Update compose config, policy simulation, and workflow replay

- devops/compose: README, docker-compose, hosts updates
- Policy simulation: pre-promotion and test-validate panels,
  routes, dashboard, and spec updates
- Workflow visualization: run-graph replay page template update
- Claude settings update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/README.md

@@ -9,6 +9,9 @@ Consolidated Docker Compose configuration for the StellaOps platform. All profil
 | Run the full platform | `docker compose -f docker-compose.stella-ops.yml up -d` |
 | Add observability | `docker compose -f docker-compose.stella-ops.yml -f docker-compose.telemetry.yml up -d` |
 | Start QA integration fixtures | `docker compose -f docker-compose.integration-fixtures.yml up -d` |
+| Start 3rd-party integration services | `docker compose -f docker-compose.integrations.yml up -d` |
+| Start GitLab CE (heavy, ~4 GB RAM) | `docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab` |
+| Run integration E2E test suite | See [Integration Test Suite](#integration-test-suite) |
 | Run CI/testing infrastructure | `docker compose -f docker-compose.testing.yml --profile ci up -d` |
 | Deploy with China compliance | See [China Compliance](#china-compliance-sm2sm3sm4) |
 | Deploy with Russia compliance | See [Russia Compliance](#russia-compliance-gost) |
@@ -27,6 +30,7 @@ Consolidated Docker Compose configuration for the StellaOps platform. All profil
 | `docker-compose.telemetry.yml` | **Observability**: OpenTelemetry collector, Prometheus, Tempo, Loki |
 | `docker-compose.testing.yml` | **CI/Testing**: Test databases, mock services, Gitea for integration tests |
 | `docker-compose.dev.yml` | **Minimal dev infrastructure**: PostgreSQL, Valkey, RustFS only |
+| `docker-compose.integrations.yml` | **Integration services**: Gitea, Jenkins, Nexus, Vault, Docker Registry, MinIO, GitLab |
 
 ### Specialized Infrastructure
 
@@ -232,6 +236,173 @@ These fixtures are deterministic QA aids only; they are not production dependenc
 
 ---
 
+### Third-Party Integration Services
+
+Real 3rd-party services for local integration testing. Unlike the QA fixtures above (which are nginx mocks), these are fully functional instances that exercise actual connector plugin code paths.
+
+```bash
+# Start all lightweight integration services (after the main stack is up)
+docker compose -f docker-compose.integrations.yml up -d
+
+# Start specific services only
+docker compose -f docker-compose.integrations.yml up -d gitea vault jenkins
+
+# Start GitLab CE (heavy — requires ~4 GB RAM, ~3 min startup)
+docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab
+
+# Combine with mock fixtures for full coverage
+docker compose \
+  -f docker-compose.integrations.yml \
+  -f docker-compose.integration-fixtures.yml \
+  up -d
+```
+
+**Hosts file entries** (add to `C:\Windows\System32\drivers\etc\hosts`):
+```
+127.1.2.1  gitea.stella-ops.local
+127.1.2.2  jenkins.stella-ops.local
+127.1.2.3  nexus.stella-ops.local
+127.1.2.4  vault.stella-ops.local
+127.1.2.5  registry.stella-ops.local
+127.1.2.6  minio.stella-ops.local
+127.1.2.7  gitlab.stella-ops.local
+```
+
+**Service reference:**
+
+| Service | Type | Address | Credentials | Integration Provider |
+|---------|------|---------|-------------|---------------------|
+| Gitea | SCM | `http://gitea.stella-ops.local:3000` | Create on first login | `Gitea` |
+| Jenkins | CI/CD | `http://jenkins.stella-ops.local:8080` | Setup wizard disabled | `Jenkins` |
+| Nexus | Registry | `http://nexus.stella-ops.local:8081` | admin / see `admin.password` | `Nexus` |
+| Vault | Secrets | `http://vault.stella-ops.local:8200` | Token: `stellaops-dev-root-token-2026` | — |
+| Docker Registry | Registry | `http://registry.stella-ops.local:5000` | None (open dev) | `DockerHub` |
+| MinIO | S3 Storage | `http://minio.stella-ops.local:9001` | `stellaops` / `Stella2026!` | — |
+| GitLab CE | SCM+CI+Registry | `http://gitlab.stella-ops.local:8929` | root / `Stella2026!` | `GitLabServer` |
+
+**Credential resolution:** Integration connectors resolve secrets via `authref://vault/{path}#{key}` URIs. The Integrations service resolves these from Vault automatically in dev mode. Store credentials with:
+
+```bash
+export VAULT_ADDR=http://vault.stella-ops.local:8200
+export VAULT_TOKEN=stellaops-dev-root-token-2026
+
+vault kv put secret/harbor robot-account="harbor-robot-token"
+vault kv put secret/github app-private-key="your-key"
+vault kv put secret/gitea api-token="your-gitea-token"
+vault kv put secret/gitlab access-token="glpat-your-token"
+vault kv put secret/jenkins api-token="user:token"
+vault kv put secret/nexus admin-password="your-password"
+```
+
+**Backend connector plugins** (8 total, loaded in Integrations service):
+
+| Plugin | Type | Provider | Health Endpoint |
+|--------|------|----------|-----------------|
+| Harbor | Registry | `Harbor` | `/api/v2.0/health` |
+| Docker Registry | Registry | `DockerHub` | `/v2/` |
+| Nexus | Registry | `Nexus` | `/service/rest/v1/status` |
+| GitHub App | SCM | `GitHubApp` | `/api/v3/app` |
+| Gitea | SCM | `Gitea` | `/api/v1/version` |
+| GitLab | SCM | `GitLabServer` | `/api/v4/version` |
+| Jenkins | CI/CD | `Jenkins` | `/api/json` |
+| InMemory | Testing | `InMemory` | — (hidden) |
+
+**Advisory fixture endpoints** (for advisory sources that are unreachable from Docker):
+
+| Service | Hostname | Port | Mocked Sources |
+|---------|----------|------|----------------|
+| Advisory fixture | `advisory-fixture.stella-ops.local` | 80 | CERT-In, FSTEC BDU, VEX Hub, StellaOps Mirror, Exploit-DB, AMD, Siemens, Ruby Advisory DB |
+
+**IP address map:**
+
+| IP | Service | Port(s) |
+|----|---------|---------|
+| 127.1.1.6 | harbor-fixture | 80 |
+| 127.1.1.7 | github-app-fixture | 80 |
+| 127.1.1.8 | advisory-fixture | 80 |
+| 127.1.2.1 | gitea | 3000, 2222 |
+| 127.1.2.2 | jenkins | 8080, 50000 |
+| 127.1.2.3 | nexus | 8081, 8082, 8083 |
+| 127.1.2.4 | vault | 8200 |
+| 127.1.2.5 | docker-registry | 5000 |
+| 127.1.2.6 | minio | 9000, 9001 |
+| 127.1.2.7 | gitlab (heavy) | 8929, 2224, 5050 |
+
+For detailed setup instructions per service, see [`docs/integrations/LOCAL_SERVICES.md`](../../docs/integrations/LOCAL_SERVICES.md).
+
+### Integration Test Suite
+
+A Playwright-based E2E test suite validates the full integration lifecycle against the live stack. It covers 5 areas:
+
+| Area | What it tests |
+|------|--------------|
+| Compose Health | All fixture + service containers are running and healthy |
+| Endpoint Probes | Direct HTTP to each 3rd-party service (Harbor, Gitea, Jenkins, Nexus, Vault, Registry, MinIO) |
+| Connector Lifecycle | Create integrations via API, verify auto-activation, test-connection, health-check, cleanup |
+| Advisory Sources | All 74 advisory & VEX sources report healthy |
+| UI Verification | Hub counts, per-tab list views, tab switching |
+
+**Prerequisites:**
+
+```bash
+# 1. Main stack must be running
+docker compose -f docker-compose.stella-ops.yml up -d
+
+# 2. Start integration fixtures (mock endpoints)
+docker compose -f docker-compose.integration-fixtures.yml up -d
+
+# 3. Start real 3rd-party services
+docker compose -f docker-compose.integrations.yml up -d
+
+# 4. (Optional) Start GitLab for full SCM coverage
+docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab
+```
+
+**Run the test suite:**
+
+```bash
+cd src/Web/StellaOps.Web
+
+# Run all integration tests
+E2E_RUN_ID=$(date +%s) \
+PLAYWRIGHT_BASE_URL=https://stella-ops.local \
+  npx playwright test --config=playwright.integrations.config.ts
+
+# Run a specific test group
+E2E_RUN_ID=$(date +%s) \
+PLAYWRIGHT_BASE_URL=https://stella-ops.local \
+  npx playwright test --config=playwright.integrations.config.ts \
+  --grep "Compose Health"
+
+# Run with verbose output
+E2E_RUN_ID=$(date +%s) \
+PLAYWRIGHT_BASE_URL=https://stella-ops.local \
+  npx playwright test --config=playwright.integrations.config.ts \
+  --reporter=list
+```
+
+**Environment variables:**
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `PLAYWRIGHT_BASE_URL` | `https://stella-ops.local` | Target Stella Ops instance |
+| `E2E_RUN_ID` | `run1` | Unique suffix for test integration names (avoids duplicates across runs) |
+| `STELLAOPS_ADMIN_USER` | `admin` | Login username |
+| `STELLAOPS_ADMIN_PASS` | `Admin@Stella2026!` | Login password |
+
+**Key files:**
+
+| File | Purpose |
+|------|---------|
+| `src/Web/StellaOps.Web/playwright.integrations.config.ts` | Playwright config (no dev server, live stack) |
+| `src/Web/StellaOps.Web/tests/e2e/integrations/integrations.e2e.spec.ts` | Test suite (35 tests) |
+| `src/Web/StellaOps.Web/tests/e2e/integrations/live-auth.fixture.ts` | Real OIDC login fixture |
+| `src/Web/StellaOps.Web/e2e/screenshots/integrations/` | Test screenshots |
+
+**Note:** Unlike the mocked E2E tests in `tests/e2e/` and `e2e/`, this suite performs real OIDC login and hits the live API. It requires all services to be running and healthy.
+
+---
+
 ## Regional Compliance Deployments
 
 ### China Compliance (SM2/SM3/SM4)

devops/compose/docker-compose.stella-ops.yml

@@ -2325,6 +2325,7 @@ services:
       ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
       ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
       ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
+      ADVISORYAI__AdvisoryAI__Chat__Enabled: "true"
       ADVISORYAI__AdvisoryAI__Adapters__Llm__Enabled: "${ADVISORY_AI_LLM_ADAPTERS_ENABLED:-true}"
       ADVISORYAI__AdvisoryAI__LlmProviders__ConfigDirectory: "${ADVISORY_AI_LLM_PROVIDERS_DIRECTORY:-/app/etc/llm-providers}"
       ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"

devops/compose/hosts.stellaops.local

@@ -61,3 +61,13 @@
 127.1.1.5  registry.stella-ops.local
 127.1.1.6  harbor-fixture.stella-ops.local
 127.1.1.7  github-app-fixture.stella-ops.local
+127.1.1.8  advisory-fixture.stella-ops.local
+
+# ── Third-party integration services ─────────────────────────────────────────
+127.1.2.1  gitea.stella-ops.local
+127.1.2.2  jenkins.stella-ops.local
+127.1.2.3  nexus.stella-ops.local
+127.1.2.4  vault.stella-ops.local
+127.1.2.5  oci-registry.stella-ops.local
+127.1.2.6  minio.stella-ops.local
+127.1.2.7  gitlab.stella-ops.local