feat: Add VEX Lens CI and Load Testing Plan

- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.

ops/devops/docker/Dockerfile.hardened.template

@@ -0,0 +1,53 @@
+# syntax=docker/dockerfile:1.7
+# Hardened multi-stage template for StellaOps services
+# Parameters are build-time ARGs so this file can be re-used across services.
+
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim
+ARG APP_PROJECT=src/Service/Service.csproj
+ARG CONFIGURATION=Release
+ARG PUBLISH_DIR=/app/publish
+ARG APP_USER=stella
+ARG APP_UID=10001
+ARG APP_GID=10001
+ARG APP_PORT=8080
+
+FROM ${SDK_IMAGE} AS build
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_NOLOGO=1 \
+    SOURCE_DATE_EPOCH=1704067200
+WORKDIR /src
+# Expect restore sources to be available offline via local-nugets/
+COPY . .
+RUN dotnet restore ${APP_PROJECT} --packages /src/local-nugets && \
+    dotnet publish ${APP_PROJECT} -c ${CONFIGURATION} -o ${PUBLISH_DIR} \
+      /p:UseAppHost=true /p:PublishTrimmed=false
+
+FROM ${RUNTIME_IMAGE} AS runtime
+# Create non-root user/group with stable ids for auditability
+RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
+    useradd  -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
+    mkdir -p /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp && \
+    chown -R ${APP_UID}:${APP_GID} /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp
+
+WORKDIR /app
+COPY --from=build --chown=${APP_UID}:${APP_GID} ${PUBLISH_DIR}/ ./
+# Ship healthcheck helper; callers may override with their own script
+COPY --chown=${APP_UID}:${APP_GID} ops/devops/docker/healthcheck.sh /usr/local/bin/healthcheck.sh
+
+ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
+    DOTNET_EnableDiagnostics=0 \
+    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
+    COMPlus_EnableDiagnostics=0
+
+USER ${APP_UID}:${APP_GID}
+EXPOSE ${APP_PORT}
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD /usr/local/bin/healthcheck.sh
+
+# Harden filesystem; deploys should also set readOnlyRootFilesystem true
+RUN chmod 500 /app && \
+    find /app -maxdepth 1 -type f -exec chmod 400 {} \; && \
+    find /app -maxdepth 1 -type d -exec chmod 500 {} \;
+
+ENTRYPOINT ["./StellaOps.Service"]