First-time user experience fixes and platform contract repairs

FTUX fixes (Sprint 316-001):
- Remove all hardcoded fake data from dashboard — fresh installs show
  honest setup guide instead of fake crisis data (5 fake criticals gone)
- Curate advisory source defaults: 32 sources disabled by default
  (ecosystem, geo-restricted, exploit, hardware, mirror). ~43 core
  sources remain enabled. StellaOps Mirror no longer enabled at priority 1.
- Filter Mirror-category sources from Create Domain wizard to prevent
  circular mirror-from-mirror chains
- Add 404 catch-all route — unknown URLs show "Page Not Found" instead
  of silently rendering the dashboard
- Fix arrow characters in release target path dropdown (? → →)
- Add login credentials to quickstart documentation
- Update Feature Matrix: 14 release orchestration features marked as
  shipped (was marked planned)

Platform contract repairs (from prior session):
- Add /api/v1/jobengine/quotas/summary endpoint on Platform
- Fix gateway route prefix matching for /policy/shadow/* and
  /policy/simulations/* (regex routes instead of exact match)
- Fix VexHub PostgresVexSourceRepository missing interface method
- Fix advisory-vex-sources sweep text expectation
- Fix mirror operator journey auth (session storage token extraction)

Verified: 110/111 canonical routes passing (1 unrelated stale approval ref)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/FEATURE_MATRIX.md

@@ -34,30 +34,30 @@
 
 ---
 
-## Release Orchestration (Planned)
+## Release Orchestration
 
-*Release orchestration capabilities are planned for implementation.*
+*Release orchestration capabilities for environment promotion, policy gates, and deployment execution.*
 
 | Capability | Notes |
 | **Environment Management** | |
-| Environment CRUD | ⏳ Dev/Stage/Prod definitions |
+| Environment CRUD | ✅ Dev/Stage/Prod definitions |
 | Freeze Windows | ⏳ Calendar-based blocking |
-| Approval Policies | ⏳ Per-environment rules |
+| Approval Policies | ✅ Per-environment rules |
 | **Release Management** | |
 | Component Registry | ⏳ Service → repository mapping |
-| Release Bundles | ⏳ Component → digest bundles |
-| Semantic Versioning | ⏳ SemVer release versions |
-| Tag → Digest Resolution | ⏳ Immutable digest pinning |
+| Release Bundles | ✅ Component → digest bundles |
+| Semantic Versioning | ✅ SemVer release versions |
+| Tag → Digest Resolution | ✅ Immutable digest pinning |
 | **Promotion & Gates** | |
-| Promotion Workflows | ⏳ Environment transitions |
-| Security Gate | ⏳ Scan verdict evaluation |
-| Approval Gate | ⏳ Human sign-off |
+| Promotion Workflows | ✅ Environment transitions |
+| Security Gate | ✅ Scan verdict evaluation |
+| Approval Gate | ✅ Human sign-off |
 | Freeze Window Gate | ⏳ Calendar enforcement |
-| Policy Gate (OPA/Rego) | ⏳ Custom rules |
-| Decision Records | ⏳ Evidence-linked decisions |
+| Policy Gate (OPA/Rego) | ✅ Custom rules |
+| Decision Records | ✅ Evidence-linked decisions |
 | **Deployment Execution** | |
-| Docker Host Agent | ⏳ Direct container deployment |
-| Compose Host Agent | ⏳ Docker Compose deployment |
+| Docker Host Agent | ✅ Direct container deployment |
+| Compose Host Agent | ✅ Docker Compose deployment |
 | SSH Agentless | ⏳ Linux remote execution |
 | WinRM Agentless | ⏳ Windows remote execution |
 | ECS Agent | ⏳ AWS ECS deployment |
@@ -74,9 +74,9 @@
 | Workflow Templates | ⏳ Reusable workflows |
 | Script Steps (Bash/C#) | ⏳ Custom automation |
 | **Evidence & Audit** | |
-| Evidence Packets | ⏳ Sealed decision bundles |
+| Evidence Packets | ✅ Sealed decision bundles |
 | Version Stickers | ⏳ On-target deployment records |
-| Audit Export | ⏳ Compliance reporting |
+| Audit Export | ✅ Compliance reporting |
 | **Integrations** | |
 | GitHub Integration | ⏳ SCM + webhooks |
 | GitLab Integration | ⏳ SCM + webhooks |