Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux

This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.

docs/modules/cli/guides/cli-reference.md

@@ -289,6 +289,7 @@ Additional notes:
 - [Architecture overview](../../platform/architecture-overview.md)
 - [Console AOC dashboard](../../../ui/console.md)
 - [Authority scopes](../../authority/architecture.md)
+- [Task Pack CLI profiles](./packs-profiles.md)
 
 ---
 
@@ -303,7 +304,7 @@ Additional notes:
 
 ---
 
-*Last updated: 2025-10-29 (Sprint 24).*
+*Last updated: 2025-11-02 (Sprint 100).*
 
 ## 13. Authority configuration quick reference
 
@@ -313,6 +314,9 @@ Additional notes:
 | `StellaOps:Authority:OperatorTicket` | Change/incident ticket reference paired with orchestrator control actions. | CLI flag `--Authority:OperatorTicket=...` or env `STELLAOPS_ORCH_TICKET`. |
 | `StellaOps:Authority:QuotaReason` | Required justification recorded with `orch:quota` tokens. | CLI flag `--Authority:QuotaReason=...` or env `STELLAOPS_ORCH_QUOTA_REASON`. |
 | `StellaOps:Authority:QuotaTicket` | Optional change ticket/reference accompanying quota adjustments. | CLI flag `--Authority:QuotaTicket=...` or env `STELLAOPS_ORCH_QUOTA_TICKET`. |
+| `StellaOps:Authority:BackfillReason` | Required justification recorded with `orch:backfill` tokens. | CLI flag `--Authority:BackfillReason=...` or env `STELLAOPS_ORCH_BACKFILL_REASON`. |
+| `StellaOps:Authority:BackfillTicket` | Required ticket/reference accompanying historical backfill runs. | CLI flag `--Authority:BackfillTicket=...` or env `STELLAOPS_ORCH_BACKFILL_TICKET`. |
+| `StellaOps:Authority:Scope` | Default scope string requested during `stella auth login`. | CLI flag `--Authority:Scope=\"packs.read packs.run\"` or env `STELLAOPS_AUTHORITY_SCOPE`; see `docs/modules/cli/guides/packs-profiles.md` for common Task Pack profiles. |
 
-> Tokens requesting `orch:operate` fail with `invalid_request` unless both operator values are present. `orch:quota` tokens require `quota_reason` (≤256 chars) and accept an optional `quota_ticket` (≤128 chars). Avoid embedding secrets in either field.
+> Tokens requesting `orch:operate` fail with `invalid_request` unless both operator values are present. `orch:quota` tokens require `quota_reason` (≤256 chars) and accept an optional `quota_ticket` (≤128 chars). `orch:backfill` tokens require both `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars). Avoid embedding secrets in any value.
 

docs/modules/cli/guides/packs-profiles.md

@@ -0,0 +1,54 @@
+# CLI Task Pack SSO Profiles
+
+Task Pack workflows rely on purpose-scoped Authority clients. To streamline local logins and CI/CD automation, define StellaOps CLI profiles under `~/.stellaops/profiles` so `stella auth login` automatically requests the correct scopes.
+
+Profiles are simple YAML files that map onto the CLI configuration schema. Set `STELLA_PROFILE=<name>` (or pass `--profile <name>` once the CLI exposes the switch) before invoking `stella` to load the profile.
+
+## Example profiles
+
+### Packs operator (`~/.stellaops/profiles/packs-operator.yaml`)
+
+```yaml
+StellaOps:
+  Authority:
+    Url: https://authority.example.com
+    ClientId: pack-operator
+    ClientSecretFile: ~/.stellaops/secrets/pack-operator.secret
+    Scope: "packs.read packs.run"
+    TokenCacheDirectory: ~/.stellaops/tokens
+  BackendUrl: https://task-runner.example.com
+```
+
+### Packs publisher (`~/.stellaops/profiles/packs-publisher.yaml`)
+
+```yaml
+StellaOps:
+  Authority:
+    Url: https://authority.example.com
+    ClientId: packs-registry
+    ClientSecretFile: ~/.stellaops/secrets/packs-registry.secret
+    Scope: "packs.read packs.write"
+    TokenCacheDirectory: ~/.stellaops/tokens
+  BackendUrl: https://packs-registry.example.com
+```
+
+### Packs approver (`~/.stellaops/profiles/packs-approver.yaml`)
+
+```yaml
+StellaOps:
+  Authority:
+    Url: https://authority.example.com
+    ClientId: pack-approver
+    ClientSecretFile: ~/.stellaops/secrets/pack-approver.secret
+    Scope: "packs.read packs.approve"
+    TokenCacheDirectory: ~/.stellaops/tokens
+  BackendUrl: https://task-runner.example.com
+```
+
+## Usage
+
+1. Create the profile file under `~/.stellaops/profiles/<name>.yaml`.
+2. Store the matching client secret in the referenced path (or set `ClientSecret` for development).
+3. Export `STELLA_PROFILE=<name>` before running `stella auth login` or individual pack commands.
+
+The CLI reads the profile, applies the Authority configuration, and requests the listed scopes so the resulting tokens satisfy Task Runner and Packs Registry expectations.

docs/modules/orchestrator/architecture.md

@@ -22,7 +22,7 @@
 - Quotas defined per tenant/profile (`maxActive`, `maxPerHour`, `burst`). Stored in `quotas` and enforced before leasing.
 - Dynamic throttles allow ops to pause specific sources (`pauseSource`, `resumeSource`) or reduce concurrency.
 - Circuit breakers automatically pause job types when failure rate > configured threshold; incidents generated via Notify and Observability stack.
-- Control plane quota updates require Authority scope `orch:quota` (issued via `Orch.Admin` role). Token requests include `quota_reason` (mandatory) and optional `quota_ticket`; Authority persists both values for audit replay.
+- Control plane quota updates require Authority scope `orch:quota` (issued via `Orch.Admin` role). Historical rebuilds/backfills additionally require `orch:backfill` and must supply `backfill_reason` and `backfill_ticket` alongside the operator metadata. Authority persists all four fields (`quota_reason`, `quota_ticket`, `backfill_reason`, `backfill_ticket`) for audit replay.
 
 ## 4) APIs
 

docs/modules/scanner/TASKS.md

@@ -1,9 +1,10 @@
-# Task board — Scanner
-
-> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable.
-
-| ID | Status | Owner(s) | Description | Notes |
-|----|--------|----------|-------------|-------|
-| SCANNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
-| SCANNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
-| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow |
+# Task board — Scanner
+
+> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable.
+
+| ID | Status | Owner(s) | Description | Notes |
+|----|--------|----------|-------------|-------|
+| SCANNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
+| SCANNER-DOCS-0002 | DONE (2025-11-02) | Docs Guild | Keep scanner benchmark comparisons (Trivy/Grype/Snyk) and deep-dive matrix current with source references. | Coordinate with docs/benchmarks owners |
+| SCANNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
+| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow |

docs/modules/scanner/operations/entrypoint-static-analysis.md

@@ -140,19 +140,18 @@ Compose the runtime argv as `Entrypoint ++ Cmd`, honouring shell-form vs exec-fo
 
 ## 4) Wrapper catalogue
 
-> _Roadmap note_: extended package/tool runners land with **SCANNER-ENTRYTRACE-18-508**; today the catalogue covers init/user-switch/environment/supervisor wrappers listed above.
+Collapse known wrappers before analysing the target command so the terminal reflects the real runtime binary. Sprint 130.A ships the extended catalogue from **SCANNER-ENTRYTRACE-18-508**, covering init/user-switch/environment/supervisor wrappers as well as package and language launchers such as `bundle exec`, `docker-php-entrypoint`, `npm exec`, `yarn node`, `pipenv run`, and `poetry run`.
 
-Collapse known wrappers before analysing the target command:
-
-- Init shims: `tini`, `dumb-init`, `s6-svscan`, `runit`, `supervisord`.
-- Privilege droppers: `gosu`, `su-exec`, `chpst`.
-- Shells: `sh`, `bash`, `dash`, BusyBox variants.
-- Package runners: `npm`, `yarn`, `pnpm`, `pip`, `pipenv`, `poetry`, `bundle`, `rake`.
+- Init shims: `tini`, `dumb-init`, `s6-svscan`, `runit`, `supervisord`.
+- Privilege droppers: `gosu`, `su-exec`, `chpst`.
+- Shells: `sh`, `bash`, `dash`, BusyBox variants.
+- Package runners: `npm`, `yarn`, `pnpm`, `pip`, `pipenv`, `poetry`, `bundle`, `rake`.
 
 Rules:
-- If wrapper contains a `--` sentinel (`tini -- app …`) drop the wrapper and record a reduction edge.
-- `gosu user cmd …` → collapse to `cmd …`.
-- For shell wrappers, delegate to the ShellFlow analyser (see separate guide).
+- If wrapper contains a `--` sentinel (`tini -- app …`) drop the wrapper and record a reduction edge.
+- `gosu user cmd …` → collapse to `cmd …`.
+- For shell wrappers, delegate to the ShellFlow analyser (see separate guide).
+- When a wrapper delegates to an interpreter (`python`, `node`, `java -jar`), continue into the interpreter handlers so a terminal classification is still recorded even if the script/module cannot be resolved.
 
 ## 5) ShellFlow integration