Deprecate MongoDB support in AOC verification CLI

Removes legacy MongoDB options and code paths from the AOC verification command, enforcing PostgreSQL as the required backend. Updates environment examples and documentation to reflect Valkey and RustFS as defaults, replacing Redis and MinIO references.

docs/07_HIGH_LEVEL_ARCHITECTURE.md

@@ -54,9 +54,10 @@
 
 * **Fulcio** (Sigstore CA) — issues short‑lived signing certs (keyless).
 * **Rekor v2** (tile‑backed transparency log).
-* **RustFS** — offline-first object store with deterministic REST API (S3/MinIO fallback available for legacy installs).
+* **RustFS** — offline-first object store with deterministic REST API; S3/MinIO compatibility layer available for legacy deployments.
 * **PostgreSQL** (≥16) — primary control-plane storage with per-module schema isolation (authority, vuln, vex, scheduler, notify, policy, concelier). See [Database Architecture](#database-architecture-postgresql).
-* **Queue** — Redis Streams / NATS / RabbitMQ (pluggable).
+* **Valkey** (≥8.0) — Redis-compatible cache for DPoP nonces, event streams, queues, and rate limiting.
+* **Queue** — Valkey Streams (default); NATS JetStream available as optional transport (opt-in only).
 * **OCI Registry** — must support **Referrers API** (discover SBOMs/signatures).
 
 ### 1.3 Cloud licensing (Stella Ops)
@@ -86,9 +87,9 @@ flowchart LR
     ATT[Attestor\n(Rekor v2 submit/verify)]
     UI[Web UI (Angular)]
     Z[Zastava\n(Runtime Inspector/Enforcer)]
-    RFS[(RustFS object store)]
+    RFS[(RustFS)]
     PG[(PostgreSQL)]
-    QUE[(Queue/Streams)]
+    VK[(Valkey)]
   end
 
   CLI[StellaOps.Cli / Buildx Plugin]
@@ -97,8 +98,8 @@ flowchart LR
   REK[ Rekor v2 (tiles) ]
 
   CLI -->|scan/build| SW
-  SW -->|jobs| QUE
-  QUE --> WK
+  SW -->|jobs| VK
+  VK --> WK
   WK --> RFS
   SW --> PG
   CONC --> PG
@@ -604,8 +605,8 @@ Binary header + purl table + roaring bitmaps; optional `usedByEntrypoint` flags
 
 ## 9) Scale, performance & quotas
 
-* **Workers:** horizontal; **distributed lock per layer digest**; global CAS in MinIO.
-* **Queues:** Redis Streams / NATS / RabbitMQ. HPA by queue depth, CPU, memory.
+* **Workers:** horizontal; **distributed lock per layer digest**; global CAS in RustFS.
+* **Queues:** Valkey Streams (default); NATS JetStream available as opt-in alternative. HPA by queue depth, CPU, memory.
 * **Registry throttling:** per‑registry concurrency budgets.
 * **Targets:**
 
@@ -630,20 +631,21 @@ Binary header + purl table + roaring bitmaps; optional `usedByEntrypoint` flags
 
 ```yaml
 services:
-  authority:       { image: stellaops/authority, depends_on: [postgres] }
+  authority:       { image: stellaops/authority, depends_on: [postgres, valkey] }
   fulcio:          { image: sigstore/fulcio }
   rekor:           { image: sigstore/rekor-v2 }
-  minio:           { image: minio/minio, command: server /data --console-address ":9001" }
-  postgres:        { image: postgres:15-alpine, environment: { POSTGRES_DB: stellaops, POSTGRES_USER: stellaops } }
+  rustfs:          { image: stellaops/rustfs, environment: { RUSTFS_DATA: /data } }
+  valkey:          { image: valkey/valkey:8.0, command: valkey-server }
+  postgres:        { image: postgres:16-alpine, environment: { POSTGRES_DB: stellaops, POSTGRES_USER: stellaops } }
   signer:          { image: stellaops/signer, depends_on: [authority, fulcio] }
   attestor:        { image: stellaops/attestor, depends_on: [rekor, signer] }
-  scanner-web:     { image: stellaops/scanner-web, depends_on: [postgres, minio, signer, attestor] }
+  scanner-web:     { image: stellaops/scanner-web, depends_on: [postgres, rustfs, valkey, signer, attestor] }
   scanner-worker:  { image: stellaops/scanner-worker, deploy: { replicas: 4 }, depends_on: [scanner-web] }
   concelier:       { image: stellaops/concelier-web, depends_on: [postgres] }
   excititor:       { image: stellaops/excititor-web, depends_on: [postgres] }
-  scheduler-web:   { image: stellaops/scheduler-web, depends_on: [postgres] }
+  scheduler-web:   { image: stellaops/scheduler-web, depends_on: [postgres, valkey] }
   scheduler-worker:{ image: stellaops/scheduler-worker, deploy: { replicas: 2 }, depends_on: [scheduler-web] }
-  notify-web:      { image: stellaops/notify-web, depends_on: [postgres] }
+  notify-web:      { image: stellaops/notify-web, depends_on: [postgres, valkey] }
   notify-worker:   { image: stellaops/notify-worker, deploy: { replicas: 2 }, depends_on: [notify-web] }
   ui:              { image: stellaops/ui, depends_on: [scanner-web, concelier, excititor, scheduler-web, notify-web] }
 ```
@@ -667,7 +669,7 @@ services:
 * **Notify metrics:** `notify.sent_total{channel}`, `notify.dropped_total{reason}`, `notify.digest_coalesced_total`, `notify.latency_ms`.
 * **Tracing:** per‑stage spans; correlation IDs across Scanner→Signer→Attestor and Concelier/Excititor→Scheduler→Scanner→Notify.
 * **Audit logs:** every signing records `license_id`, `image_digest`, `policy_digest`, and Rekor UUID; Scheduler records who scheduled what; Notify records where, when, and why messages were sent or deduped.
-* **Compliance:** RustFS retention headers (or MinIO Object Lock when operating in S3 mode) keep immutable artifacts tamper‑resistant; reproducible outputs via policy digest + SBOM digest in predicate.
+* **Compliance:** RustFS retention headers keep immutable artifacts tamper‑resistant; S3-compatibility mode can use native Object Lock when enabled for legacy deployments; reproducible outputs via policy digest + SBOM digest in predicate.
 
 ---
 

docs/11_DATA_SCHEMAS.md

@@ -1,7 +1,7 @@
 # Data Schemas & Persistence Contracts
 
-*Audience* – backend developers, plug‑in authors, DB admins.  
-*Scope* – describes **Redis**, **PostgreSQL**, and on‑disk blob shapes that power Stella Ops.
+*Audience* – backend developers, plug‑in authors, DB admins.
+*Scope* – describes **Valkey**, **PostgreSQL**, and on‑disk blob shapes that power Stella Ops.
 
 ---
 
@@ -46,12 +46,12 @@ blobs/
  │   └─ sbom.meta.json   # wrapper (shape above)
 ```
 
-> **Note** – blob storage can point at S3, MinIO, or plain disk; driver plug‑ins adapt.
+> **Note** – RustFS is the primary object store; S3/MinIO compatibility layer available for legacy deployments; driver plug‑ins support multiple backends.
 
 #### 1.3 Delta SBOM Extension
 
-When `partial: true`, *only* the missing layers have been scanned.  
-Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Redis.
+When `partial: true`, *only* the missing layers have been scanned.
+Merging logic inside `scanning` module stitches new data onto the cached full SBOM in Valkey.
 
 ---