RedteamNotes
diff --git a/‎README.md‎
Lines changed: 26 additions & 10 deletions b/‎README.md‎
Lines changed: 26 additions & 10 deletions
diff --git a/‎docs/CLI.md‎
Lines changed: 30 additions & 6 deletions b/‎docs/CLI.md‎
Lines changed: 30 additions & 6 deletions
diff --git a/‎docs/ENTERPRISE_OUTPUTS.md‎
Lines changed: 3 additions & 2 deletions b/‎docs/ENTERPRISE_OUTPUTS.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎docs/LAB_VALIDATION.md‎
Lines changed: 20 additions & 0 deletions b/‎docs/LAB_VALIDATION.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docs/README.fr.md‎
Lines changed: 30 additions & 11 deletions b/‎docs/README.fr.md‎
Lines changed: 30 additions & 11 deletions
@@ -70,6 +70,11 @@ telemetry.
 - Standard lab matrix planning and corpus coverage verification for HTTP/IIS
   EPA, AD CS Web Enrollment EPA, LDAP signing, LDAPS CBT, and MSSQL
   encryption/EPA states.
+- Lab response differential analysis for stable policy-state pairs, including
+  discriminator keys, context-only differences, and promotion support.
+- Evidence completeness reporting for finding/path records, including protocol
+  judgement fields, confidence distribution, missing contract keys, and
+  remaining uncertainty.
 - Guarded validation and execution records with dry-run, armed, and confirmed
   modes, operator context, timebox/noise/scope checks, and JSONL audit logs.
 - Source validation planning for WebClient/WebDAV, RPC coercion surfaces,
@@ -83,8 +88,9 @@ telemetry.
   module definitions, credential policy guardrails, listener policy guardrails,
   and audited adapter lifecycle records.
 - Versioned schema and evidence contract validation for result files, lab
-  profiles, corpuses, execution records, module manifests, OpenGraph, JSONL,
-  CSV, OPSEC policy, and route report artifacts.
+  profiles, corpuses, lab stability and differential reports, execution
+  records, evidence reports, module manifests, OpenGraph, JSONL, CSV, OPSEC
+  policy, and route report artifacts.
 - Enterprise outputs for graph analysis, SIEM ingestion, spreadsheet review,
   HTML/Markdown reporting, scan diffing, and remediation impact simulation.
 - Enterprise bundle generation with manifest, artifact hashes, schema status,
@@ -144,6 +150,7 @@ Review relay paths, decisions, controls, and remediation:
 relayx paths result.json
 relayx routes --result result.json
 relayx calculus result.json
+relayx evidence-report --result result.json
 relayx controls result.json
 relayx fixes result.json
 relayx plan result.json PX-0001 --format json --out plan.json
@@ -212,8 +219,10 @@ relayx lab-matrix        Print the standard RelayX lab policy matrix
 relayx lab-corpus        Extract lab calibration signatures from a result
 relayx lab-verify        Verify lab corpuses against the standard matrix
 relayx lab-stability     Assess repeat-capture lab stability and drift
+relayx lab-diff          Compare stable lab policy-state response differences
 relayx lab-index         Summarize lab signature corpuses
 relayx lab-profile       Generate a calibration profile draft from corpuses
+relayx evidence-report   Audit evidence completeness and judgement fields
 relayx validate          Run guarded active validation for one path
 relayx profiles          List bundled RelayX profiles
 relayx export            Export graph, JSONL, CSV, report, or diagram artifacts
@@ -295,12 +304,17 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 ```
 
 Supported kinds include `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `execution-record`, `module-manifest`, `opsec-policy`,
-`route-report`, `bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and
-`csv`.
+`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
+`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
+`quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Validation reports explain invalid fields by path and return exit code `2` when
 an artifact does not satisfy the selected contract.
 
+`relayx evidence-report -r result.json` audits an existing result without
+network activity. It highlights candidate or relayable records without
+evidence, protocol judgement records missing policy inference or remaining
+uncertainty, and evidence entries that still carry unknown confidence.
+
 ## Calibration
 
 RelayX is deliberately conservative when network evidence is ambiguous. Lab
@@ -313,6 +327,7 @@ relayx compare-baseline --baseline epa-off.json --candidate epa-required.json --
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
+relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 relayx lab-corpus result.json --label iis-epa-required --policy-state epa_required --expected-state epa_or_cbt_enforcement_signal --promotion promote --format json --out corpus.json
 relayx lab-profile --corpus corpus.json --profile-id http_iis_epa_lab --target-family http_iis_epa --service http --format json --out profile.json
 ```
@@ -321,11 +336,12 @@ Calibration can promote a finding only when the supplied profile and baseline
 difference support that conclusion. Otherwise RelayX keeps the original
 conservative state and explains the remaining uncertainty.
 
-`lab-matrix`, `lab-verify`, `lab-stability`, `lab-corpus`, and `lab-profile`
-are offline research helpers. They do not create network traffic; they turn
-already captured RelayX results into reusable signature corpuses, verify
-coverage against the standard policy matrix, measure repeat-capture stability
-and drift, and generate profile drafts for review.
+`lab-matrix`, `lab-verify`, `lab-stability`, `lab-diff`, `lab-corpus`, and
+`lab-profile` are offline research helpers. They do not create network traffic;
+they turn already captured RelayX results into reusable signature corpuses,
+verify coverage against the standard policy matrix, measure repeat-capture
+stability and drift, compare stable policy-state response differentials, and
+generate profile drafts for review.
 
 ## Safety Boundary
 
 
@@ -36,9 +36,9 @@ relayx help export -f json
 
 - Assessment: `scan`, `assess`, `summary`, `matrix`, `sources`, `routes`,
   `paths`, `rank`, `explain`
-- Analysis: `calculus`, `controls`, `fixes`, `plan`, `calibrate`,
-  `compare-baseline`, `lab-matrix`, `lab-corpus`, `lab-verify`,
-  `lab-stability`, `lab-profile`
+- Analysis: `calculus`, `controls`, `fixes`, `plan`, `evidence-report`,
+  `calibrate`, `compare-baseline`, `lab-matrix`, `lab-corpus`, `lab-verify`,
+  `lab-stability`, `lab-diff`, `lab-profile`
 - Validation: `validate`, `source-check`, `source-plan`, `run`
 - Enterprise: `profiles`, `report`, `export`, `bundle`, `diff`,
   `simulate-fixes`, `quality-gate`
@@ -94,6 +94,21 @@ live reachability from the operator host. Source profiles can provide
 `route_hops`. Structured routes produce stronger reachability evidence than
 unconstrained labels.
 
+## Evidence Report
+
+```bash
+relayx evidence-report -r result.json
+relayx evidence-report -r examples/tutorial/sample-result.json -f json -o evidence-report.json
+relayx schema validate -k evidence-report evidence-report.json
+```
+
+`evidence-report` audits an existing result offline. It reports whether
+candidate or relayable records have evidence, whether protocol judgement
+records expose response classification, policy inference, and remaining
+uncertainty, and whether any evidence still has unknown confidence. It is meant
+for lab promotion review, enterprise handoff, and fixture quality checks; it
+does not scan, validate, relay, or mutate the result file.
+
 ## Schema Contracts
 
 ```bash
@@ -105,9 +120,9 @@ relayx schema validate -k jsonl relayx-events.jsonl
 ```
 
 Supported schema kinds are `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `execution-record`, `module-manifest`, `opsec-policy`,
-`route-report`, `bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and
-`csv`.
+`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
+`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
+`quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Invalid artifacts return exit code `2`.
 
 Pin `-k/--kind` when validating a directory. Auto inference is useful for a
@@ -154,6 +169,7 @@ relayx lab-verify -c fixtures/lab_corpus
 relayx lab-verify -c fixtures/lab_corpus -t ldaps_cbt -m 2 -f json
 relayx lab-stability -c fixtures/lab_corpus -m 2
 relayx lab-stability -c fixtures/lab_corpus -t mssql_epa -m 3 -T 0.9 -f json
+relayx lab-diff -c fixtures/lab_corpus -t http_iis_epa -p epa_off:epa_required -f json
 ```
 
 `lab-matrix` prints the standard policy-state coverage plan for HTTP/IIS EPA,
@@ -169,6 +185,14 @@ remain promotable or are downgraded to `retain`. The command defaults to
 `--min-captures 2` and `--stable-threshold 0.85`; increase both when building a
 profile intended for high-assurance lab promotion.
 
+`lab-diff` compares stable policy-state signatures from the corpus and reports
+which changed fields are response discriminators versus context-only
+differences. It is useful for reviewing HTTP/IIS EPA, AD CS EPA, LDAP signing,
+LDAPS CBT, and MSSQL encryption/EPA response deltas before editing calibration
+profiles. It does not compare two result files; use `compare-baseline` for that
+workflow. Unmatched `-p/--pair` filters are reported as warnings so a typo does
+not silently produce an empty pass report.
+
 ## Execution Adapter SDK
 
 `relayx modules` and `relayx module-plan` expose both module manifests and the
 
@@ -17,6 +17,7 @@ relayx bundle -r result.json -d relayx-bundle
 relayx diff old-result.json new-result.json --format json --out relayx-diff.json
 relayx simulate-fixes result.json --control smb_signing --format json
 relayx routes --result result.json --format json --out relayx-routes.json
+relayx evidence-report --result result.json --format json --out relayx-evidence-report.json
 relayx quality-gate -C . -f json -o relayx-quality-gate.json
 relayx schema validate --kind opengraph relayx-opengraph.json
 relayx schema validate --kind jsonl relayx-events.jsonl
@@ -85,8 +86,8 @@ for CI and ingestion pipeline checks.
 `relayx quality-gate` is the local CI and release gate. It validates package
 metadata, schema catalog coverage, JSON fixtures, schema fixture directories,
 enterprise output matrix coverage, lab matrix coverage, lab stability checks,
-documentation coverage, and GitHub Actions workflow presence. Failed gates
-return exit code `2`.
+lab differential checks, evidence-report checks, documentation coverage, and
+GitHub Actions workflow presence. Failed gates return exit code `2`.
 
 ```bash
 relayx quality-gate -C . -f json -o relayx-quality-gate.json
 
@@ -19,6 +19,10 @@ offline tutorial in [`docs/TUTORIAL.md`](TUTORIAL.md) and the fixtures in
 Every protocol oracle should produce stable evidence keys that can be used
 by reports, ranking, and regression tests.
 
+Use `relayx evidence-report -r result.json` before promoting lab evidence. The
+report checks whether finding/path records carry evidence, protocol judgement
+fields, confidence, and remaining uncertainty in a consistent structure.
+
 | Oracle | Required evidence keys |
 | --- | --- |
 | SMB | `smb_signing_required`, `smb_security_mode` |
@@ -52,6 +56,7 @@ relayx lab-matrix
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
+relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 ```
 
 `lab-matrix` is the planning contract. `lab-verify` checks that a lab corpus
@@ -67,6 +72,12 @@ and explains why a promotion hint can be preserved or must be downgraded to
 coverage checks: one capture can prove that a matrix state exists, but repeated
 captures are needed before RelayX should treat a lab signature as stable.
 
+`lab-diff` is the response-difference contract. It compares stable dominant
+signatures between policy states, separates response discriminator keys from
+context-only fields, and reports whether a policy-state pair can support
+calibration promotion. This is the offline corpus-level companion to
+`compare-baseline`, which compares two RelayX result files.
+
 | ID | Service | Lab policy state | RelayX command mode | Expected behavior |
 | --- | --- | --- | --- | --- |
 | SMB-01 | SMB server | Signing disabled or not required | default scan | `smb_signing_required=false`; finding relay-ready/candidate through path engine |
@@ -117,6 +128,15 @@ Lab stability reports expose a separate confidence contract with evidence model
 promotion boundary, and auto-downgrade rule used when a corpus or generated
 profile attempts to preserve `promotion=promote` or `promotion=block`.
 
+Lab differential reports expose evidence model `lab_response_differential`.
+They record stable changed keys, response discriminator keys, context-only
+keys, promotion support, and remaining uncertainty for each policy-state pair.
+
+Evidence reports expose evidence model `result_evidence_completeness`. They are
+offline audits of an existing result and do not prove protocol correctness; they
+make missing judgement fields and unknown-confidence evidence visible before a
+lab profile or enterprise handoff relies on the result.
+
 For baseline comparisons, promotion requires both:
 
 1. A candidate signature that matches a promotable calibrated lab state.
 
@@ -76,11 +76,17 @@ echec.
   modules via JSON manifest, credential policy guardrails, listener policy
   guardrails et adapter lifecycle auditable.
 - Validation versionnee des schemas et du contrat evidence pour resultats,
-  profils lab, corpuses, execution records, module manifests, OpenGraph, JSONL
-  CSV, OPSEC policy et route report.
+  profils lab, corpuses, execution records, evidence reports, module manifests,
+  OpenGraph, JSONL, CSV, OPSEC policy et route report.
 - Planification de standard lab matrix et verification de couverture corpus
   pour les etats HTTP/IIS EPA, AD CS Web Enrollment EPA, LDAP signing, LDAPS
   CBT et MSSQL encryption/EPA.
+- Analyse des lab response differentials pour comparer des signatures stables
+  de policy states et separer les vrais response discriminators des champs de
+  contexte.
+- Evidence completeness reporting pour auditer les records finding/path, les
+  champs de protocol judgement, la distribution de confidence, les contract
+  keys manquantes et l'incertitude restante.
 - Exports entreprise pour graph analysis, ingestion SIEM, revue CSV, rapports
   HTML/Markdown, scan diff et simulation d'impact de remediation.
 - Generation d'enterprise bundle avec manifest, hashes d'artefacts, schema
@@ -141,6 +147,7 @@ Examiner les chemins relay, decisions, controles et remediations :
 relayx paths result.json
 relayx routes --result result.json
 relayx calculus result.json
+relayx evidence-report --result result.json
 relayx controls result.json
 relayx fixes result.json
 relayx plan result.json PX-0001 --format json --out plan.json
@@ -210,8 +217,10 @@ relayx lab-matrix        Affiche la standard lab policy matrix RelayX
 relayx lab-corpus        Extrait des signatures lab depuis un resultat
 relayx lab-verify        Verifie les corpuses lab contre la matrice standard
 relayx lab-stability     Evalue stabilite et drift des captures lab repetees
+relayx lab-diff          Compare les response differentials entre policy states
 relayx lab-index         Resume les corpuses de signatures lab
 relayx lab-profile       Genere un draft de calibration profile depuis corpus
+relayx evidence-report   Audite evidence completeness et champs de judgement
 relayx validate          Lance une validation active controlee pour un chemin
 relayx profiles          Liste les profils RelayX integres
 relayx export            Exporte graph, JSONL, CSV, rapport ou diagramme
@@ -295,10 +304,16 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 ```
 
 Les kinds supportes incluent `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `execution-record`, `module-manifest`, `opsec-policy`,
-`route-report`, `bundle-manifest`, `quality-gate`, `opengraph`, `jsonl` et
-`csv`. Les rapports de validation expliquent les champs invalides par chemin et
-renvoient un exit code `2` lorsque l'artefact ne respecte pas le contrat choisi.
+`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
+`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
+`quality-gate`, `opengraph`, `jsonl` et `csv`. Les rapports de validation
+expliquent les champs invalides par chemin et renvoient un exit code `2`
+lorsque l'artefact ne respecte pas le contrat choisi.
+
+`relayx evidence-report -r result.json` audite un resultat existant hors ligne,
+sans trafic reseau. Il signale les records candidate/relayable sans evidence,
+les protocol judgement records sans policy inference ou remaining uncertainty,
+et les evidence entries qui gardent une confidence `unknown`.
 
 ## Calibration laboratoire
 
@@ -312,6 +327,7 @@ relayx compare-baseline --baseline epa-off.json --candidate epa-required.json --
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
+relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 relayx lab-corpus result.json --label iis-epa-required --policy-state epa_required --expected-state epa_or_cbt_enforcement_signal --promotion promote --format json --out corpus.json
 relayx lab-profile --corpus corpus.json --profile-id http_iis_epa_lab --target-family http_iis_epa --service http --format json --out profile.json
 ```
@@ -320,11 +336,14 @@ RelayX ne promeut une conclusion que lorsque le profil et la difference de
 baseline la justifient. Sinon, il conserve l'etat conservateur initial et
 explique les preuves encore manquantes.
 
-`lab-matrix`, `lab-verify`, `lab-stability`, `lab-corpus` et `lab-profile`
-sont des aides de recherche hors ligne. Ils ne generent pas de trafic reseau;
-ils transforment des resultats RelayX deja captures en corpuses de signatures,
-verifient la couverture contre la matrice standard, mesurent la stabilite et le
-drift des captures repetees, et generent des drafts de profiles a reviser.
+`lab-matrix`, `lab-verify`, `lab-stability`, `lab-diff`, `lab-corpus` et
+`lab-profile` sont des aides de recherche hors ligne. Ils ne generent pas de
+trafic reseau; ils transforment des resultats RelayX deja captures en corpuses
+de signatures, verifient la couverture contre la matrice standard, mesurent la
+stabilite et le drift des captures repetees, comparent les response
+discriminators entre etats de politique stables, et generent des drafts de
+profiles a reviser. `lab-diff` travaille sur les etats stables d'un corpus;
+utilisez `compare-baseline` pour comparer deux fichiers resultat RelayX.
 
 ## Frontiere de securite