feat: Implement Scheduler Worker Options and Planner Loop

- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.

docs/install/docker.md

@@ -0,0 +1,207 @@
+# StellaOps Console — Docker Install Recipes
+
+> **Audience:** Deployment Guild, Console Guild, platform operators.  
+> **Scope:** Acquire the `stellaops/web-ui` image, run it with Compose or Helm, mirror it for air‑gapped environments, and keep parity with CLI workflows.
+
+This guide focuses on the new **StellaOps Console** container. Start with the general [Installation Guide](../21_INSTALL_GUIDE.md) for shared prerequisites (Docker, registry access, TLS) and use the steps below to layer in the console.
+
+---
+
+## 1 · Release artefacts
+
+| Artefact | Source | Verification |
+|----------|--------|--------------|
+| Console image | `registry.stella-ops.org/stellaops/web-ui@sha256:<digest>` | Listed in `deploy/releases/<channel>.yaml` (`yq '.services[] | select(.name=="web-ui") | .image'`). Signed with Cosign (`cosign verify --key https://stella-ops.org/keys/cosign.pub …`). |
+| Compose bundles | `deploy/compose/docker-compose.{dev,stage,prod,airgap}.yaml` | Each profile already includes a `web-ui` service pinned to the release digest. Run `docker compose --env-file <env> -f docker-compose.<profile>.yaml config` to confirm the digest matches the manifest. |
+| Helm values | `deploy/helm/stellaops/values-*.yaml` (`services.web-ui`) | CI lints the chart; use `helm template` to confirm the rendered Deployment/Service carry the expected digest and env vars. |
+| Offline artefact (preview) | Generated via `oras copy registry.stella-ops.org/stellaops/web-ui@sha256:<digest> oci-archive:stellaops-web-ui-<channel>.tar` | Record SHA-256 in the downloads manifest (`DOWNLOADS-CONSOLE-23-001`) and sign with Cosign before shipping in the Offline Kit. |
+
+> **Tip:** Keep Compose/Helm digests in sync with the release manifest to preserve determinism. `deploy/tools/validate-profiles.sh` performs a quick cross-check.
+
+---
+
+## 2 · Compose quickstart (connected host)
+
+1. **Prepare workspace**
+
+   ```bash
+   mkdir stella-console && cd stella-console
+   cp /path/to/repo/deploy/compose/env/dev.env.example .env
+   ```
+
+2. **Add console configuration** – append the following to `.env` (adjust per environment):
+
+   ```bash
+   CONSOLE_PUBLIC_BASE_URL=https://console.dev.stella-ops.local
+   CONSOLE_GATEWAY_BASE_URL=https://api.dev.stella-ops.local
+   AUTHORITY_ISSUER=https://authority.dev.stella-ops.local
+   AUTHORITY_CLIENT_ID=console-ui
+   AUTHORITY_SCOPES="ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
+   AUTHORITY_DPOP_ENABLED=true
+   ```
+
+   Optional extras from [`docs/deploy/console.md`](../deploy/console.md):
+
+   ```bash
+   CONSOLE_FEATURE_FLAGS=runs,downloads,policies
+   CONSOLE_METRICS_ENABLED=true
+   CONSOLE_LOG_LEVEL=Information
+   ```
+
+3. **Verify bundle provenance**
+
+   ```bash
+   cosign verify-blob \
+     --key https://stella-ops.org/keys/cosign.pub \
+     --signature /path/to/repo/deploy/compose/docker-compose.dev.yaml.sig \
+     /path/to/repo/deploy/compose/docker-compose.dev.yaml
+   ```
+
+4. **Launch infrastructure + console**
+
+   ```bash
+   docker compose --env-file .env -f /path/to/repo/deploy/compose/docker-compose.dev.yaml up -d mongo minio
+   docker compose --env-file .env -f /path/to/repo/deploy/compose/docker-compose.dev.yaml up -d web-ui
+   ```
+
+   The `web-ui` service exposes the console on port `8443` by default. Change the published port in the Compose file if you need to front it with an existing reverse proxy.
+
+5. **Health check**
+
+   ```bash
+   curl -k https://console.dev.stella-ops.local/health/ready
+   ```
+
+   Expect `{"status":"Ready"}`. If the response is `401`, confirm Authority credentials and scopes.
+
+---
+
+## 3 · Helm deployment (cluster)
+
+1. **Create an overlay** (example `console-values.yaml`):
+
+   ```yaml
+   global:
+     release:
+       version: "2025.10.0-edge"
+   services:
+     web-ui:
+       image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+       service:
+         port: 8443
+       env:
+         CONSOLE_PUBLIC_BASE_URL: "https://console.dev.stella-ops.local"
+         CONSOLE_GATEWAY_BASE_URL: "https://api.dev.stella-ops.local"
+         AUTHORITY_ISSUER: "https://authority.dev.stella-ops.local"
+         AUTHORITY_CLIENT_ID: "console-ui"
+        AUTHORITY_SCOPES: "ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
+         AUTHORITY_DPOP_ENABLED: "true"
+         CONSOLE_FEATURE_FLAGS: "runs,downloads,policies"
+         CONSOLE_METRICS_ENABLED: "true"
+   ```
+
+2. **Render and validate**
+
+   ```bash
+   helm template stella-console ./deploy/helm/stellaops -f console-values.yaml | \
+     grep -A2 'name: stellaops-web-ui' -A6 'image:'
+   ```
+
+3. **Deploy**
+
+   ```bash
+   helm upgrade --install stella-console ./deploy/helm/stellaops \
+     -f deploy/helm/stellaops/values-dev.yaml \
+     -f console-values.yaml
+   ```
+
+4. **Post-deploy checks**
+
+   ```bash
+   kubectl get pods -l app.kubernetes.io/name=stellaops-web-ui
+   kubectl port-forward deploy/stellaops-web-ui 8443:8443
+   curl -k https://localhost:8443/health/ready
+   ```
+
+---
+
+## 4 · Offline packaging
+
+1. **Mirror the image to an OCI archive**
+
+   ```bash
+   DIGEST=$(yq '.services[] | select(.name=="web-ui") | .image' deploy/releases/2025.10-edge.yaml | cut -d@ -f2)
+   oras copy registry.stella-ops.org/stellaops/web-ui@${DIGEST} \
+     oci-archive:stellaops-web-ui-2025.10.0.tar
+   shasum -a 256 stellaops-web-ui-2025.10.0.tar
+   ```
+
+2. **Sign the archive**
+
+   ```bash
+   cosign sign-blob --key ~/keys/offline-kit.cosign \
+     --output-signature stellaops-web-ui-2025.10.0.tar.sig \
+     stellaops-web-ui-2025.10.0.tar
+   ```
+
+3. **Load in the air-gap**
+
+   ```bash
+   docker load --input stellaops-web-ui-2025.10.0.tar
+   docker tag stellaops/web-ui@${DIGEST} registry.airgap.local/stellaops/web-ui:2025.10.0
+   ```
+
+4. **Update the Offline Kit manifest** (once the downloads pipeline lands):
+
+   ```bash
+   jq '.artifacts.console.webUi = {
+     "digest": "sha256:'"${DIGEST#sha256:}"'",
+     "archive": "stellaops-web-ui-2025.10.0.tar",
+     "signature": "stellaops-web-ui-2025.10.0.tar.sig"
+   }' downloads/manifest.json > downloads/manifest.json.tmp
+   mv downloads/manifest.json.tmp downloads/manifest.json
+   ```
+
+   Re-run `stella offline kit import downloads/manifest.json` to validate signatures inside the air‑gapped environment.
+
+---
+
+## 5 · CLI parity
+
+Console operations map directly to scriptable workflows:
+
+| Action | CLI path |
+|--------|----------|
+| Fetch signed manifest entry | `stella downloads manifest show --artifact console/web-ui` *(CLI task `CONSOLE-DOC-23-502`, pending release)* |
+| Mirror digest to OCI archive | `stella downloads mirror --artifact console/web-ui --to oci-archive:stellaops-web-ui.tar` *(planned alongside CLI AOC parity)* |
+| Import offline kit | `stella offline kit import stellaops-web-ui-2025.10.0.tar` |
+| Validate console health | `stella console status --endpoint https://console.dev.stella-ops.local` *(planned; fallback to `curl` as shown above)* |
+
+Track progress for the CLI commands via `DOCS-CONSOLE-23-014` (CLI vs UI parity matrix).
+
+---
+
+## 6 · Compliance checklist
+
+- [ ] Image digest validated against the current release manifest.  
+- [ ] Compose/Helm deployments verified with `docker compose config` / `helm template`.  
+- [ ] Authority issuer, scopes, and DPoP settings documented and applied.  
+- [ ] Offline archive mirrored, signed, and recorded in the downloads manifest.  
+- [ ] CLI parity notes linked to the upcoming `docs/cli-vs-ui-parity.md` matrix.  
+- [ ] References cross-checked with `docs/deploy/console.md` and `docs/security/console-security.md`.  
+- [ ] Health checks documented for connected and air-gapped installs.
+
+---
+
+## 7 · References
+
+- `deploy/releases/<channel>.yaml` – Release manifest (digests, SBOM metadata).  
+- `deploy/compose/README.md` – Compose profile overview.  
+- `deploy/helm/stellaops/values-*.yaml` – Helm defaults per environment.  
+- `/docs/deploy/console.md` – Detailed environment variables, CSP, health checks.  
+- `/docs/security/console-security.md` – Auth flows, scopes, DPoP, monitoring.  
+- `/docs/ui/downloads.md` – Downloads manifest workflow and offline parity guidance.
+
+---
+
+*Last updated: 2025-10-28 (Sprint 23).*