Sprint 7+8: Journey UX fixes + identity envelope shared middleware

Sprint 7 — Deep journey fixes:
  S7-T01: Trust & Signing empty state with "Go to Signing Keys" CTA
  S7-T02: Notifications 3-step setup guide (channel→rule→test)
  S7-T03: Topology validate step skip — "Skip Validation" when API fails,
    with validateSkipped signal matching agentSkipped pattern
  S7-T04: VEX export note on Risk Report tab linking to VEX Ledger

Sprint 8 — Identity envelope shared middleware (ARCHITECTURE):
  S8-T01: New UseIdentityEnvelopeAuthentication() extension in
    StellaOps.Router.AspNet. Reads X-StellaOps-Identity-Envelope headers,
    verifies HMAC-SHA256 via GatewayIdentityEnvelopeCodec, creates
    ClaimsPrincipal with sub/tenant/scopes/roles. 5min clock skew.
  S8-T02: Concelier refactored — removed 78 lines of inline impl,
    now uses shared one-liner
  S8-T03: Scanner — UseIdentityEnvelopeAuthentication() added
  S8-T04: JobEngine — UseIdentityEnvelopeAuthentication() added
  S8-T05: Timeline — UseIdentityEnvelopeAuthentication() added
  S8-T06: Integrations — UseIdentityEnvelopeAuthentication() added
  S8-T07: docs/modules/router/IDENTITY_ENVELOPE_MIDDLEWARE.md

All services now authenticate ReverseProxy requests via gateway envelope.
Scanner scan submit should now work with authenticated identity.

Angular: 0 errors. .NET (6 services): 0 errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/implplan/SPRINT_20260316_007_FE_deep_journey_remaining_fixes.md

@@ -0,0 +1,22 @@
+# Sprint 20260316-007 — Deep Journey Remaining Fixes
+
+## Topic & Scope
+- Fix the 4 remaining UX issues found during deep journey testing (J-05 through J-08).
+- Trust & Signing empty state, Notifications empty state, Topology validate skip, VEX export visibility.
+- Working directory: `src/Web/StellaOps.Web/`.
+
+## Delivery Tracker
+
+### S7-T01 - Trust & Signing empty state guidance
+Status: TODO
+### S7-T02 - Notifications empty state guidance
+Status: TODO
+### S7-T03 - Topology wizard validate step skip
+Status: TODO
+### S7-T04 - VEX export button visibility
+Status: TODO
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-16 | Sprint created from deep journey findings J-05 to J-08. | Developer |

docs/implplan/SPRINT_20260316_008_Platform_identity_envelope_shared_middleware.md

@@ -0,0 +1,29 @@
+# Sprint 20260316-008 — Identity Envelope Shared Middleware (Architecture)
+
+## Topic & Scope
+- Extract identity envelope pre-auth middleware from Concelier into shared `StellaOps.Router.AspNet` extension.
+- Apply to all 5 services: Concelier (refactor), Scanner, JobEngine, Timeline, Integrations.
+- This unblocks scan submit (J-04) and all future ReverseProxy-routed authenticated endpoints.
+- Working directory: `src/Router/__Libraries/StellaOps.Router.AspNet/`, `src/*/Program.cs`.
+
+## Delivery Tracker
+
+### S8-T01 - Create shared middleware extension
+Status: TODO
+### S8-T02 - Refactor Concelier to use shared extension
+Status: TODO
+### S8-T03 - Add to Scanner
+Status: TODO
+### S8-T04 - Add to JobEngine
+Status: TODO
+### S8-T05 - Add to Timeline
+Status: TODO
+### S8-T06 - Add to Integrations
+Status: TODO
+### S8-T07 - Document the pattern
+Status: TODO
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-16 | Sprint created from architecture finding. | Developer |