Eliminate legacy gateway container (consolidate into router-gateway)

The gateway service was a redundant deployment of the same
StellaOps.Gateway.WebService binary already running as router-gateway.
It served no unique purpose — all traffic is handled by router-gateway
(slot 0). This removes the container, its route table entries, nginx
proxy blocks, health/quota stubs, and redirects STELLAOPS_GATEWAY_URL
to router.stella-ops.local so the Angular frontend resolves API base
URLs through the canonical frontdoor.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

devops/compose/docker-compose.stella-ops.yml

@@ -410,7 +410,7 @@ services:
       STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
       STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
       STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
-      STELLAOPS_GATEWAY_URL: "http://gateway.stella-ops.local"
+      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local"
       STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
       STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
       STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
@@ -535,38 +535,7 @@ services:
       <<: *healthcheck-tcp
     labels: *release-labels
 
-  # --- Slot 3: Gateway -------------------------------------------------------
-  gateway:
-    <<: *resources-light
-    image: stellaops/gateway:dev
-    container_name: stellaops-gateway
-    restart: unless-stopped
-    depends_on: *depends-infra
-    environment:
-      ASPNETCORE_URLS: "http://+:80;http://+:8080"
-      <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
-      ConnectionStrings__Default: *postgres-connection
-      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
-      Gateway__Auth__DpopEnabled: "false"
-      Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
-      Gateway__Auth__Authority__RequireHttpsMetadata: "false"
-      Router__Enabled: "${GATEWAY_ROUTER_ENABLED:-true}"
-      Router__Messaging__ConsumerGroup: "gateway"
-    volumes:
-      - *cert-volume
-      - *ca-bundle
-      - *ca-bundle
-    ports:
-      - "127.1.0.5:80:80"
-    networks:
-      stellaops:
-        aliases:
-          - gateway.stella-ops.local
-      frontdoor: {}
-    healthcheck:
-      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
-      <<: *healthcheck-tcp
-    labels: *release-labels
+  # --- Slot 3: (removed — Gateway consolidated into Router Gateway, slot 0) ---
 
   # --- Slot 4: Attestor ------------------------------------------------------
   attestor:

devops/compose/hosts.stellaops.local

@@ -12,7 +12,6 @@
 127.1.0.2  router.stella-ops.local
 127.1.0.3  platform.stella-ops.local
 127.1.0.4  authority.stella-ops.local
-127.1.0.5  gateway.stella-ops.local
 127.1.0.6  attestor.stella-ops.local
 127.1.0.7  evidencelocker.stella-ops.local
 127.1.0.8  scanner.stella-ops.local

devops/compose/openapi_routeprefix_smoke_microservice.csv

@@ -75,7 +75,6 @@
 "Microservice","/jwks","https://authority.stella-ops.local/jwks","/","200"
 "Microservice","/authority","https://authority.stella-ops.local/authority","/authority/audit/airgap","401"
 "Microservice","/console","https://authority.stella-ops.local/console","/console/filters","401"
-"Microservice","/gateway","http://gateway.stella-ops.local",,
 "Microservice","/scanner","http://scanner.stella-ops.local","/scanner/api/v1/agents","401"
 "Microservice","/policyGateway","http://policy-gateway.stella-ops.local","/policyGateway","302"
 "Microservice","/policyEngine","http://policy-engine.stella-ops.local","/policyEngine","302"

devops/compose/openapi_routeprefix_smoke_reverseproxy.csv

@@ -78,7 +78,6 @@
 "ReverseProxy","/console","https://authority.stella-ops.local/console","/console/vex","404"
 "ReverseProxy","/rekor","http://rekor.stella-ops.local:3322",,
 "ReverseProxy","/envsettings.json","http://platform.stella-ops.local/platform/envsettings.json","/","200"
-"ReverseProxy","/gateway","http://gateway.stella-ops.local",,
 "ReverseProxy","/scanner","http://scanner.stella-ops.local",,
 "ReverseProxy","/policyGateway","http://policy-gateway.stella-ops.local",,
 "ReverseProxy","/policyEngine","http://policy-engine.stella-ops.local",,

devops/compose/router-gateway-local.json

@@ -599,11 +599,6 @@
                                        "TranslatesTo":  "http://platform.stella-ops.local/platform/envsettings.json",
                                        "PreserveAuthHeaders":  true
                                    },
-                                   {
-                                       "Type":  "Microservice",
-                                       "Path":  "/gateway",
-                                       "TranslatesTo":  "http://gateway.stella-ops.local"
-                                   },
                                    {
                                        "Type":  "Microservice",
                                        "Path":  "/scanner",

devops/compose/router-gateway-local.reverseproxy.json

@@ -591,11 +591,6 @@
                                        "Path":  "/envsettings.json",
                                        "TranslatesTo":  "http://platform.stella-ops.local/platform/envsettings.json"
                                    },
-                                   {
-                                       "Type":  "ReverseProxy",
-                                       "Path":  "/gateway",
-                                       "TranslatesTo":  "http://gateway.stella-ops.local"
-                                   },
                                    {
                                        "Type":  "ReverseProxy",
                                        "Path":  "/scanner",

devops/docker/Dockerfile.console

@@ -56,17 +56,6 @@ server {
         proxy_set_header X-Forwarded-Proto \$scheme;
     }
 
-    # Gateway API (strips /gateway/ prefix for release-orchestrator clients)
-    location /gateway/ {
-        set \$gateway_upstream http://gateway.stella-ops.local;
-        rewrite ^/gateway/(.*)\$ /\$1 break;
-        proxy_pass \$gateway_upstream;
-        proxy_set_header Host gateway.stella-ops.local;
-        proxy_set_header X-Real-IP \$remote_addr;
-        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto \$scheme;
-    }
-
     # Platform service (preserves /platform/ prefix for envsettings, admin)
     location /platform/ {
         proxy_pass http://platform.stella-ops.local/platform/;
@@ -250,7 +239,7 @@ server {
         sub_filter '"http://stella-ops.local/connect/token"' '"/connect/token"';
         sub_filter '"http://stella-ops.local/connect/logout"' '"/connect/logout"';
         sub_filter '"http://stella-ops.local"' '""';
-        sub_filter '"http://gateway.stella-ops.local"' '"/gateway"';
+        sub_filter '"http://router.stella-ops.local"' '""';
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
@@ -307,7 +296,7 @@ server {
         sub_filter '"http://stella-ops.local/connect/token"' '"/connect/token"';
         sub_filter '"http://stella-ops.local/connect/logout"' '"/connect/logout"';
         sub_filter '"http://stella-ops.local"' '""';
-        sub_filter '"http://gateway.stella-ops.local"' '"/gateway"';
+        sub_filter '"http://router.stella-ops.local"' '""';
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';

devops/docker/console-nginx-override.conf

@@ -22,14 +22,6 @@ server {
         proxy_pass http://platform.stella-ops.local/api/;
     }
 
-    # Gateway API (strips /gateway/ prefix)
-    location /gateway/ {
-        set $gateway_upstream http://gateway.stella-ops.local;
-        rewrite ^/gateway/(.*)$ /$1 break;
-        proxy_pass $gateway_upstream;
-        proxy_set_header Host gateway.stella-ops.local;
-    }
-
     # Platform envsettings.json with URL rewriting
     location = /platform/envsettings.json {
         proxy_pass http://platform.stella-ops.local/platform/envsettings.json;
@@ -41,7 +33,7 @@ server {
         sub_filter '"http://stella-ops.local/connect/token"' '"/connect/token"';
         sub_filter '"http://stella-ops.local/connect/logout"' '"/connect/logout"';
         sub_filter '"http://stella-ops.local"' '""';
-        sub_filter '"http://gateway.stella-ops.local"' '"/gateway"';
+        sub_filter '"http://router.stella-ops.local"' '""';
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
@@ -412,7 +404,7 @@ server {
         sub_filter '"http://stella-ops.local/connect/token"' '"/connect/token"';
         sub_filter '"http://stella-ops.local/connect/logout"' '"/connect/logout"';
         sub_filter '"http://stella-ops.local"' '""';
-        sub_filter '"http://gateway.stella-ops.local"' '"/gateway"';
+        sub_filter '"http://router.stella-ops.local"' '""';
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';

devops/docker/nginx-console.conf

@@ -26,17 +26,6 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    # Gateway API (strips /gateway/ prefix for release-orchestrator clients)
-    location /gateway/ {
-        set $gateway_upstream http://gateway.stella-ops.local;
-        rewrite ^/gateway/(.*)$ /$1 break;
-        proxy_pass $gateway_upstream;
-        proxy_set_header Host gateway.stella-ops.local;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
     # Platform service (preserves /platform/ prefix for envsettings, admin)
     location /platform/ {
         proxy_pass http://platform.stella-ops.local/platform/;
@@ -215,7 +204,7 @@ server {
         proxy_set_header Accept-Encoding "";
         sub_filter_types application/json;
         sub_filter_once off;
-        sub_filter '"http://gateway.stella-ops.local"' '"/gateway"';
+        sub_filter '"http://router.stella-ops.local"' '""';
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';

devops/docker/services-matrix.env

@@ -9,8 +9,7 @@ router-gateway|devops/docker/Dockerfile.hardened.template|src/Router/StellaOps.G
 platform|devops/docker/Dockerfile.hardened.template|src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj|StellaOps.Platform.WebService|8080
 # ── Slot 2: Authority ───────────────────────────────────────────────────────────
 authority|devops/docker/Dockerfile.hardened.template|src/Authority/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj|StellaOps.Authority|8440
-# ── Slot 3: Gateway (legacy alias -> Router Gateway) ───────────────────────────
-gateway|devops/docker/Dockerfile.hardened.template|src/Router/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj|StellaOps.Gateway.WebService|8080
+# ── Slot 3: (removed — Gateway consolidated into Router Gateway, slot 0) ───────
 # ── Slot 4: Attestor ────────────────────────────────────────────────────────────
 attestor|devops/docker/Dockerfile.hardened.template|src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj|StellaOps.Attestor.WebService|8442
 # ── Slot 5: Attestor TileProxy ──────────────────────────────────────────────────