs combining all three standards; include in CI and offline kit.
SC9	Governance & approvals	No decision forum or owner assignments for adopting new standards.	Risk of piecemeal or stalled adoption.	Create an approval checklist and owner map per standard; require sign-off before enabling defaults.
SC10	Offline/air-gap parity	No plan to package new artifacts (CBOM, SLSA source attestations) in offline kits/mirrors.	Air-gapped customers miss key metadata; parity broken.	Extend offline kits/mirror bundles with CBOM, source-provenance attestations, and combined hash manifest; update VERIFY docs.

Immediate follow-ups

• Add a scanner blueprint gaps task to the relevant scanner/replay sprint (e.g., SPRINT_0186_0001_0001_record_deterministic_execution) to close SC1–SC10.
• Publish a standards convergence roadmap, add CDX 1.7/CBOM outputs and SLSA 1.2 Source Track fields to manifests, create compatibility adapters, and add determinism CI + golden fixtures.
• Update UI/API/export and offline-kit packaging to surface and ship the new metadata; define governance/approvals for enabling defaults.

Findings – Gaps in “Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md

Method: Read the architecture brief and compared with scanner/SBOM/VEX pipeline sprints (0186, 0401, 0513) and replay/attestation standards. Focused on missing contracts needed to operationalize the SBOM-first spine deterministically and offline-ready.

Gap Table

ID	Area	Gap	Impact	Recommendation
SP1	Canonical contracts	Brief lists APIs (/scan, /sbom, /attest, /vex-gate, /diff, /unknowns) but no shared schemas or versioning for requests/responses.	Services may drift; CLI/UI integrations break.	Publish versioned API/DTO schemas (OpenAPI + JSON Schema) for each endpoint; add conformance tests.
SP2	Predicate/edge schema	Edge predicates (contains, reachable_via, overridden_by, etc.) not formally specified (fields, required evidence).	Graph interoperability and evidence linking become ambiguous.	Define graph predicate schema with required evidence refs and hash fields; enforce in ingestion and policy layers.
SP3	Unknowns workflow contract	State machine suggested but no API/DB contract or SLA/timeouts.	Unknowns handling inconsistent; SLAs unenforceable.	Define Unknowns schema, allowed transitions, SLA clocks, and audit events; add API/CLI endpoints and tests.
SP4	Bundle format lock	Bundle layout shown but not versioned or signed; no required hashes/DSSE for inputs.lock.	Replay/air-gap parity weak; bundles could be tampered.	Version and sign bundle manifest (inputs.lock) with DSSE; require hash list for all contents; define upgrade path.
SP5	Diff semantics	SBOM↔SBOM and SBOM↔runtime diffs lack canonical rules (normalization, matching keys, ignore lists).	Different engines produce different diffs; policies unreliable.	Specify diff normalization (PURL+version+hash, case, ordering), ignore rules, and deterministic output schema; add golden fixtures.
SP6	Offline feed parity	Feeds section mentions bundles but no freeze/refresh policy or snapshot hashes.	Offline runs may diverge; replay breaks.	Require feed snapshot IDs/hashes in bundles; define staleness windows and refresh workflow; fail closed on mismatch.
SP7	DSSE/Trust chain enforcement	DSSE is assumed but not mandated per hop; no required predicates or Rekor/mirror policy.	Unsigned evidence may enter spine; audit gaps.	Mandate DSSE predicates per stage (scan, sbom, policy-verified, vex); enforce verification before ingest; record Rekor/mirror evidence or local ledger entry.
SP8	Policy lattice versioning	Lattice/policy hash referenced but not versioned or stored alongside decisions.	Decisions may not be reproducible; audits fail.	Store policy version/hash in decisions/proofs; sign policy bundles; add policy registry with changelog.
SP9	Performance/scale constraints	No guidance on scale limits (graph size, evidence size, timeout budgets) or pagination for APIs.	Risk of outages/DoS; inconsistent client behavior.	Define performance envelopes, pagination defaults, evidence size caps; add load tests and limits in APIs.
SP10	Cross-standard alignment	Brief references SBOM (CDX/SPDX) and VEX but no explicit mapping of fields and hashes between SBOM, attestations, graph nodes, and policy outputs.	Evidence chain may be non-joinable; explainability suffers.	Define crosswalk mapping (SBOM IDs → graph nodes → VEX products → policy decisions) with required identifiers/hashes; add conformance tests.

Immediate follow-ups

• Add a spine-gap task to a relevant sprint (e.g., SPRINT_0186_0001_0001_record_deterministic_execution) to close SP1–SP10 with owners/dates.
• Publish versioned schemas for APIs, predicates, bundles, diffs, and Unknowns; mandate DSSE predicates per stage and policy lattice versioning; add deterministic fixtures and offline parity rules.

Findings – Gaps in “Explainability Layer for Vulnerability Verdicts”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md

Method: Read the explainability advisory and compared with reachability evidence chain (Sprint SPRINT_0401_0001_0001_reachability_evidence_chain) and VEX/policy outputs. Focused on making explanation graphs canonical, verifiable, and integrated with DSSE/Rekor and offline kits.

Gap Table

ID	Area	Gap	Impact	Recommendation
EX1	Canonical schema & hashing	Explanation graph JSON is outlined but lacks formal schema, canonicalization rules, and hash/test vectors.	Different services could hash/serialize differently → signatures break, audits fail.	Publish explanation-graph.schema.json, define canonical JSON (sorted keys, UTF-8), hash algorithm, and test vectors; enforce in emitter/validator.
EX2	DSSE predicate type & signing	DSSE is suggested but no predicate type or signing policy defined (key set, Rekor/mirror usage).	Unsigned/weakly signed graphs may enter system; replay impossible.	Define predicate stella.ops/explanationGraph@v1; require DSSE signing + Rekor/mirror record or bundle; verify on ingest.
EX3	Evidence blob integrity	Evidence nodes include hashes but no required storage location rules, size limits, or redaction guidance.	Evidence may be mutable, missing, or leak sensitive data.	Enforce CAS-style storage with content hashes, max size limits, redaction checklist; require DSSE for large evidence manifests.
EX4	Linkage to decisions & policy	Advisory does not mandate linking explanation graphs to specific policy/lattice versions or decision IDs.	Explanations can’t prove they correspond to the shipped decision; weak audit trail.	Require decision_id, policy_hash, rules_hash fields; store in graph and DSSE annotations; verify on load.
EX5	Runtime/graph alignment	No requirement to align explanation graph nodes with graph_revision_id or runtime evidence refs.	Explainability may diverge from actual graph/version used for verdict.	Include graph_revision_id and references to runtime traces; validate they match the decision’s revision.
EX6	UI/CLI export & replay	Export/verify flow is suggested but no standard bundle format or scripts are defined.	Users can’t easily replay explanations; offline parity weak.	Define explanation-bundle.zip layout (graph JSON, evidence blobs, verify script), add CLI stella explain verify/export, and VERIFY steps for offline kits.
EX7	Privacy/PII controls	No guidance on redacting PII/secret data inside evidence/summary fields.	Explanations could leak sensitive info in support/exports.	Add PII/secret scan + allowlist for evidence summaries/refs; fail export if violations; log redactions.
EX8	Performance/size budget	No size or performance budgets for explanation graphs; large graphs could bloat UI/exports.	Slow UI, oversized bundles, increased storage.	Set size limits (nodes, evidence count, blob size), add truncation rules with “omitted_count” fields; monitor metrics.
EX9	Versioning & evolution	No schema versioning/compatibility policy for explanation graphs.	Breaking changes could invalidate stored explanations.	Add schema_version, changelog, and compatibility policy; include migration guidance in docs.
EX10	Testing/baselines	No baseline fixtures or golden tests for explanation graphs.	Changes may break explainability without detection.	Create golden fixtures and regression tests (hash-stable) for sample vulnerabilities; include in CI and offline kits.

Immediate follow-ups

• Add an explainability-gaps task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain to close EX1–EX10 with owners/dates.
• Publish schema, canonicalization rules, DSSE predicate, and verification scripts; align graphs with policy decisions and graph revisions; add PII controls, size budgets, and golden fixtures/export tooling.

Findings – Gaps in “Late‑November SBOM & VEX competitor”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Late‑November SBOM & VEX competitor.md

Method: Reviewed competitor snapshot (Syft/Grype, Trivy, Xray, Clair) against StellaOps ingestion, normalization, offline bundles, and deterministic evidence chain. Identified gaps to harden interoperability, determinism, and risk tracking.

Gap Table

ID	Area	Gap	Impact	Recommendation
CM1	External SBOM/scan normalization	No mandatory normalization/validation layer for third-party SBOMs/scans (Syft/Trivy/Clair).	Upstream schema/PURL bugs propagate into graphs and VEX decisions.	Add normalization/validator with schema version detection, PURL repair heuristics, and quarantine for anomalies before ingest.
CM2	Signature & provenance verification	Advisory suggests ingesting external outputs but no requirement to verify SBOM/DB signatures (Syft attestation, grype-db signatures).	Untrusted data could enter evidence chain; offline bundles unverifiable.	Require signature/DSSE verification for all external SBOMs/DBs; fail closed if missing/invalid; record signer in manifests.
CM3	DB snapshot governance	No policy for mirroring/updating external vuln DBs (grype-db, Trivy, Xray) with hashes/staleness windows.	Drift or schema mismatch causes nondeterministic results; offline users get stale data.	Define snapshot schedule + staleness SLA; store hashes, schema version, signer; include in manifest.lock; block use when stale/mismatched.
CM4	Compatibility adapters	No defined adapters/mappers for Syft/Trivy/Clair SBOM/scan outputs to Stella canonical graph.	Ingest paths may diverge or break on upstream changes.	Build and test adapters per tool with golden fixtures; versioned compatibility matrix; feature-flag per tool version.
CM5	PURL/identity anomaly tests	No regression tests for known upstream bugs (e.g., Syft Go PURL issues).	Previously fixed issues may reappear unnoticed.	Add anomaly test suite with upstream bug vectors; run in CI against normalizer; block regressions.
CM6	Offline bundle parity	No standard for packaging external tool data (SBOM + vuln DB) into offline bundles with DSSE.	Air-gap customers can’t verify third-party inputs or keep parity with online.	Define “external-ingest-kit” format: SBOMs, DB snapshot, signatures, manifest DSSE; add VERIFY script.
CM7	Risk dashboard linkage	Competitive signals not linked to sprint tasks/risk register.	PM/Eng may miss urgency when upstream tools change.	Add competitor risk tracker linking tool versions to ingestion adapters and staleness alerts; surface in Decisions & Risks.
CM8	Performance & fallback	No policy for fallback when external tool output is malformed or too large.	Pipelines may fail hard or produce partial graphs.	Define fallback paths (skip record + alert, or degrade to minimal component list); set size/time limits for ingest.
CM9	Transparency of third-party data	No requirement to surface which external tool/version produced each ingested record.	Difficult to audit blame when data is wrong.	Store source_tool, tool_version, signature_key, snapshot_id per ingested artifact and expose via API/CLI.
CM10	Benchmark parity	No plan to reflect external-tool baselines in public benchmark datasets.	Benchmark may not capture real-world ingestion diversity; weak external credibility.	Include Syft/Trivy/Clair baselines and anomaly cases in benchmark fixtures; publish signed baseline outputs.

Immediate follow-ups

• Add a competitor-ingest gaps task to a scanner/replay sprint (e.g., SPRINT_0186_0001_0001_record_deterministic_execution) to close CM1–CM10.
• Implement external-ingest normalization/verification (signatures, schema detection), adapters with golden fixtures, snapshot governance with staleness SLAs, and offline bundle packaging for third-party tools.
• Track upstream tool releases in a risk dashboard tied to ingestion adapters; expose source tool/version in APIs; add baselines/anomaly cases to benchmarks.

Findings – Gaps in “Making Graphs Understandable to Humans”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Making Graphs Understandable to Humans.md

Method: Reviewed the explainability-for-edges advisory against graph evidence chain work (Sprint SPRINT_0401_0001_0001_reachability_evidence_chain). Focused on schema governance, determinism, UI/API surfacing, and auditability of edge reasons/evidence.

Gap Table

ID	Area	Gap	Impact	Recommendation
EG1	Reason enum governance	Reason glossary provided but no canonical enum/spec, versioning, or extension process.	Different services may use divergent strings; comparisons and explainers break.	Publish edge-reason.enum.json with versioning and change-control; enforce via schema/validator.
EG2	Canonical edge schema	Edge metadata structure (reason/evidence/provenance/confidence) not formally schematized or hash-normalized.	Serialization drift breaks determinism and hashing; API/UI may diverge.	Define edge.schema.json (canonical JSON rules) and add hash/test vectors; require in graph storage and exports.
EG3	Evidence limits & redaction	No limits or redaction rules for evidence strings (could leak secrets/PII or bloat UI).	Sensitive data exposure; large payloads; audit risk.	Add max counts/lengths, PII/secret scan, allowlist of evidence types; truncate with indicator.
EG4	Confidence rubric	Confidence values (high/medium/low) lack a shared rubric.	Inconsistent scoring; auditors can’t compare.	Publish a rubric per reason type; require detector to set confidence per rubric; validate in CI.
EG5	Detector/rule provenance	Detector/rule_id suggested but not required or standardized.	Hard to trace which rule emitted an edge; audit gaps.	Require detector and rule_id fields; enforce format (component@version, stable rule key); include in DSSE annotations.
EG6	UI/CLI parity	Advisory describes UI snippets but no API/CLI contract to fetch reason/evidence.	UI/CLI may diverge; exporters may drop fields.	Update graph APIs/CLI exports to include edge metadata; add “Why” column in tables and explain drawer; ensure same fields in CSV/JSON.
EG7	Determinism tests	No deterministic test/fixture set for edge reasons/evidence across reruns and languages.	Re-runs may change reasons; explainability becomes unstable.	Add golden fixtures per language (static/dynamic/import/reflection/binary cases) and rerun-hash CI.
EG8	Integration with VEX/explanation graphs	No requirement to propagate edge reasons into explanation graphs or VEX evidence.	Explainability chain broken between graph and verdict.	Include edge reason/evidence refs in explanation graph nodes and VEX evidence blocks; verify linkage.
EG9	Localization/UX copy	No guidance on truncation/localization of reason strings in UI exports.	Inconsistent UX; truncated data may lose meaning.	Standardize short code (enum) + localized label; truncate evidence separately; keep code intact.
EG10	Backfill/migration	No plan to backfill existing graphs with reason metadata.	Old edges lack reasons; mixed data quality.	Add backfill task with heuristics; flag edges without reasons; track progress metrics.

Immediate follow-ups

• Add an edge-explainability gap task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain to close EG1–EG10.
• Publish edge schema/enum/rubric, enforce in APIs/exports, add PII limits and deterministic fixtures, and ensure propagation into explanation graphs and VEX evidence.

Findings – Gaps in “Managing Ambiguity Through an Unknowns Registry”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md

Method: Read the advisory and compared with Signals/Unknowns work (Sprint SPRINT_0140_0001_0001_runtime_signals) and reachability evidence chain. Focused on contracts, determinism, decay/governance, and integration with SBOM/VEX/attestations.

Gap Table

ID	Area	Gap	Impact	Recommendation
UN1	Canonical schema & enums	Unknowns model described but no formal schema/enums (origin, reason, classification) or versioning.	Divergent implementations; data not portable across services.	Publish unknowns.schema.json with enums and version; add canonical JSON rules and test vectors.
UN2	Deterministic scoring spec	UR_t formula given but no fixed coefficients/rubrics or canonical hashable inputs.	Different services compute different scores; audits fail.	Define scoring config (B/A/T components, decay policy) with hashable manifest; pin defaults; add regression tests.
UN3	Decay policy registry	Decay policies (linear/exponential) not versioned or governed.	Changing decay silently alters risk posture.	Create decay_policies catalog with IDs, params, validity window; sign changes; include in manifest.
UN4	Evidence/provenance capture	No required evidence fields (e.g., entropy hints, section anomalies, missing signature) or attestation linkage.	Unknowns lack reproducible evidence; hard to resolve/audit.	Require evidence block with hashes/pointers; link to DSSE/scan attestation IDs; store in CAS.
UN5	Integration with SBOM/VEX	Unknowns not mandated to link to SBOM components/VEX decisions once resolved.	Unknowns remain orphaned; risk roll-up incomplete.	On resolution/mapping, persist component/VEX links; update portfolio metrics; emit event.
UN6	SLA/gates & suppression policy	Gates suggested but no enforceable SLA fields or suppression rules/expiry.	Releases may ignore critical unknowns; suppressions never expire.	Add SLA fields (age thresholds, UR_t caps); suppression requires reason+expiry; enforce in policy gate.
UN7	API/CLI surfaces	APIs sketched but not specified (filters, pagination, status transitions).	UI/CLI divergence; automation brittle.	Define REST/GraphQL contract with filters, transitions, audit logging; add CLI verbs with consistent flags.
UN8	Observability & reporting	No metrics/log schema for burn-down, age histograms, P90 UR_t, or top contributors.	Hard to track improvement or alert on regressions.	Emit metrics and weekly report template; add alerts on SLA breaches and stalled decay jobs.
UN9	Offline/air-gap parity	No requirement to include unknowns and decay config in offline bundles/replay manifests.	Air-gapped audits can’t reproduce unknowns state.	Include unknowns records + decay policies in replay/air-gap bundles; verify hashes during replay.
UN10	Backfill/migration plan	No plan to backfill existing unresolved “unknown-like” findings into registry.	Legacy gaps persist; metrics skewed.	Add migration/backfill task with heuristics; tag inferred records; track completion.

Immediate follow-ups

• Add an unknowns-gap task to Sprint SPRINT_0140_0001_0001_runtime_signals to close UN1–UN10 with owners/dates.
• Publish unknowns schema, scoring/decay manifests, API/CLI contracts, and CAS-backed evidence rules; enforce SLA/suppression policies, metrics, and offline bundle inclusion.

Findings – Gaps in “Verifying Binary Reachability via DSSE Envelopes”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md

Method: Read the binary reachability DSSE advisory and compared with reachability evidence chain tasks (Sprint SPRINT_0401_0001_0001_reachability_evidence_chain) and scanner binary ingest. Focused on schema, determinism, attestation, and offline parity for binary edges.

Gap Table

ID	Area	Gap	Impact	Recommendation
BR1	Predicate & schema mandate	Schemas shown (envelope, call-edge) but not declared canonical/required across Scanner/Attestor/Policy.	Services may emit incompatible predicates; verification fails.	Publish and version dsse-envelope-v1, call-edge-statement-v1 schemas as canonical; enforce in CI and ingestion.
BR2	Canonical edge ID & hashing	EdgeId suggested but no canonical hash recipe (ordering, normalization, encoding).	Duplicate/mismatched edges across tools; dedupe fails; DSSE hashes unstable.	Define canonical edge tuple (caller, callee, reason, policy_hash) with sorted/normalized fields; hash algo/encoding fixed; add test vectors.
BR3	Evidence linkage for binaries	Edge schema allows optional evidenceHash but no required evidence types (CFG, trace, relocation) or CAS storage rules.	Weak proofs; auditors can’t verify reachability claims.	Require evidence refs per edge (CFG/trace/reloc) with content hash and CAS pointer; include in DSSE predicate.
BR4	Build-ID/variant handling	BuildId optional; no rule for stripped binaries, symbol servers, or multiple variants.	Edges may not map to correct binary; replay fails on variant mismatch.	Require build-id or content hash; add symbol/variant mapping rules; record symbol source (PDB/dSYM/ELF).
BR5	Policy/hash alignment	PolicyHash field present but no governance on policy versions or lattice linkage.	Edges may be signed against unknown policy; difficult to replay.	Mandate policy registry ID/hash and lattice version; fail verification if unknown.
BR6	Transparency/log routing	Rekor/bundle flow not mandated; shard/log selection undefined.	Attestations may be unlogged or logged inconsistently; offline parity weak.	Require DSSE + Sigstore bundle with shard/log ID; include in offline kits; verify on ingest.
BR7	Idempotent submission & retries	No guidance on idempotency keys or retry policy for log submissions.	Duplicate or missing log entries.	Use deterministic submission key (edge hash + subject digest + log target); retry policy with backoff; dedupe store.
BR8	Performance/size limits	No size or chunking guidance for large CFG/trace evidence.	Log rejects big payloads; pipelines fail.	Set size limits; chunk evidence with manifest + hashes; store blobs in CAS; log only hashes.
BR9	API/CLI/UI surfacing	No contract to expose binary edge attestations in API/CLI/UI or to export verification bundles.	Users can’t inspect/verify binary proofs; adoption suffers.	Add API/CLI flags to fetch/export binary edge bundles; UI badge for DSSE-verified edges; include in explainers.
BR10	Test fixtures	No golden fixtures for binary edges (ELF/PE/Mach-O) with DSSE envelopes.	Regressions may go unnoticed; cross-tool compatibility untested.	Create fixture set (ELF/PE/Mach-O) with known edges, evidence, and signed envelopes; add CI verification.

Immediate follow-ups

• Add a binary-reachability gap task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain to close BR1–BR10 with owners/dates.
• Publish canonical schemas, hashing rules, evidence requirements, and bundle/log policies; add fixtures and API/CLI surfaces for binary DSSE proofs with offline parity.

Findings – Gaps in “Authentication and Authorization Architecture”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Authentication and Authorization Architecture.md

Method: Reviewed the authN/authZ advisory against Authority posture, cross-service scope usage, sovereign crypto sprint (0514), and offline/air-gap needs. Focused on token binding, scope governance, revocation/rotation, and offline verification gaps.

Gap Table

ID	Area	Gap	Impact	Recommendation
AU1	Scope catalog governance	65+ scopes listed but no canonical catalog versioning or change-control; role bundles not hash-tracked.	Scope drift across services; hard to audit who had what permission when.	Publish signed scope-catalog.json with version/hash; require services to load catalog by version; track role bundle hashes.
AU2	Audience & tenant enforcement defaults	Advisory describes tenant/audience claims but no enforcement defaults or fail-closed behavior specified per service.	Services may accept tokens without tenant/audience checks; risk of cross-tenant access.	Mandate per-service config: require tid, aud, cnf; fail-closed; add conformance tests.
AU3	DPoP/mTLS coverage & nonce policy	DPoP/mTLS required for some audiences but no explicit coverage matrix or nonce freshness policy.	High-value endpoints may be reachable with bearer tokens or replayable proofs.	Publish coverage matrix (audience→binding), require nonce for signer/attestor/orch, and add rejection metrics/alerts.
AU4	Revocation bundle SLA & format	Revocation bundles defined but no freshness SLA or schema versioning; offline verification rules absent.	Offline/air-gap may trust stale revocation; auditors lack assurance.	Version revocation-bundle schema; set freshness SLA (e.g., <5m); include signed timestamp/log sequence; verify in gateways.
AU5	Key rotation governance	Rotation noted but no mandatory overlap windows, audit log, or DSSE/JWS proofs of key state.	Clients may fail during rotation; provenance unclear.	Require dual-active keys with defined overlap, signed key-state manifest, and audit events; add rotation playbook tests.
AU6	Sovereign crypto profile selection	Profiles (FIPS/eIDAS/GOST/SM/PQ) mentioned but no negotiation or per-tenant profile selection rules.	Wrong algorithms in regulated regions; interoperability issues.	Define crypto-profile registry with allowed algs per tenant/installation; include in tokens and JWKS metadata; enforce per-audience minima.
AU7	Offline/air-gap verification path	No end-to-end example for verifying tokens/DPoP/mTLS and revocation offline.	Air-gapped deployments can’t validate tokens confidently.	Provide offline verifier bundle (JWKS, revocation, policy) + verify-auth.sh; add docs and tests.
AU8	Delegation quotas & guardrails	Delegated service accounts described but no enforcement of quotas per tenant/client or audit of delegation chains.	Delegated tokens could proliferate, increasing blast radius.	Enforce quotas per tenant/service account; log delegation chain in act; add alerts on quota breaches.
AU9	Attribute-based access (ABAC) semantics	ABAC attributes listed without schema/versioning or evaluation order; no conflict resolution with scopes.	Inconsistent policy outcomes; privilege escalation risk.	Define ABAC schema, precedence rules (deny-overrides), and evaluation order; version attributes; add tests.
AU10	Observability & conformance tests	Metrics listed but no conformance suite to assert binding/audience/scope enforcement across services.	Regressions may ship unnoticed; inconsistent enforcement.	Create auth conformance tests (per service) and dashboards with SLOs for binding failures, audience/tenant rejection rates; run in CI.

Immediate follow-ups

• Add an auth gaps task to Authority/crypto sprint (e.g., SPRINT_0314_0001_0001_docs_modules_authority or crypto sprint) to close AU1–AU10 with owners/dates.
• Publish signed scope/role catalogs, binding/audience matrices, revocation/JWKS schemas with freshness SLAs, offline verifier bundle, crypto-profile registry, and conformance tests per service.

Findings – Gaps in “CLI Developer Experience and Command UX”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - CLI Developer Experience and Command UX.md

Method: Reviewed the CLI advisory against current CLI sprints (0201/0202/0205 series) and offline/DSSE/auth requirements. Focused on determinism, auth security, distribution, compatibility, and testability.

Gap Table

ID	Area	Gap	Impact	Recommendation
CL1	Command/flag compatibility contract	No versioned command/flag catalog or deprecation policy; exit codes listed but not tied to a spec.	Breaking changes may hit CI; exit-code drift breaks pipelines.	Publish versioned CLI spec (commands/flags/exit codes), with deprecation policy and compatibility tests per release.
CL2	Deterministic output guarantees	Advisory claims deterministic output, but no hash/fixture tests for JSON/table modes or locale/time effects.	CI comparisons may flake; hashes change across runs/locales.	Add golden fixtures for JSON/table outputs with fixed locale/UTC; run multi-run hash tests in CI.
CL3	Auth hardening in CLI	DPoP described but no rotation/cleanup policy for stored keys; device-code cache binding undefined; no check for audience default misuse.	Stale keys or weak binding can leak access; wrong audience tokens used.	Enforce key rotation/cleanup, bind device-code cache to user+machine, default audience validation, and add stella auth doctor.
CL4	Offline/air-gap kit parity	Offline kit commands listed, but kit format, hash checks, and failure modes not specified.	Air-gap imports may be partial or unverifiable.	Define offline-kit CLI contract (manifest hash verify, required contents, failure handling); add tests.
CL5	Binary distribution verification	Distribution plan mentions signatures but no mandatory cosign verification on install/self-update.	Users may run tampered binaries.	Require cosign verify on install/update; publish public key fingerprints; add --verify default on self-update.
CL6	Buildx plugin provenance	Buildx installer verifies signature but lacks policy for pinned digest/version and rollback.	Supply-chain risk if plugin tag changes; rollbacks hard.	Pin plugin image digest; store policy file; add rollback and provenance report command.
CL7	Telemetry/analytics governance	No opt-in/out policy or schema for telemetry (if any) in CLI.	Compliance/privacy risk; inconsistent behavior.	Document telemetry policy; default off; add explicit flags/env; schema for emitted events; tests ensuring default off.
CL8	Accessibility/UX consistency	No a11y standards (colorblind-safe palettes, tty detection) or consistent UX patterns across commands.	Poor usability; inconsistent outputs.	Add UX guidelines: color palette, width detection, pager rules, TTY/non-TTY detection; enforce via lint/tests.
CL9	Error/help localization & structure	Help/error messages not versioned or structured; no machine-readable hints for tooling.	Harder to script; poor UX for non-English locales.	Standardize error/help schema (codes + detail + remediation); optional localization; ensure JSON errors match exit codes.
CL10	CI install/upgrade reliability	Install script is curl	sh with no checksum enforcement; no offline install path defined.	CI supply-chain risk; offline CI blocked.

Immediate follow-ups

• Add a CLI gaps task to the relevant CLI sprint (e.g., SPRINT_0201_0001_0001_cli_i or SPRINT_0202_0001_0001_cli_ii) to close CL1–CL10.
• Publish a versioned CLI spec with compatibility/deprecation rules, add golden output/exit-code tests, enforce cosign verification and offline-kit contracts, harden auth key handling, pin buildx plugin digests, and document telemetry/UX/a11y standards.

Findings – Gaps in “CLI Developer Experience and Command UX” (added)

Findings – Gaps in “Findings Ledger and Immutable Audit Trail”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md

Method: Reviewed the ledger advisory against ledger/Merkle/export work and offline/air-gap expectations. Focused on schema governance, external anchoring, tenant isolation, redaction, determinism, and replay/export parity.

Gap Table

ID	Area	Gap	Impact	Recommendation
FL1	Event/ledger schema versioning	Event and projection shapes are described but no versioned JSON Schemas or canonical serialization rules.	Producers/consumers may diverge; hash/cycle validation may fail.	Publish versioned schemas for events/projections/exports with canonical JSON rules and test vectors; sign schema catalog.
FL2	Merkle config & external anchoring	Merkle anchoring noted, but no mandated external anchoring policy, shard/log metadata, or checkpoint freshness.	Tamper evidence weaker; air-gap replay cannot validate freshness.	Define Merkle policy (batch size/window/algo) plus external anchor rules (log/shard ID, checkpoint freshness SLA); include in exports.
FL3	Chain fork handling & tombstones	Forks are “prohibited” but no explicit behavior/logging/audit when conflicts occur; no tombstone policy.	Fork attempts may go unnoticed; auditors lack evidence.	Require fork detection with audit events + DSSE record; tombstone/410 rules; expose metrics.
FL4	Tenant isolation & redaction	Tenant mention present but no redaction rules for exports or portable bundles; no isolation tests.	Cross-tenant leakage risk in exports.	Enforce tenant-scoped chains; redact tenant IDs in portable exports with redaction manifest; add isolation tests.
FL5	Payload redaction/PII	Comment text “hashed” noted but no redaction/allowlist for other fields; no size limits.	PII may leak; exports may bloat.	Define redaction/allowlist, size limits, and evidence rules; enforce before hash; document in schema.
FL6	Policy/version linkage	policyVersion and evidenceBundleRef exist but lattice/version governance not mandated; no DSSE for events.	Decisions not reproducible; weak audit link between policy and ledger.	Require DSSE-signed events or batch manifests including policy hash, lattice version, graph_revision_id; verify on ingest/export.
FL7	Export determinism & golden fixtures	Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports.	Regressions may go unnoticed; reproducibility claims weak.	Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering.
FL8	Replay/rebuild tooling	Projection rebuild guidance minimal; no checksum for rebuild outputs.	Rebuilds may diverge from ledger state; audits fail.	Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests.
FL9	Air-gap verifier	Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations).	Air-gapped audits may be incomplete.	Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests.
FL10	Performance envelopes & quotas	SLOs listed but no quotas/backpressure for append/export per tenant or chain.	Hot tenants could starve others; risk of data loss under load.	Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load.

Immediate follow-ups

• Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10.
• Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure.

Findings – Gaps in “DSSE‑Signed Offline Scanner Updates — Developer Guidelines”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: User-provided advisory “DSSE‑Signed Offline Scanner Updates — Developer Guidelines” (not yet in repo); cross-checked against docs/24_OFFLINE_KIT.md, docs/modules/scanner/operations/dsse-rekor-operator-guide.md, and sprints 160/162 attestation work.

Method: Evaluated the proposed offline bundle pattern (DSSE envelope + Rekor v2 receipt + manifest + payload) and activation flow against existing offline-kit, scanner import, attestation, and determinism/air-gap requirements. Identified missing controls, governance, and telemetry required to make the pattern enforceable and replayable.

Gap Table

ID	Area	Gap	Impact	Recommendation
DS1	Trust bundle rotation & revocation	Advisory pins publisher/rekor keys but omits rotation channel, expiry/NotAfter checks, or revocation response (key compromise, revoked cert, mirror drift).	Stale or compromised keys could continue to sign/verify bundles; rollback to bad keys possible in air-gaps.	Define signed “trust bundle” schema with key set, expiry, revocation list, and provenance; enforce NotBefore/NotAfter on activation; require quorum/M-of-N to rotate keys and store rotation receipts alongside bundles.
DS2	Rekor freshness & offline proof	Verification only checks receipt vs DSSE hash; no requirement to validate the Rekor checkpoint/root, inclusion promise window, or bundled log segment authenticity.	Attackers can replay old receipts or splice receipts from another tree; air-gapped sites may trust stale proofs.	Require checkpoint verification (root hash, size, log ID) and freshness bound; when offline, bundle signed log segment + checkpoint DSSE; fail closed if segment/hash mismatches.
DS3	Manifest/schema canonicalization	manifest.json shape/version/canonical rules are undefined; hash algo/encoding not fixed; no schema signature.	Producers/consumers may compute different digests → false negatives/acceptance of tampered bundles.	Publish versioned JSON Schema with canonical ordering, SHA-256 as default, strict types; sign manifest with DSSE/JWS and include schema version in filename and trust_id.
DS4	Supply-chain provenance for bundle build	Build pipeline steps (hashing, signing, Rekor submission) lack attestation/SLSA provenance; no binding to source commit, tool versions, or build runner hash.	Malicious/compromised build host could emit validly signed but malicious payloads; hard to audit.	Produce SLSA/DSSE build attestation for each bundle (builder ID, git commit, tool versions, reproducible build inputs); verify attestation before accepting bundle into cache.
DS5	Anti-replay & rollback detection	Monotonicity check uses manifest.version but no binding to prior trust state or recorded trust_id; no replay window/nonce; force-activate bypass not audited.	Old bundles can be reintroduced (malicious or operator error); rollback may go unnoticed in air-gaps.	Persist last_good {version, trust_id, rekor_root} in append-only state; require version strictly increasing unless signed rollback exception; log and DSSE-sign every activation/force-activation event.
DS6	Delta/partial bundle rules	Contract only shown for full bundles; deltas/partials not defined (expected final state, base hash, tombstones).	Deltas may apply on wrong base, producing diverging DB contents without detection.	Define delta schema: base_version/base_hash, operations (add/remove/replace), resulting snapshot hash; verify base before apply; generate synthetic full-hash after apply and compare to declared target.
DS7	Per-file integrity & compression safety	Defense-in-depth note mentions file hashes but not mandatory verification of each entry inside payload.tar.zst, compression flags, or TOCTOU protection when extracting.	Tampering inside tar/zst could slip through if only outer hash is checked; extraction could overwrite symlinks or traverse directories.	Require per-entry hashes in manifest, validated before extraction; use safe extractor that rejects symlinks/.. paths and enforces uid/gid/perm allowlist; verify zstd dictionary/levels; hash post-extract contents before swap.
DS8	Config/feature flags & policy surface	requireDsse-style enforcement hinted but not specified across Scanner, CLI, Worker; no migration plan or policy gate.	Mixed deployments may silently skip DSSE/Rekor checks or drift from policy; inconsistent enforcement.	Add explicit config matrix (API/UI/CLI) with default requireDsse=true, rollout guard (observe→enforce), and policy gate that blocks imports lacking DSSE/Rekor unless override is signed and time-bound.
DS9	Observability & SLOs	Telemetry suggests reason codes but no SLOs, alerts, or metrics for freshness, failure streaks, rollback attempts, or trust-bundle age.	Operators lack visibility; silent drift or repeated failures may persist.	Define metrics (bundle_activate_total{reason}, rekor_freshness_seconds, trust_bundle_age_hours, rollback_attempt_total), alerts on stale checkpoint/keys or repeated failures, and trace spans around verify steps; document SLOs.
DS10	Recovery & quarantine governance	Quarantine step lacks retention period, evidence capture, or reprocessing flow; no checklist for operator actions or RCA evidence.	Quarantined bundles may be reintroduced without fix; root causes lost.	Require quarantine manifest (bundle hash, failure reason, logs, time, operator); set retention/SLA; add reanalyze job that re-verifies after trust-bundle/rekor updates; document runbook.
DS11	Multi-tenant/namespace scoping	Advisory assumes single trust root/cache; no scoping for multi-tenant or env-specific feeds (prod/stage/regional crypto profiles).	Wrong bundles could be activated in other tenants/regions; policy/cert profile mismatches.	Partition cache and trust state by tenant/env/crypto profile; include tenant/profile in DSSE predicate and activation state; block activation on mismatch.
DS12	Offline-kit parity & kit manifest linkage	Bundle layout is local-only; not bound to existing Offline Kit manifest/attestations; no guidance for importing via OUK or Export Center bundles.	Duplicate verification logic; kit imports may skip DSSE/Rekor or mismatch manifest coverage.	Align bundle schema with OUK: include pointers into offline-kit manifest, ensure kit contains DSSE/Rekor files, and require Scanner import to treat them as mandatory; add shared schema/docs.

Immediate follow-ups

• Add a gaps-remediation task to the relevant attestation/offline sprints (e.g., SPRINT_0162_0001_0001_exportcenter_i, SPRINT_0163_0001_0001_exportcenter_ii, SPRINT_0510_0001_0001_airgap, or Scanner import sprint) covering DS1–DS12.
• Draft and publish versioned schemas for bundle manifest, delta bundles, trust bundle, and Rekor segment packaging; include canonicalization rules and test vectors.
• Extend offline-kit and Scanner import docs to mandate DSSE/Rekor checkpoint verification, per-entry hashing, safe extraction, append-only state, and tenant/profile scoping; wire metrics/alerts into observability docs.
• Add CI/fixtures: reproducible bundle build attestation, delta/base mismatch tests, rollback/replay tests, stale checkpoint/key tests, and quarantine reprocessing tests.

Findings – Gaps in “StellaOps Storage Blueprint (PostgreSQL patterns per module)”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: Pasted advisory “Here’s a crisp, opinionated storage blueprint…” / “StellaOps – PostgreSQL Patterns per Module” (2025-12-01 draft).

Method: Reviewed the blueprint against module dossiers (Authority, Routing, VEX, Unknowns, Artifact), high-level architecture, and prior advisories on ledger/evidence/offline posture to identify missing guarantees, hardening steps, and operability gaps.

Gap Table

ID	Area	Gap	Impact	Recommendation
SB1	Tenant isolation	DDL examples mostly omit tenant_id and tenant-based RLS; policies rely only on app.user_id.	Cross-tenant data exposure or cache bleed; feature flags/routing/unknowns not tenant-safe.	Make tenant_id uuid not null mandatory on tenant-scoped tables, enforce base RLS tenant_id = current_setting('app.tenant_id')::uuid, and add partial indexes by tenant.
SB2	RLS hardening	Blueprint assumes set_config but lacks guards for unset/invalid session vars, role separation, or SECURITY DEFINER safety.	Mis-set sessions bypass RLS; superuser paths may leak data.	Add check_app_context() function used in policies, deny access when settings missing, separate DB roles per service, and forbid bypass for pg_read_all_data.
SB3	Partitioning & retention	High-volume tables (audit_log, oauth_token, outbox, unknowns history) not partitioned; no retention/archival plan.	Storage bloat, slow scans, expensive VACUUM; audit trails hard to manage.	Time/tenant partition heavy tables; enforce retention/archival to CAS; add DROP PARTITION/vacuumd runbooks and metrics.
SB4	Indexing & query plans	Several hot-path queries lack indexes (e.g., feature_flag(key, version), audit_log(actor_id, at), GIN on JSONB facts/unknowns, partial indexes on open unknowns).	Latency spikes and table scans; MV refreshes slow.	Specify required indexes per table and refresh cadence; add EXPLAIN baselines in migrations/tests.
SB5	HA/DR & PITR	No posture for replication, failover, backups, or PITR testing.	Data loss/outage risk; compliance gaps.	Standardize HA (streaming replica) with async/sync policy per module, scheduled base/backups + PITR drills, and recovery SLOs documented.
SB6	Migration/dual-write plan	Cutover phases describe read adapters but omit dual-write/backfill, consistency checks, and abort criteria.	Divergence between Mongo and Postgres; hard rollback.	Add dual-write phase with idempotent keys, reconciliation jobs, hash-based diff reports, and automated rollback switch; document stop conditions.
SB7	Schema governance	schema_version fields exist but no schema registry, compatibility rules, or SemVer/change-log requirements.	Breaking changes may ship unnoticed; clients can’t validate payloads.	Create schema catalog with SemVer and DSSE signatures; enforce compatibility checks in CI and at runtime; require migration playbooks per version bump.
SB8	CDC security & scoping	Logical replication recommended without tenant filtering, column-level exclusions, or connector isolation.	Sensitive data may leak to analytics/third parties; multi-tenant isolation broken.	Use publication per module/tenant, exclude secret columns, TLS/auth for connectors, and add redaction/field allowlists plus monitoring for lag/divergence.
SB9	Outbox robustness	Outbox table lacks idempotency keys, ordering/fencing rules, poison-message handling, and backpressure metrics.	Duplicate or lost events; dispatcher loops under load.	Add (aggregate_type, aggregate_id, topic, created_at) unique key, status enum, retry/backoff policy, dead-letter bucket, and observability counters; keep dispatcher transactional.
SB10	Cache governance (Redis)	Cache keys/TTLs noted but no tenant/env namespacing, warm/cold coherence rules, or fail-closed behavior.	Cross-tenant bleed or stale flags/routes; silent fallback to outdated cache.	Namespaces (env:tenant: prefixes), include version in keys, require cache-miss fallback to Postgres with freshness checks, and metrics/alerts on hit ratio + staleness.
SB11	Artifact index & CAS hygiene	CAS index lacks GC policy, tag/alias governance, encryption/ACL guidance, or tenant-scoped storage paths; signatures optional.	Digest store grows unbounded; cross-tenant leakage via shared blobs; unverifiable artifacts.	Add GC rules (refcount/last-access), tenant-scoped buckets/prefixes, mandatory signature refs, encryption at rest + access policy, and offline mirror/verify scripts.
SB12	Observability & SLOs	Metrics mentioned but no SLOs/alerts for MV lag, replication lag, RLS policy hits, outbox lag, refresh failures, or Redis divergence.	Operational drift undetected; regressions hit users before detection.	Define per-module SLOs and alerting; ship dashboards; add self-test queries in readiness probes; fail-fast on MV refresh/CDC gaps.
SB13	Security & compliance	No explicit at-rest/transport encryption, audit of DDL/config changes, or data-classification/PII rules for JSONB payloads.	Compliance risk; uncontrolled sensitive data storage.	Enforce TLS, TDE/disk encryption, pgaudit/DDL logging, classified columns with masking/redaction, and PII allowlists plus periodic scans.

Immediate follow-ups

• Open a sprint task (e.g., under data/platform hardening) to close SB1–SB13 with owners/dates and link to this finding.
• Produce migration/dual-write and partitioning runbooks per module; add schema catalog (versioned, signed) and required indexes to migrations.
• Define HA/DR posture, CDC scoping rules, cache namespacing, artifact GC/ACL policy, and observability SLOs; wire alerts and self-tests into services.

Findings – Gaps in “Verifiable Proof Spine → Moat (receipts + benchmarks)”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: “Here’s a crisp, practical way to turn Stella Ops’ ‘verifiable proof spine’ into a moat—and how to measure it.” (includes “Developer Guidelines – Benchmarks for a Testable Security Moat”).

Method: Read the advisory and attached developer guidelines; compared with related advisories already filed (Graph Revision IDs as Public Trust Anchors, Evidence Bundle and Replay Contracts, Reachability Benchmark Fixtures Snapshot, Comparative Evidence Patterns) and the current bench/ layout to surface missing contracts, controls, and enforcement hooks.

Gap Table

ID	Area	Gap	Impact	Recommendation
VM1	Graph Revision contract	Graph Revision ID recipe lacks canonical serialization rules (sorting, normalization, hash alg/encoding), multi-alg/PQ plan, and provenance fields (feeds/policies/tools).	Different services may compute divergent hashes; receipts tied to non-canonical IDs become unverifiable or collide.	Publish graph-revision-manifest.schema.json with canonical JSON rules, mandated hash alg (e.g., BLAKE3-256 hex) and optional multi-alg, plus required digests for feeds, policies, tool images, config flags; add test vectors.
VM2	DSSE predicate & receipt schema	Predicate stellaops.dev/verdict@v1 is named but not specified (required fields, canonicalization, clock source, list ordering) nor versioning/compatibility rules.	Receipts may serialize differently across services; signature verification and replay can fail; upgrades may break stored receipts.	Define versioned predicate schema + canonical JSON (sorted keys, UTC + monotonic timestamp pair, fixed decimal precision); publish validation tests and compatibility guidance; enforce in emitters/validators.
VM3	Signing policy & key lifecycle	“Sign with Authority” omits key hierarchy, rotation cadence, dual-sign (ECDSA+PQ) strategy, Rekor/mirror anchoring, and tenant scoping.	Long-lived receipts risk key compromise or compliance gaps; no traceable lineage for rotated keys; multi-tenant trust not isolated.	Document signing policy: key roles (online/offline/HSM), M-of-N custody, rotation/burn rules, dual-sign option, Rekor/mirror anchoring metadata, and tenant-scoped key IDs; enforce policy hash in receipts.
VM4	Receipt storage, retention, and isolation	Postgres table is suggested but lacks retention/GC rules, compression/dedup, encryption-at-rest, RBAC/tenant isolation, and sharding guidance.	Store can bloat; sensitive proofs may be exposed across tenants; replay/export may be inconsistent.	Define storage contract: per-tenant partitioning/shards, append-only receipts, row-level encryption, TTL/archival policy, dedup by (graphRevisionId, verdictId, algo), and export manifests with hashes.
VM5	Reachability slice / symbol proof schema	Call-stack slices and binary symbol proofs lack formal schema, size budgets, architecture coverage (ARM/ppc), redaction rules for paths/symbols, and validation tooling.	Proofs may leak PII/paths, explode in size, or be unusable for replay; binaries without symbols remain unprovable.	Publish schemas for slices and symbol proofs with max nodes/bytes, required fields (arch, offset, hash of slice), redaction/normalization rules, and validator/golden fixtures; add fallback proof type when symbols absent.
VM6	Replay Manifest governance	Replay manifest is named but not required to be DSSE-signed, canonically serialized, or to pin feeds/rulepacks/tool digests/time anchors; no CI gate uses it.	Auditors cannot trust manifests; replays may drift due to unstated feed/tool changes; CI may miss drift.	Define replay.manifest.json schema, canonical JSON, DSSE signing, and required fields (feeds/tool digests/policies/config, fake clock seed); add CI job to rerun gold fixtures and compare graph hashes against the manifest.
VM7	“No receipt, no ship” enforcement path	Rule is declarative; no enforcement points defined (scanner pipeline, policy engine, API, UI), no failure taxonomy, and no override/waiver process.	Receipts may be missing yet verdicts ship; users see inconsistent states; overrides may bypass audit.	Add fail-closed checks in scanner/policy APIs and UI gating; define error codes for missing/invalid receipts; require signed waiver/override records and metrics for violations.
VM8	Benchmark corpus governance & ground truth	Benchmarks call for public corpus and baselines but lack governance: licensing/sanitization checklist, ground-truth labels with evidence, competitor selection matrix, and contribution/review rules.	Metrics may be non-reproducible or legally risky; baseline comparisons could be biased or outdated.	Create benchmark governance doc: sanitized corpus manifest with hashes/DSSE, ground-truth evidence bundles, contributor CLA/review rules, competitor/baseline selection matrix, and staleness SLAs; store under bench/manifest.* and sign.
VM9	Benchmark determinism & resource profile	Metrics (FP reduction, triage time, proof coverage, determinism) are defined but no reference hardware/profile, seeding rules, retry/timeout policy, or multi-run hash check.	Results vary run-to-run or across machines; comparisons and claims lose credibility.	Pin reference runner (CPU/RAM, cgroups), seeds, thread limits, timeouts; add multi-run hash stability check in bench/scripts/run_benchmarks and publish tolerances; mark strict scenarios that must be zero-drift.
VM10	Observability, alerts, and export kits	Advisory lacks required metrics/alerts for signature failures, graph-hash drift, missing proofs, or benchmark regressions, and doesn’t define the “audit kit” packaging/signing.	Failures may go unnoticed; auditors/buyers cannot independently verify kits; offline users lack parity.	Instrument counters/alerts for receipt verify failures, graph drift, proof coverage gaps, benchmark regressions; define audit-kit layout (receipts + manifest + replay + verify script) with DSSE signature and include in offline kits/export center.

Immediate follow-ups

• Add a proof-spine/receipt gap-remediation task to Sprint SPRINT_0401_0001_0001_reachability_evidence_chain covering VM1–VM7.
• Add a benchmark governance/determinism task to Sprint SPRINT_0513_0001_0001_public_reachability_benchmark covering VM8–VM10, tying to bench/ manifests and CI jobs.
• Draft and publish schemas (graph revision, verdict predicate, replay manifest, reachability proofs) plus golden fixtures/tests; wire fail-closed receipt checks and observability alerts into scanner/policy pipelines and UI/API gating.

Findings – Gaps in “SBOM→VEX Proof Spine Blueprint”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: Chat-supplied advisory “tight, practical blueprint to turn your SBOM→VEX links into an auditable proof spine…” (not yet filed under docs/product-advisories/).

Method: Parsed the advisory, aligned it with Authority/Policy/Scanner evidence-chain expectations and existing sprint SPRINT_0401_0001_0001_reachability_evidence_chain, and checked for determinism, governance, tenancy, and offline parity gaps.

Gap Table

ID	Area	Gap	Impact	Recommendation
PS1	Trust anchor lifecycle & conflicts	Per-dependency TrustAnchor is defined but lacks lifecycle rules (creation approval, change control, supersedes flow) and conflict resolution when multiple anchors match a purl or SBOMEntry.	Anchor drift can silently change accepted signers; conflicting anchors can cause verification bypass or denial.	Require signed TrustAnchor records with version, createdBy, supersedes, and deterministic purl matching precedence; add dual-control approvals and DSSE for anchor mutations; fail closed on ambiguous anchor selection.
PS2	Revocation/rotation enforcement	Revocation list is mentioned but no policy for how existing spines/receipts behave after key revocation or anchor update; no rollback window or re-issuance rules.	Auditors may accept spines signed by revoked keys; replay may fail inconsistently.	Define revocation semantics (hard-fail vs warn), require re-verification tasks on revocation, emit new spines/receipts when anchors change, and publish “revoked-but-accepted-until” grace policy with metrics/alerts.
PS3	Predicate schemas & test vectors	Predicate types are named (evidence.stella/v1, etc.) but no JSON Schemas, canonicalization vectors, or compatibility commitments.	Producers may serialize differently, leading to hash mismatches and unverifiable bundles.	Publish signed JSON Schemas + canonical JSON rules and golden test vectors for evidence/reasoning/VEX/spine; include field-level required/optional rules and normalization of enums/whitespace/precision.
PS4	Merkle/ProofBundle recipe	ProofBundleID is “merkle root” but algorithm (tree shape, path ordering, hash algo, duplicate handling, domain separation) is unspecified.	Different implementations will derive different bundle IDs for the same inputs, breaking interoperability.	Standardize Merkle recipe (hash algo, leaf format, deterministic ordering, duplicate policy, domain tags); provide reference implementation and fixtures.
PS5	Evidence failure/negative cases	Flow assumes successful evidence; no schema for failed scans, partial results, or “absence of evidence” attestations.	Missing DSSE records allow silent gaps; verification may over-trust incomplete data.	Define evidence.stella/v1 variants for failures/partial coverage with required error codes and scope; require DSSE for failures and include them in ProofBundleID computation.
PS6	SBOM evolution & backfill	SBOMEntryID ties to sbomDigest+purl, but no rules for updated SBOMs, component renames, or superseded SBOM versions; backfill of historical spines not described.	Proof history can fragment; replay may mismatch SBOM version to spine.	Add SBOM versioning/backfill policy: immutable sbomDigest, supersedesSbomDigest, migration tasks to regenerate spines for changed entries, and UI/API to view lineage.
PS7	Third-party VEX & dual anchors	Import of vendor VEX is implied but no contract for dual-anchor verification (vendor + internal), status translation, or provenance preservation.	Imported VEX may be re-signed without proof of origin; status semantics can drift from vendor meaning.	Require vendor VEX verification against vendor anchor, preserve original envelope bytes, tag provenance, and optionally co-sign under Authority; define status mapping table and conflict resolution.
PS8	Storage security & tenancy	Postgres/blob layout shown but lacks tenant scoping, row-level security, encryption at rest, and retention/GC policy for blobs and envelopes.	Cross-tenant data leakage risk; unbounded storage growth; unverifiable deletions.	Enforce tenant/namespace columns with RLS, encrypt blobs, add retention classes + GC rules, and record DSSE-backed delete/tombstone manifests instead of hard deletes.
PS9	API contract & versioning	API endpoints are sketched without authZ roles, pagination, ETags, error codes, or versioning strategy; no idempotency keys for POST.	Clients may integrate inconsistently; accidental duplication or cache poisoning possible.	Define OpenAPI with versioned paths, RBAC roles (Authority/Viewer/Auditor), pagination/caching semantics, idempotency keys, and deterministic error models; add conformance tests.
PS10	Observability & SLIs	Metrics/logging expectations are absent (only UX hints); no alerts for verification drift, revocation, hash mismatch, or signer skew.	Integrity regressions may go unnoticed; auditors lack evidence of continuous enforcement.	Add required counters/histograms (verify pass/fail by reason, anchor conflicts, revocation hits, recompute drift), structured logs with IDs, and alert thresholds; document runbooks.
PS11	Offline/export kit parity	Advisory references offline friendliness but does not define export format (bundle layout, signatures, chunking), replay script, or air-gap verification inputs.	Air-gapped users cannot verify or may accept tampered kits; deterministic replay claims weaken.	Specify offline proof kit (SBOM + envelopes + anchors + schemas + Merkle recipe) with signed manifest and verify script; include chunking rules and hardware profile for replay.
PS12	Key custody & PQC coexistence	Keys live in Authority, but custody model, M-of-N approval, audit trails, and PQC dual-sign verification order are not defined.	Single-operator compromise or ambiguous verification precedence; PQ readiness unverifiable.	Define key hierarchies per environment, dual-control ops, signed key-rotation records, verification precedence (ECDSA vs PQ), and audit logging; ship HSM/KMS policy guidance.
PS13	Receipts schema & cache invalidation	Receipt structure is mentioned but not versioned; no rules for cache TTL, re-issuance when evidence/policy changes, or signing requirements.	Stale receipts may circulate; auditors cannot trust replay date/tool versions.	Version receipt schema, include verifier version/time, anchor IDs, tool hashes, policy hash; require DSSE signing; enforce cache TTL and auto-invalidate on anchor/policy change.
PS14	Performance/backpressure & dedup	No throughput/latency SLOs, queue/backpressure rules, or deduplication of envelopes for identical inputs.	Service overload or ballooning storage; duplicate envelopes inflate Merkle roots.	Define SLOs and per-tenant quotas; require deduplication by hash/predicate; add idempotent processing with backoff and metrics on drops/retries.

Immediate follow-ups

• Add a gaps-remediation task to SPRINT_0401_0001_0001_reachability_evidence_chain (or create a new sprint for the proof spine) covering PS1–PS14 with owners/dates.
• Publish signed JSON Schemas, Merkle recipe, and test vectors for evidence/reasoning/VEX/spine/receipt; wire canonicalization tests into CI.
• Draft TrustAnchor lifecycle/rotation policy (dual-control, revocation handling, ambiguity fail-closed) and update Authority/Policy docs accordingly.
• Define offline proof-kit packaging + verifier script and include metrics/alerts/runbooks for verification drift and anchor conflicts.

Findings – Gaps in “Time-to-Evidence (TTE) Metric”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 01-Dec-2025 - Time-to-Evidence (TTE) Metric.md

Method: Evaluated TTE proposal against StellaOps UX/telemetry architecture (UI sprints 0209/0215, Telemetry core 0180). Focused on instrumentation fidelity, data quality, SLO coverage, caching/streaming readiness, offline/tenant safety, and governance.

Gap Table

ID	Area	Gap	Impact	Recommendation
TTE1	Proof eligibility definition	“First proof” not formally defined (what counts as proof per surface; screenshots vs raw artifacts).	Inconsistent measurement; teams may emit on summaries.	Define proof eligibility per surface (SBOM line with bomRef + hash, reachability edge with graph rev, VEX clause with evidence ID); forbid summaries; add contract tests.
TTE2	Event schema/versioning	Event fields are informal; no schema/version, tenant scope, or PII redaction guidance.	Broken joins and leakage across tenants; dashboards unreliable.	Publish versioned tte-event.schema.json with required fields (finding_id, tenant_id, proof_kind, source, ui_version, synthetic flag), redaction rules, and validation in collectors.
TTE3	Correlation & dedupe	No guidance on deduping multiple proof_rendered events per open, retries, or tab refresh.	Over-counting inflates TTE; noisy alerts.	Define correlation rules (per finding_id + view instance), keep first-proof TTE canonical, bucket retries separately; add idempotency key.
TTE4	Sampling & bot exclusion	Sampling hinted but no hard targets, bot filters, or synthetic tagging.	Skewed metrics; false regressions.	Require 100% in staging, ≥50% prod with bot/synthetic exclusion flag; document filter and include in rollups.
TTE5	SLO scope & budgets	P95=15s stated globally; no per-surface SLOs, error budgets, or burn alerts.	Hot pages regress without alarms; mixed workloads masked.	Set per-surface SLOs (list/detail/deep-link, per proof_kind), define 28-day error budget and burn alerts; add regression guard in CI.
TTE6	Backend readiness (indexes/streaming)	Pre-index/streaming called out but no required indexes, chunk sizes, or fallback for cold caches.	P95 fails in prod despite UI work.	Mandate indexes (pkg@version, graph node, bomRef), first-chunk SLA (<200ms), cache warmers for top-N findings, and fallback to cached proof slice.
TTE7	Offline/air-gap mode	No rules for TTE when offline kits are used (local proofs) or when proofs are unavailable.	Air-gapped users show infinite TTE or misleading empties.	Define offline TTE path: local proof sources, explicit “offline proof unavailable” state, separate source=offline_kit; exclude from online SLO or bucket separately.
TTE8	Alerting & dashboards	Dashboards listed but no alert policies, runbooks, or ownership.	Slow drift unnoticed; no on-call action.	Create alert rules (P95>15s 15m, P99>30s 15m) with owners, runbook, and suppression windows; add weekly trend review.
TTE9	Governance & release gates	No requirement to block releases on TTE regression or to store baselines.	Regressions ship silently.	Add release check: compare P95 vs previous release by proof_kind/page; block if >20% regression unless waived; store baseline snapshots.
TTE10	Accessibility & layout	Evidence-above-fold rule stated but no viewport spec, keyboard/a11y checks, or fallback for long proofs.	Users may still miss proof or fail accessibility audits.	Define viewport targets (e.g., 1366x768), a11y checks (ARIA/Tab order for proof panel), truncation rules with “copy full proof”, and Playwright a11y test for TTE scenarios.

Immediate follow-ups

• Add TTE1–TTE10 remediation task TTE-GAPS-0215-011 to Sprint SPRINT_0215_0001_0001_vuln_triage_ux (primary UI owner) with telemetry alignment to Sprint SPRINT_0180_0001_0001_telemetry_core.
• Publish tte-event.schema.json, proof eligibility rules per surface, sampling/bot filters, per-surface SLO/error budgets, required indexes/streaming SLOs, offline-kit handling, alert/runbook, release gate, and a11y/viewport test cases.

Findings – Gaps in Archived November Advisories (15–23 Nov 2025)

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: All advisories in docs/product-advisories/archived/ dated 15–23 Nov 2025 (e.g., embedded in-toto provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, reachability corpus, etc.).

Method: Skimmed each archived advisory and consolidated common gaps; focused on missing schemas, determinism/replay rules, tenant/redaction, offline parity, and ownership. Kept to 1–2 high-impact gaps per advisory to seed backlog without expanding scope excessively.

Gap Table

Advisory (archived)	Gap ID	Gap	Impact	Recommendation
Embedded in-toto provenance events	AR-EP1	No canonical event/predicate schema or DSSE requirement; relies on narrative.	Provenance unverifiable; toolchain drift.	Publish provenance-event.schema.json, require DSSE, include tool version + policy hash; add fixtures.
Function-level VEX explainability	AR-FX1	Lacks stable IDs for function nodes/edges and reachability proofs.	Explanations not replayable; links break.	Define function-node ID scheme, require graph_rev, shortest-path proof bundle; add determinism tests.
Serdica census Excel import blueprint	AR-SE1	No PII redaction or checksum rules for Excel ingest.	Data leakage; non-deterministic imports.	Add redaction/allowlist, checksum manifest, DSSE receipt per import, and replay script.
Proof spine for quiet alerts	AR-PS1	“Proof spine” undefined (hash recipe, bundle layout, failure cases).	Quiet alerts un-auditable.	Standardize spine (hash algo, ordering, failure records), DSSE-sign, and ship fixtures.
Scanner roadmap diff-aware rescans	AR-SR1	No determinism guards (seed/time clamp) for rescans.	Drift across runs; flaky diffs.	Enforce fixed seeds/UTC, sorted outputs, golden diffs CI.
Layer-SBOM cache hash reuse	AR-LS1	Cache key recipe unspecified (layer ordering, tar flags, compression).	Cache collisions/misses; incorrect reuse.	Define canonical key recipe (ordered layer digests, normalized tar, compression flags) and validators.
Multi-runtime reachability corpus	AR-MR1	Corpus lacks licensing/provenance and ground-truth assertions.	Legal risk; unvalidated results.	Add license metadata, expected reachability assertions, DSSE-signed manifest.
SPDX canonical persistence / CycloneDX interchange	AR-SX1	No canonicalization rules (ordering, whitespace, encoding) across SPDX↔CDX.	Hash drift; signature breakage.	Publish canonicalization spec + round-trip tests, DSSE-sign outputs.
Validation plan for quiet scans (diff-CI)	AR-VQ1	No acceptance thresholds or negative/failure fixtures.	Quiet scans may suppress real issues.	Define threshold matrix, include failure/edge fixtures, CI gate on false-negative budget.
SBOM-Provenance-Spine (17 & 18 Nov)	AR-SP1	Duplicate advisories; spine lacks versioning and Merkle recipe.	Divergent implementations; audit gaps.	Declare single canonical doc, versioned spine schema, Merkle/hash recipe, DSSE signing.
Stripped-ELF reachability	AR-SEF1	No symbol-stripping fallback (DWARF absent) or redaction rules.	Binaries unprovable; PII path leaks.	Require fallback heuristics, redaction, and proof attestation format.
Binary Reachability Engine	AR-BR1	Performance/SLOs and determinism seeds absent.	Non-reproducible graphs; timeouts.	Set seed/time clamps, path-ordering rules, perf SLO, golden graphs CI.
C# Binary Analyzer	AR-CS1	No PURL mapping or IL-level canonical IDs.	Findings not linkable to packages; unstable links.	Define IL symbol IDs + PURL mapping rules; add hash anchors.
Patch Oracles	AR-PO1	Oracle decision schema undefined; no audit trail.	Wrong patch suggestions; untraceable.	Create oracle schema with inputs, decision, confidence, evidence; DSSE-sign and log.
Unknowns Registry (18 Nov)	AR-UR1	Registry schema/versioning missing; decay logic undefined.	Unknowns pile up; inconsistent triage.	Version registry schema, define decay/expiry fields, audit trail, and offline export.
ELF Build-ID mapping	AR-BI1	Build-ID→PURL mapping recipe not specified; no collision policy.	Misattribution; trust breaks.	Define mapping algorithm, collision handling, attestation with subject hashes.
.init_array constructors as reachability roots	AR-IA1	No rule for weighting/ordering roots or de-duplication.	Over/under-approx reachability.	Specify root precedence, dedupe, and evidence bundle with graph_rev.
Reachability & Moat Watch updates	AR-MW1	No change-log or checkpoint signing for updates.	Consumers can’t track or trust updates.	Add signed checkpoints, changelog, and freshness SLA.
Encoding binary reachability with PURL edges	AR-PE1	Edge encoding schema not versioned; arch-specific fields absent.	Cross-arch drift; parsing errors.	Version edge schema, require arch/endianness, hash of binaries, and fixtures.
Where Stella Ops Can Truly Lead	AR-ML1	Positioning lacks measurable targets or evidence asks.	Strategy not actionable.	Add 3–5 measurable targets (perf/SLO, replay fidelity) with proof requirements and owners.
Benchmarking determinism in vuln scoring	AR-BD1	No benchmark corpus or scoring reproducibility rules.	Claims unproven; regressions undetected.	Publish corpus + expected scores, hash manifest, DSSE results, CI reruns.
Publishing a reachability benchmark dataset	AR-RD1	Dataset packaging/licensing undefined; no integrity attestation.	Cannot redistribute or verify.	Add license metadata, manifest + hashes, DSSE attestation, offline kit.
Stella Ops vs Competitors	AR-SC1	Comparison lacks normalized criteria or evidence links.	Biased/unsupported claims.	Define criteria table, data sources, timestamps; include raw evidence links.
Verifying Binary Reachability via DSSE Envelopes (archived copy)	AR-VB1	Archived version lacks current DSSE predicate and Merkle recipe updates.	Divergence from active spec.	Mark superseded; link to active advisory; provide migration notes.

Immediate follow-ups

• Add an “Archived Advisories Gaps” tracker row to the relevant documentation sprint (e.g., SPRINT_300_documentation_process) to decide which archived topics merit revival; start with high-signal engine/graph items (AR-BR1, AR-SEF1, AR-PE1) and provenance items (AR-EP1, AR-SP1).
• For any archived advisory revived, create a fresh canonical advisory and sprint tasks; retire duplicates (e.g., SBOM-Provenance-Spine) with clear supersede notes.

Per-advisory gap summaries (archived)

Advisory	Concise Gap	Recommendation
Where Stella Ops Can Truly Lead	Strategy brief lacks measurable targets and evidence asks.	Define 3–5 measurable targets (perf/SLO, replay fidelity) with required evidence links and owners.
Benchmarking Determinism in Vulnerability Scoring	No corpus/expected scores; reproducibility undefined.	Publish benchmark corpus + expected scores with hash manifest and DSSE results; add CI rerun gate.
Binary-Reachability-Engine	Missing determinism seeds/time clamps and perf SLOs.	Fix seeds/UTC, path-ordering rules, perf SLO, golden graphs CI.
Branch · Attach ELF Build‑IDs for Stable PURL Mapping	Mapping recipe/collision policy absent.	Define Build-ID→PURL algorithm, collision handling, attestation with subject hashes.
Branch · Model .init_array Constructors as Reachability Roots	Root weighting/dedup rules missing.	Specify root precedence, dedupe policy, and graph_rev-bound evidence bundle.
Branch · Reachability & Moat Watch — Verified 2025 Updates	No signed checkpoints/changelog.	Add signed checkpoints with freshness SLA and changelog; distribute via DSSE snapshot.
CSharp-Binary-Analyzer	No IL symbol IDs or PURL mapping rules.	Define IL symbol ID + PURL mapping with hash anchors; add fixtures.
DSSE-Signed Offline Scanner Updates	(Archived) No canonical DSSE predicate or offline kit recipe.	Publish predicate schema, offline bundle layout, and verifier script with hashes.
Encoding Binary Reachability with PURL‑Resolved Edges	Edge schema unversioned; arch fields missing.	Version edge schema; require arch/endianness/binary hash; add fixtures.
Patch-Oracles	Oracle decision schema/audit trail undefined.	Create decision schema (inputs, decision, confidence, evidence) with DSSE signing and logging.
Publishing a Reachability Benchmark Dataset	Packaging/licensing/integrity unclear.	Add license metadata, manifest + hashes, DSSE attestation, offline kit.
SBOM-Provenance-Spine (17 & 18 Nov)	Duplicate docs; spine lacks versioning/Merkle recipe.	Declare canonical version, publish schema + Merkle recipe, DSSE-sign; mark duplicate superseded.
Stella Ops vs Competitors	Criteria/evidence not normalized.	Define comparison criteria table, data sources/timestamps, and raw evidence links.
Storage Blueprint for PostgreSQL Modules	Patterns lack tenancy/isolation and PITR/SLA specifics.	Add tenant isolation, PITR/SLA baselines, deterministic migrations, and signed change log.
Stripped-ELF-Reachability	No fallback when symbols absent; redaction undefined.	Provide fallback heuristics, redaction rules, and proof attestation format.
Unknowns-Registry	Schema/versioning and decay/expiry logic missing.	Version registry schema; add decay/expiry fields, audit trail, offline export.
Verifiable Proof Spine Receipts and Benchmarks	Proof spine hash recipe undefined; benchmarks missing.	Standardize hash/ordering, include failure cases, DSSE-sign; publish benchmarks.
Verifying Binary Reachability via DSSE Envelopes (archived copy)	Archived version diverges from active spec.	Mark superseded; link to active advisory; provide migration notes.
embedded in-toto provenance events	No event schema or DSSE requirement.	Publish provenance-event schema; require DSSE; include tool/policy hashes.
function-level vex explainability	Missing stable function IDs/graph_rev binding.	Define function-node IDs, require graph_rev, shortest-path proof bundle, determinism tests.
ipal serdica census excel import blueprint	No PII redaction or checksum rules.	Add redaction/allowlist, checksum manifest, DSSE receipt per import, replay script.
layer-sbom cache hash reuse	Cache key recipe unspecified.	Define canonical key (ordered layer digests, normalized tar/compression flags) and validators.
multi-runtime reachability corpus	Lacks licensing/provenance and ground truth.	Add license metadata, expected reachability assertions, DSSE-signed manifest.
proof spine for explainable quiet alerts	Spine definition missing (hash recipe/failures).	Standardize spine schema/ordering, include failure records, DSSE-sign fixtures.
scanner roadmap with deterministic diff-aware rescans	No determinism guards or seeds.	Enforce fixed seeds/UTC, sorted outputs, golden diff CI.
spdx canonical persistence cyclonedx interchange	No canonicalization rules across SPDX↔CDX.	Publish canonicalization spec + round-trip tests; DSSE-sign outputs.
validation plan for quiet scans provenance diff-ci	Lacks acceptance thresholds and negative fixtures.	Define thresholds and failure/edge fixtures; gate CI on false-negative budget.

Archived advisory stubs (per-advisory headings)

These stubs reference the consolidated AR- gap table above; no additional gaps beyond that table.*

Findings – Gaps in “Where Stella Ops Can Truly Lead”

See AR-ML1 in the archived gap table.

Findings – Gaps in “ Where Stella Ops Can Truly Lead”

See AR-ML1 in the archived gap table; archived filename contains a leading space.

Findings – Gaps in “Benchmarking Determinism in Vulnerability Scoring”

See AR-BD1 in the archived gap table.

Findings – Gaps in “Binary-Reachability-Engine”

See AR-BR1 in the archived gap table.

Findings – Gaps in “Branch · Attach ELF Build‑IDs for Stable PURL Mapping”

See AR-BI1 in the archived gap table.

Findings – Gaps in “Branch · Model .init_array Constructors as Reachability Roots”

See AR-IA1 in the archived gap table.

Findings – Gaps in “Branch · Reachability & Moat Watch — Verified 2025 Updates”

See AR-MW1 in the archived gap table.

Findings – Gaps in “CSharp-Binary-Analyzer”

See AR-CS1 in the archived gap table.

Findings – Gaps in “DSSE-Signed Offline Scanner Updates”

See AR-DS1 in the archived gap table.

Findings – Gaps in “Encoding Binary Reachability with PURL‑Resolved Edges”

See AR-PE1 in the archived gap table.

Findings – Gaps in “Patch-Oracles”

See AR-PO1 in the archived gap table.

Findings – Gaps in “Publishing a Reachability Benchmark Dataset”

See AR-RD1 in the archived gap table.

Findings – Gaps in “SBOM-Provenance-Spine”

See AR-SP1 in the archived gap table.

Findings – Gaps in “SBOM-Provenance-Spine”

See AR-SP1 in the archived gap table; duplicate advisory, treat 18-Nov version as canonical.

Findings – Gaps in “Stella Ops vs Competitors”

See AR-SC1 in the archived gap table.

Findings – Gaps in “Storage Blueprint for PostgreSQL Modules”

See AR-SB1 in the archived gap table.

Findings – Gaps in “Stripped-ELF-Reachability”

See AR-SEF1 in the archived gap table.

Findings – Gaps in “Unknowns-Registry”

See AR-UR1 in the archived gap table.

Findings – Gaps in “Verifiable Proof Spine Receipts and Benchmarks”

See AR-VP1 in the archived gap table.

Findings – Gaps in “Verifying Binary Reachability via DSSE Envelopes”

See AR-VB1 in the archived gap table.

Findings – Gaps in “embedded in-toto provenance events”

See AR-EP1 in the archived gap table.

Findings – Gaps in “function-level vex explainability”

See AR-FX1 in the archived gap table.

Findings – Gaps in “ipal serdica census excel import blueprint”

See AR-SE1 in the archived gap table.

Findings – Gaps in “layer-sbom cache hash reuse”

See AR-LS1 in the archived gap table.

Findings – Gaps in “multi-runtime reachability corpus”

See AR-MR1 in the archived gap table.

Findings – Gaps in “proof spine for explainable quiet alerts”

See AR-PS1 in the archived gap table.

Findings – Gaps in “scanner roadmap with deterministic diff-aware rescans”

See AR-SR1 in the archived gap table.

Findings – Gaps in “spdx canonical persistence cyclonedx interchange”

See AR-SX1 in the archived gap table.

Findings – Gaps in “validation plan for quiet scans provenance diff-ci”

See AR-VQ1 in the archived gap table.

Findings – Gaps in “Rekor Receipt Checklist for Stella Ops”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md

Method: Compared checklist to Authority/Attestor receipt requirements and DSSE/Rekor v2 posture. Focused on canonical schema, inclusion proof freshness, subject binding, provenance, offline verification, and governance.

Gap Table

ID	Area	Gap	Impact	Recommendation
RR1	Versioned receipt schema	Checklist lists fields but no versioned/signed JSON Schema for receipts or catalog.	Drift across services; clients accept malformed receipts.	Publish rekor-receipt.schema.json and signed schema catalog; enforce validation in issuer/consumer.
RR2	Inclusion proof & checkpoint	Inclusion proof/checkpoint optional; no freshness/window rules.	Receipts can be replayed after log forks or stale checkpoints.	Require inclusion proof + log checkpoint hash, shard, and max age; fail receipts outside window.
RR3	Subject & policy binding	Receipt doesn’t mandate subject hash, policy/lattice hash, or trust profile.	Auditors can’t bind receipt to the evaluated object/policy.	Make subject digest, policy hash, and trust profile mandatory fields; include in DSSE payload.
RR4	Client provenance	Client version/flags/TUF snapshot not captured.	Hard to audit which verifier path created receipt; incompatibility hidden.	Record client version, build hash, config flags, and TUF snapshot in receipt metadata.
RR5	Time integrity	TSA/clock-drift guardrails absent; no signed time source.	Stale or backdated receipts reduce evidentiary value.	Require TSA stamp or trusted time source ID and drift threshold; reject receipts beyond skew.
RR6	Offline/air-gap verification	Checklist omits offline verifier inputs/outputs and failure codes.	Air-gapped users can’t validate receipts deterministically.	Ship offline verify script spec (inputs: receipt, bundle, checkpoint; outputs: exit codes, hashes); include in kit.
RR7	Mirror bridging	No rules for mirroring Rekor receipts/checkpoints into offline mirrors.	Mirror freshness and tamper-evidence unclear.	Define mirror snapshot format (checkpoint + entries + DSSE), freshness SLA, and hash manifest for import.
RR8	Retention/governance	Retention/rotation and redaction not specified.	Receipts may be pruned/rotated without audit trail.	Set retention policy, rotation rules, legal hold, and DSSE-signed rotation records.
RR9	Alerting/observability	No metrics/alerts for receipt failures or checkpoint staleness.	Failures go unnoticed; weak operational posture.	Add metrics/alerts for validation failures, checkpoint age, TSA errors; surface SLOs.
RR10	Multi-tenant isolation	Tenant scoping and PII redaction rules absent.	Receipts could leak tenant data when exported.	Require tenant ID scoping, optional redaction map, and isolation tests for exports.

Immediate follow-ups

• Track RR1–RR10 under REKOR-RECEIPT-GAPS-314-005 in Sprint SPRINT_0314_0001_0001_docs_modules_authority.
• Publish signed schema/catalog, mandate inclusion proof freshness, subject/policy binding, client provenance, time integrity, offline verify script, mirror snapshot rules, retention governance, observability SLOs, and tenant-safe exports.

Findings – Gaps in “Standup Sprint Kickstarters”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Standup Sprint Kickstarters.md

Method: Reviewed the kickstarter checklist against sprint governance rules. Focused on deterministic ceremonies, dependency capture, evidence of readiness, and offline-friendly coordination.

Gap Table

ID	Area	Gap	Impact	Recommendation
SK1	Template conformance	Kickstarters don’t map to the sprint template (Topic/Scope, Dependencies, Docs prereqs).	Teams improvise structure; omissions persist.	Add a canonical “kickstarter” template aligned to sprint template; enforce via docs lint.
SK2	Readiness evidences	No requirement to show artefacts (schemas, fixtures, AGENTS) before moving tasks to DOING.	Tasks start without prerequisites; rework later.	Require a readiness checklist + evidence links per task before status changes.
SK3	Dependency ledger	Dependencies captured ad hoc; no immutable ledger or owners.	Blockers rediscovered during sprint; sequencing unclear.	Add dependency ledger with owner/date/SLO; link into Decisions & Risks.
SK4	Time-box & exit criteria	Standup goals lack time-box and measurable exit.	Standups sprawl; no clear “done” signal.	Define 15–20 min time-box with explicit exit criteria and fast-follow actions.
SK5	Cross-timezone coverage	No asynchronous path for distributed teams; relies on live attendance.	Remote teams miss blockers; delays accumulate.	Provide async standup template (thread/checklist) with deterministic update window and archival rules.
SK6	Evidence persistence	Updates not required to be committed (e.g., Execution Log).	Knowledge lost; audits impossible.	Require standup outcomes appended to sprint Execution Log with date/owner.
SK7	Risk/decision capture	Decisions/risks from standups not mandated to land in sprint section.	Decisions drift; mitigations forgotten.	Add “decisions/risks delta” subsection per standup; link to docs/ADRs if opened.
SK8	Offline/air-gap posture	No guidance for air-gapped teams (no cloud boards/chat).	Air-gapped execution breaks comms trail.	Provide offline-friendly workflow (filesystem logs + git commits), banned services list, and export scripts.
SK9	Metrics & SLOs	Success metrics for standups not defined (lead time/blocker clear rate).	No feedback loop; ceremonies may not improve outcomes.	Track basic metrics per sprint: blockers cleared/day, carryover, average task start latency; review weekly.
SK10	Role clarity	Roles (facilitator, note-taker, decision owner) not assigned.	Decisions get lost; action items drift.	Add mandatory role assignment per standup with rotation; record in Execution Log.

Immediate follow-ups

• Add SK1–SK10 remediation task to Sprint SPRINT_300_documentation_process with owners/dates; enforce kickstarter template + evidence/ledger rules.
• Publish offline-friendly/async variants, metrics, and role checklist; add docs lint to block PRs without populated kickstarter sections.

Findings – Gaps in “UI Micro-Interactions for StellaOps”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - UI Micro-Interactions for StellaOps.md

Method: Compared micro-interaction brief to UI guild standards (accessibility, determinism, offline, perf). Focused on tokens, reduced-motion, telemetry, testing, and error/latency handling.

Gap Table

ID	Area	Gap	Impact	Recommendation
MI1	Motion tokens	Doc lists examples but no tokenized durations/easing curves or theme slots.	Inconsistent motion; hard to enforce reduced-motion.	Define motion tokens (durations, easings, distances) in design tokens; gate via lint.
MI2	Reduced motion/a11y	No rule for prefers-reduced-motion, focus traps, or SR copy on micro-interactions.	A11y regressions; fails audits.	Require reduced-motion variants, focus order tests, ARIA labels for animated elements.
MI3	Performance budgets	No FPS/latency budgets or CPU/GPU cap per animation.	Jank on low-end devices; perf regressions unnoticed.	Set budgets (e.g., <16ms main thread), add perf tests in CI, document fallback to static states.
MI4	Offline/slow-network states	Micro-interactions assume online responses; no skeletons/timeouts strategy.	Bad UX in offline/slow links; spinner stalls.	Add skeleton/timebox patterns, retry/backoff rules, and offline banners per interaction type.
MI5	Error & cancellation states	Missing guidance for cancel/undo animations and error toasts alignment.	Users can’t recover gracefully; inconsistent messaging.	Standardize cancel/undo affordances, error toast placement/content, and motion for failure paths.
MI6	Cross-surface consistency	No contract tying micro-interactions to component library tokens.	Different surfaces diverge; reuse is low.	Map interactions to shared components; include UX conformance checklist in Storybook docs.
MI7	Telemetry & experiments	No instrumentation schema or flag strategy.	Can’t measure adoption or regressions; risky rollouts.	Define event schema (interaction id, duration, success/fail), add feature flags + A/B hooks, and privacy notes.
MI8	Determinism & tests	Tests/examples missing deterministic seeds and snapshot rules.	Animations flake in CI; screenshots unstable.	Add deterministic animation seeds, Playwright screenshot rules, and golden snapshots per key interaction.
MI9	Accessibility of micro-copy	Micro-copy for tooltips/toasts not standardized or localized.	Inconsistent wording; i18n gaps.	Provide micro-copy catalogue + localization keys; enforce in lint/tests.
MI10	Dark/light/contrast	No guidance for contrast/theming of micro-states.	Poor contrast in certain themes; fails WCAG.	Define theme-aware tokens for hover/active/disabled; add contrast tests.

Immediate follow-ups

• Add MI1–MI10 remediation task to UI Sprint SPRINT_0209_0001_0001_ui_i (or UI II/III if preferred) with owners and dates.
• Publish motion/telemetry/testing tokens, reduced-motion rules, offline/error patterns, component mappings, and theme-aware micro-copy guidance; add Playwright/a11y checks to CI.

Findings – Gaps in “Proof-Linked VEX UI Developer Guidelines”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: Proof-linked VEX UI spec provided in chat (Not Affected badge → proof drawer pattern)

Method: Reviewed provided spec against VEX Explorer/Explain drawers, DSSE integrity, offline parity, and scope/tenancy rules. Focused on security, determinism, caching, accessibility, and replayability.

Gap Table

ID	Area	Gap	Impact	Recommendation
PVX1	API auth/tenant scope	Spec omits required scopes/tenant headers for proof endpoints.	Proof links could leak across tenants or bypass scope checks.	Require vex.read, findings.read, downloads.read scopes and tenant header; add 403 handling in UI.
PVX2	Caching & staleness	Drawer fetch/HEAD calls lack cache/staleness policy.	Users may see stale proofs or hammer endpoints.	Define cache headers, ETag use, max-age, and staleness banners; add retry/backoff rules.
PVX3	Integrity verification depth	Drawer compares digest headers only; no signature/DSSE verify client-side.	MitM could swap payload with matching digest header spoof.	Add optional client-side DSSE/signature verification (WebCrypto) or enforce signed response headers + pinned keys.
PVX4	Error/failure UX	No UX for proof download failures, timeouts, or partial retries.	Users stuck on spinner; unclear next steps.	Add timeout/error states, retry with backoff, and “report mismatch” action that logs correlation ID.
PVX5	Offline/air-gap mode	Offline kit bundle path mentioned only as “nice-to-have”; not specified.	Air-gapped reviewers can’t open proofs or graph slices.	Define offline bundle format (tar.zst + manifest + digests), UI fallback to local files, and verify script hook.
PVX6	Evidence completeness rules	“At least one proof” rule exists but no prioritization when multiple proofs absent.	Inconsistent badges; trust dilution.	Define precedence (DSSE > attestation > graph), badge states per combination, and gating rules before showing green badge.
PVX7	Telemetry schema/privacy	Events listed but no schema, PII redaction, or sampling controls.	Telemetry may capture sensitive findings; GDPR risk.	Define event schema with redaction, sampling, retention; add opt-out and per-tenant export.
PVX8	URL/permalink signing	Permalinks suggested but not protected against tampering.	Shared URLs could be forged to different nodes.	Sign permalink params (HMAC) or include consensus/graph hash; validate on open.
PVX9	Consistency between VEX Explorer & Findings	Spec doesn’t define reconciliation when Explorer status conflicts with Findings verdict.	Users see conflicting states; trust drops.	Add rule: show warning banner when consensus revision ≠ policy revision; deep-link to both views with revision info.
PVX10	QA fixtures & contracts	No test fixtures/contracts for drawer + API responses.	Hard to implement consistently; regressions untested.	Ship fixture JSON for full/partial/fail cases; add Playwright tests for drawer states and contract tests for endpoints.

Immediate follow-ups

• Add PVX1–PVX10 remediation task to Sprint SPRINT_0215_0001_0001_vuln_triage_ux (proof-linked VEX UI) with owners/dates.
• Update VEX Explorer/Findings UI + APIs to enforce scopes/tenant headers, caching/staleness policy, stronger integrity verification, failure UX, offline bundle support, evidence precedence, telemetry schema, signed permalinks, revision reconciliation, and fixtures/tests.

Findings – Gaps in “Unknowns Decay & Triage Heuristics”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Unknowns Decay & Triage Heuristics.md

Method: Reviewed the heuristic advisory and compared with Signals/Unknowns registry work (Sprint SPRINT_0140_0001_0001_runtime_signals) and prior decay/unknowns gaps. Focused on making decay/triage enforceable, deterministic, measurable, and offline-ready.

Gap Table

ID	Area	Gap	Impact	Recommendation
UT1	Heuristic catalog & schema	Heuristics listed narratively; no signed/Versioned schema or catalog with IDs, weights, thresholds.	Inconsistent application; hard to audit or evolve safely.	Publish unknowns-heuristics.catalog.json with IDs/weights/params and DSSE-sign; enforce via validator in Signals.
UT2	Deterministic scoring path	Heuristics mention time/decay but no canonical formula, seed, or ordering rules.	Non-deterministic triage scores; replay breaks.	Define canonical scoring formula (inputs, ordering, rounding, UTC/monotonic clock); add multi-run hash test.
UT3	Data quality bands	No quality/confidence bands for unknowns inputs (entropy hints, symbol matches).	Low-quality signals may overrule strong ones; explainability weak.	Add quality bands and minimum data-quality gate; expose in API/UI; block heuristics if quality < threshold.
UT4	Suppression/waiver policy	Suppression/waiver of unknowns not defined (expiry, approvers, evidence).	Unknowns can be suppressed silently; audit gaps.	Require DSSE-signed waiver with reason/expiry/approver; surface in ledger/UI; block auto-suppression.
UT5	SLA/priority coupling	Triage heuristics not tied to SLA classes or severity bands.	High-priority unknowns may decay or be deprioritized incorrectly.	Bind heuristics to SLA/priority matrix; clamp decay for SLA-critical classes; expose in config.
UT6	Offline parity	No offline kit guidance for heuristics/decay config or cached signals.	Air-gapped users can’t reproduce triage results.	Ship heuristics catalog + decay config + cached signals in offline kit with hashes/DSSE + verify script.
UT7	Observability & alerts	No metrics/alerts for heuristic outcomes (unknowns escalating/dropping) or decay job failures.	Failures go unnoticed; risk mis-prioritization.	Add metrics/alerts: unknowns_by_quality, decay_job_latency, waiver_expiry, offline_cache_age; include dashboards.
UT8	Backfill/migration rules	No plan to backfill existing unknowns with new heuristic fields/bands.	Legacy records inconsistent; comparisons invalid.	Define migration/backfill script to populate heuristic scores/bands; add migration checksum report.
UT9	Explainability UX	Advisory doesn’t specify UI fields for heuristic contribution, quality, decay, waiver.	Users can’t trust triage results; auditors lack detail.	Add UI/API fields: heuristicScores[], qualityBand, decayApplied, waiverId; include in exports.
UT10	Testing & fixtures	No fixture suite to validate heuristic scoring/decay/waiver flows.	Regressions undetected; behavior drifts across releases.	Create fixtures/tests for each heuristic and decay path; include golden outputs and hash checks; run in CI.

Immediate follow-ups

• Add an unknowns-heuristics gaps task to Sprint SPRINT_0140_0001_0001_runtime_signals.md to close UT1–UT10 with owners/dates.
• Publish signed heuristic catalog and deterministic scoring rules; add quality bands, waiver policy, SLA coupling, offline kit contents, observability/alerts, backfill plan, UX fields/exports, and fixtures with golden outputs.

Findings – Gaps in “Graph Analytics and Dependency Insights”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Graph Analytics and Dependency Insights.md

Method: Reviewed the graph analytics advisory against graph API/indexer sprints (0207/0141) and evidence chain needs. Focused on schema/versioning, determinism, privacy/tenant isolation, performance budgets, and offline/export parity.

Gap Table

ID	Area	Gap	Impact	Recommendation
GA1	Analytics schema/versioning	Metrics/analytics outputs not tied to versioned schemas or canonical JSON/CSV rules.	Consumers may misparse; hash-based reproducibility fails.	Publish versioned schemas for analytics outputs (centrality, clusters, diffs) with canonical serialization and test vectors.
GA2	Determinism & repeatability	Advisory asserts deterministic analytics but no rerun-hash CI or seed control for algorithms (e.g., Louvain).	Runs may drift, undermining reproducibility claims.	Require fixed seeds/configs; add multi-run hash CI; document tolerances per algorithm.
GA3	Privacy/PII & tenant isolation	No redaction/aggregation rules for sensitive fields or tenant-scoped analytics; cross-tenant leakage risk.	Analytics exports could expose tenant data.	Enforce tenant scoping, redaction/aggregation rules; produce redacted/public variants; add isolation tests.
GA4	Baseline datasets & fixtures	No canonical fixtures/baselines for analytics metrics.	Regressions undetected; hard to compare vendors.	Publish baseline datasets with expected metrics/hashes; include in CI and benchmark kits.
GA5	Performance/budget envelopes	No explicit limits for query cost, tile sizes, or analytics job budgets.	Jobs may exhaust resources; DoS risk.	Set budgets/quotas per tenant/job; expose metrics/alerts; enforce in API.
GA6	Explainability of analytics	Advisory doesn’t require exposing reason/inputs for scores (centrality, clusters).	Users can’t audit why a score was produced.	Include inputs/rationale in outputs (parameters, seeds, data slice, revision IDs); link to evidence/graph revision.
GA7	Export/format determinism	Multiple export formats mentioned but no checksum/manifest requirements.	Exports may be non-reproducible; offline parity weak.	Require checksum manifest + DSSE for analytics exports; canonical ordering; include graph_revision_id.
GA8	Algorithm versioning	Algorithm versions/implementations not recorded.	Metric changes invisible; audits impossible.	Record algorithm name/version and implementation hash in outputs; include in manifests.
GA9	Offline/air-gap parity	No requirement to bundle analytics outputs for offline verification.	Air-gapped users can’t verify or compare analytics.	Provide offline analytics bundle schema + verify script; include seeds, configs, manifests, hashes.
GA10	Governance/change log	No change-log or SemVer for analytics outputs/APIs.	Breaking changes propagate silently.	Adopt SemVer + CHANGELOG for analytics schemas/APIs; embed version in outputs.

Immediate follow-ups

• Add a graph analytics gaps task to Sprint SPRINT_0207_0001_0001_graph.md (or related graph/indexer sprint) to close GA1–GA10.
• Publish analytics schemas, seeds/configs, and baseline fixtures; enforce determinism/quotas, add DSSE-signed manifests, privacy/redaction rules, algorithm/version metadata, and offline bundle/verify scripts with changelog governance.

Findings – Gaps in “Mirror and Offline Kit Strategy”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Mirror and Offline Kit Strategy.md

Method: Reviewed the mirror/offline kit strategy against mirror creator sprints (0125/0150) and offline/air-gap requirements. Focused on manifest integrity, DSSE/TUF, time anchors, delta correctness, tenant scoping, and distribution safety.

Gap Table

ID	Area	Gap	Impact	Recommendation
MS1	Manifest schema/versioning	Mirror manifest/layout described but no signed/ versioned schemas.	Tools may generate incompatible mirrors; verification unreliable.	Publish signed schemas for mirror manifest/index (full/delta) with canonical JSON rules and test vectors.
MS2	DSSE/TUF policy & key rotation	DSSE/TUF profile noted but rotation, key manifest, and dual-sign (PQ/fips) rules not enforced.	Stale/compromised keys may be trusted; regional crypto gaps.	Require key manifest with validity/rotation, dual-sign options, and enforce in build/verify; include in bundle.
MS3	Delta correctness & tombstones	Mirror delta creation lacks formal algorithm, tombstone handling, and base-hash binding.	Deltas may miss/delete incorrectly; replay breaks.	Define delta spec (base hash, added/removed/tombstones), include in manifest, add fixtures/CI.
MS4	Time anchor & checkpoint freshness	Time-anchor hooks exist but no freshness SLA or verification in mirror kits.	Stale bundles may be accepted in air-gap; audit weakened.	Require time-anchor token + freshness window in manifest; verify during import; fail stale.
MS5	Tenant/env scoping	Mirror bundles not mandated to carry tenant/env scope or to validate on import.	Cross-tenant data leakage or wrong-env import.	Include tenant/env in manifest + DSSE; import must fail on mismatch.
MS6	Distribution integrity	OCI/FS distribution lacks required checksum/signature headers and immutability indicators.	Tampered mirrors could be ingested.	Enforce checksum + signature metadata for HTTP/OCI; require immutable object storage flags; verify on import.
MS7	Chunking/size limits	No guidance for large mirrors or chunk manifests.	Transfers may fail or be partial; hard to verify.	Provide chunk manifest with per-chunk hashes (zstd/OCI layers), max size guidance, and streaming verify.
MS8	Offline import/verify UX	Import/verify steps not formally specified (exit codes, scripts, failure modes).	Operators may skip checks; errors unclear.	Ship standard mirror-verify.sh with exit codes, required checks (schema, sig, hashes, time anchor, tenant), and negative tests.
MS9	Observability & audit	No metrics/log schema for mirror creation/import, verification failures, or staleness.	Issues may go unnoticed; harder to audit.	Emit metrics/logs for build/import/verify (counts, failures, staleness); add alerts.
MS10	Governance/change log	No SemVer/change log for mirror formats/profiles.	Breaking changes silently break consumers.	Adopt SemVer + CHANGELOG for mirror formats; embed version in manifest; block cross-major mixing.

Immediate follow-ups

• Add a mirror/offline-kit gaps task to Sprint SPRINT_0125_0001_0001_mirror.md (or 0150 series) to close MS1–MS10.
• Publish signed schemas and delta/time-anchor specs; enforce DSSE/TUF policy with rotation, tenant/env scoping, distribution integrity, chunking limits, standard verify script, metrics/alerts, and SemVer/change log for mirror formats.

Findings – Gaps in “Concelier Advisory Ingestion Model”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Concelier Advisory Ingestion Model.md

Method: Reviewed the advisory versus Link-Not-Merge/AOC requirements and Concelier ingestion sprints (0115 series). Focused on schema governance, connector safety, provenance, determinism, and offline parity.

Gap Table

ID	Area	Gap	Impact	Recommendation
CI1	Canonical observation schema/versioning	Observation/linkset structures shown but no published JSON Schema or versioning for AOC/Aggregation contracts.	Connectors may emit divergent shapes; validation inconsistent; replay unreliable.	Publish signed schemas (observation.schema.json, linkset.schema.json, aoc.guard.json), version them, and enforce via AOCVerifier/CI.
CI2	Forbidden-field enforcement	AOC rules listed, but no explicit denylist/allowlist or Roslyn/analyzer test suite shipped.	Derived/merged fields could leak into ingestion, breaking AOC purity.	Ship analyzers + tests with a denylist (severity, fix, merged status, reachability) and enforce in CI; fail builds on violations.
CI3	Provenance completeness	Signature presence noted but no required fields for signer identity, signature algorithm, or verification result.	Weak provenance; auditors cannot validate source authenticity.	Require provenance block with signer key ID, algorithm, verification status, Rekor/mirror ref; fail ingest on missing provenance.
CI4	Feed snapshot governance	No policy for feed snapshot hashes/staleness per connector; offline bundles undefined for advisory feeds.	Non-deterministic ingestion; offline parity breaks.	Require feed snapshot manifest (hash, fetch time, source URL, signer) per connector; include in offline advisory bundle; enforce staleness windows.
CI5	Conflict detection rules	Conflict model shown but no deterministic rules/thresholds for conflict detection or confidence scoring.	Inconsistent conflict reporting; hard to compare runs.	Define conflict types, detection rules, confidence rubric, and deterministic ordering; add tests.
CI6	Idempotency keys & dedupe	Idempotent upsert mentioned but no canonical content-hash recipe or idempotency key per connector.	Duplicates or missed updates if connectors vary hashing.	Standardize content-hash recipe (normalized JSON, hash algo/encoding) and idempotency key; add test vectors.
CI7	Multi-tenant isolation	Tenant claim required but no isolation tests or redaction rules for cross-tenant artifacts.	Cross-tenant leakage risk in shared stores/logs.	Add tenant-isolation tests and redaction guard; enforce tenant in IDs/queries; log rejection metrics.
CI8	Connector safety & sandboxing	No safety baseline for connectors (rate limits, timeouts, schema validation before write, memory limits).	Connector defects can destabilize ingestion or accept malformed data.	Define connector SLOs/limits; add sandbox runner with time/mem caps and schema pre-validate before persistence.
CI9	Offline/air-gap ingest & export	Advisory export format mentioned but not specified (hash lists, signatures, bundle schema).	Air-gap consumers can’t verify advisory bundles; replay breaks.	Define advisory-bundle schema (hash manifest + DSSE signature + feed snapshots); add CLI import/verify steps.
CI10	Testing fixtures & benchmarks	No shared fixtures/benchmarks for connectors (OSV, GHSA, CSAF, vendor feeds).	Regression detection weak; connectors may break silently.	Provide fixture set + determinism tests per connector family; run in CI; publish hashes.

Immediate follow-ups

• Add a Concelier ingestion gaps task to the relevant sprint (e.g., SPRINT_0115_0001_0004_concelier_iv or nearby Concelier sprint) to close CI1–CI10.
• Publish signed schemas and hashing recipes; enforce AOC denylist via analyzers; add provenance requirements, snapshot governance, conflict rules, connector sandbox limits, offline bundle schema, and fixture-based CI.

Findings – Gaps in “Notification Rules and Alerting Engine”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Notification Rules and Alerting Engine.md

Method: Read the advisory, compared with Notifier sprints (0170/0171/0172) and current code/contracts in src/Notifier/StellaOps.Notifier (rules, connectors, storm breaker, ack tokens). Focused on determinism, RBAC/tenant isolation, provenance, offline parity, and operational guardrails.

Gap Table

ID	Area	Gap	Impact	Recommendation
NR1	Schema/versioning & canonical JSON	Rules/channels/templates/deliveries not backed by signed, versioned schemas or canonical serialization (ordering, tz/locale, casing).	Drift across services/SDKs; hash-based dedupe and DSSE signatures unstable.	Publish signed schemas with canonical JSON rules and test vectors; enforce via API/SDK validators and worker ingestion.
NR2	Tenant isolation & cross-tenant guardrails	Tenant field present but no hard enforcement, shared-channel policy, or dual-approval for cross-tenant routes.	Cross-tenant leakage via misconfigured channels/rules.	Enforce tenant scoping in storage/queries; require dual-approval + DSSE annotation for cross-tenant channel use; fail closed on mismatch.
NR3	Deterministic rendering & localization	Locale-aware templates lack fixed locale/timezone, font set, whitespace rules, or golden outputs per channel.	Output hashes drift; dedupe/digests and audits unreliable.	Fix locale to en-US + UTC; embed font set for email/PDF; normalize whitespace/order; add golden fixtures for Slack/Teams/Email/Webhook outputs.
NR4	Rate limits, backpressure, and DLQ	Throttle windows exist but no per-tenant/channel quotas, queue depth/backpressure policy, DLQ classification, or storm-breaker linkage.	Overload or runaway retries; noisy tenants can starve others.	Set quotas per tenant/channel; define shed/delay policy; classify errors (retryable/non) with DLQ + alerting; integrate storm-breaker signals into dispatcher.
NR5	Reliability & retry semantics	Retry/backoff/idempotency strategy unspecified per channel; no max-attempts/jitter defaults or idempotency key recipe.	Duplicate deliveries or silent drops; hard to audit.	Standardize retry policy with bounded attempts + jitter; idempotency key recipe per delivery/action; record retry attempts and final state in ledger/metrics.
NR6	Security of webhook/ack flows	Webhook signing shown but no canonicalization, replay window, or CSRF/redirect protections; ack tokens lack cnf binding guidance.	Ack/webhook spoofing or replay; approvals could be hijacked.	Mandate canonical body hash + timestamp drift limit; require nonce + cnf binding for ack tokens; enforce host allowlist/TLS profile; block redirects; add conformance tests.
NR7	PII/redaction & payload limits	Redaction implied but no allowlist, size limits, or template lint per channel.	PII/secrets may leak via Slack/email/webhooks; payloads may be rejected.	Define redaction policy + size limits; lint templates; truncate with omitted_count; add PII/secret scan in CI and per-delivery guard.
NR8	Observability & SLO conformance	Metrics listed but no alert thresholds, sampling budgets, or linkage to ledger/incident IDs.	SLO breaches unnoticed; tracing costs spike; weak auditability.	Define alert rules for latency/failure/duplicate/queue depth; set trace sampling budgets; link deliveries to ledger/event IDs; publish SLO dashboards.
NR9	Offline/air-gap parity	No requirement to package rules/templates/channel configs with hashes/signatures or verify connectors offline.	Offline sites cannot verify/reproduce notifications; env drift.	Ship “notify-kit” (schemas, templates, connectors) with hash manifest + DSSE; include connector binary hashes and channel health fixtures; provide verify script.
NR10	Change governance & simulations	Simulations exist but not required pre-deploy; no dual-approval or evidence capture for rule/template changes.	Risky rule changes can ship without guardrails; regressions likely.	Require dual-approval + mandatory simulation run before activation; store simulation evidence hash; block activation without proof.

Immediate follow-ups

• Add a notification-gaps task to Sprint SPRINT_0171_0001_0001_notifier_i.md to close NR1–NR10 with owners/dates.
• Publish schemas + canonical JSON rules; enforce tenant scoping, quotas/backpressure, retry/ack security, redaction policies, deterministic rendering tests; ship offline “notify-kit” with DSSE manifest and verify script; require dual-approval + simulation evidence for rule/template changes.

Findings – Gaps in “Orchestrator Event Model and Job Lifecycle”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md

Method: Read the advisory, cross-checked Orchestrator sprints (0151/0152) and current contracts (OAS 61–63, air-gap, observability tracks). Focused on determinism, replay/audit fidelity, tenant/quotas, DAG correctness, offline parity, and security/operational guardrails.

Gap Table

ID	Area	Gap	Impact	Recommendation
OR1	Canonical schemas & hashing	Event/job payloads lack versioned JSON Schemas, canonicalization (sorted keys, tz/locale, numeric precision), or hash recipe for history/audit bundles.	Drift across services/SDKs; hashes/signatures unstable; replay may mis-verify.	Publish signed schemas for job, event, quota, throttle, incident, replay records with canonical JSON and hash/test vectors; enforce in API/worker validators.
OR2	Replay determinism & inputs lock	Replay guarantees stated but no inputs.lock (tool versions, policy/graph hashes, env/seed) or side-effect guardrails.	Replays may diverge from originals; audit claims weakened.	Require replay manifest with inputs.lock (tool images, policy/lattice hash, graph_revision_id, seeds, time source); block replay if mismatched; record replays as DSSE with replayOf linkage.
OR3	Lease/heartbeat governance	Heartbeat cadence given but no monotonic clock requirement, drift tolerance, or lease-expiry/backoff policy; no DSSE/log for lease changes.	False expiries or hung jobs; inconsistent worker behavior across regions.	Mandate monotonic+UTC clocks; define heartbeat jitter, grace windows, and lease extension limits; log DSSE events for lease/expiry; add conformance tests.
OR4	DAG/dependency correctness	Dependencies listed but no cycle detection, topological ordering rules, or partial-failure handling; no per-edge idempotency key.	Cycles or partial-complete runs can deadlock or double-execute.	Enforce DAG validation (cycle detection), topological scheduling with deterministic order, per-edge idempotency key; define partial-failure policy (fail-fast vs continue) and audit it.
OR5	Quotas/circuit breakers governance	Quota and breaker thresholds not versioned; no change-control, tenant overrides, or emergency bypass audit.	Misconfig can starve tenants or bypass safety; hard to audit changes.	Version quotas/breakers with DSSE-signed configs; require dual-approval for emergency bypass; emit change events to ledger; add per-tenant override rules and tests.
OR6	Security & tenant isolation	Scopes mentioned elsewhere but advisory lacks authN/Z defaults (mTLS/DPoP), tenant binding on all APIs/events, and webhook/worker allowlists.	Cross-tenant leakage or forged worker traffic; job control abuse.	Enforce tenant binding on all API/event payloads; require mTLS/DPoP for workers; maintain worker allowlist + key rotation; reject events missing tenant/trace bindings.
OR7	Event fan-out ordering & backpressure	SSE/GraphQL/webhook feeds not required to preserve ordering, dedupe by eventId, or apply backpressure/flow control.	Dashboards/consumers may see out-of-order or duplicate events; memory pressure.	Define ordering (timestamp+eventId), dedupe rules, ack/backpressure protocol per channel; add replayable event store with cursor checkpoints and deterministic pagination.
OR8	Offline/audit bundle schema	Audit bundle contents listed but no schema, size limits, redaction rules, compression/determinism flags, or DSSE signature requirement.	Offline audits may ingest tampered/incomplete bundles; PII may leak; hashes drift.	Define audit-bundle.schema.json, hash manifest, deterministic archive flags (mtime/owner), redaction/PII allowlist, and DSSE signature; ship verify script with exit codes.
OR9	Observability/SLOs & incident hooks	Metrics listed but no SLO thresholds, alert rules, sampling budgets, or linkage to incident mode/circuit breakers.	SLO breaches unnoticed; incident mode may not trigger; tracing costs spike.	Publish SLOs + alert rules (queue depth, latency, failure rate, heartbeat gaps); tie to circuit breakers/incident mode activation; set trace sampling budgets and dashboards.
OR10	TaskRunner bridge integrity	Pack-run heartbeat/log/artifact flows lack integrity rules (hashing, size limits), resumability, and DSSE linkage to job events.	Logs/artifacts may be tampered; replay/resume may fail; weak audit trail.	Require hashes for artifacts/log streams, size/chunk limits, DSSE linkage of pack-run events to jobId/runId; define resume semantics and tests; include in audit bundles.

Immediate follow-ups

• Add an orchestrator-gap task to Sprint SPRINT_0151_0001_0001_orchestrator_i.md to close OR1–OR10 with owners/dates.
• Publish signed schemas + hash recipes; enforce tenant binding/mTLS/DPoP, DAG validation, quotas/breakers governance, heartbeat/lease policy, fan-out ordering/backpressure, audit-bundle schema/verify script, SLO alerts, and TaskRunner integrity (hashes/DSSE/resume rules).

Findings – Gaps in “Plugin Architecture & Extensibility Patterns”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md

Method: Reviewed the advisory against module plugin patterns (Authority, Scanner analyzers, Concelier connectors), platform determinism/air-gap rules, and existing plugin guides. Focused on trust, compatibility, isolation, determinism, offline parity, and governance.

Gap Table

ID	Area	Gap	Impact	Recommendation
PL1	Canonical manifests & schemas	Manifest format shown but no signed/Versioned JSON Schemas, canonical JSON rules, or hash recipe for plugin/connector/analyzer descriptors.	Divergent manifests across modules; hashes/DSSE signatures unstable; loaders may accept malformed plugins.	Publish signed schemas per plugin type with canonical JSON rules and hash/test vectors; enforce validation in hosts/CI.
PL2	Capability token governance	Capabilities listed but no registry/versioning or negotiation rules across host versions.	Capability drift; plugins may assume features not supported by host, causing runtime failures.	Create capability catalog (SemVer) per module; enforce host-version compatibility and fail closed when unknown tokens encountered; provide downgrade rules.
PL3	Supply chain & provenance	No requirement for plugin SBOM, signatures (DSSE/cosign), or provenance metadata (builder, source digest, policy hash).	Tampered or opaque plugins could be loaded; audit/replay weak.	Require SBOM + DSSE-signed provenance bundle per plugin; verify signatures and policy hash at load; store provenance in CAS and audit log.
PL4	Sandbox/Resource isolation	Advisory mentions isolation but lacks mandatory sandbox model (AppDomain/AssemblyLoadContext + cgroups/seccomp), CPU/RAM/time budgets, or deny-by-default network/filesystem.	Plugins can exhaust resources or escape isolation, affecting host determinism/security.	Define sandbox profile per module with CPU/mem/time/IO caps, network default-deny, and configurable allowlist; enforce via host; add kill-switch metrics/alerts.
PL5	Determinism enforcement & test harness	Determinism principles stated but no per-plugin determinism tests, seeds, locale/timezone pinning, or multi-run hash checks.	Plugins may emit non-deterministic outputs, breaking reproducibility.	Provide plugin test harness with multi-run hash CI, fixed locale/UTC, seeded RNG, and determinism lint; require passing before publish/load.
PL6	ABI/API compatibility & migrations	HostVersion field present but no compatibility matrix, breaking-change policy, or migration hooks.	Plugins may break on host upgrades; silent failures.	Publish compatibility matrix per module; define breaking-change policy and migration hooks; enforce semantic range checks at load with clear errors.
PL7	Dependency/secret posture	Offline-first listed but no lockfiles, vendored deps, or secret-handling rules (KMS refs vs inline).	Runtime downloads or secret sprawl; non-reproducible builds.	Require dependency lockfiles + vendored artefacts; forbid runtime downloads; mandate secret refs (KMS/secret store), never inline; add CI checks.
PL8	Observability, crash containment, and kill-switch	Health checks mentioned but no required crash isolation, auto-disable on fault rate, or structured logs/traces per plugin ID.	Faulty plugins can flap hosts; poor triage.	Add fault counter + kill-switch thresholds; emit structured logs/traces with pluginId; auto-disable after N failures with DSSE-signed disable record and rollback path.
PL9	Offline kit packaging & verification	Offline kit layout shown but no DSSE signatures, deterministic archive flags, or verify script with exit codes.	Air-gapped installs can’t verify authenticity; hashes drift across builders.	Package plugins in deterministic archive with hash manifest + DSSE signature; include verify script (hash/signature/hostVersion check) and time-anchor token.
PL10	Distribution trust & revocation	No process for plugin publication review, CVE tracking, revocation/denylist distribution, or metadata feed for updates.	Malicious/vulnerable plugins may persist; customers unaware of revocations.	Establish review/sign-off workflow; publish signed plugin index with revocation/denylist and CVE metadata; hosts poll index (or import offline) and refuse revoked versions.

Immediate follow-ups

• Add a plugin-architecture gaps task to a coordination sprint (e.g., SPRINT_300_documentation_process.md) to close PL1–PL10 with owners/dates and module owners for each plugin type.
• Publish signed schemas/capability catalog; enforce sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline packaging with verify script, and signed plugin index with revocation/CVE data.

Findings – Gaps in “Policy Simulation and Shadow Gates”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Policy Simulation and Shadow Gates.md

Method: Read the advisory, compared with policy reasoning sprints (0120/0121) and replay core (0185), and with Policy Engine contracts. Focused on determinism, coverage fidelity, gate governance, auditability, offline parity, and safety.

Gap Table

ID	Area	Gap	Impact	Recommendation
PS1	Canonical schemas & hashing	Simulation, diff, coverage, promotion records lack versioned JSON Schemas, canonical JSON rules, and deterministic hash recipe.	Results may drift across services/SDKs; hashes/DSSE signatures unstable; replay unverifiable.	Publish signed schemas for simulation/diff/coverage/promotions + canonical JSON rules and hash/test vectors; enforce in API/CLI/worker validators.
PS2	Shadow isolation & redaction	Shadow collections defined but no mandatory tenant scoping, PII/redaction rules, TTL/GC governance, or cross-tenant leakage tests.	Shadow data could leak or persist indefinitely; compliance/audit risk.	Enforce tenant scoping, redaction allowlist, TTL with DSSE-config, isolation tests; forbid cross-tenant queries; include redaction manifest in audit trail.
PS3	Coverage fixture governance	Fixture format shown but no schema versioning, required fields, negative/edge cases, or golden fixtures with determinism checks.	Fixtures may be ambiguous; regressions undetected; audits weak.	Publish fixture schema + conformance suite; require negative/edge cases; provide golden fixtures and multi-run hash CI; include VEX-aware expectations.
PS4	Gate policy & approvals	Promotion gates lack RBAC/dual-approval rules, DSSE evidence, policy/graph hash binding, or environment constraints.	Unsanctioned promotions or mismatched policy/graph could ship.	Require dual-approval with DSSE-signed gate bundle including policy/graph hashes, inputs.lock, scope/env; enforce RBAC and deny if evidence missing.
PS5	Replay/inputs.lock & feed freeze	Determinism hash uses policy/rules only; no inputs.lock covering feeds, SBOMs, tool versions, time source, or random seeds.	Replays may diverge due to feed/tool drift; audit claims weakened.	Add inputs.lock (feeds snapshots, tool/image digests, time source, seeds); store with simulation/promotions; reject replay if mismatched; DSSE-sign.
PS6	Resource budgets & quotas	No per-tenant/job-type quotas, concurrency limits, or cost caps for simulations/diffs/coverage.	Large simulations could starve production or cause outages.	Define quotas/concurrency per tenant/policy; enforce budgets and backpressure; surface metrics/alerts; fail fast with retryable codes.
PS7	Observability & audit linkage	Metrics/audit events listed but no required SLOs, alert thresholds, or linkage to ledger/replay evidence.	Failures may go unnoticed; audit trail fragmented.	Set SLOs + alert rules (latency, failure rate, coverage pass rate, gate duration); log DSSE/audit events with simulation IDs; link to ledger entries.
PS8	CLI/CI contract & exit codes	CLI commands shown but no versioned spec for flags/exit codes or CI gating rules (what fails a pipeline).	CI may mis-handle outcomes; breaking changes unnoticed.	Publish CLI/CI contract (flags, outputs, exit codes, JSON schema); add compatibility tests; define CI gating defaults (fail on coverage <100%, diff severity thresholds).
PS9	Offline/air-gap parity	No requirement to package simulations/coverage/gate evidence in offline kits with hashes/signatures and verify scripts.	Air-gapped sites cannot verify or replay simulations; env drift.	Provide “policy-sim-kit” (schemas, fixtures, results, inputs.lock, DSSE signatures, verify script) with deterministic archives; document import/verify flow.
PS10	Safety for shadow/no-notify	Advisory says no notifications but lacks guard to prevent hooks or side-effects (webhooks, Jira, enforcement flags) during shadow runs.	Shadow runs could trigger actions or mutate state; production impact risk.	Enforce side-effect guard: disable outbound hooks/enforcement during shadow; static allowlist; assert no writes except shadow collections; add tests.

Immediate follow-ups

• Add a policy-simulation gaps task to Sprint SPRINT_0185_0001_0001_shared_replay_primitives.md (or successor policy simulation sprint) to close PS1–PS10 with owners/dates.
• Publish signed schemas + inputs.lock rules; enforce shadow isolation/redaction, fixture conformance with golden tests, gate RBAC/DSSE evidence, quotas/backpressure, CLI/CI contract with exit codes, offline “policy-sim-kit” packaging, and side-effect guards for shadow runs.

Findings – Gaps in “Runtime Posture and Observation with Zastava”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Runtime Posture and Observation with Zastava.md

Method: Read the advisory, cross-checked Zastava sprint SPRINT_0144_0001_0001_zastava_runtime_signals and Surface.Env/Secrets/FS integrations. Focused on determinism, tenant isolation, provenance, replay/audit, offline parity, observability, and safety controls.

Gap Table

ID	Area	Gap	Impact	Recommendation
ZR1	Canonical schemas & hashing	Event/admission/observation payloads lack signed/Versioned JSON Schemas, canonical JSON rules, and hash recipe for DSSE/audit bundles.	Hash/signature drift; replay unverifiable; cross-service divergence.	Publish signed schemas for observer/webhook events and admissions with canonical JSON + hash/test vectors; enforce in validators.
ZR2	Tenant isolation & scope binding	Advisory assumes tenant fields but no hard binding in webhook/observer, nor cross-tenant tests or deny-by-default for missing tenant/context.	Cross-tenant leakage or spoofed admissions.	Require tenant/project bindings on all requests/events; fail closed on missing/ambiguous tenant; add isolation tests and DSSE annotations with tenant.
ZR3	Determinism & time source	Runtime/admission flows lack mandated monotonic clock, timezone/locale rules, or deterministic ordering of findings/events.	Non-deterministic decisions; replay hashes drift.	Mandate monotonic+UTC time provider, stable ordering (tenant, namespace, digest), and deterministic serialization; add multi-run hash CI.
ZR4	Provenance & signer identity	Observations lack required provenance fields (sensor ID, firmware/version, policy hash, graph revision, key ID) and DSSE enforcement.	Evidence unverifiable; spoofed sensors possible.	Require DSSE envelopes with signer identity, policy/graph hashes, sensor ID/firmware; verify before accept; log provenance in CAS.
ZR5	Admission side-effects & escape hatches	No guardrail for side-effecting hooks, emergency bypasses, or debug flags; unclear approval path for bypass.	Unsafe bypass may disable enforcement; audit gaps.	Add side-effect allowlist; require dual-approval + DSSE-signed waiver for bypass/debug; log and expire waivers; deny unknown hooks.
ZR6	Offline/air-gap parity	Offline posture noted but no bundle schema, deterministic archive flags, or verify script for observation/admission data.	Air-gapped users can’t verify or replay; integrity risk.	Provide “zastava-kit” with observations/admissions, hash manifest, DSSE signature, deterministic tar flags, and verify script (hash/signature/tenant checks).
ZR7	Replay/audit linkage	Observations/admissions not linked to ledger/replay manifests or reachability/graph revisions.	Hard to audit or reproduce decisions.	Link events to ledger IDs and graph_revision_id; store replay manifest refs; include in DSSE annotations and export bundles.
ZR8	Thresholds, burn-rate & anomaly policy	Storm/burn-rate thresholds not codified; no change-control or DSSE for threshold updates.	Noisy alerts or missed incidents; drift unnoticed.	Version and sign threshold config; require change log + DSSE; add alerting on threshold changes; publish budgets (latency, error rate, drop rate).
ZR9	PII/redaction & log hygiene	Advisory mentions logging but no redaction allowlist, size limits, or secret/PII scan for observation payloads and webhook logs.	PII/secret leakage via logs/events.	Define redaction allowlist + size limits; run PII/secret scan in CI and at ingest; truncate with omitted counts; include redaction manifest.
ZR10	Health, kill-switch & fallback	Health checks exist but no kill-switch on repeated failures, fallback policy (fail-open vs fail-closed), or DSSE record of kill events.	Unstable sensors/webhooks can flap services; enforcement may silently fail open.	Add fault counter + kill-switch with DSSE-signed disable record; configurable fail-open/closed defaults (closed for admission); expose metrics/alerts; require manual re-enable with audit.

Immediate follow-ups

• Add a Zastava gaps task to Sprint SPRINT_0144_0001_0001_zastava_runtime_signals.md to close ZR1–ZR10 with owners/dates.
• Publish signed schemas + hash recipes; enforce tenant binding, deterministic clocks/ordering, DSSE provenance, side-effect/bypass controls, offline “zastava-kit” packaging, ledger/replay linkage, threshold governance, PII/redaction policy, and kill-switch/fallback rules with alerts and audits.

Findings – Gaps in “Sovereign Crypto for Regional Compliance”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md

Method: Read the advisory, cross-checked Sovereign Crypto sprint SPRINT_0514_0001_0001_sovereign_crypto_enablement.md and crypto registry decision docs. Focused on compliance evidence, determinism, offline parity, provider governance, PQ transition, and security/operational guardrails.

Gap Table

ID	Area	Gap	Impact	Recommendation
SC1	Canonical registry schema & hashing	Registry/profiles lack signed/Versioned JSON Schemas, canonical serialization, and hash recipes for configs.	Drift across services; hashes/DSSE signatures unstable; audits fail.	Publish signed schemas for registry/profiles/providers with canonical JSON + hash/test vectors; enforce validation at startup and in CI.
SC2	Compliance evidence & attestation	eIDAS/FIPS/GOST/SM claims lack required evidence (cert IDs, module versions, validation scope) and DSSE attestations for provider selection.	Compliance assertions unverifiable; regulators may reject evidence.	Require compliance evidence block (cert ID, module version, OID/SM spec, validation scope, expiry) and DSSE-signed attestation when profile is activated; store in CAS/ledger.
SC3	PQ/hybrid transition rules	PQ plan noted but no concrete algorithm sets, dual-sign ordering, or migration/rollback policy.	Inconsistent PQ rollout; signatures may be non-interoperable.	Define PQ profiles (Dilithium/Falcon) with dual-sign ordering, verification precedence, rollback policy, and interop matrix; add tests/vectors.
SC4	Provider trust & provenance	Provider binaries (CryptoPro, Tongsuo, OpenSSL FIPS) lack provenance/SBOM, signature verification, or supply-chain policy.	Risk of tampered binaries; audit gaps.	Require SBOM + DSSE/cosign signature for each provider; verify on ingest; store provenance in CAS; maintain allowlist of hashes.
SC5	Key custody & HSM policy	Key storage guidance is high level; no M-of-N, audit rules, or per-region HSM fallback policy.	Single-operator risk; compliance gaps; inconsistent behavior across regions.	Define custody policy (M-of-N), audit requirements, allowed HSMs per region, and fallback (software/HSM) with DSSE-logged overrides; add key-state manifest.
SC6	Runtime negotiation & fail-closed	Registry shows activeProfile but no fail-closed rules when profile missing/invalid or when providers unavailable.	Services might silently fall back to default/FIPS when region requires GOST/SM.	Enforce fail-closed on profile/provider mismatch; expose negotiation result; add health check/alerts; require explicit override token for fallback.
SC7	Determinism across profiles	Determinism rules mention timestamps but ignore algorithm-specific randomness (ECDSA/SM2 k), padding differences, or provider-specific encoding.	Outputs may drift across providers/runs; replay hashes unstable.	Standardize deterministic signing modes where possible (RFC 6979 for ECDSA/SM2 where supported); document encoding; add golden vectors per profile/provider; hash manifests for outputs.
SC8	Offline/air-gap RootPack	RootPack bundles lack deterministic packaging flags, manifest schema, DSSE signature, or verify script with time-anchor; CRL/OCSP offline handling unspecified.	Air-gapped deployments can’t verify packs; tamper risk; stale revocations.	Define RootPack schema + deterministic tar flags; include hash manifest, DSSE signature, time-anchor token; offline CRL/OCSP stapling guidance; provide verify script with exit codes.
SC9	Policy/tenant binding	Profile selection not tied to tenant/env/policy IDs in tokens/attestations; no audit of who switched profiles.	Wrong profile may be used for a tenant; auditors cannot trace changes.	Bind profile ID to tenant/env in config and tokens/attestations; log DSSE-signed profile-switch events with actor/time; enforce RBAC for switches.
SC10	Observability & drift detection	No metrics/alerts for profile drift, provider verification failures, or cert expiry; no periodic self-test.	Silent drift or expired certs could undermine compliance.	Add metrics/alerts for profile/provider hash mismatch, signature verification fail, cert expiry window, PQ/dual-sign success rate; schedule self-tests with DSSE-logged results.

Immediate follow-ups

• Add a sovereign-crypto gaps task to Sprint SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (or Authority/Security crypto sprint) to close SC1–SC10 with owners/dates.
• Publish signed schemas + compliance evidence blocks; enforce provider provenance checks, PQ/dual-sign rules, fail-closed negotiation, custody/HSM policy, deterministic signing vectors, RootPack schema + verify script with time-anchor, tenant-bound profile switches, and observability/self-tests for drift and expiry.

Findings – Gaps in “Task Pack Orchestration and Automation”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Task Pack Orchestration and Automation.md

Method: Read the advisory, cross-checked TaskRunner specs (docs/task-packs/*.md) and orchestration/pack sprints (0157/0158 series). Focused on determinism, safety, provenance, multi-tenant isolation, offline parity, and governance for packs, approvals, and executions.

Gap Table

ID	Area	Gap	Impact	Recommendation
TP1	Canonical schemas & plan hash recipe	Pack manifest and plan hash lack published signed schemas, canonical JSON rules, and hash recipe (ordering, normalization, casing).	Plan hash drift; DSSE attestations unverifiable; cross-host divergence.	Publish signed schemas for manifest/plan/run/approval events with canonical JSON rules and hash/test vectors; fix plan-hash recipe and enforce at build/run.
TP2	Provenance & evidence completeness	Evidence bundle includes attestation but no required fields for inputs.lock, tool versions, policy/graph hashes, or approver identities.	Replay/audit weak; approvals unverifiable; mismatched tools undetected.	Require evidence block with inputs.lock (images, feed snapshots, policy/graph hash, time source), approver identities, and DSSE bundle; store in Evidence Locker/ledger.
TP3	Approval governance & RBAC	Approval tokens include plan hash but no dual-approval rules, delegation limits, or DSSE-signed approval records; no expiry/renewal guidance beyond TTL.	Unauthorized or stale approvals may progress packs; audit gaps.	Enforce dual-approval/role matrix, delegation quotas, DSSE-signed approval records with expiry/nonce, and audit trail; deny on missing/expired approvals.
TP4	Secrets handling & redaction	Advisory says secrets masked, but no schema/allowlist, redaction manifest, or log guard; no proof that outputs/artifacts redact secrets.	Secrets/PII could leak in logs/evidence; compliance risk.	Define secret/PII redaction policy + allowlist; include redaction manifest in evidence; add CI lint + runtime guard to block unmasked outputs; redact artifacts/exports.
TP5	Determinism across step types	Parallel/map/approval/policy steps lack deterministic ordering, RNG/clock control, and retry semantics; maxParallel/map order not fixed.	Non-deterministic runs; plan hash mismatch on replay; flaky pipelines.	Fix ordering rules (stable sort for map/parallel), enforce monotonic+UTC time provider, deterministic RNG, and retry/backoff policy per step type; add multi-run hash CI.
TP6	Sandbox/resource limits & egress	Run steps lack mandated sandbox (CPU/mem/time IO), network egress policy, or per-module allowlists; no per-tenant budgets/quotas.	Pack runs can exhaust resources or exfiltrate data; noisy tenants starve others.	Define sandbox profile per module; set CPU/mem/time/IO limits, network default-deny with allowlist; quotas per tenant; enforce in runner; emit metrics/alerts.
TP7	Pack registry trust & signing	Registry APIs exist but no requirement for signed packs (cosign/DSSE), SBOMs, or signature verification at publish/pull; no revocation/denylist feed.	Tampered packs could be executed; compromised registry could spread malware.	Require DSSE/cosign signatures + SBOM for packs; verify on publish/pull; maintain signed pack index with revocations/denylists; fail closed on missing/invalid sigs.
TP8	Offline/air-gap pack bundles	Export/import commands shown but no deterministic bundle schema, hash manifest, DSSE signature, or verify script; approvals/tokens offline flow unspecified.	Air-gapped users cannot verify packs; tamper risk; approvals unenforceable offline.	Define pack-bundle schema with deterministic tar flags, hash manifest, DSSE signature, time anchor; include approvals/tokens/offline authority keys; ship verify script.
TP9	Observability & incident hooks	Metrics listed but no SLOs/alerts, burn-rate/incident mode hooks, or linkage to ledger/timeline events.	Failures/noise may go unnoticed; incomplete auditability.	Set SLOs + alert rules (queue depth, step latency, approval SLA, failure rate); emit timeline/ledger events with trace IDs; add incident mode triggers and dashboards.
TP10	Safety for policy/approval gates	Gate types outlined but no guardrails to prevent side effects or bypass when gates fail; no policy for replays after gate failure.	Gates may be bypassed; side effects may run in shadow; inconsistent promotion.	Enforce fail-closed on gate failure/expiry; block side effects until gate satisfied; require DSSE proof of gate success; define replay rules after gate failure.

Immediate follow-ups

• Add a task-pack gaps task to the TaskRunner sprint (e.g., SPRINT_0157_0001_0001_taskrunner_i.md or SPRINT_0158_0001_0002_taskrunner_ii.md) to close TP1–TP10 with owners/dates.
• Publish signed schemas and plan-hash recipe; enforce DSSE/Signature + SBOM for packs, evidence inputs.lock, dual-approval governance, sandbox/egress limits, deterministic ordering/RNG/time, offline pack-bundle schema/verify script, SLO/alerting, and gate fail-closed rules.

Findings – Gaps in “Telemetry and Observability Patterns”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Telemetry and Observability Patterns.md

Method: Read the advisory, compared with telemetry docs (collector config, dashboards) and missing telemetry sprint. Focused on determinism, sealed-mode/offline parity, provenance, redaction, tenant isolation, and operational guardrails.

Gap Table

ID	Area	Gap	Impact	Recommendation
TO1	Canonical schemas & hashing	Metrics/traces/logs configs lack signed/Versioned schemas, canonical JSON, and hash recipe for bundle/manifest.	Drift across services; bundle hashes/DSSE unstable; replay verification weak.	Publish signed schemas for telemetry configs/exports with canonical JSON + hash/test vectors; enforce validation in collector/SDK CI.
TO2	Provenance & DSSE	Collector profiles/bundles lack DSSE attestation with collector version, exporter set, redaction policy, and crypto profile.	Consumers can’t trust telemetry bundles; forensic evidence not audit-grade.	Require DSSE for profile activation and bundle export including collector build/version, exporter list, redaction policy, crypto profile; store in ledger.
TO3	Determinism & sampling stability	Tail sampling rules given but no deterministic seed, priority order, or retry/backpressure policy; logs/traces ordering unspecified.	Re-runs differ; incident comparisons unreliable; bundle hashes drift.	Define deterministic sampling order/seed, backpressure rules, and stable ordering (timestamp+traceId); add multi-run hash CI for exporters.
TO4	Sealed-mode / egress guards	Sealed-mode guidance shown but not enforced (no deny list of exporters, DNS/IP allowlist, or fail-closed policy).	Telemetry could exfiltrate data from air-gap; compliance risk.	Enforce sealed-mode guard that blocks non-loopback exporters; add allowlist/DNS pinning; fail closed; emit DSSE-signed seal-status record.
TO5	Redaction policy & PII tests	Redaction described but no allowlist, regex/catalog, or CI tests; log processors not required to prove redaction.	PII/secret leakage via OTLP/logs.	Define redaction allowlist/catalog; add PII/secret test suite; require redaction manifest in bundles; fail bundle export if redaction violations detected.
TO6	Tenant isolation & multi-tenant routing	Advisory lacks tenant binding on OTLP signals and isolation tests; no per-tenant quotas.	Cross-tenant leakage in shared collectors/backends.	Require tenant/project IDs in attributes and pipeline routing; enforce per-tenant quotas/limits; add isolation tests and metrics.
TO7	Forensic triggers governance	Forensic mode triggers listed but no approval/expiry policy, DSSE record, or rollback guard.	Forensic mode could stay on or be abused; noisy costs.	Require dual-approval + DSSE record for forensic activation with expiry; log actor/time/reason; auto-expire with rollback; alert on long-running forensic mode.
TO8	Offline bundle schema & verify	Bundle structure shown but no deterministic tar flags, manifest schema, hash list, or verify script/time-anchor.	Offline bundles unverifiable; tamper risk.	Define telemetry-bundle.schema.json, deterministic archive flags, hash manifest + DSSE signature + time-anchor token; ship verify script with exit codes.
TO9	Observability of observability	Metrics/alerts listed but no SLOs/alert rules for collectors/exporters or bundle generation; no self-tests.	Telemetry pipeline failures unnoticed; forensic/offline exports may fail silently.	Set SLOs + alert rules for collector health, exporter failures, queue backpressure, bundle success rate; add periodic self-test with DSSE-logged results.
TO10	CLI/pack contracts	CLI commands absent; no versioned spec for telemetry CLI/export commands or CI gating on bundle validation.	CI/pipelines may break on changes; offline ops inconsistent.	Publish CLI/pack contract (flags, exit codes, JSON schema) for telemetry exports; add compatibility tests; fail CI on invalid bundles.

Immediate follow-ups

• Add a telemetry gaps task to Sprint SPRINT_0180_0001_0001_telemetry_core.md to close TO1–TO10 with owners/dates.
• Publish signed schemas + DSSE provenance for profiles/bundles; enforce sealed-mode/egress guards, deterministic sampling/order, redaction allowlist + PII tests, tenant binding/quotas, forensic activation governance, offline bundle schema + verify script, SLO/alerting for collectors/exporters, and CLI/pack contracts.

Findings – Gaps in “Vulnerability Triage UX & VEX-First Decisioning”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md

Method: Read the advisory, cross-checked triage/UI sprint SPRINT_0215_0001_0001_vuln_triage_ux and related explainability/VEX advisories. Focused on determinism, schema completeness, evidence linkage, tenant isolation, offline parity, accessibility, and approval/decision governance.

Gap Table

ID	Area	Gap	Impact	Recommendation
VT1	Schema/versioning & canonical JSON	VEX decision, vuln scan attestation, and audit bundle schemas referenced but not published or versioned; no canonical JSON rules.	UI/API may drift; hashes/DSSE signatures unstable; integrations break.	Publish signed schemas for vex-decision, vuln-scan attestation, audit-bundle index with canonical JSON + hash/test vectors; enforce in API/UI validators.
VT2	Evidence linkage & explainability	Advisory calls for evidence-first UI but lacks required fields linking decisions to reachability graphs, policy hashes, and attestation IDs.	Users can’t audit or replay decisions; explainability incomplete.	Require decision payloads to include graph_revision_id, policy_hash, attestation_ids, evidence bundle refs; surface in UI cards and exports; enforce in API.
VT3	Tenant isolation & RBAC	VEX modal/actions not bound to tenant/project roles; no dual-approval or reviewer metadata for high-impact decisions.	Cross-tenant leaks or unauthorized decisions; audit gaps.	Bind decisions to tenant/project; enforce RBAC/dual-approval for high-severity scope; log reviewer metadata; DSSE-sign decisions with actor IDs.
VT4	Determinism & sorting	Finding lists/cards lack deterministic ordering rules and stable pagination hashes; locale/time effects not addressed.	UI/exports reorder across sessions; hashes drift; tests flaky.	Define ordering (tenant, severity desc, package, vulnId), fix locale/UTC, deterministic pagination tokens; add golden fixture tests.
VT5	Accessibility & usability standards	Advisory omits a11y requirements (contrast, keyboard nav, screen reader labels, focus management) for triage workspace/VEX modal.	Non-compliance, poor UX for accessibility; potential legal risk.	Add WCAG 2.1 AA checklist: focus order, ARIA labels, keyboard shortcuts, contrast tokens; add a11y CI checks.
VT6	Offline/air-gap parity	No guidance to package triage/VEX data for offline review or to verify attestation/decision bundles offline.	Air-gapped users cannot review/export decisions; integrity risk.	Provide “triage-kit” export with findings, decisions, attestations, evidence, hash manifest + DSSE signature and verify script; include UI offline view guidance.
VT7	Conflict resolution & supersedes	Supersedes logic hinted (PATCH) but no deterministic rules for conflicting decisions, scope overlaps, or expiry/validFor handling.	UI may display stale/conflicting decisions; audits ambiguous.	Define supersedes/precedence rules (newer notAfter/notBefore, scope specificity, signer trust); enforce in API; show in UI with conflict badges.
VT8	Attestation verification UX	Attestation tab lacks verification status rules (Rekor/bundle presence, DSSE verification, key trust) or error handling.	Users may trust unverified attestations; weak evidence chain.	Require verification state (verified/failed/unknown) with reasons; enforce DSSE/Rekor/bundle checks; display signer key/fingerprint and trust result.
VT9	Privacy/redaction in UI	Evidence fields and notes not bound to redaction/allowlist; screenshots/links could leak PII/credentials.	Sensitive data exposure in UI exports and screenshots.	Apply redaction policy to evidence fields; add redaction manifest to exports; UI should mask secrets and mark redacted areas; add PII scan in pipeline.
VT10	Metrics/telemetry for UX	Advisory lists dashboards/alerts elsewhere but no UX telemetry/SLIs (time-to-first-meaningful-render, modal save latency, decision success rate).	UX regressions unnoticed; SLAs unmet.	Define UX SLIs (TTFMR, VEX save p95, decision error rate, export latency); add instrumentation and alerts; include in dashboards.

Immediate follow-ups

• Add a triage UX gaps task to Sprint SPRINT_0215_0001_0001_vuln_triage_ux.md (or related UI sprint) to close VT1–VT10 with owners/dates.
• Publish signed schemas and enforce evidence linkage, tenant/RBAC controls, deterministic ordering, a11y standards, offline triage-kit, supersedes/conflict rules, attestation verification UX, redaction policy, and UX telemetry/SLIs with alerts.

Findings – Gaps in “Acceptance Tests Pack for StellaOps Guardrails”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md

Method: Read the advisory and mapped it to guardrail CI expectations (feed integrity, SBOM gating, replay, policy change attestation, backups). Focused on completeness, determinism, provenance, offline parity, and automated enforcement.

Gap Table

ID	Area	Gap	Impact	Recommendation
AT1	Canonical test pack schema	Pack/fixture layout not defined by signed/Versioned schema or canonical JSON rules.	Implementations may drift; CI may accept malformed tests; hashes/signatures unstable.	Publish signed schema for acceptance-pack manifest + fixtures with canonical JSON and hash/test vectors; enforce validation in CI.
AT2	Deterministic fixtures & seeds	No requirement for fixed seeds, clocks (UTC), or deterministic archiving of fixtures.	Flaky acceptance runs; reproducibility claims weakened.	Require fixed seeds/time sources; deterministic tar flags for fixture bundles; multi-run hash CI on acceptance pack outputs.
AT3	Coverage breadth & critical paths	Advisory covers five areas but omits runtime admission, VEX/graph drift, and auth/DPoP misuse scenarios.	Gaps leave critical regressions untested.	Expand pack to include admission/VEX/graph drift/auth binding scenarios; map each to acceptance IDs and CI jobs.
AT4	Provenance & signing of bundles	Acceptance bundle signing/attestation not mandated; no provenance (tool versions, policy hashes, feed snapshots).	Tampered tests or mismatched environments may pass; audits weak.	DSSE-sign acceptance bundles with provenance (tool versions, feed snapshot IDs, policy/graph hashes); verify before run; store results in Evidence Locker.
AT5	Air-gap/offline execution	Offline/air-gap execution not codified (no offline mirrors, time anchor, or verify script).	Air-gapped sites cannot run/verify acceptance pack; integrity risk.	Provide offline “guardrail-pack” with hash manifest, DSSE signature, time anchor, and verify script; forbid network during run; include mirrored feeds.
AT6	SBOM/scan gating thresholds	Thresholds listed informally; no machine-enforced limits or schema for completeness/error budgets.	Inconsistent gating; teams may weaken thresholds unnoticed.	Define gating policy schema (hash coverage %, ecosystem completeness, provenance requirement) and enforce in acceptance runner with fail-closed defaults.
AT7	Replay/determinism checks	Replay of graph/revision parity mentioned but no required comparison outputs or allowed tolerances.	Restores may appear “green” without verifying verdict parity; audits weak.	Require parity checks on graph_revision_id and verdict counts with zero tolerance; include expected hashes in fixtures.
AT8	Policy change attestation	Authority DSSE gating described but not enforced in acceptance tests; no negative tests for missing/invalid signatures.	Unsigned policy changes could slip through; audit trail incomplete.	Add acceptance cases for valid/invalid DSSE policy change requests, require rejection on missing/invalid signatures, and record ledger entry; include sample envelopes.
AT9	Backup/restore rehearsal automation	Backup cadence noted but no automated rehearsal scripts, success criteria, or CI job wiring.	Restores may silently fail; RPO/RTO claims unproven.	Add scripted PITR rehearsal with hash/parity assertions; wire into CI weekly; publish logs + hashes as artifacts.
AT10	Reporting & SLOs for guardrail CI	No reporting format or SLO targets for acceptance suite (pass rate, duration, flake rate).	Leadership lacks visibility; flaky tests ignored.	Define report schema + SLOs (pass rate, max duration, flake budget); publish HTML/JSON summary; alert on SLO breaches.

Immediate follow-ups

• Add an acceptance-pack gaps task to Sprint SPRINT_300_documentation_process.md (Docs/Process) to close AT1–AT10 with owners/dates.
• Publish signed acceptance-pack schema and deterministic fixtures; extend coverage to admission/VEX/auth cases; mandate DSSE provenance, offline guardrail-pack with verify script/time anchor, gating thresholds schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting.

Findings – Gaps in “CVSS v4.0 Momentum in Vulnerability Management”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md

Method: Read the momentum advisory and compared with StellaOps scoring/policy pipelines (CVSS receipts sprint 0190, policy/VEX/triage flows). Focused on data model, canonicalization, multi-version support, provenance, UI/API surfacing, offline parity, and operational governance.

Gap Table

ID	Area	Gap	Impact	Recommendation
CVM1	Canonical schemas & parsing	Advisory doesn’t mandate signed/Versioned schemas or canonical JSON for CVSS v4.0 vectors/metrics; parsing rules for Supplemental group unspecified.	Parsers drift; hashes/DSSE receipts unstable; supplemental metrics lost.	Publish signed schemas for v4 vectors + metrics (Base/Threat/Env/Supplemental) with canonical JSON and test vectors; enforce strict parser/validator and canonicalization for hashing.
CVM2	Multi-version storage & receipts	No contract for storing multiple CVSS versions (v2/v3.x/v4) per finding with source/assessed_at and immutable receipts.	Overwrites destroy provenance; auditors can’t trace scorer/source; UI may show mixed data.	Model CVSS assessments as append-only records with version, source, assessed_at, receipt DSSE; expose via API/UI with version tag; keep legacy scores for compatibility but default to v4.
CVM3	Supplemental/Threat/Env completeness	Advisory highlights momentum but not completeness requirements for Threat/Environmental/Supplemental fields; no “data quality” band.	Scores degrade to Base-only; uneven risk posture; explainability weak.	Require completeness thresholds (e.g., Threat present if upstream supplies; Environmental/Supplemental optional but flagged). Mark quality band and block “v4-default” if key groups missing unless explicitly allowed.
CVM4	Canonical hashing for receipts	No canonical hash recipe for CVSS receipts (policy v4 work does Base hash only).	DSSE receipt hashes may drift; signatures unverifiable across services.	Define canonical hash: sorted keys, fixed precision, UTC timestamps, normalized vectors; include metric groups present flags; add test vectors.
CVM5	Interop & downgrade rules	No downgrade/crosswalk rules v4→v3.1 or mixed-source merging; no precedence rules when v3.1 and v4 coexist.	UI/API may pick wrong score; pipelines inconsistent.	Define precedence (prefer v4 from trusted sources, fall back to v3.1); provide deterministic v4→v3.1 reducer with confidence tag; expose both in API/UI with source.
CVM6	UI/API surfacing & exports	Advisory lists momentum but no UI/API/export spec for multiple scores, metric groups, source, and quality bands.	Users see ambiguous scores; exports non-deterministic.	Update API/UI contracts: show v4 score set (B/BT/BE/BTE), source, assessed_at, quality band; include in exports with deterministic ordering/formatting.
CVM7	Offline/air-gap parity	No requirement to include CVSS v4 data, schemas, and receipts in offline bundles.	Air-gapped sites lack v4 support; replay breaks.	Ship CVSS schemas/test vectors and v4 receipts in offline kits; verify hash/signature; include reducer outputs for legacy consumers.
CVM8	Monitoring & drift detection	No metrics/alerts for missing v4 data, parser failures, or receipt drift vs source (NVD/GitHub).	Silent regressions; stale scores.	Add metrics/alerts: v4 coverage %, parser failures, hash mismatch vs source, fallback to v3.1 events; surface in dashboards.
CVM9	Governance & change control	Momentum noted but no change-control or versioning for parser/ruleset updates; no audit of scorer changes.	Parser changes can alter scores unnoticed.	Version parsers/rulesets; DSSE-sign releases; log scorer version in receipts; require dual-review for scoring logic changes.
CVM10	Test coverage & fixtures	No golden fixtures/regression tests for v4 vectors, supplemental fields, or reducer outputs.	Regressions may ship; inconsistent outputs across services.	Publish fixture suite (v2/v3.1/v4 vectors incl. Supplemental) with expected scores and hashes; run in CI across services; include downgrade fixtures.

Immediate follow-ups

• Add a CVSS momentum gaps task to Sprint SPRINT_0190_0001_0001_cvss_v4_receipts (or related policy/scoring sprint) to close CVM1–CVM10 with owners/dates.
• Publish signed schemas and canonical hash recipe; enforce append-only multi-version receipts with provenance, completeness bands, precedence/downgrade rules, deterministic API/UI/export formats, offline kit inclusion, monitoring/alerts, governed parser releases, and golden fixtures."

Findings – Gaps in “SBOM to VEX Proof Pipeline Blueprint”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md

Method: Read the blueprint, compared with reachability evidence chain (Sprint 0401), policy/VEX pipelines, and evidence locker/export contracts. Focused on end-to-end determinism, DSSE/Rekor alignment, offline parity, idempotency, and testability.

Gap Table

ID	Area	Gap	Impact	Recommendation
BP1	Canonical schemas & hash chain	Blueprint shows diagrams but no signed/Versioned schemas for SBOM→scan→reachability→VEX artifacts or canonical hash recipe tying them.	Chain-of-custody unverifiable; hashes drift across services.	Publish signed schemas for each hop (SBOM, scan, reachability graph, VEX decision) with canonical JSON + hash/test vectors; define chain hash linking inputs/outputs.
BP2	Predicate alignment	DSSE predicates for scan/reachability/VEX not mandated or versioned; no required fields cross-referencing each other.	Attestations may be incompatible; evidence linkage weak.	Mandate predicate set (stella.ops/sbom@v1, …/scan@v1, …/reachability@v1, …/vexDecision@v1) with required cross-refs (graph_revision_id, policy_hash, evidence bundle IDs).
BP3	Idempotency & replay	No idempotency keys or replay/inputs.lock definition across pipeline stages.	Duplicate or divergent runs; replay not guaranteed.	Define inputs.lock (feed snapshots, tool images, flags) and idempotency key per artifact; require replay to validate lock and chain hashes.
BP4	Transparency/log routing	Rekor/TLOG usage mentioned but no routing policy (public vs private), shard IDs, or bundle requirements.	Attestations may be unlogged or unverifiable offline.	Define routing matrix; require shard ID/log ID in envelopes; ship Sigstore bundles in offline kits.
BP5	Offline/air-gap parity	Offline flow sketched but no deterministic bundle layout, verify script, time anchors, or dual-sign (PQ/FIPS) guidance.	Air-gapped verification weak; regional compliance risk.	Provide “sbom-vex-kit” with deterministic archive flags, hash manifest, DSSE signature + time anchor, dual-sign where required; include verify script with exit codes.
BP6	Error taxonomy & backpressure	Failure modes/reties across stages (scan, reachability, VEX emit) not defined; no backpressure policy.	Pipelines may thrash or silently drop evidence.	Define error taxonomy + retry/backoff, DLQ for failed attestations, and backpressure metrics; fail-closed on missing links.
BP7	Policy/gate binding	VEX decisions not explicitly bound to policy/lattice versions or gate evaluation results.	Decisions may be applied under wrong policy; audit gaps.	Require policy_hash/lattice_version in VEX attestation; bind gate evaluation result to decision; verify before accept.
BP8	Tenant/role segregation	Tenant binding and role/RBAC for emitting/approving VEX not specified.	Cross-tenant leakage or unauthorized downgrades.	Enforce tenant field in all artifacts; require dual-approval for VEX publish; annotate attestation with actors/roles.
BP9	Testing/fixtures	No golden fixtures or CI covering SBOM→scan→reachability→VEX chain with hash expectations.	Regressions undetected; chain drift unnoticed.	Publish fixture set with expected hashes/attestations for a reference image; add multi-run hash CI.
BP10	Observability & SLOs	No metrics/alerts for chain integrity (hash mismatch, missing attestation, replay failure).	Failures invisible; customers get incomplete proofs.	Add metrics/alerts for chain completeness, hash drift, replay success, tlog submission errors; include in dashboards.

Immediate follow-ups

• Add an SBOM→VEX pipeline gaps task to Sprint SPRINT_300_documentation_process.md (docs/process tracker) or relevant pipeline sprint to close BP1–BP10 with owners/dates.
• Publish signed schemas and chain hash recipe; mandate predicate alignment and inputs.lock, Rekor routing/bundles, offline kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring.

Findings – Gaps in “SCA Failure Catalogue for StellaOps Tests”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md

Method: Reviewed the failure catalogue and mapped the five cited regressions to StellaOps scanning/SBOM/DB/offline expectations. Focused on making the catalogue actionable as deterministic test vectors with provenance, thresholds, and CI wiring.

Gap Table

ID	Area	Gap	Impact	Recommendation
FC1	Test vector formalization	Catalogue lists examples but no signed/Versioned fixture pack (images/SBOMs/expected results) with hashes.	Hard to reproduce or detect regressions; provenance weak.	Create a signed fixture pack (container images, SBOMs, expected vuln sets) with hash manifest + DSSE; version it and store in Evidence Locker.
FC2	Determinism & seeds	No deterministic build/scan instructions (seeds, timestamps, locales) for the vectors.	Flaky tests; inconsistent results across runs.	Provide deterministic build scripts with fixed seeds/UTC/time clamp, reproducible container builds, and multi-run hash checks.
FC3	Coverage gaps	Catalogue focuses on jar detection/SBOM gaps but omits other high-risk categories (e.g., language DB schema drift, package manager parity checks, VEX/graph drift).	Critical regressions could slip.	Expand catalogue to include DB/schema drift cases, package manager vs SBOM parity, VEX/graph drift, and offline updater behavior; tag each with priority.
FC4	Expected result schemas	Expected outcomes not expressed in machine-readable schema (e.g., expected vulns, counts, parity deltas).	CI can’t assert pass/fail deterministically.	Define result schema (expected vulns list, counts per severity, allowed deltas) and validate in CI; fail on deviations.
FC5	Offline/air-gap validation	Offline behavior mentioned but not enforced with no-network guard or mirrored DBs.	Tests may pass online but fail in customer air-gaps.	Add offline test mode with enforced no-network (firewall/iptables), mirrored DB bundles with hashes, and verify script; fail if network access occurs.
FC6	Tool/version matrix	No matrix of tool versions (Trivy/Grype/Syft/Snyk) to run against fixtures; regressions may go undetected on upgrades.	Upgrades can reintroduce failures unnoticed.	Maintain a version matrix (current, N-1, known-good) for each tool; run fixtures against all; alert on regressions.
FC7	Alerting/reporting	No SLOs or reporting for acceptance pack results (pass rate, flake rate, duration).	Failures may be ignored; flaky tests linger.	Add report + SLO (pass rate, max duration, flake budget) and publish dashboards; alert on SLO breaches.
FC8	Integration into CI pipelines	Catalogue not wired into CI with jobs, tags, or owners.	Tests may stay shelfware.	Add CI jobs (sca-fixtures) with owners, schedules, and gating rules (block release on failures); tag tests by scenario.
FC9	Provenance & licensing of fixtures	External artifacts (jars/images) lack provenance/licensing notes; risk of using non-redistributable samples.	Legal risk; fixtures may be removed later.	Document provenance/licensing for each fixture; prefer MIT/Apache or self-built artifacts; store notices alongside fixtures.
FC10	Documentation & discoverability	Catalogue isn’t linked to sprint tasks or module AGENTS; engineers may miss it.	Low adoption; duplicate effort.	Link fixture pack from module AGENTS and sprint docs; add README with usage; reference in ADVISORY_INDEX and sprint trackers.

Immediate follow-ups

• Add an SCA fixture gaps task to Sprint SPRINT_300_documentation_process.md (or a test/QA sprint) to close FC1–FC10 with owners/dates.
• Produce a signed, deterministic fixture pack with schema-defined expected results, offline/no-network mode, tool/version matrix, SLO/reporting, provenance/licensing notes, and CI wiring (sca-fixtures job) with gating rules.

Findings – Gaps in “StellaOps – Mid-Level .NET Onboarding (Quick Start)”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md

Method: Reviewed the onboarding brief against current repo state (missing UI workspace, multiple databases, DSSE/air-gap rules). Focused on completeness, determinism guarantees, offline/air-gap readiness, security posture, and handoff quality for mid-level devs.

Gap Table

ID	Area	Gap	Impact	Recommendation
OB1	Environment parity & prerequisites	Brief omits required local-nuget/offline feeds, Mongo vs Postgres choice guidance, and required tools (Cosign/Rekor client, BLAKE3) for determinism.	New devs hit restore/build failures; non-deterministic envs.	Add prerequisites table with exact versions, offline feed setup, DB selection instructions, and verification commands.
OB2	Determinism verification	Only three sample tests listed; no guidance on clocks/locale/newlines/line-endings enforcement or golden snapshot update policy.	Developers may commit non-deterministic changes.	Add determinism checklist (TZ=UTC, InvariantCulture, \n line endings), lint hooks, and policy for updating goldens with DSSE-signoff.
OB3	Security posture (keys/secrets)	Brief suggests copying .env but not key generation/rotation, KMS/soft-HSM use, or avoiding dev secrets in repo.	Risk of shared dev keys and leaked secrets.	Document dev key workflow (per-user keys, rotation cadence, soft-HSM option), forbid committing .env, provide make dev-keys script and secret scanning hook.
OB4	Air-gap/offline workflow	Instructions assume internet; no offline bootstrap steps (bundle pulls, rootpacks, mirrors).	Air-gapped onboarding fails; inconsistent envs.	Add offline bootstrap steps (load offline-kit, restore from local-nuget, import RootPack/feeds), and a “no-network” smoke test.
OB5	Multi-DB guidance	Brief mentions Mongo/Postgres without migration/compat guidance or determinism notes.	Mismatched DB selection breaks tests; inconsistent hashes.	Provide matrix: which services support which DB, migrations status, and determinism notes; include commands for both.
OB6	UI workspace gap	Current repo lacks Angular workspace; brief doesn’t warn or provide fallback (console/CLI).	Devs blocked on UI tasks.	Add note that UI workspace is missing; provide alternative CLI flows and link to sprint blocking item.
OB7	Sample issues/tests ownership	Starter issues listed but no links to tickets, owners, or paths to tests/fixtures.	New devs waste time finding code/tests; duplicate work.	Link each starter issue to path and test project; assign guild owner; include “definition of done” bullets.
OB8	DSSE/Rekor workflow details	Brief mentions RekorMode.OfflineMirrorIfAirgapped but not required flags, mirror paths, or verification commands.	Devs misuse Rekor/mirror; proofs incomplete.	Add step-by-step DSSE+Rekor workflow (online vs offline), mirror location, verify command, and expected hash outputs.
OB9	Contribution guardrails	No mention of code style, analyzers, required test suites, or pre-commit checks.	Inconsistent code quality; reviewers rework.	Add contribution checklist: run analyzers, determinism tests, secret scan, formatting; link to STYLE.md/Analyzers.
OB10	Documentation cross-links	Brief not cross-linked from AGENTS/sprints; missing references to module docs relevant to starter issues.	Discoverability low; onboarding drift.	Link quick-start from AGENTS and sprint docs; add doc map per starter issue.

Immediate follow-ups

• Add an onboarding gaps task to Sprint SPRINT_300_documentation_process.md (docs/process tracker) to close OB1–OB10 with owners/dates.
• Expand the quick-start with prerequisites/offline steps, determinism/DSSE/secret-handling guidance, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links.

Findings – Gaps in “Comparative Evidence Patterns for Stella Ops”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md

Method: Reviewed the comparative study across Snyk, GitHub, Aqua/Trivy, Anchore/Grype, and Prisma Cloud. Focused on turning competitive observations into StellaOps requirements for evidence, suppression/VEX, exports, accessibility, and auditability.

Gap Table

ID	Area	Gap	Impact	Recommendation
CE1	Evidence model & schemas	Comparative patterns not translated into StellaOps evidence schemas (data-flow, dependency path, attestation links) with canonical JSON.	UI/API may be inconsistent; exports non-deterministic.	Define evidence schema covering code paths, dependency paths, attestation refs, policy context; publish canonical JSON + test vectors.
CE2	Suppression/VEX consistency	Advisory notes fragmentation elsewhere but does not mandate a single suppression/VEX model across scan types in StellaOps.	Risk of repeating fragmented UX; hidden suppressions.	Enforce one suppression model (VEX + policy) across SBOM/container/code/runtime; always surface suppressed counts and include suppressed items in exports on demand.
CE3	Justification taxonomy & expiry	No structured justification/expiry rules for suppressions; free-text only.	Audits weak; inconsistent reasons.	Create justification enum + expiry policy; require reason + optional evidence link; DSSE-sign suppression actions.
CE4	Export/ledger linkage	Exports (CSV/JSON/VEX) not required to include ledger/timeline IDs, suppression metadata, or graph revision IDs.	Audits/replay difficult; regulators lack chain-of-custody.	Require exports to carry ledger IDs, graph_revision_id, suppression/VEX status, and signer info; include deterministic ordering and hashes.
CE5	Accessibility & UX parity	Comparative review doesn’t specify WCAG/a11y and UX parity across surfaces (UI/CLI/API) for evidence and suppression views.	Accessibility gaps; inconsistent operator experience.	Define a11y requirements (WCAG 2.1 AA) and ensure evidence/suppression affordances match in UI/CLI/API; add a11y tests.
CE6	Offline/air-gap parity	No requirement to include evidence/suppression data in offline bundles with verify script/time anchor.	Air-gapped customers cannot audit evidence; parity breaks.	Ship “evidence-kit” with findings, evidence paths, suppressions, VEX statements, hash manifest + DSSE + time anchor; provide verify script.
CE7	Observability & SLOs	No metrics/alerts for suppression usage, evidence load errors, export failures, or VEX ingestion drift.	Silent failures; UX regressions unseen.	Add metrics/alerts for suppression actions, suppressed count drift, export success rate, evidence load latency; include dashboards.
CE8	Cross-product comparison fixtures	Competitive examples not turned into fixtures to test StellaOps outputs against desired patterns.	Hard to validate UX/data-model decisions.	Create fixtures mirroring “good” patterns (e.g., Snyk data-flow) and “bad” patterns (fragmented suppression) and use them in UI/API regression tests.
CE9	Policy for suppressed visibility	Default visibility of suppressed items not specified (should not be hidden).	Suppressed issues may disappear from operator view.	Mandate always-visible suppressed counter, with toggle to show suppressed details; exports include suppressed items by option.
CE10	Governance & change control	No change-control for suppression/evidence UX rules or export formats.	Drift/regressions may slip in without review.	Version and change-log suppression/evidence/export schemas; require dual-review for changes; DSSE-sign schema catalog.

Immediate follow-ups

• Add an evidence-pattern gaps task to Sprint SPRINT_300_documentation_process.md (docs/process tracker) to close CE1–CE10 with owners/dates.
• Publish evidence/suppression/export schemas with canonical rules, enforce single suppression model with justification/expiry, add offline evidence-kit, a11y requirements, observability metrics, visibility policy, and versioned change control; create fixtures to validate desired patterns.

Findings – Gaps in “Ecosystem Reality Test Cases”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Ecosystem Reality Test Cases.md

Method: Reviewed the five public incidents/test ideas and mapped them to StellaOps acceptance/fixture requirements. Focused on determinism, provenance, offline enforcement, safety (secret leaks), and CI wiring.

Gap Table

ID	Area	Gap	Impact	Recommendation
ET1	Fixture pack & schemas	Test cases described but no signed fixture pack (images/SBOMs/DB snapshots) or schema for expected outcomes.	Hard to reproduce; results non-deterministic.	Create signed fixture pack with hash manifest + DSSE, covering all five cases; define expected-result schema.
ET2	Deterministic builds/seeds	No fixed seeds, timestamps, or reproducible build scripts for fixtures (e.g., JAR images, SBOMs).	Flaky tests; hash drift.	Provide deterministic build scripts (fixed time/locale), and multi-run hash checks for each fixture.
ET3	Secrets-leak guardrails	Credential-leak test lacks explicit assertions/log scrubbing rules in StellaOps pipeline.	Credentials could leak into logs/JSON exports.	Add secret-scanning of raw outputs/logs for fixture secrets; fail tests on detection; document safe flags.
ET4	Offline/no-network enforcement	Trivy offline schema error test not tied to “no-network” enforcement or expected exit codes.	Offline regressions may pass unnoticed or be misinterpreted.	Enforce firewall/no-network during offline tests; assert specific exit codes/messages; treat schema mismatch as hard error.
ET5	Version matrix coverage	Grype version drift test lacks required version matrix (v0.87.0 vs latest) and DB snapshot pinning.	Regression may be missed on upgrades.	Run fixtures against pinned versions + latest with pinned DB snapshots; alert on delta; store results.
ET6	SBOM parity diffs	SBOM parity test (native vs container) lacks diff criteria (component count thresholds, hash expectations).	Inconsistent interpretations; noisy results.	Define parity thresholds and expected diffs; compute and assert deltas; flag when beyond tolerance.
ET7	Reporting & ownership	No owners/SLAs for these tests; not wired into CI dashboards.	Failures ignored; drift persists.	Assign owners; add CI job ecosystem-fixtures with SLOs (pass rate, duration); alert on failure.
ET8	Provenance/licensing	External artifacts’ licensing/provenance not documented.	Legal risk; fixtures may need removal.	Document provenance/licenses; prefer self-built or permissive samples; include notices in fixture pack.
ET9	Export/log retention	No guidance on how long to retain raw outputs/logs from these tests or how to redact before storage.	PII/secret leakage risk; storage bloat.	Define retention + redaction policy for test artifacts; default short retention; store redacted outputs only.
ET10	Cross-tool normalization	Tests compare tools but no normalization rules for IDs/aliases (CVE/GHSA/SNYK) or CVSS versions.	False diffs; noisy comparisons.	Normalize IDs/aliases and CVSS versions before comparison; include reducer utilities in test harness.

Immediate follow-ups

• Add an ecosystem-fixtures gaps task to Sprint SPRINT_300_documentation_process.md (or test/QA sprint) to close ET1–ET10 with owners/dates.
• Publish signed fixture pack + expected-result schema, deterministic builds, secret-leak assertions, offline/no-network enforcement with exit-code checks, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance notices, retention/redaction policy, and ID/CVSS normalization utilities in the harness.

Findings – Gaps in “Implementor Guidelines for Stella Ops”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Implementor Guidelines for Stella Ops.md

Method: Reviewed the guideline advisory against current repo practices (determinism, offline, quotas, SLSA, schema versioning). Focused on making the guidelines enforceable, testable, and aligned with module AGENTS and sprint docs.

Gap Table

ID	Area	Gap	Impact	Recommendation
IG1	Enforceability & checklist	Guidelines are narrative; no enforceable checklist or CI gates (lint/analyzers/tests) to prove compliance.	Inconsistent adherence; regressions slip in.	Create enforceable checklist with CI gates (analyzers, determinism tests, schema version check, offline/no-network tests); publish in CONTRIBUTING and AGENTS.
IG2	Schema/change control	No explicit versioning/change-log rule for schemas/APIs/CLIs mentioned in the guidelines.	Breaking changes can land silently; replay breaks.	Mandate SemVer + changelog for schemas/APIs/CLIs; require schema catalog update + DSSE signature on change.
IG3	Determinism guardrails	Determinism noted but no required settings (TZ, culture, line endings, RNG seeds) or lint rules.	Non-deterministic outputs and hashes.	Add determinism guardrails: enforce TZ=UTC, InvariantCulture, newline normalization, stable RNG seeds; add lint/test to block violations.
IG4	Offline/air-gap guarantees	Offline-first called out, but no required offline test suite or mirror verification steps.	Features may break offline unnoticed.	Add offline CI job with no-network enforcement, mirror verification, and OUK import test; document required scripts.
IG5	Security/secret handling	Guidelines lack required secret-scanning/DSSE key handling steps for dev/CI; env copying risk.	Secrets leakage or shared dev keys.	Require secret scan pre-commit/CI, per-dev key generation with rotation guidance, forbid committing .env; add dev-keys script and doc.
IG6	Quotas/perf enforcement	Quota and P95 targets stated but no test harness or profiling budget in guidelines.	Performance drift; quotas unenforced.	Add perf/quota tests (reference hardware profile), budget docs, and CI perf smoke; require perf notes in PR checklist.
IG7	Documentation sync	“Docs in lock-step” stated but no enforcement (e.g., lint that docs paths updated).	Docs drift from code.	Add docs-sync check: PR must touch referenced docs or carry docs: n/a justification; add script to verify schema/docs references.
IG8	Cross-module boundaries	Roles split mentioned but no guidance on shared libs vs module-local code; risk of cross-module coupling.	Boundary erosion; harder offline bundles.	Document allowed shared libraries, module boundaries, and approval needed for cross-module calls; enforce via codeowners/analyzers.
IG9	SLSA/provenance specifics	SLSA target mentioned but no concrete steps (provenance format, attestation placement) in guideline.	Inconsistent provenance; audits fail.	Add required provenance format (in-toto/DSSE), storage location, signing algorithms; include sample and CI check to verify presence.
IG10	Discovery & AGENTS linkage	Guidelines not linked from module AGENTS/sprints; discoverability low.	New contributors miss rules; inconsistency.	Link guideline doc from AGENTS and sprint templates; add short “read receipt” checkbox when starting tasks.

Immediate follow-ups

• Add an implementor-guidelines gaps task to Sprint SPRINT_300_documentation_process.md to close IG1–IG10 with owners/dates.
• Publish enforceable checklist with CI gates, determinism/offline/secret/provenance requirements, schema/versioning change control, perf/quota tests, boundary rules, and AGENTS/sprint linkages.

Findings – Gaps in “Reachability Benchmark Fixtures Snapshot”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md

Method: Reviewed snapshot against reachability benchmark goals (Sprint 0513) and evidence chain requirements. Focused on fixture governance, determinism, licensing, coverage, offline parity, and integration into StellaOps schemas/graphs.

Gap Table

ID	Area	Gap	Impact	Recommendation
RB1	Canonical fixture schema	Snapshot lists sources but no signed/Versioned schema for fixtures (metadata, ground truth, hashes, SBOM/VEX refs).	Fixtures may drift; hashes unverifiable; CI can't validate.	Publish fixture schema (YAML/JSON) with canonical rules and hash manifest + DSSE signature.
RB2	Licensing/provenance	Tier-2 sources (OSS-Fuzz, Vulhub, packages) lack licensing/provenance vetting guidance.	Legal risk; fixtures may be non-redistributable.	Add licensing/provenance checklist; prefer self-owned/MIT fixtures; document license per fixture.
RB3	Deterministic build/run	No deterministic build/run scripts, seeds, or time clamps for fixtures.	Non-reproducible hashes/graphs.	Provide deterministic build scripts with fixed seeds/UTC/time clamp; include multi-run hash tests.
RB4	Ground truth validation	Ground truth (reachability/unreachability) not encoded in machine-readable assertions or tests.	CI can't assert correctness; false positives slip.	Encode ground truth in fixture manifest (expected graph_revision_id, reachable/not, failing property); add CI validators.
RB5	Coverage breadth	Snapshot prioritizes SV-COMP/OSS-Fuzz but lacks minimum coverage matrix (languages, binary cases, configs, call-graphs).	Gaps in benchmark reduce confidence.	Define coverage matrix (C, Java, .NET, Python, binary, container) and minimum counts; plan Tier-2 expansion with milestones.
RB6	Offline/air-gap kit	No packaging/verify script for offline distribution of fixtures.	Air-gapped users can't run benchmark or verify integrity.	Ship “reachability-fixtures kit” with deterministic archive flags, hash manifest + DSSE, time anchor, and verify script.
RB7	Integration with evidence chain	Fixtures not aligned to SBOM/graph/VEX schemas (no required outputs/pointers).	Benchmark not usable to validate product evidence chain.	Require each fixture to emit SBOM, scan attestation, reachability graph, VEX reference with hashes and cross-links; include in manifest.
RB8	Versioning/change control	No versioning strategy for fixture sets; updates could break baselines.	Benchmark comparisons unstable over time.	Version fixture set (e.g., golden-v0), maintain changelog, never delete fixtures—add new versions; DSSE-sign releases.
RB9	CI wiring & owners	No CI job/owners defined to run fixtures regularly.	Regressions go unnoticed.	Add CI job reachability-fixtures with owners, schedule, SLOs; fail builds on hash drift.
RB10	Metrics/reporting	No reporting format for benchmark results (pass/fail, hash drift, perf).	Hard to track regression trends.	Define report schema and dashboard; include hash drift, pass/fail, runtime; alert on failures.

Immediate follow-ups

• Add a reachability-fixtures gaps task to Sprint SPRINT_0513_0001_0001_public_reachability_benchmark (or docs tracker) to close RB1–RB10 with owners/dates.
• Publish signed fixture schema and kit with deterministic builds, licensing/provenance notes, ground-truth assertions, coverage matrix, evidence chain outputs, versioning/changelog, CI job with reporting/alerts.

Findings – Gaps in “Evidence Bundle and Replay Contracts”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Evidence Bundle and Replay Contracts.md

Method: Reviewed the advisory against Evidence Locker and replay sprints (0161, 0187) and offline/DSSE requirements. Focused on schema versioning, determinism, provenance, retention/incident governance, and offline parity.

Gap Table

ID	Area	Gap	Impact	Recommendation
EB1	Bundle/manifest schema versioning	Bundle layout shown but manifest/checksums schemas not versioned/signed; no canonical JSON rules.	Producers/consumers may drift; verification may accept wrong layouts.	Publish versioned schemas (bundle.manifest.schema.json, checksums.schema.json) with canonical JSON rules and signatures; add test vectors.
EB2	Hash recipe & Merkle alignment	No canonical path ordering/normalization for checksums/Merkle root.	Different packagers produce different roots; DSSE subject mismatch.	Define canonical path ordering, normalization, hash algo/encoding; document Merkle calculation; ship fixtures.
EB3	DSSE predicate & log policy	Predicate type not mandated; transparency/log routing optional.	Inconsistent signing/logging; weaker trust.	Mandate stella.ops/evidence-bundle@v1, require DSSE and Sigstore bundle/log metadata (shard/log ID), fail-closed verification.
EB4	Replay provenance completeness	Replay records lack required signer/tool/policy/graph hashes; DSSE optional.	Replay not auditable; deterministic replays may diverge.	Require provenance block (signer, tool version, policy/lattice hash, graph_revision_id) and DSSE envelope for replay manifest; verify on ingest.
EB5	Size/chunking & CAS	No guidance for large observations/linksets/timeline files.	Bundles may fail or be unverifiable; memory spikes.	Set size limits; support chunk manifests with CAS URIs/hashes; store large blobs out-of-tar referenced from manifest.
EB6	Incident/retention governance	Incident mode lacks signed activation records, authorization rules, or retention invariants.	Misuse or silent retention changes; weak forensic chain.	Require signed incident activation/exit records (who/when/why), legal-hold flags, retention invariants/tests, and audit events/metrics.
EB7	Multi-tenant isolation & redaction	Portable bundles lack redaction rules; tenant isolation not tested.	Cross-tenant leakage in portable/offline exports.	Enforce tenant-scoped manifests; redact tenant IDs in portable bundles with DSSE-recorded redaction map; add isolation tests.
EB8	Offline verifier completeness	Offline verify script not specified (revocation/log checks, crypto profile).	Offline users may skip critical checks; false positives.	Define verifier requirements (signature, checksum, manifest hash, optional log proof, crypto profile match); ship scripted verifier with exit codes/tests.
EB9	Golden fixtures & determinism CI	Golden bundles/replay fixtures not mandated in advisory.	Regressions may ship unnoticed; determinism unproven.	Publish official golden bundles/replay records with hashes and multi-run hash CI checks.
EB10	Versioning/change log	No SemVer/changelog for bundle/replay schemas.	Consumers can’t track breaking changes; offline kits may mix versions.	Adopt SemVer for bundle/replay schemas, maintain CHANGELOG, embed version in manifest, and block mixing major versions.

Immediate follow-ups

• Add an evidence-bundle gaps task to Sprint SPRINT_0161_0001_0001_evidencelocker (and note for CLI replay sprint 0187) to close EB1–EB10.
• Publish versioned schemas and hashing/Merkle spec, mandate DSSE predicate/log policy, require replay provenance, add chunking/CAS rules, incident governance, tenant isolation/redaction, offline verifier requirements, golden fixtures, and SemVer/change-log governance.

Findings – Gaps in “Export Center and Reporting Strategy”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Export Center and Reporting Strategy.md

Method: Reviewed the export strategy against Export Center sprints (0162–0164), EvidenceLocker bundles, and distribution/adaptation needs. Focused on schema/versioning, determinism, provenance, selector governance, distribution integrity, offline parity, and performance.

Gap Table

ID	Area	Gap	Impact	Recommendation
EC1	Profile & manifest schemas	Profiles/manifests lack versioned JSON Schemas and signatures; selectors not validated.	Inconsistent profiles; invalid selectors reach adapters; reproducibility breaks.	Publish signed schemas for ExportProfile and export manifest; validate selectors; add test vectors.
EC2	Adapter determinism	Determinism asserted but no per-adapter rules (JSON ordering, Trivy DB schema pin, mirror delta rules).	Different runs may emit different hashes; delta/mirror may drift.	Define determinism rules per adapter (schema version, ordering, compression flags); add CI rerun-hash checks.
EC3	Provenance/attestation policy	Provenance/SLSA shown but not mandated; no required fields or log policy.	Exports may ship unsigned/unlogged; audit trail weak.	Mandate DSSE/SLSA attestation with required fields (profile, selectors, inputs, tool versions, policy hash, tenant); include Sigstore bundle/log ID.
EC4	Selector governance & cross-tenant controls	Cross-tenant exports “with approval” mentioned but no enforcement/approval flow.	Possible data leakage across tenants.	Require explicit approval tokens/workflow; enforce tenant checks in profiles/runs; log decisions; deny by default.
EC5	Distribution integrity (HTTP/OCI/object)	Distribution channels lack integrity requirements (checksums, signatures, immutability flags, range/partial verification).	Corrupted or tampered exports reach consumers.	Require checksum + signature headers, immutability flags, range verification; for OCI, require annotations + cosign/Sigstore bundle.
EC6	Trivy/DB schema pinning	Trivy adapter supports schema v2 but no pinning/staleness rules or downgrade handling.	Schema drift may break consumers silently.	Pin supported schema versions; embed in manifest; fail fast on mismatch; provide reducer if needed.
EC7	Delta correctness	Mirror delta adapter lacks formal diff rules and tombstone handling.	Deltas may miss or duplicate entries; replay fails.	Define delta algorithm (base manifest hash, added/removed lists, tombstones), include in manifest, and add fixtures.
EC8	Encryption/key management	Encryption optional but key management and recipient validation not specified.	Weak encryption posture; wrong recipients; inability to decrypt offline.	Define encryption policy (age/KMS), recipient validation, key provenance in manifest, and offline decrypt instructions/tests.
EC9	Performance/quotas	No throughput/size limits, concurrency caps, or run quotas per tenant/profile.	Export jobs may overwhelm infra or starve tenants.	Set quotas and limits; expose metrics/alerts; enforce backpressure.
EC10	Offline/air-gap parity	Export bundles (profiles, manifests, signatures) not required to be packageable for offline import/verify.	Air-gapped consumers can’t verify or ingest exports.	Provide offline export kit schema (manifest + sig + profiles + inputs hashes) with verify script; ensure adapters produce kit-ready outputs.

Immediate follow-ups

• Add an Export Center gaps task to a relevant sprint (e.g., SPRINT_0162_0001_0001_exportcenter_i or SPRINT_0163_0001_0001_exportcenter_ii) to close EC1–EC10.
• Publish versioned schemas and determinism rules per adapter; enforce attestation/log policy, selector validation, tenant controls, distribution integrity, schema pinning, delta rules, encryption policy, quotas, and offline kit packaging with verify scripts.

Findings – Gaps in “Findings Ledger and Immutable Audit Trail”

Requested label: 2025-11-31 (note: November has 30 days)

Compiled: 2025-12-01 (UTC)

Source reviewed: 28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md

Method: Reviewed the ledger advisory against ledger/Merkle/export work and offline/air-gap expectations. Focused on schema governance, external anchoring, tenant isolation, redaction, determinism, and replay/export parity.

Gap Table

ID	Area	Gap	Impact	Recommendation
FL1	Event/ledger schema versioning	Event and projection shapes are described but no versioned JSON Schemas or canonical serialization rules.	Producers/consumers may diverge; hash/cycle validation may fail.	Publish versioned schemas for events/projections/exports with canonical JSON rules and test vectors; sign schema catalog.
FL2	Merkle config & external anchoring	Merkle anchoring noted, but no mandated external anchoring policy, shard/log metadata, or checkpoint freshness.	Tamper evidence weaker; air-gap replay cannot validate freshness.	Define Merkle policy (batch size/window/algo) plus external anchor rules (log/shard ID, checkpoint freshness SLA); include in exports.
FL3	Chain fork handling & tombstones	Forks are “prohibited” but no explicit behavior/logging/audit when conflicts occur; no tombstone policy.	Fork attempts may go unnoticed; auditors lack evidence.	Require fork detection with audit events + DSSE record; tombstone/410 rules; expose metrics.
FL4	Tenant isolation & redaction	Tenant mention present but no redaction rules for exports or portable bundles; no isolation tests.	Cross-tenant leakage risk in exports.	Enforce tenant-scoped chains; redact tenant IDs in portable exports with redaction manifest; add isolation tests.
FL5	Payload redaction/PII	Comment text “hashed” noted but no redaction/allowlist for other fields; no size limits.	PII may leak; exports may bloat.	Define redaction/allowlist, size limits, and evidence rules; enforce before hash; document in schema.
FL6	Policy/version linkage	policyVersion and evidenceBundleRef exist but lattice/version governance not mandated; no DSSE for events.	Decisions not reproducible; weak audit link between policy and ledger.	Require DSSE-signed events or batch manifests including policy hash, lattice version, graph_revision_id; verify on ingest/export.
FL7	Export determinism & golden fixtures	Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports.	Regressions may go unnoticed; reproducibility claims weak.	Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering.
FL8	Replay/rebuild tooling	Projection rebuild guidance minimal; no checksum for rebuild outputs.	Rebuilds may diverge from ledger state; audits fail.	Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests.
FL9	Air-gap verifier	Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations).	Air-gapped audits may be incomplete.	Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests.
FL10	Performance envelopes & quotas	SLOs listed but no quotas/backpressure for append/export per tenant or chain.	Hot tenants could starve others; risk of data loss under load.	Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load.

Immediate follow-ups

• Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10.
• Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure. _id; verify on ingest/export. | | FL7 | Export determinism & golden fixtures | Export determinism claimed but no golden fixtures or multi-run hash CI for ledger exports. | Regressions may go unnoticed; reproducibility claims weak. | Publish golden ledger exports and CI multi-run hash checks; pin compression/ordering. | | FL8 | Replay/rebuild tooling | Projection rebuild guidance minimal; no checksum for rebuild outputs. | Rebuilds may diverge from ledger state; audits fail. | Provide rebuild CLI with output hashes; compare against ledger roots; add acceptance tests. | | FL9 | Air-gap verifier | Offline bundle verification is mentioned but not specified (hash chain, Merkle roots, anchors, revocations). | Air-gapped audits may be incomplete. | Define offline ledger verify script requirements (hash chain, Merkle root, optional external anchor checkpoint); ship script + tests. | | FL10 | Performance envelopes & quotas | SLOs listed but no quotas/backpressure for append/export per tenant or chain. | Hot tenants could starve others; risk of data loss under load. | Add per-tenant quotas/backpressure and alerts; document performance envelopes; test under load. |

Immediate follow-ups

• Add a ledger gaps task to a relevant sprint (e.g., reachability/policy ledger work or EvidenceLocker/export coordination) to close FL1–FL10.
• Publish versioned schemas and canonical serialization; mandate Merkle/external anchor policy with freshness; enforce tenant/redaction rules; require DSSE/policy linkage; add golden fixtures, replay/rebuild verifiers, air-gap verify scripts, and quotas/backpressure.