refactor: JobEngine cleanup + crypto compose refactor + sprint plans + timeline merge prep

- Remove zombie JobEngine WebService (no container runs it)
- Remove dangling STELLAOPS_JOBENGINE_URL, replace with RELEASE_ORCHESTRATOR_URL
- Update Timeline audit paths to release-orchestrator
- Extract smremote to docker-compose.crypto-provider.smremote.yml
- Rename crypto compose files for consistent naming
- Add crypto provider health probe API (CP-001) + tenant preferences (CP-002)
- Create sprint plans: crypto picker, VulnExplorer merge, scheduler plugins
- Timeline merge prep: ingestion worker relocated to infrastructure lib

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/docker/Dockerfile.console

@@ -188,7 +188,7 @@ server {
     # Policy gateway (strips /policy/ prefix, regex avoids colliding with
     # Angular /policy/exceptions, /policy/packs SPA routes)
     location ~ ^/policy/(api|v[0-9]+|shadow)/ {
-        set \$policy_upstream http://policy-gateway.stella-ops.local;
+        set \$policy_upstream http://policy-engine.stella-ops.local;
         rewrite ^/policy/(.*)\$ /\$1 break;
         proxy_pass \$policy_upstream;
         proxy_set_header Host \$host;
@@ -314,7 +314,7 @@ server {
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
-        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
+        sub_filter '"http://policy-engine.stella-ops.local"' '"/policy"';
         sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
         sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
         sub_filter '"http://notify.stella-ops.local"' '"/notify"';
@@ -371,7 +371,7 @@ server {
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
-        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
+        sub_filter '"http://policy-engine.stella-ops.local"' '"/policy"';
         sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
         sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
         sub_filter '"http://notify.stella-ops.local"' '"/notify"';

devops/docker/console-nginx-override.conf

@@ -37,7 +37,7 @@ server {
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
-        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
+        sub_filter '"http://policy-engine.stella-ops.local"' '"/policy"';
         sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
         sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
         sub_filter '"http://notify.stella-ops.local"' '"/notify"';
@@ -144,7 +144,7 @@ server {
 
     # Policy gateway
     location ~ ^/policy/(api|v[0-9]+)/ {
-        set $policy_upstream http://policy-gateway.stella-ops.local;
+        set $policy_upstream http://policy-engine.stella-ops.local;
         rewrite ^/policy/(.*)$ /$1 break;
         proxy_pass $policy_upstream;
     }
@@ -408,7 +408,7 @@ server {
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
-        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
+        sub_filter '"http://policy-engine.stella-ops.local"' '"/policy"';
         sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
         sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
         sub_filter '"http://notify.stella-ops.local"' '"/notify"';

devops/docker/nginx-console.conf

@@ -98,7 +98,7 @@ server {
     # Policy gateway (strips /policy/ prefix, regex avoids colliding with
     # Angular /policy/exceptions, /policy/packs SPA routes)
     location ~ ^/policy/(api|v[0-9]+)/ {
-        set $policy_upstream http://policy-gateway.stella-ops.local;
+        set $policy_upstream http://policy-engine.stella-ops.local;
         rewrite ^/policy/(.*)$ /$1 break;
         proxy_pass $policy_upstream;
         proxy_set_header Host $host;
@@ -208,7 +208,7 @@ server {
         sub_filter '"http://platform.stella-ops.local"' '"/platform"';
         sub_filter '"http://authority.stella-ops.local"' '"/authority"';
         sub_filter '"http://scanner.stella-ops.local"' '"/scanner"';
-        sub_filter '"http://policy-gateway.stella-ops.local"' '"/policy"';
+        sub_filter '"http://policy-engine.stella-ops.local"' '"/policy"';
         sub_filter '"http://concelier.stella-ops.local"' '"/concelier"';
         sub_filter '"http://attestor.stella-ops.local"' '"/attestor"';
         sub_filter '"http://notify.stella-ops.local"' '"/notify"';

devops/docker/services-matrix.env

@@ -52,10 +52,10 @@ graph-api|devops/docker/Dockerfile.hardened.template|src/Graph/StellaOps.Graph.A
 cartographer|devops/docker/Dockerfile.hardened.template|src/Scanner/StellaOps.Scanner.Cartographer/StellaOps.Scanner.Cartographer.csproj|StellaOps.Scanner.Cartographer|8080
 # ── Slot 22: ReachGraph ─────────────────────────────────────────────────────────
 reachgraph-web|devops/docker/Dockerfile.hardened.template|src/ReachGraph/StellaOps.ReachGraph.WebService/StellaOps.ReachGraph.WebService.csproj|StellaOps.ReachGraph.WebService|8080
-# ── Slot 23: Timeline Indexer ───────────────────────────────────────────────────
-timeline-indexer-web|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj|StellaOps.TimelineIndexer.WebService|8080
-timeline-indexer-worker|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj|StellaOps.TimelineIndexer.Worker|8080
-# ── Slot 24: Timeline ───────────────────────────────────────────────────────────
+# ── Slot 23: Timeline Indexer (MERGED into timeline-web in Slot 24) ────────────
+# timeline-indexer-web|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj|StellaOps.TimelineIndexer.WebService|8080
+# timeline-indexer-worker|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj|StellaOps.TimelineIndexer.Worker|8080
+# ── Slot 24: Timeline (unified: includes merged timeline-indexer) ──────────────
 timeline-web|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.Timeline.WebService/StellaOps.Timeline.WebService.csproj|StellaOps.Timeline.WebService|8080
 # ── Slot 25: Findings Ledger ────────────────────────────────────────────────────
 findings-ledger-web|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.Findings.Ledger.WebService/StellaOps.Findings.Ledger.WebService.csproj|StellaOps.Findings.Ledger.WebService|8080