RedteamNotes
diff --git a/‎README.md‎
Lines changed: 16 additions & 9 deletions b/‎README.md‎
Lines changed: 16 additions & 9 deletions
diff --git a/‎docs/CLI.md‎
Lines changed: 13 additions & 4 deletions b/‎docs/CLI.md‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎docs/ENTERPRISE_OUTPUTS.md‎
Lines changed: 4 additions & 3 deletions b/‎docs/ENTERPRISE_OUTPUTS.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎docs/LAB_VALIDATION.md‎
Lines changed: 14 additions & 0 deletions b/‎docs/LAB_VALIDATION.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎docs/README.fr.md‎
Lines changed: 24 additions & 15 deletions b/‎docs/README.fr.md‎
Lines changed: 24 additions & 15 deletions
@@ -70,6 +70,9 @@ telemetry.
 - Standard lab matrix planning and corpus coverage verification for HTTP/IIS
   EPA, AD CS Web Enrollment EPA, LDAP signing, LDAPS CBT, and MSSQL
   encryption/EPA states.
+- Lab corpus provenance review for synthetic fixture marking, authorized lab
+  capture metadata, endpoint build metadata, drift baselines, and operator
+  promotion decisions.
 - Lab response differential analysis for stable policy-state pairs, including
   discriminator keys, context-only differences, and promotion support.
 - Evidence completeness reporting for finding/path records, including protocol
@@ -218,6 +221,7 @@ relayx compare-baseline  Compare baseline and candidate lab result signatures
 relayx lab-matrix        Print the standard RelayX lab policy matrix
 relayx lab-corpus        Extract lab calibration signatures from a result
 relayx lab-verify        Verify lab corpuses against the standard matrix
+relayx lab-provenance    Audit lab corpus provenance and review readiness
 relayx lab-stability     Assess repeat-capture lab stability and drift
 relayx lab-diff          Compare stable lab policy-state response differences
 relayx lab-index         Summarize lab signature corpuses
@@ -304,9 +308,9 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 ```
 
 Supported kinds include `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
-`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
-`quality-gate`, `opengraph`, `jsonl`, and `csv`.
+`lab-provenance`, `lab-stability`, `lab-differential`, `evidence-report`,
+`execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Validation reports explain invalid fields by path and return exit code `2` when
 an artifact does not satisfy the selected contract.
 
@@ -328,6 +332,7 @@ relayx calibrate result.json --profiles fixtures/lab_profiles --annotate-out cal
 relayx compare-baseline --baseline epa-off.json --candidate epa-required.json --profiles fixtures/lab_profiles
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
+relayx lab-provenance --corpus fixtures/lab_corpus --format json --out lab-provenance.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
 relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 relayx lab-corpus result.json --label iis-epa-required --policy-state epa_required --expected-state epa_or_cbt_enforcement_signal --promotion promote --format json --out corpus.json
@@ -338,12 +343,14 @@ Calibration can promote a finding only when the supplied profile and baseline
 difference support that conclusion. Otherwise RelayX keeps the original
 conservative state and explains the remaining uncertainty.
 
-`lab-matrix`, `lab-verify`, `lab-stability`, `lab-diff`, `lab-corpus`, and
-`lab-profile` are offline research helpers. They do not create network traffic;
-they turn already captured RelayX results into reusable signature corpuses,
-verify coverage against the standard policy matrix, measure repeat-capture
-stability and drift, compare stable policy-state response differentials, and
-generate profile drafts for review.
+`lab-matrix`, `lab-verify`, `lab-provenance`, `lab-stability`, `lab-diff`,
+`lab-corpus`, and `lab-profile` are offline research helpers. They do not
+create network traffic; they turn already captured RelayX results into reusable
+signature corpuses, verify coverage against the standard policy matrix, audit
+provenance and operator review readiness, measure repeat-capture stability and
+drift, compare stable policy-state response differentials, and generate profile
+drafts for review. Synthetic fixtures are useful for pipeline tests and
+examples, but RelayX does not treat them as real lab promotion evidence.
 
 ## Safety Boundary
 
 
@@ -38,7 +38,7 @@ relayx help export -f json
   `paths`, `rank`, `explain`
 - Analysis: `calculus`, `controls`, `fixes`, `plan`, `evidence-report`,
   `calibrate`, `compare-baseline`, `lab-matrix`, `lab-corpus`, `lab-verify`,
-  `lab-stability`, `lab-diff`, `lab-profile`
+  `lab-provenance`, `lab-stability`, `lab-diff`, `lab-profile`
 - Validation: `validate`, `source-check`, `source-plan`, `run`
 - Enterprise: `profiles`, `report`, `export`, `bundle`, `diff`,
   `simulate-fixes`, `quality-gate`
@@ -123,9 +123,9 @@ relayx schema validate -k jsonl relayx-events.jsonl
 ```
 
 Supported schema kinds are `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
-`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
-`quality-gate`, `opengraph`, `jsonl`, and `csv`.
+`lab-provenance`, `lab-stability`, `lab-differential`, `evidence-report`,
+`execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl`, and `csv`.
 Invalid artifacts return exit code `2`.
 
 Pin `-k/--kind` when validating a directory. Auto inference is useful for a
@@ -170,6 +170,7 @@ relayx lab-matrix
 relayx lab-matrix -t mssql_epa -f json -o lab-matrix.json
 relayx lab-verify -c fixtures/lab_corpus
 relayx lab-verify -c fixtures/lab_corpus -t ldaps_cbt -m 2 -f json
+relayx lab-provenance -c fixtures/lab_corpus -f json -o lab-provenance.json
 relayx lab-stability -c fixtures/lab_corpus -m 2
 relayx lab-stability -c fixtures/lab_corpus -t mssql_epa -m 3 -T 0.9 -f json
 relayx lab-diff -c fixtures/lab_corpus -t http_iis_epa -p epa_off:epa_required -f json
@@ -181,6 +182,14 @@ AD CS Web Enrollment EPA, LDAP signing, LDAPS CBT, and MSSQL encryption/EPA.
 required state has the expected stable signature keys. The commands are
 offline; they do not scan or promote findings by themselves.
 
+`lab-provenance` is the corpus evidence-admission layer. It audits whether
+each corpus declares synthetic versus non-synthetic origin, capture source,
+endpoint build metadata, drift baseline, and capture-level operator review.
+Synthetic fixtures may pass the structure contract but are explicitly marked as
+not real lab promotion evidence. Non-synthetic `promote` or `block` hints are
+reported as not promotion-ready until the corpus and capture review approve the
+decision.
+
 `lab-stability` is the repeat-capture quality layer. It groups captures by
 target family and lab policy state, computes `consistency_score` as the dominant
 stable-signature ratio, reports drift keys, and explains why promotion hints
 
@@ -85,9 +85,10 @@ for CI and ingestion pipeline checks.
 
 `relayx quality-gate` is the local CI and release gate. It validates package
 metadata, schema catalog coverage, JSON fixtures, schema fixture directories,
-enterprise output matrix coverage, lab matrix coverage, lab stability checks,
-lab differential checks, evidence-report checks, evidence source taxonomy
-coverage, documentation coverage, and GitHub Actions workflow presence. Failed
+enterprise output matrix coverage, lab matrix coverage, lab provenance checks,
+lab stability checks, lab differential checks, evidence-report checks, evidence
+source taxonomy coverage, including the evidence source taxonomy used by result
+reviews, documentation coverage, and GitHub Actions workflow presence. Failed
 gates return exit code `2`.
 
 ```bash
 
@@ -56,6 +56,7 @@ commands:
 relayx lab-matrix
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
+relayx lab-provenance --corpus fixtures/lab_corpus --format json --out lab-provenance.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
 relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 ```
@@ -65,6 +66,14 @@ covers the required policy states and stable signature keys. Verification does
 not promote findings by itself; promotion still requires reviewed calibration
 profiles or a stable baseline difference.
 
+`lab-provenance` is the evidence-admission contract. It checks whether each
+corpus records synthetic versus non-synthetic origin, capture source, endpoint
+build metadata, drift baseline metadata, and capture-level operator review.
+Synthetic fixtures may pass structure checks, but RelayX keeps them out of real
+promotion readiness. Non-synthetic `promotion=promote` or `promotion=block`
+hints require endpoint build metadata, drift baseline metadata, and explicit
+operator review before they can support profile promotion.
+
 `lab-stability` is the repeat-capture quality contract. It groups captures by
 target family and policy state, computes a dominant-signature
 `consistency_score`, reports changed stable-signature fields as `drift_keys`,
@@ -124,6 +133,11 @@ remaining uncertainty. This is intentionally stricter than a plain confidence
 label: a `high` confidence decision must still explain what evidence supports
 it and which interpretation boundary remains.
 
+Lab provenance reports expose evidence model
+`lab_corpus_provenance_review`. That contract records the boundary between
+synthetic fixtures, operator-supplied captures, real lab captures, endpoint
+build metadata, drift baselines, and operator-approved promotion decisions.
+
 Lab stability reports expose a separate confidence contract with evidence model
 `repeat_capture_stability`. That contract records the consistency rule,
 promotion boundary, and auto-downgrade rule used when a corpus or generated
 
@@ -62,6 +62,9 @@ echec.
   possibles et des cas qui doivent rester conservateurs.
 - Extraction de lab signature corpus et generation de drafts de calibration
   profile pour les exercices red/blue reproductibles.
+- Revue de provenance des lab corpuses pour distinguer synthetic fixtures,
+  captures lab autorisees, metadonnees endpoint build, drift baselines et
+  decisions operateur de promotion.
 - Validation et execution records controles en modes dry-run, armed et
   confirmed, avec contexte operateur, controles timebox/noise/scope et audit
   logs JSONL.
@@ -76,8 +79,9 @@ echec.
   modules via JSON manifest, credential policy guardrails, listener policy
   guardrails et adapter lifecycle auditable.
 - Validation versionnee des schemas et du contrat evidence pour resultats,
-  profils lab, corpuses, execution records, evidence reports, module manifests,
-  OpenGraph, JSONL, CSV, OPSEC policy et route report.
+  profils lab, corpuses, lab provenance reports, execution records, evidence
+  reports, module manifests, OpenGraph, JSONL, CSV, OPSEC policy et route
+  report.
 - Planification de standard lab matrix et verification de couverture corpus
   pour les etats HTTP/IIS EPA, AD CS Web Enrollment EPA, LDAP signing, LDAPS
   CBT et MSSQL encryption/EPA.
@@ -216,6 +220,7 @@ relayx compare-baseline  Compare signatures baseline et candidate
 relayx lab-matrix        Affiche la standard lab policy matrix RelayX
 relayx lab-corpus        Extrait des signatures lab depuis un resultat
 relayx lab-verify        Verifie les corpuses lab contre la matrice standard
+relayx lab-provenance    Audite provenance corpus et review readiness
 relayx lab-stability     Evalue stabilite et drift des captures lab repetees
 relayx lab-diff          Compare les response differentials entre policy states
 relayx lab-index         Resume les corpuses de signatures lab
@@ -304,11 +309,11 @@ relayx schema validate --kind module-manifest fixtures/execution_modules
 ```
 
 Les kinds supportes incluent `result`, `evidence`, `lab-profile`, `lab-corpus`,
-`lab-stability`, `lab-differential`, `evidence-report`, `execution-record`,
-`module-manifest`, `opsec-policy`, `route-report`, `bundle-manifest`,
-`quality-gate`, `opengraph`, `jsonl` et `csv`. Les rapports de validation
-expliquent les champs invalides par chemin et renvoient un exit code `2`
-lorsque l'artefact ne respecte pas le contrat choisi.
+`lab-provenance`, `lab-stability`, `lab-differential`, `evidence-report`,
+`execution-record`, `module-manifest`, `opsec-policy`, `route-report`,
+`bundle-manifest`, `quality-gate`, `opengraph`, `jsonl` et `csv`.
+Les rapports de validation expliquent les champs invalides par chemin et
+renvoient un exit code `2` lorsque l'artefact ne respecte pas le contrat choisi.
 
 `relayx evidence-report -r result.json` audite un resultat existant hors ligne,
 sans trafic reseau. Il signale les records candidate/relayable sans evidence,
@@ -328,6 +333,7 @@ relayx calibrate result.json --profiles fixtures/lab_profiles --annotate-out cal
 relayx compare-baseline --baseline epa-off.json --candidate epa-required.json --profiles fixtures/lab_profiles
 relayx lab-matrix --target-family mssql_epa --format json --out lab-matrix.json
 relayx lab-verify --corpus fixtures/lab_corpus --format json --out lab-verify.json
+relayx lab-provenance --corpus fixtures/lab_corpus --format json --out lab-provenance.json
 relayx lab-stability --corpus fixtures/lab_corpus --min-captures 2 --format json --out lab-stability.json
 relayx lab-diff --corpus fixtures/lab_corpus --target-family http_iis_epa --format json --out lab-diff.json
 relayx lab-corpus result.json --label iis-epa-required --policy-state epa_required --expected-state epa_or_cbt_enforcement_signal --promotion promote --format json --out corpus.json
@@ -338,14 +344,17 @@ RelayX ne promeut une conclusion que lorsque le profil et la difference de
 baseline la justifient. Sinon, il conserve l'etat conservateur initial et
 explique les preuves encore manquantes.
 
-`lab-matrix`, `lab-verify`, `lab-stability`, `lab-diff`, `lab-corpus` et
-`lab-profile` sont des aides de recherche hors ligne. Ils ne generent pas de
-trafic reseau; ils transforment des resultats RelayX deja captures en corpuses
-de signatures, verifient la couverture contre la matrice standard, mesurent la
-stabilite et le drift des captures repetees, comparent les response
-discriminators entre etats de politique stables, et generent des drafts de
-profiles a reviser. `lab-diff` travaille sur les etats stables d'un corpus;
-utilisez `compare-baseline` pour comparer deux fichiers resultat RelayX.
+`lab-matrix`, `lab-verify`, `lab-provenance`, `lab-stability`, `lab-diff`,
+`lab-corpus` et `lab-profile` sont des aides de recherche hors ligne. Ils ne
+generent pas de trafic reseau; ils transforment des resultats RelayX deja
+captures en corpuses de signatures, verifient la couverture contre la matrice
+standard, auditent la provenance et la review readiness, mesurent la stabilite
+et le drift des captures repetees, comparent les response discriminators entre
+etats de politique stables, et generent des drafts de profiles a reviser. Les
+synthetic fixtures servent aux tests de pipeline et aux exemples, mais RelayX
+ne les traite pas comme preuve de promotion issue d'un vrai lab. `lab-diff`
+travaille sur les etats stables d'un corpus; utilisez `compare-baseline` pour
+comparer deux fichiers resultat RelayX.
 
 ## Frontiere de securite