feat(graph-api): Add schema review notes for upcoming Graph API changes

feat(sbomservice): Add placeholder for SHA256SUMS in LNM v1 fixtures

docs(devportal): Create README for SDK archives in public directory

build(devportal): Implement offline bundle build script

test(devportal): Add link checker script for validating links in documentation

test(devportal): Create performance check script for dist folder size

test(devportal): Implement accessibility check script using Playwright and Axe

docs(devportal): Add SDK quickstart guide with examples for Node.js, Python, and cURL

feat(excititor): Implement MongoDB storage for airgap import records

test(findings): Add unit tests for export filters hash determinism

feat(findings): Define attestation contracts for ledger web service

feat(graph): Add MongoDB options and service collection extensions for graph indexing

test(graph): Implement integration tests for MongoDB provider and service collection extensions

feat(zastava): Define configuration options for Zastava surface secrets

build(tests): Create script to run Concelier linkset tests with TRX output

docs/modules/findings-ledger/deployment.md

@@ -99,12 +99,38 @@
 
 ## 4. Backups & restores
 
+### 4.1 Backup quickstart (PostgreSQL)
+
 | Task | Command / guidance |
 | --- | --- |
-| Online backup | `pg_dump -Fc --dbname="$LEDGER_DB" --file ledger-$(date -u +%Y%m%d).dump` (run hourly for WAL + daily full dumps). |
-| Point-in-time recovery | Enable WAL archiving; document target `recovery_target_time`. |
-| Projection rebuild | After restore, run `dotnet run --project tools/LedgerReplayHarness -- --connection "$LEDGER_DB" --tenant all` to regenerate projections and verify hashes. |
-| Evidence bundles | Store Merkle root anchors + replay DSSE bundles alongside DB backups for audit parity. |
+| Full dump | `pg_dump -Fc --dbname="$LEDGER_DB" --file ledger-$(date -u +%Y%m%d).dump` (run daily). |
+| WAL archiving | `archive_mode=on`, `archive_command='test ! -f /wal/%f && cp %p /wal/%f'`; retain ≥7 days or per policy. |
+| Integrity check | `pg_restore -l ledger-YYYYMMDD.dump | head` (validate readable) + verify `ledger_merkle_roots` count matches production before pruning. |
+
+### 4.2 Restore + replay
+
+1. Restore database (full + WAL).  
+   ```bash
+   pg_restore -C -d postgres ledger-YYYYMMDD.dump
+   ```
+2. Run projection replay/determinism harness to repopulate projections and validate hashes:
+   ```bash
+   dotnet run --project src/Findings/tools/LedgerReplayHarness \
+     -- --connection "$LEDGER_DB" \
+     --tenant all \
+     --maxParallel 8 \
+     --report out/harness/restore-report.json
+   ```
+3. Compare Merkle roots: query `select root_hash from ledger_merkle_roots order by anchored_at desc limit 5;` and ensure harness report `merkleRoot` matches latest root.
+4. Recreate indexes/materialized views if disabled during restore (see `migrations/` for schema reference).
+
+### 4.3 Evidence & audit artefacts
+
+- Store the following with each backup set:
+  - `ledger_merkle_roots` CSV export.
+  - Replay harness signed report (`harness-report.json` + `.sig`).
+  - Latest Grafana dashboard JSON and alert rules used during the period.
+- Keep anchor references (`anchor_reference`) when external anchoring is enabled; include external proof bundle if present.
 
 ## 5. Offline / air-gapped workflow
 
@@ -115,6 +141,8 @@
 - Package ledger service binaries + migrations using `ops/offline-kit/build_offline_kit.py --include ledger`.
 - Document sealed-mode restrictions: disable outbound attachments unless egress policy allows Evidence Locker endpoints; set `LEDGER__ATTACHMENTS__ALLOWEGRESS=false`.
 
+**Path placeholder (waiting on DevOps):** Helm/Compose/offline-kit overlay directories are pending centralisation under `ops/deployment`/`ops/offline-kit`. Until paths are assigned, keep environment-specific overlays local to `docs/modules/findings-ledger/deployment.md` examples and avoid committing manifests outside this module.
+
 ## 6. Post-deploy checklist
 
 - [ ] Health + metrics endpoints respond.