chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/modules/advisory-ai/guides/policy-studio-api.md

@@ -10,9 +10,16 @@ This guide documents the Policy Studio API for AI-powered policy authoring, conv
 Policy Studio enables:
 1. **Natural Language → Policy Intent**: Parse human intent from plain English
 2. **Intent → Lattice Rules**: Generate K4 lattice-compatible rules
-3. **Validation**: Detect conflicts, unreachable conditions, loops
+3. **Validation**: Planned HTTP stage; currently returns `501 Not Implemented`
 4. **Test Synthesis**: Auto-generate test cases for policy validation
-5. **Compilation**: Bundle rules into signed, versioned policy packages
+5. **Compilation**: Planned HTTP stage; currently returns `501 Not Implemented`
+
+## Current Runtime Status
+
+- Current route base: `/v1/advisory-ai/policy/studio/*`
+- Implemented in the current host: `parse`, `generate`
+- Reserved but not yet backed by durable generated-rule storage: `validate`, `compile`
+- Current runtime behavior for reserved stages: explicit HTTP `501 Not Implemented` problem responses
 
 ## API Endpoints
 
@@ -21,12 +28,12 @@ Policy Studio enables:
 Convert natural language to structured policy intent.
 
 ```http
-POST /api/v1/policy/studio/parse
+POST /v1/advisory-ai/policy/studio/parse
 Content-Type: application/json
 
 {
   "input": "Block all critical vulnerabilities in production services unless they have a vendor VEX stating not affected",
-  "scope": "production"
+  "defaultScope": "production"
 }
 ```
 
@@ -108,7 +115,7 @@ When intent is ambiguous, the API returns clarifying questions:
 Convert policy intent to K4 lattice rules.
 
 ```http
-POST /api/v1/policy/studio/generate
+POST /v1/advisory-ai/policy/studio/generate
 Content-Type: application/json
 
 {
@@ -149,14 +156,11 @@ Content-Type: application/json
 Check rules for conflicts and issues.
 
 ```http
-POST /api/v1/policy/studio/validate
+POST /v1/advisory-ai/policy/studio/validate
 Content-Type: application/json
 
 {
-  "rules": [
-    { "ruleId": "rule-20251226-001", "..." },
-    { "ruleId": "rule-20251226-002", "..." }
-  ],
+  "ruleIds": ["rule-20251226-001", "rule-20251226-002"],
   "existingRuleIds": ["rule-existing-001", "rule-existing-002"]
 }
 ```
@@ -165,39 +169,25 @@ Content-Type: application/json
 
 ```json
 {
-  "valid": false,
-  "conflicts": [
-    {
-      "ruleId1": "rule-20251226-001",
-      "ruleId2": "rule-existing-002",
-      "description": "Both rules match critical vulnerabilities but produce different dispositions (Block vs Allow)",
-      "suggestedResolution": "Add priority ordering or more specific conditions to disambiguate",
-      "severity": "error"
-    }
-  ],
-  "unreachableConditions": [
-    "Rule rule-20251226-002 condition 'severity=low AND severity=high' is always false"
-  ],
-  "potentialLoops": [],
-  "coverage": 0.85
+  "type": "https://stellaops.dev/problems/policy-studio/validate-not-implemented",
+  "title": "Policy Studio stage not implemented",
+  "status": 501,
+  "detail": "Policy Studio validate is not wired to durable generated-rule storage yet. Parse and generate are available; validate remains unavailable in this runtime."
 }
 ```
 
 ### Compile Policy Bundle
 
-Bundle validated rules into a signed policy package.
+Bundle validated rules into a signed policy package once durable generated-rule storage lands. The current runtime fails closed instead of returning a fabricated bundle.
 
 ```http
-POST /api/v1/policy/studio/compile
+POST /v1/advisory-ai/policy/studio/compile
 Content-Type: application/json
 
 {
-  "rules": [
-    { "ruleId": "rule-20251226-001", "..." }
-  ],
+  "ruleIds": ["rule-20251226-001"],
   "bundleName": "production-security-policy",
-  "version": "1.0.0",
-  "sign": true
+  "description": "Production bundle candidate"
 }
 ```
 
@@ -205,15 +195,10 @@ Content-Type: application/json
 
 ```json
 {
-  "bundleId": "bundle-20251226-001",
-  "bundleName": "production-security-policy",
-  "version": "1.0.0",
-  "ruleCount": 5,
-  "digest": "sha256:bundledigest...",
-  "signed": true,
-  "signatureKeyId": "stellaops-policy-signer-2025",
-  "compiledAt": "2025-12-26T10:30:00Z",
-  "downloadUrl": "/api/v1/policy/bundle/bundle-20251226-001"
+  "type": "https://stellaops.dev/problems/policy-studio/compile-not-implemented",
+  "title": "Policy Studio stage not implemented",
+  "status": 501,
+  "detail": "Policy Studio compile is not wired to durable generated-rule storage yet. Parse and generate are available; bundle compilation remains unavailable in this runtime."
 }
 ```