tests fixes and sprints work

docs/modules/platform/platform-service.md

@@ -15,6 +15,7 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows
 - Persist dashboard personalization and layout preferences.
 - Provide global search aggregation across entities.
 - Surface platform metadata for UI bootstrapping (version, build, offline status).
+- Expose analytics lake aggregates for SBOM, vulnerability, and attestation reporting.
 
 ## API surface (v1)
 
@@ -49,6 +50,16 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows
 
 ### Metadata
 - GET `/api/v1/platform/metadata`
+- Response includes a capabilities list for UI bootstrapping; analytics capability is reported only when analytics storage is configured.
+
+### Analytics (SBOM lake)
+- GET `/api/analytics/suppliers`
+- GET `/api/analytics/licenses`
+- GET `/api/analytics/vulnerabilities`
+- GET `/api/analytics/backlog`
+- GET `/api/analytics/attestation-coverage`
+- GET `/api/analytics/trends/vulnerabilities`
+- GET `/api/analytics/trends/components`
 
 ## Data model
 - `platform.dashboard_preferences` (dashboard layout, widgets, filters)
@@ -72,11 +83,58 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows
 - Preferences: `ui.preferences.read`, `ui.preferences.write`
 - Search: `search.read` plus downstream service scopes (`findings:read`, `policy:read`, etc.)
 - Metadata: `platform.metadata.read`
+- Analytics: `analytics.read`
 
 ## Determinism and offline posture
-- Stable ordering with explicit sort keys and deterministic tiebreakers.
+- Stable ordering with explicit sort keys and deterministic tiebreakers.        
 - All timestamps in UTC ISO-8601.
-- Cache last-known snapshots for offline rendering with "data as of" markers.
+- Cache last-known snapshots for offline rendering with "data as of" markers.   
+
+## Analytics ingestion configuration
+
+Analytics ingestion runs inside the Platform WebService and subscribes to Scanner,
+Concelier, and Attestor streams. Configure ingestion with `Platform:AnalyticsIngestion`:
+
+```yaml
+Platform:
+  AnalyticsIngestion:
+    Enabled: true
+    PostgresConnectionString: "" # optional; defaults to Platform:Storage
+    AllowedTenants: ["tenant-a"]
+    Streams:
+      ScannerStream: "orchestrator:events"
+      ConcelierObservationStream: "concelier:advisory.observation.updated:v1"
+      ConcelierLinksetStream: "concelier:advisory.linkset.updated:v1"
+      AttestorStream: "attestor:events"
+      StartFromBeginning: false
+    Cas:
+      RootPath: "/var/lib/stellaops/cas"
+      DefaultBucket: "attestations"
+    Attestations:
+      BundleUriTemplate: "bundle:{digest}"
+```
+
+`BundleUriTemplate` supports `{digest}` and `{hash}` placeholders. The `bundle:` scheme
+maps to `cas://<DefaultBucket>/{digest}` by default. Verify offline bundles with
+`stella bundle verify` before ingestion.
+
+## Analytics maintenance configuration
+Analytics rollups + materialized view refreshes are driven by
+`PlatformAnalyticsMaintenanceService` when analytics storage is configured.     
+Use `BackfillDays` to recompute recent rollups on the first maintenance run (set to `0` to disable).
+
+```yaml
+Platform:
+  Storage:
+    PostgresConnectionString: "Host=...;Database=...;Username=...;Password=..."
+  AnalyticsMaintenance:
+    Enabled: true
+    RunOnStartup: true
+    IntervalMinutes: 1440
+    ComputeDailyRollups: true
+    RefreshMaterializedViews: true
+    BackfillDays: 7
+```
 
 ## Observability
 - Metrics: `platform.aggregate.latency_ms`, `platform.aggregate.errors_total`, `platform.aggregate.cache_hits_total`