chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

devops/compose/.env

@@ -1,14 +1,11 @@
 # =============================================================================
 # STELLA OPS ENVIRONMENT CONFIGURATION
 # =============================================================================
-# Environment variables for the Stella Ops Docker Compose stack.
+# Main environment template for docker-compose.stella-ops.yml
+# Copy to .env and customize for your deployment.
 #
-# Usage (split infra/services files -- preferred):
-#   docker compose \
-#     -f docker-compose.stella-infra.yml \
-#     -f docker-compose.stella-services.yml up -d
-#
-# Usage (legacy monolith):
+# Usage:
+#   cp env/stellaops.env.example .env
 #   docker compose -f docker-compose.stella-ops.yml up -d
 #
 # =============================================================================
@@ -19,32 +16,38 @@
 
 # PostgreSQL Database
 POSTGRES_USER=stellaops
-POSTGRES_PASSWORD=stellaops
+POSTGRES_PASSWORD=stellaops           # Change for production
 POSTGRES_DB=stellaops_platform
 POSTGRES_PORT=5432
 
+# Shared connection strings consumed by docker-compose.stella-services.yml.
+# Keep these aligned with the local compose DNS aliases and bootstrap volumes.
+STELLAOPS_POSTGRES_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_platform;Username=stellaops;Password=stellaops;Maximum Pool Size=50
+STELLAOPS_POSTGRES_AUTHORITY_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_authority;Username=stellaops;Password=stellaops;Maximum Pool Size=20;Minimum Pool Size=2
+
+# Shared mounts referenced by service definitions.
+STELLAOPS_CERT_VOLUME=../../etc/authority/keys:/app/etc/certs:ro
+STELLAOPS_CA_BUNDLE_VOLUME=./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
+
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=6379
 
 # RustFS Object Storage
-RUSTFS_HTTP_PORT=8080
+RUSTFS_HTTP_PORT=8333
 
 # =============================================================================
-# SHARED CONNECTION STRINGS (used by docker-compose.stella-services.yml)
+# ROUTER GATEWAY
 # =============================================================================
-# These replace YAML anchors (*postgres-connection, *postgres-authority-connection)
-# that cannot cross Docker Compose file boundaries.
 
-STELLAOPS_POSTGRES_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_platform;Username=stellaops;Password=stellaops;Maximum Pool Size=50
-STELLAOPS_POSTGRES_AUTHORITY_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_authority;Username=stellaops;Password=stellaops;Maximum Pool Size=20;Minimum Pool Size=2
+# Router route table file mounted to /app/appsettings.local.json
+# Microservice-first frontdoor config (default).
+# Reverse proxy is intentionally limited to external/bootstrap surfaces inside this file.
+ROUTER_GATEWAY_CONFIG=./router-gateway-local.json
+# Authority claims override endpoint base URL consumed by router-gateway.
+ROUTER_AUTHORITY_CLAIMS_OVERRIDES_URL=http://authority.stella-ops.local
 
-# =============================================================================
-# SHARED VOLUME MOUNTS (used by docker-compose.stella-services.yml)
-# =============================================================================
-# These replace YAML anchors (*cert-volume, *ca-bundle) for cross-file usage.
-
-STELLAOPS_CERT_VOLUME=../../etc/authority/keys:/app/etc/certs:ro
-STELLAOPS_CA_BUNDLE_VOLUME=./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
+# HMAC-SHA256 signing key for gateway identity envelopes used in local compose.
+STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=xPGV6S6dlS3JsLw3DuPRAEAXqJ9JOsfWE/8oIiplGRk=
 
 # =============================================================================
 # CORE SERVICES
@@ -54,6 +57,10 @@ STELLAOPS_CA_BUNDLE_VOLUME=./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificat
 AUTHORITY_ISSUER=https://authority.stella-ops.local/
 AUTHORITY_PORT=8440
 AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+AUTHORITY_BOOTSTRAP_APIKEY=stellaops-dev-bootstrap-key
+
+# Local first-run bootstrap admin used by the setup wizard and live browser helpers.
+# Keep this value only for local/dev compose usage and rotate it for any shared environment.
 STELLAOPS_ADMIN_PASS=Admin@Stella2026!
 
 # Signer
@@ -130,12 +137,16 @@ SCHEDULER_SCANNER_BASEADDRESS=http://scanner.stella-ops.local
 # REKOR / SIGSTORE CONFIGURATION
 # =============================================================================
 
-# Rekor server URL (default: public Sigstore, use http://rekor-v2:3000 for local)
+# Rekor server URL (default: public Sigstore, use http://rekor-v2:3322 for local)
 REKOR_SERVER_URL=https://rekor.sigstore.dev
 REKOR_VERSION=V2
 REKOR_TILE_BASE_URL=
 REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
 REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+# Local Rekor v2 (`--profile sigstore-local`) uses Tessera GCP backend.
+# Override these with your actual GCP bucket/database identifiers.
+REKOR_GCP_BUCKET=stellaops-rekor-dev
+REKOR_GCP_SPANNER=projects/stellaops-dev/instances/rekor/databases/rekor
 
 # =============================================================================
 # ADVISORY AI CONFIGURATION
@@ -156,7 +167,7 @@ STELLAOPS_CRYPTO_PROFILE=default
 
 # Enable crypto simulation (for testing)
 STELLAOPS_CRYPTO_ENABLE_SIM=0
-STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+STELLAOPS_CRYPTO_SIM_URL=http://crypto-sim.stella-ops.local:8080
 
 # CryptoPro (Russia only) - requires EULA acceptance
 CRYPTOPRO_PORT=18080
@@ -173,13 +184,11 @@ SM_REMOTE_HSM_API_KEY=
 SM_REMOTE_HSM_TIMEOUT=30000
 
 # =============================================================================
-# ROUTER IDENTITY ENVELOPE
+# DEMO DATA SEEDING
 # =============================================================================
 
-# HMAC-SHA256 shared signing key for gateway identity envelopes.
-# Generate with: openssl rand -base64 32
-# For production: use Docker secrets or vault injection.
-STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=xPGV6S6dlS3JsLw3DuPRAEAXqJ9JOsfWE/8oIiplGRk=
+# Optional manual demo data seeding API endpoint. Keep disabled for truthful default installs.
+STELLAOPS_ENABLE_DEMO_SEED=false
 
 # =============================================================================
 # NETWORKING

devops/compose/docker-compose.stella-services.yml

@@ -1194,6 +1194,8 @@ services:
       Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
       Authority__ResourceServer__BypassNetworks__2: "::1/128"
       TIMELINE_Postgres__Timeline__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
+      TIMELINE_Ingestion__Redis__Enabled: "true"
+      TIMELINE_Ingestion__Redis__ConnectionString: "cache.stella-ops.local:6379"
       Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "timeline"
     volumes:
@@ -1583,6 +1585,7 @@ services:
       ASPNETCORE_URLS: "http://+:8080"
       <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
       ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
+      RegistryTokenService__Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       RegistryTokenService__Signing__Issuer: "http://registry-token.stella-ops.local"
       RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx"
       RegistryTokenService__Signing__Lifetime: "00:05:00"
@@ -1715,6 +1718,7 @@ services:
       <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
       ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+      SbomService__PostgreSQL__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       Router__Enabled: "${SBOMSERVICE_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "sbomservice"
     volumes:
@@ -1917,6 +1921,7 @@ services:
       <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
       ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+      Signals__Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
       Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
       Authority__ResourceServer__RequireHttpsMetadata: "false"
@@ -1954,8 +1959,10 @@ services:
     environment:
       ASPNETCORE_URLS: "http://+:8080"
       <<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
+      ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
       ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
+      ADVISORYAI__AdvisoryAI__Storage__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
       ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
       ADVISORYAI__AdvisoryAI__Chat__Enabled: "true"
@@ -2002,8 +2009,10 @@ services:
       - scanner-web
     environment:
       <<: [*kestrel-cert, *gc-medium]
+      ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
       ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/tmp/advisory-ai/queue"
+      ADVISORYAI__AdvisoryAI__Storage__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/tmp/advisory-ai/plans"
       ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/tmp/advisory-ai/outputs"
       ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"

devops/compose/env/stellaops.env.example

@@ -20,6 +20,15 @@ POSTGRES_PASSWORD=stellaops           # Change for production
 POSTGRES_DB=stellaops_platform
 POSTGRES_PORT=5432
 
+# Shared connection strings consumed by docker-compose.stella-services.yml.
+# Keep these aligned with the local compose DNS aliases and bootstrap volumes.
+STELLAOPS_POSTGRES_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_platform;Username=stellaops;Password=stellaops;Maximum Pool Size=50
+STELLAOPS_POSTGRES_AUTHORITY_CONNECTION=Host=db.stella-ops.local;Port=5432;Database=stellaops_authority;Username=stellaops;Password=stellaops;Maximum Pool Size=20;Minimum Pool Size=2
+
+# Shared mounts referenced by service definitions.
+STELLAOPS_CERT_VOLUME=../../etc/authority/keys:/app/etc/certs:ro
+STELLAOPS_CA_BUNDLE_VOLUME=./combined-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
+
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=6379
 
@@ -37,6 +46,9 @@ ROUTER_GATEWAY_CONFIG=./router-gateway-local.json
 # Authority claims override endpoint base URL consumed by router-gateway.
 ROUTER_AUTHORITY_CLAIMS_OVERRIDES_URL=http://authority.stella-ops.local
 
+# HMAC-SHA256 signing key for gateway identity envelopes used in local compose.
+STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=xPGV6S6dlS3JsLw3DuPRAEAXqJ9JOsfWE/8oIiplGRk=
+
 # =============================================================================
 # CORE SERVICES
 # =============================================================================

devops/compose/router-gateway-local.json

@@ -141,7 +141,7 @@
                                    { "Type": "Microservice", "Path": "^/api/v1/audit(.*)", "IsRegex": true, "TranslatesTo": "http://timeline.stella-ops.local/api/v1/audit$1" },
                                    { "Type": "Microservice", "Path": "^/api/v1/export(.*)", "IsRegex": true, "TranslatesTo": "https://exportcenter.stella-ops.local/api/v1/export$1" },
                                    { "Type": "Microservice", "Path": "^/api/v1/concelier(.*)", "IsRegex": true, "TranslatesTo": "http://concelier.stella-ops.local/api/v1/concelier$1" },
-                                   { "Type": "Microservice", "Path": "^/api/v1/advisory-sources(.*)", "IsRegex": true, "TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources$1" },
+                                   { "Type": "ReverseProxy", "Path": "^/api/v1/advisory-sources(.*)", "IsRegex": true, "TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources$1", "PreserveAuthHeaders": true },
                                    { "Type": "Microservice", "Path": "^/api/v1/notifier/delivery(.*)", "IsRegex": true, "TranslatesTo": "http://notify.stella-ops.local/api/v2/notify/deliveries$1" },
                                    { "Type": "Microservice", "Path": "^/api/v1/notifier/(.*)", "IsRegex": true, "TranslatesTo": "http://notify.stella-ops.local/api/v2/notify/$1" },
                                    { "Type": "Microservice", "Path": "^/api/v1/notify/(digest-schedules|quiet-hours|throttle-configs|simulate|escalation-policies|localizations|incidents)(.*)", "IsRegex": true, "TranslatesTo": "http://platform.stella-ops.local/api/v1/notify/$1$2" },