feat: scheduler web+worker merge + audit Batch 1 (68 endpoints annotated)

Scheduler:
- Merge scheduler-worker into scheduler-web with Worker:Embedded flag
- Default embedded=true (compose), false available for K8s split
- Upgrade to resources-heavy, comment out scheduler-worker container

Audit Batch 1 (first real audit emission):
- Create AuditedRouteGroupExtensions convention helper
- EvidenceLocker: 7 endpoints (store/snapshot/verify/hold/export/verdict)
- Integrations: 6 endpoints (CRUD + test + discover)
- Scanner: 55 endpoints across 25 files
- Sprint 005 FILTER-001/002/003 marked DONE

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/docker-compose.stella-ops.legacy.yml

@@ -1193,14 +1193,16 @@ services:
   # jobengine and jobengine-worker removed.
   # Release endpoints → release-orchestrator service (Slot 47)
   # Workflow orchestration → workflow service (Slot 46)
-  # Scheduler remains in Slot 14 (scheduler-web / scheduler-worker)
+  # Scheduler remains in Slot 19 (scheduler-web; worker merged in)
 
   # --- Slot 18: TaskRunner (REMOVED) ------------------------------------------
   # taskrunner-web and taskrunner-worker deleted; task_runner_id DB columns left as nullable legacy
 
-  # --- Slot 19: Scheduler ----------------------------------------------------
+  # --- Slot 19: Scheduler (web + embedded worker) ----------------------------
+  # Worker BackgroundServices now run embedded in the web process (Scheduler:Worker:Embedded=true).
+  # Set Scheduler__Worker__Embedded=false and restore scheduler-worker for K8s split deployments.
   scheduler-web:
-    <<: *resources-medium
+    <<: *resources-heavy
     image: stellaops/scheduler-web:dev
     container_name: stellaops-scheduler-web
     restart: unless-stopped
@@ -1211,69 +1213,72 @@ services:
       ConnectionStrings__Default: *postgres-connection
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
       Scheduler__Authority__Enabled: "false"
-      # Worker options are validated even in web mode
+      # Embedded worker mode (all 8 BackgroundServices in this process)
+      Scheduler__Worker__Embedded: "true"
       scheduler__queue__Kind: "Redis"
       scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
       Scheduler__Storage__Postgres__Scheduler__ConnectionString: *postgres-connection
       Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
-      Scheduler__Worker__Runner__Scanner__BaseAddress: "http://scanner.stella-ops.local"
+      Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
       Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
       Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
       Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
+      # Surface environment (merged from scheduler-worker)
+      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
       Router__Enabled: "${SCHEDULER_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "scheduler"
     volumes:
       - *cert-volume
     tmpfs:
       - /plugins:mode=1777
+      - /var/lib/stellaops/surface:mode=1777
     ports:
       - "127.1.0.19:80:80"
     networks:
       stellaops:
         aliases:
           - scheduler.stella-ops.local
+          - scheduler-worker.stella-ops.local
       frontdoor: {}
     healthcheck:
       test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
       <<: *healthcheck-tcp
     labels: *release-labels
 
-  scheduler-worker:
-    <<: *resources-medium
-    image: stellaops/scheduler-worker:dev
-    container_name: stellaops-scheduler-worker
-    restart: unless-stopped
-    depends_on:
-      postgres:
-        condition: service_healthy
-      valkey:
-        condition: service_healthy
-    environment:
-      <<: [*kestrel-cert, *gc-medium]
-      # Queue config (Redis transport)
-      scheduler__queue__Kind: "Redis"
-      scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
-      # Persistence config (section: Scheduler:Storage, subsection: Postgres:Scheduler)
-      Scheduler__Storage__Postgres__Scheduler__ConnectionString: *postgres-connection
-      Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
-      # Worker config
-      Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
-      Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
-      Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
-      Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
-      # Surface environment
-      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
-    volumes:
-      - *cert-volume
-    tmpfs:
-      - /var/lib/stellaops/surface:mode=1777
-    networks:
-      stellaops:
-        aliases:
-          - scheduler-worker.stella-ops.local
-    healthcheck:
-      <<: *healthcheck-worker
-    labels: *release-labels
+  # scheduler-worker: MERGED into scheduler-web (Scheduler:Worker:Embedded=true)
+  # Uncomment and set Scheduler__Worker__Embedded=false on scheduler-web for K8s split.
+  # scheduler-worker:
+  #   <<: *resources-medium
+  #   image: stellaops/scheduler-worker:dev
+  #   container_name: stellaops-scheduler-worker
+  #   restart: unless-stopped
+  #   depends_on:
+  #     postgres:
+  #       condition: service_healthy
+  #     valkey:
+  #       condition: service_healthy
+  #   environment:
+  #     <<: [*kestrel-cert, *gc-medium]
+  #     scheduler__queue__Kind: "Redis"
+  #     scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
+  #     Scheduler__Storage__Postgres__Scheduler__ConnectionString: *postgres-connection
+  #     Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
+  #     Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
+  #     Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
+  #     Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
+  #     Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
+  #     SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
+  #   volumes:
+  #     - *cert-volume
+  #   tmpfs:
+  #     - /var/lib/stellaops/surface:mode=1777
+  #   networks:
+  #     stellaops:
+  #       aliases:
+  #         - scheduler-worker.stella-ops.local
+  #   healthcheck:
+  #     <<: *healthcheck-worker
+  #   labels: *release-labels
 
   # --- Slot 20: Graph API ----------------------------------------------------
   graph-api: