consolidation of some of the modules, localization fixes, product advisories work, qa work

2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
--- a/docs/features/checked/advisoryai/advisoryai-orchestrator.md
+++ b/docs/features/checked/advisoryai/advisoryai-orchestrator.md
@@ -35,6 +35,6 @@ The AdvisoryAI module provides a chat orchestrator with session management, run

 ## Verification
 - Verified on 2026-02-11 via `run-001`.
- Tier 0: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier0-source-check.json`
- Tier 1: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier1-build-check.json`
- Tier 2: `docs/qa/feature-checks/runs/advisoryai/advisoryai-orchestrator/run-001/tier2-api-check.json`
+- Tier 0: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/advisoryai/advisoryai-jobengine/run-001/tier2-api-check.json`
--- a/docs/features/checked/jobengine/dag-planner-with-critical-path-metadata.md
+++ b/docs/features/checked/jobengine/dag-planner-with-critical-path-metadata.md
@@ -0,0 +1,35 @@
+# DAG Planner with Critical-Path Metadata
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+DAG-based job planner that computes critical-path metadata for orchestrator execution plans, enabling dependency-aware scheduling and parallel execution of independent job chains.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `DagPlanner` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/DagPlanner.cs`) - computes execution DAGs from job dependency graphs, identifies critical path, and enables parallel scheduling of independent chains
+  - `DagEdge` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/DagEdge.cs`) - edge model representing dependencies between jobs in the execution DAG
+  - `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on DAG planner output, respecting dependency ordering
+  - `JobStateMachine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobStateMachine.cs`) - state machine governing job lifecycle transitions within the DAG execution
+  - `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with status, dependencies, and scheduling metadata
+  - `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - enum defining job lifecycle states
+  - `JobHistory` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobHistory.cs`) - historical record of job state transitions
+  - `DagEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/DagEndpoints.cs`) - REST API for querying DAG execution plans
+  - `DagContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/DagContracts.cs`) - API contracts for DAG responses
+- **Interfaces**: `IDagEdgeRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IDagEdgeRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Create a DAG with 5 jobs (A->B->C, A->D->E) and verify `DagPlanner` identifies A as the root and C/E as leaves
+- [ ] Verify critical path computation: the longest dependency chain (A->B->C or A->D->E) is marked as the critical path
+- [ ] Schedule the DAG via `JobScheduler` and verify B and D execute in parallel after A completes
+- [ ] Add a new dependency (D->C) creating a diamond DAG and verify the critical path updates
+- [ ] Query the DAG via `DagEndpoints` and verify the response includes all edges, critical path markers, and parallel groups
+- [ ] Create a cyclic DAG (A->B->A) and verify `DagPlanner` rejects it with a cycle detection error
+- [ ] Verify DAG metadata: each job node in the `DagContracts` response includes estimated duration and dependency count
+- [ ] Schedule a DAG with one failed job and verify `JobStateMachine` marks downstream dependencies as blocked
--- a/docs/features/checked/jobengine/event-fan-out.md
+++ b/docs/features/checked/jobengine/event-fan-out.md
@@ -0,0 +1,35 @@
+# Event Fan-Out (SSE/Streaming)
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+Job and pack-run streaming coordinators with stream payload models for real-time SSE event delivery.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/`
+- **Key Classes**:
+  - `JobStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/JobStreamCoordinator.cs`) - coordinates SSE streaming for job lifecycle events to connected clients
+  - `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates streaming for pack-run execution events
+  - `RunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/RunStreamCoordinator.cs`) - coordinates streaming for individual run events
+  - `SseWriter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/SseWriter.cs`) - writes Server-Sent Events to HTTP response streams
+  - `StreamOptions` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamOptions.cs`) - configuration for stream connections (heartbeat interval, buffer size, timeout)
+  - `StreamPayloads` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamPayloads.cs`) - typed payload models for stream events (job progress, pack-run status, log lines)
+  - `StreamEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE stream subscription
+  - `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope wrapping domain events for streaming
+  - `OrchestratorEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete event publisher routing events to stream coordinators
+- **Interfaces**: `IEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/IEventPublisher.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Subscribe to the job stream via `StreamEndpoints` and trigger a job; verify SSE events are received for each state transition
+- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify progress events include step index, status, and log lines
+- [ ] Verify heartbeat: subscribe to a stream and wait without events; confirm heartbeat events arrive at the `StreamOptions` configured interval
+- [ ] Subscribe with two clients to the same job stream and verify both receive identical events (fan-out via `JobStreamCoordinator`)
+- [ ] Disconnect a client mid-stream and verify the stream coordinator cleans up the connection without affecting other subscribers
+- [ ] Trigger a rapid sequence of events and verify `SseWriter` delivers them in order without drops
+- [ ] Verify stream payloads: each event contains a typed payload matching the `StreamPayloads` model
+- [ ] Test stream timeout: idle for longer than `StreamOptions.Timeout` and verify the connection closes gracefully
--- a/docs/features/checked/jobengine/export-job-service.md
+++ b/docs/features/checked/jobengine/export-job-service.md
@@ -0,0 +1,33 @@
+# Export Job Service
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+Export job management with service and domain model for orchestrated export operations.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Services/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/`
+- **Key Classes**:
+  - `ExportJobService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Services/ExportJobService.cs`) - manages export job lifecycle: creation, scheduling, execution tracking, and completion
+  - `ExportJob` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJob.cs`) - export job entity with status, target, format, and schedule
+  - `ExportJobPolicy` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJobPolicy.cs`) - policy controlling export permissions and constraints
+  - `ExportJobTypes` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportJobTypes.cs`) - enumeration of supported export types (evidence pack, audit report, snapshot)
+  - `ExportSchedule` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Export/ExportSchedule.cs`) - scheduling configuration for recurring exports
+  - `LedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/LedgerExporter.cs`) - exports audit ledger data for compliance and audit
+  - `ExportJobEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/ExportJobEndpoints.cs`) - REST API for creating, querying, and managing export jobs
+- **Interfaces**: `ILedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/ILedgerExporter.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Create an export job via `ExportJobEndpoints` with type=evidence_pack and verify it is persisted with status=Pending
+- [ ] Execute the export job via `ExportJobService` and verify status transitions: Pending -> Running -> Completed
+- [ ] Verify export policy enforcement: create an export job with a restricted type and verify `ExportJobPolicy` rejects it
+- [ ] Schedule a recurring export via `ExportSchedule` and verify the next execution is computed correctly
+- [ ] Export audit ledger data via `LedgerExporter` and verify the output contains all entries within the specified time range
+- [ ] Create an export job with retention policy and verify completed exports are cleaned up after expiry
+- [ ] Query export jobs via `ExportJobEndpoints` with status filter and verify pagination works correctly
+- [ ] Test export failure: simulate an export error and verify the job transitions to Failed with error details
--- a/docs/features/checked/jobengine/job-lifecycle-state-machine.md
+++ b/docs/features/checked/jobengine/job-lifecycle-state-machine.md
@@ -0,0 +1,37 @@
+# Job Lifecycle State Machine
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+Job scheduling with Postgres-backed job repository, event envelope domain model, and air-gap compatible scheduling tests.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`
+- **Key Classes**:
+  - `JobStateMachine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobStateMachine.cs`) - finite state machine governing job lifecycle transitions (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled)
+  - `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on state machine rules and DAG dependencies
+  - `RetryPolicy` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/RetryPolicy.cs`) - configurable retry policy for failed jobs (max retries, backoff strategy)
+  - `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with current status, attempts, and metadata
+  - `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - enum defining all valid job states
+  - `JobHistory` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobHistory.cs`) - historical record of all state transitions with timestamps
+  - `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope emitted on state transitions
+  - `TimelineEvent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
+  - `TimelineEventEmitter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on state transitions
+  - `JobEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/JobEndpoints.cs`) - REST API for job management
+  - `JobContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/JobContracts.cs`) - API contracts for job operations
+- **Interfaces**: `IJobRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobRepository.cs`), `IJobHistoryRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobHistoryRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Create a job via `JobEndpoints` and verify initial state is Pending
+- [ ] Schedule the job via `JobScheduler` and verify state transition: Pending -> Scheduled, with `TimelineEvent` emitted
+- [ ] Start the job and verify `JobStateMachine` transition: Scheduled -> Running
+- [ ] Complete the job and verify transition: Running -> Completed with completion timestamp in `JobHistory`
+- [ ] Fail the job and verify transition: Running -> Failed with retry attempt incremented
+- [ ] Verify `RetryPolicy`: fail a job with max_retries=3 and verify it re-enters Scheduled up to 3 times before terminal failure
+- [ ] Attempt an invalid transition (e.g., Completed -> Running) and verify `JobStateMachine` rejects it
+- [ ] Verify air-gap scheduling: schedule a job in sealed mode and verify it does not attempt network egress
--- a/docs/features/checked/jobengine/jobengine-admin-quota-controls.md
+++ b/docs/features/checked/jobengine/jobengine-admin-quota-controls.md
@@ -0,0 +1,35 @@
+# Orchestrator Admin Quota Controls (orch:quota, orch:backfill)
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+New `orch:quota` and `orch:backfill` scopes with mandatory reason/ticket fields. Token requests must include `quota_reason`/`backfill_reason` and optionally `quota_ticket`/`backfill_ticket`. Authority persists these as claims and audit properties for traceability of capacity-affecting operations.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota entity with limits, current usage, and allocation metadata
+  - `BackfillRequest` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/BackfillRequest.cs`) - backfill request model with reason, ticket, and scope
+  - `BackfillManager` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/BackfillManager.cs`) - manages backfill operations with duplicate suppression and event time window tracking
+  - `DuplicateSuppressor` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/DuplicateSuppressor.cs`) - prevents duplicate backfill requests within a time window
+  - `EventTimeWindow` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Backfill/EventTimeWindow.cs`) - time window for backfill event deduplication
+  - `QuotaEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota management (view, adjust, allocate)
+  - `QuotaContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
+  - `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry capturing quota/backfill actions with reason and ticket
+  - `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - resolves tenant context for quota scoping
+- **Interfaces**: `IQuotaRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IQuotaRepository.cs`), `IBackfillRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IBackfillRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Request a quota adjustment via `QuotaEndpoints` with `quota_reason` and `quota_ticket`; verify the adjustment is applied and audited in `AuditEntry`
+- [ ] Attempt a quota adjustment without `quota_reason` and verify it is rejected with a 400 error
+- [ ] Request a backfill via `BackfillManager` with `backfill_reason` and verify the backfill is initiated
+- [ ] Submit a duplicate backfill request within the `EventTimeWindow` and verify `DuplicateSuppressor` rejects it
+- [ ] Verify audit trail: check the `AuditEntry` for the quota adjustment and confirm reason and ticket are captured
+- [ ] Query current quota usage via `QuotaEndpoints` and verify limits and current usage are returned
+- [ ] Adjust quota beyond the maximum limit and verify the operation is rejected by policy
+- [ ] Verify tenant scoping via `TenantResolver`: adjust quota for tenant A and verify tenant B's quota is unchanged
--- a/docs/features/checked/jobengine/jobengine-audit-ledger.md
+++ b/docs/features/checked/jobengine/jobengine-audit-ledger.md
@@ -0,0 +1,39 @@
+# Orchestrator Audit Ledger
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+Append-only audit ledger tracking all orchestrator job lifecycle state changes, rate-limit decisions, and dead-letter events with tenant-scoped isolation.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry model with action type, actor, tenant, timestamp, and metadata
+  - `RunLedger` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/RunLedger.cs`) - run-level ledger tracking execution history
+  - `SignedManifest` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/SignedManifest.cs`) - signed manifest for tamper-evident ledger export
+  - `LedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/LedgerExporter.cs`) - exports ledger data for compliance and audit
+  - `AuditEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying audit ledger entries
+  - `LedgerEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/LedgerEndpoints.cs`) - REST API for ledger export and querying
+  - `AuditLedgerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts for audit responses
+  - `DeadLetterEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/DeadLetterEntry.cs`) - dead-letter entry in the audit trail
+  - `DeadLetterNotifier` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/DeadLetterNotifier.cs`) - notifies on dead-letter events
+  - `ErrorClassification` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/ErrorClassification.cs`) - classifies errors for dead-letter categorization
+  - `ReplayManager` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/ReplayManager.cs`) - manages replay of dead-letter entries
+  - `DeadLetterEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/DeadLetterEndpoints.cs`) - REST API for dead-letter management
+  - `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - ensures tenant-scoped audit isolation
+- **Interfaces**: `ILedgerExporter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Ledger/ILedgerExporter.cs`), `IAuditRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IAuditRepository.cs`), `IDeadLetterRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/DeadLetter/IDeadLetterRepository.cs`), `ILedgerRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/ILedgerRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Trigger a job state transition and verify an `AuditEntry` is created in the ledger with action type, actor, and timestamp
+- [ ] Query the audit ledger via `AuditEndpoints` with a time range filter and verify only matching entries are returned
+- [ ] Verify tenant isolation via `TenantResolver`: create audit entries for two tenants and verify each tenant only sees their own entries
+- [ ] Trigger a dead-letter event and verify it appears in both the `DeadLetterEntry` store and the audit ledger
+- [ ] Export the audit ledger via `LedgerExporter` and verify the export contains all entries within the specified range
+- [ ] Replay a dead-letter entry via `ReplayManager` and verify the replay action is also audited
+- [ ] Verify `ErrorClassification` categorizes different error types correctly (transient, permanent, unknown)
+- [ ] Query dead-letter entries via `DeadLetterEndpoints` and verify pagination and filtering work
--- a/docs/features/checked/jobengine/jobengine-event-envelopes-with-sse-websocket-streaming.md
+++ b/docs/features/checked/jobengine/jobengine-event-envelopes-with-sse-websocket-streaming.md
@@ -0,0 +1,40 @@
+# Orchestrator Event Envelopes with SSE/WebSocket Streaming
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+Typed event envelope system with SSE and WebSocket streaming for real-time orchestrator job progress, enabling live UI updates and CLI monitoring of pack-run execution.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/`
+- **Key Classes**:
+  - `EventEnvelope` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope with event type, payload, timestamp, and correlation ID
+  - `EventEnvelope` (legacy) (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/EventEnvelope.cs`) - legacy event envelope model
+  - `TimelineEvent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
+  - `TimelineEventEmitter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on domain actions
+  - `OrchestratorEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete publisher routing events to stream coordinators
+  - `EventEnvelopeHasher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/EventEnvelopeHasher.cs`) - hashes event envelopes for integrity verification
+  - `CanonicalJsonHasher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Hashing/CanonicalJsonHasher.cs`) - canonical JSON hashing for deterministic event hashes
+  - `SseWriter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/SseWriter.cs`) - Server-Sent Events writer
+  - `JobStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/JobStreamCoordinator.cs`) - job event stream coordinator
+  - `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - pack-run stream coordinator
+  - `RunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/RunStreamCoordinator.cs`) - run-level stream coordinator
+  - `StreamEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE subscriptions
+  - `StreamOptions` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamOptions.cs`) - stream configuration
+  - `StreamPayloads` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/StreamPayloads.cs`) - typed event payloads
+- **Interfaces**: `IEventPublisher` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/IEventPublisher.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Create an `EventEnvelope` with type=job_completed and payload; verify it is hashed via `EventEnvelopeHasher` and the hash is deterministic
+- [ ] Publish an event via `OrchestratorEventPublisher` and verify it reaches the `JobStreamCoordinator`
+- [ ] Subscribe to SSE via `StreamEndpoints` and verify events arrive as formatted SSE messages (data: + newline)
+- [ ] Verify canonical hashing: create two identical events and verify `CanonicalJsonHasher` produces identical hashes
+- [ ] Subscribe to pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify real-time progress events include step index and status
+- [ ] Verify `StreamOptions`: configure heartbeat interval and verify heartbeats arrive at the configured cadence
+- [ ] Publish 100 events rapidly and verify `SseWriter` delivers all of them in order
+- [ ] Verify event envelope correlation: publish events with the same correlation ID and verify they can be filtered by correlation
--- a/docs/features/checked/jobengine/jobengine-golden-signals-observability.md
+++ b/docs/features/checked/jobengine/jobengine-golden-signals-observability.md
@@ -0,0 +1,44 @@
+# Orchestrator Golden Signals Observability
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+Built-in golden signal metrics (latency, traffic, errors, saturation) for orchestrator job execution, with timeline event emission and job capsule provenance tracking.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`
+- **Key Classes**:
+  - `OrchestratorGoldenSignals` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - golden signal metrics: latency (p50/p95/p99), traffic (requests/sec), errors (error rate), saturation (queue depth, CPU, memory)
+  - `OrchestratorMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorMetrics.cs`) - OpenTelemetry metrics registration for orchestrator operations
+  - `IncidentModeHooks` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Observability/IncidentModeHooks.cs`) - hooks triggered when golden signals breach thresholds, activating incident mode
+  - `JobAttestationService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobAttestationService.cs`) - generates attestations for job execution with provenance data
+  - `JobAttestation` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobAttestation.cs`) - attestation model for a completed job
+  - `JobCapsule` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobCapsule.cs`) - capsule containing job execution evidence (inputs, outputs, metrics)
+  - `JobCapsuleGenerator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobCapsuleGenerator.cs`) - generates job capsules from execution data
+  - `JobRedactionGuard` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/JobRedactionGuard.cs`) - redacts sensitive data from job capsules before attestation
+  - `SnapshotHook` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Evidence/SnapshotHook.cs`) - hook capturing execution state snapshots at key points
+  - `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics for auto-scaling decisions
+  - `KpiEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/KpiEndpoints.cs`) - REST endpoints for KPI/metrics queries
+  - `HealthEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/HealthEndpoints.cs`) - health check endpoints
+- **Interfaces**: None (uses concrete implementations)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Execute a job and verify `OrchestratorGoldenSignals` records latency, traffic, and error metrics
+- [ ] Verify golden signal latency: execute 10 jobs with varying durations and verify p50/p95/p99 percentiles are computed correctly
+- [ ] Trigger an error threshold breach and verify `IncidentModeHooks` activates incident mode
+- [ ] Generate a `JobCapsule` via `JobCapsuleGenerator` and verify it contains job inputs, outputs, and execution metrics
+- [ ] Verify redaction: include sensitive data in job inputs and verify `JobRedactionGuard` removes it from the capsule
+- [ ] Generate a `JobAttestation` via `JobAttestationService` and verify it contains the capsule hash and provenance data
+- [ ] Query KPI metrics via `KpiEndpoints` and verify golden signal data is returned
+- [ ] Verify `HealthEndpoints` report healthy when golden signals are within thresholds
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-golden-signals-observability/run-002/tier2-integration-check.json`
--- a/docs/features/checked/jobengine/jobengine-operator-scope-with-audit-metadata.md
+++ b/docs/features/checked/jobengine/jobengine-operator-scope-with-audit-metadata.md
@@ -0,0 +1,39 @@
+# Orchestrator Operator Scope with Audit Metadata
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+New `orch:operate` scope and `Orch.Operator` role requiring explicit `operator_reason` and `operator_ticket` parameters on token requests. Authority enforces these fields and captures them as audit properties, giving SecOps traceability for every orchestrator control action.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `AuditEntry` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AuditEntry.cs`) - audit entry capturing operator actions with reason and ticket metadata
+  - `TenantResolver` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/TenantResolver.cs`) - resolves tenant and operator context from token claims
+  - `AuditEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying operator audit trail
+  - `AuditLedgerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts including operator metadata
+  - `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota model with operator attribution
+  - `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job model with operator tracking
+  - `DeprecationHeaders` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Services/DeprecationHeaders.cs`) - deprecation header support for versioned operator APIs
+- **Interfaces**: `IAuditRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IAuditRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Request a token with `orch:operate` scope, `operator_reason="maintenance"`, and `operator_ticket="TICKET-123"`; verify the token is issued
+- [ ] Perform an operator action (e.g., cancel a job) with the scoped token; verify an `AuditEntry` captures the operator_reason and operator_ticket
+- [ ] Attempt an operator action without `operator_reason` and verify it is rejected with a 400 error
+- [ ] Query the audit trail via `AuditEndpoints` and filter by operator_ticket; verify matching entries are returned
+- [ ] Verify operator scope enforcement: use a token without `orch:operate` scope and verify operator actions are forbidden (403)
+- [ ] Perform multiple operator actions and verify each generates a separate `AuditEntry` with correct metadata
+- [ ] Verify tenant scoping via `TenantResolver`: operator actions for tenant A are not visible in tenant B's audit trail
+- [ ] Verify audit entry immutability: attempt to modify an existing `AuditEntry` and verify it is rejected
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-operator-scope-with-audit-metadata/run-002/tier2-integration-check.json`
--- a/docs/features/checked/jobengine/jobengine-worker-sdks.md
+++ b/docs/features/checked/jobengine/jobengine-worker-sdks.md
@@ -0,0 +1,46 @@
+# Orchestrator Worker SDKs (Go and Python)
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+Multi-language Worker SDKs enabling external workers to participate in orchestrator job execution via Go and Python clients, with examples and structured API packages.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/`, `src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `client.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/client.go`) - Go SDK client for worker communication
+  - `config.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/config.go`) - Go SDK configuration
+  - `artifact.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/artifact.go`) - artifact handling in Go SDK
+  - `backfill.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/backfill.go`) - backfill support in Go SDK
+  - `retry.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/retry.go`) - retry logic in Go SDK
+  - `errors.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/pkg/workersdk/errors.go`) - error types in Go SDK
+  - `transport.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/internal/transport/transport.go`) - HTTP transport layer for Go SDK
+  - `main.go` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Go/examples/smoke/main.go`) - smoke test example worker
+  - `client.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/client.py`) - Python SDK client
+  - `config.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/config.py`) - Python SDK configuration
+  - `backfill.py` (`src/JobEngine/StellaOps.JobEngine.WorkerSdk.Python/stellaops_orchestrator_worker/backfill.py`) - Python backfill support
+  - `WorkerEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/WorkerEndpoints.cs`) - REST API for worker registration and job assignment
+  - `WorkerContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/WorkerContracts.cs`) - API contracts for worker communication
+  - `Worker` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Worker/Worker.cs`) - .NET worker implementation
+- **Interfaces**: None (SDK clients are standalone)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Register a Go worker via `WorkerEndpoints` and verify it receives a job assignment
+- [ ] Execute a job with the Go worker SDK `client.go` and verify results are reported back via the API
+- [ ] Register a Python worker via `client.py` and verify it receives a job assignment
+- [ ] Verify Go SDK retry: configure `retry.go` policy and simulate a transient failure; verify the SDK retries and succeeds
+- [ ] Verify artifact handling: upload an artifact via `artifact.go` and verify it is persisted
+- [ ] Verify backfill: trigger a backfill via `backfill.py` and verify it processes historical events
+- [ ] Verify Go SDK error types: trigger different error conditions and verify `errors.go` returns appropriate error types
+- [ ] Run the Go smoke test example `main.go` and verify it completes successfully against the orchestrator API
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk (Go SDK, Python SDK, .NET endpoints).
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/orchestrator-worker-sdks/run-002/tier2-integration-check.json`
--- a/docs/features/checked/jobengine/network-intent-validator.md
+++ b/docs/features/checked/jobengine/network-intent-validator.md
@@ -0,0 +1,36 @@
+# Network Intent Validator (Air-Gap Orchestrator Controls)
+
+## Module
+Orchestrator
+
+## Status
+IMPLEMENTED
+
+## Description
+NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/`
+- **Key Classes**:
+  - `NetworkIntentValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/NetworkIntentValidator.cs`) - validates job network intent against air-gap policy, blocking egress requests in sealed mode
+  - `StalenessValidator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/AirGap/StalenessValidator.cs`) - validates data freshness in air-gapped environments, ensuring cached data is within acceptable staleness bounds
+  - `NetworkIntent` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/NetworkIntent.cs`) - declares the network intent of a job (egress, ingress, local-only)
+  - `SealingStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/SealingStatus.cs`) - enum for air-gap sealing state (Sealed, Unsealed, Transitioning)
+  - `StalenessConfig` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessConfig.cs`) - configuration for acceptable data staleness in air-gap mode
+  - `StalenessValidationResult` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/StalenessValidationResult.cs`) - result of staleness validation
+  - `BundleProvenance` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/AirGap/BundleProvenance.cs`) - provenance tracking for air-gap bundles
+  - `MirrorBundle` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorBundle.cs`) - bundle model for offline mirror operations
+  - `MirrorJobTypes` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorJobTypes.cs`) - types of mirror jobs (sync, verify, prune)
+  - `MirrorOperationRecorder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Mirror/MirrorOperationRecorder.cs`) - records mirror operations for audit trail
+- **Interfaces**: None (uses concrete implementations)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Set `SealingStatus` to Sealed and submit a job with egress intent; verify `NetworkIntentValidator` rejects it
+- [ ] Set `SealingStatus` to Unsealed and submit a job with egress intent; verify it is allowed
+- [ ] Validate staleness: set `StalenessConfig` max staleness to 24 hours and verify data older than 24 hours is rejected by `StalenessValidator`
+- [ ] Create a mirror job with type=sync and verify `MirrorOperationRecorder` records the operation
+- [ ] Verify bundle provenance: create a `MirrorBundle` and verify `BundleProvenance` captures origin, sync timestamp, and hash
+- [ ] Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked
+- [ ] Submit a local-only `NetworkIntent` job in sealed mode and verify it is allowed
+- [ ] Verify staleness config: set different staleness thresholds per data type in `StalenessConfig` and verify per-type enforcement
--- a/docs/features/checked/jobengine/pack-run-bridge.md
+++ b/docs/features/checked/jobengine/pack-run-bridge.md
@@ -0,0 +1,43 @@
+# Pack-Run Bridge (TaskRunner Integration)
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+Pack-run integration with Postgres repository, API endpoints, stream coordinator for log/artifact streaming, and domain model.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/`
+- **Key Classes**:
+  - `Pack` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Pack.cs`) - pack entity containing a set of jobs to execute as a unit
+  - `PackRun` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/PackRun.cs`) - pack-run entity tracking execution of a pack instance
+  - `PackRunLog` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/PackRunLog.cs`) - log entries for pack-run execution
+  - `PackRunStreamCoordinator` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates real-time streaming of pack-run logs and artifacts
+  - `PackRunEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/PackRunEndpoints.cs`) - REST API for creating, querying, and managing pack runs
+  - `PackRegistryEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/PackRegistryEndpoints.cs`) - REST API for pack registration and versioning
+  - `PackRunContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/PackRunContracts.cs`) - API contracts for pack-run operations
+  - `PackRegistryContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/PackRegistryContracts.cs`) - API contracts for pack registry
+  - `Run` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Run.cs`) - individual run within a pack execution
+  - `RunEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/RunEndpoints.cs`) - REST API for run management
+  - `RunContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/RunContracts.cs`) - API contracts for run operations
+- **Interfaces**: `IPackRunRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IPackRunRepository.cs`), `IPackRegistryRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IPackRegistryRepository.cs`), `IRunRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IRunRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Register a pack via `PackRegistryEndpoints` with 3 jobs and verify it is persisted with version 1
+- [ ] Create a pack run via `PackRunEndpoints` and verify it starts executing the pack's jobs
+- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and verify real-time log entries arrive as jobs execute
+- [ ] Verify pack-run completion: all 3 jobs complete and the `PackRun` transitions to Completed
+- [ ] Verify pack versioning: update a pack and verify `PackRegistryEndpoints` creates version 2 while preserving version 1
+- [ ] Query `PackRunLog` entries via the API and verify all log entries are returned in chronological order
+- [ ] Fail one job in a pack run and verify the pack run reports partial failure
+- [ ] Create multiple pack runs concurrently and verify they execute independently
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/pack-run-bridge/run-002/tier2-integration-check.json`
--- a/docs/features/checked/jobengine/quota-governance-and-circuit-breakers.md
+++ b/docs/features/checked/jobengine/quota-governance-and-circuit-breakers.md
@@ -0,0 +1,43 @@
+# Quota Governance and Circuit Breakers
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+Quota governance services with cross-tenant allocation policies and circuit breaker automation for downstream service failure protection, integrated with rate limiting and load shedding.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/`
+- **Key Classes**:
+  - `QuotaGovernanceService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Services/QuotaGovernanceService.cs`) - cross-tenant quota allocation with 5 strategies (unlimited, proportional, priority, reserved, max-limit)
+  - `CircuitBreakerService` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Services/CircuitBreakerService.cs`) - circuit breaker with Closed/Open/HalfOpen state transitions
+  - `Quota` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Quota.cs`) - quota entity with limits and allocation
+  - `QuotaEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota queries and adjustments
+  - `QuotaContracts` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
+  - `Throttle` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Throttle.cs`) - throttle configuration for rate limiting
+  - `AdaptiveRateLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/AdaptiveRateLimiter.cs`) - adaptive rate limiting based on system load
+  - `ConcurrencyLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job execution
+  - `BackpressureHandler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/BackpressureHandler.cs`) - backpressure signaling
+  - `LoadShedder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/LoadShedder.cs`) - load shedding under saturation
+  - `PostgresQuotaRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Postgres/PostgresQuotaRepository.cs`) - Postgres-backed quota storage
+  - `PostgresThrottleRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Postgres/PostgresThrottleRepository.cs`) - Postgres-backed throttle storage
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Configure a quota policy with proportional allocation and verify QuotaGovernanceService distributes capacity across tenants
+- [ ] Request quota above max limit and verify the request is capped
+- [ ] Pause a tenant and verify quota requests are denied
+- [ ] Trigger circuit breaker by exceeding failure threshold and verify downstream requests are blocked
+- [ ] Verify circuit breaker recovery: wait for timeout, verify HalfOpen state, send success to close
+- [ ] Force-open and force-close the circuit breaker and verify state changes
+- [ ] Test concurrent access to circuit breaker and verify thread safety
+- [ ] Verify all 5 allocation strategies produce correct quota distributions
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/quota-governance-and-circuit-breakers/run-002/tier2-integration-check.json`
--- a/docs/features/checked/jobengine/skip-locked-queue-pattern.md
+++ b/docs/features/checked/jobengine/skip-locked-queue-pattern.md
@@ -0,0 +1,42 @@
+# SKIP LOCKED Queue Pattern
+
+## Module
+Orchestrator
+
+## Status
+VERIFIED
+
+## Description
+SKIP LOCKED queue pattern is used in Scheduler and Orchestrator job repositories for reliable work distribution.
+
+## Implementation Details
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/`
+- **Key Classes**:
+  - `JobScheduler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scheduling/JobScheduler.cs`) - job scheduler using PostgreSQL `SELECT ... FOR UPDATE SKIP LOCKED` for concurrent job dequeuing without contention
+  - `Job` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Job.cs`) - job entity with status field used for queue filtering
+  - `JobStatus` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/JobStatus.cs`) - job states used in queue queries (Pending jobs are available for dequeuing)
+  - `Watermark` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Watermark.cs`) - watermark tracking for ordered processing
+  - `AdaptiveRateLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/AdaptiveRateLimiter.cs`) - rate limiter that adjusts based on queue depth and processing speed
+  - `ConcurrencyLimiter` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job processing
+  - `TokenBucket` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/TokenBucket.cs`) - token bucket rate limiter for smooth job distribution
+  - `BackpressureHandler` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/RateLimiting/BackpressureHandler.cs`) - applies backpressure when queue depth exceeds thresholds
+  - `LoadShedder` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/LoadShedder.cs`) - sheds load when system is saturated
+  - `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics for monitoring queue depth and throughput
+- **Interfaces**: `IJobRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IJobRepository.cs`), `IWatermarkRepository` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Repositories/IWatermarkRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Enqueue 10 jobs and dequeue from 3 concurrent workers using SKIP LOCKED via `JobScheduler`; verify each job is assigned to exactly one worker
+- [ ] Verify no contention: dequeue rapidly from 5 workers and verify no blocking or deadlocks occur
+- [ ] Verify job visibility: a job locked by worker A is not visible to worker B during dequeue
+- [ ] Complete a locked job and verify it is no longer in the queue
+- [ ] Verify `AdaptiveRateLimiter`: increase queue depth and verify the rate limiter increases throughput
+- [ ] Verify `BackpressureHandler`: fill the queue beyond the threshold and verify backpressure is signaled to producers
+- [ ] Verify `LoadShedder`: saturate the system and verify new jobs are rejected with a 503 response
+- [ ] Test `TokenBucket`: configure a rate of 10 jobs/second and verify the bucket enforces the limit
+
+## Verification
+- Verified on 2026-02-13 via `run-002`.
+- Tier 0: Source files confirmed present on disk.
+- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/skip-locked-queue-pattern/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/slo-burn-rate-computation-and-alert-budget-tracking.md
+++ b/docs/features/checked/orchestrator/slo-burn-rate-computation-and-alert-budget-tracking.md
@@ -10,14 +10,14 @@ VERIFIED
 SLO burn-rate computation for orchestrator operations with configurable alert budgets, enabling proactive capacity and reliability management.

 ## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/SloManagement/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`
+- **Modules**: `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/SloManagement/`, `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/`
 - **Key Classes**:
-  - `BurnRateEngine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/SloManagement/BurnRateEngine.cs`) - computes SLO burn rate from error budget consumption over rolling windows (1h, 6h, 24h, 30d)
-  - `Slo` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Slo.cs`) - SLO entity with target (e.g., 99.9%), error budget, and current burn rate
-  - `SloEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/SloEndpoints.cs`) - REST API for SLO queries and burn rate dashboards
-  - `IncidentModeHooks` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Observability/IncidentModeHooks.cs`) - activates incident mode when burn rate exceeds alert thresholds
-  - `OrchestratorGoldenSignals` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - provides underlying error/latency data for SLO computation
-  - `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics feeding SLO saturation signals
+  - `BurnRateEngine` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/SloManagement/BurnRateEngine.cs`) - computes SLO burn rate from error budget consumption over rolling windows (1h, 6h, 24h, 30d)
+  - `Slo` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Slo.cs`) - SLO entity with target (e.g., 99.9%), error budget, and current burn rate
+  - `SloEndpoints` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/Endpoints/SloEndpoints.cs`) - REST API for SLO queries and burn rate dashboards
+  - `IncidentModeHooks` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Observability/IncidentModeHooks.cs`) - activates incident mode when burn rate exceeds alert thresholds
+  - `OrchestratorGoldenSignals` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - provides underlying error/latency data for SLO computation
+  - `ScaleMetrics` (`src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Scale/ScaleMetrics.cs`) - metrics feeding SLO saturation signals
 - **Interfaces**: None (uses concrete implementations)
 - **Source**: Feature matrix scan

@@ -35,4 +35,4 @@ SLO burn-rate computation for orchestrator operations with configurable alert bu
 - Verified on 2026-02-13 via `run-002`.
 - Tier 0: Source files confirmed present on disk.
 - Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/slo-burn-rate-computation-and-alert-budget-tracking/run-002/tier2-integration-check.json`
+- Tier 2d: `docs/qa/feature-checks/runs/jobengine/slo-burn-rate-computation-and-alert-budget-tracking/run-002/tier2-integration-check.json`
--- a/docs/features/checked/libraries/advisory-lens.md
+++ b/docs/features/checked/libraries/advisory-lens.md
@@ -4,17 +4,17 @@
 __Libraries

 ## Status
-VERIFIED
+ARCHIVED (2026-03-04) — Zero production consumers. Source preserved at `src/__Libraries/_archived/StellaOps.AdvisoryLens/`.

 ## Description
 Contextual copilot library that learns from organizational data to surface explainable suggestions. Core library provides semantic case matching engine (`StellaOps.AdvisoryLens`).

 ## Implementation Details
- **AdvisoryLensService**: `src/__Libraries/StellaOps.AdvisoryLens/Services/AdvisoryLensService.cs` -- main service implementing `IAdvisoryLensService`
- **CaseMatcher**: `src/__Libraries/StellaOps.AdvisoryLens/Matching/CaseMatcher.cs` -- semantic case matching engine
- **Models**: `src/__Libraries/StellaOps.AdvisoryLens/Models/` -- `AdvisoryCase.cs`, `CasePattern.cs`, `LensContext.cs`, `LensHint.cs`, `LensResult.cs`, `LensSuggestion.cs`
- **DI Registration**: `src/__Libraries/StellaOps.AdvisoryLens/DependencyInjection/ServiceCollectionExtensions.cs`
- **Tests**: `src/__Libraries/__Tests/StellaOps.AdvisoryLens.Tests/` (19 tests passing)
+- **AdvisoryLensService**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Services/AdvisoryLensService.cs` -- main service implementing `IAdvisoryLensService`
+- **CaseMatcher**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Matching/CaseMatcher.cs` -- semantic case matching engine
+- **Models**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/Models/` -- `AdvisoryCase.cs`, `CasePattern.cs`, `LensContext.cs`, `LensHint.cs`, `LensResult.cs`, `LensSuggestion.cs`
+- **DI Registration**: `src/__Libraries/_archived/StellaOps.AdvisoryLens/DependencyInjection/ServiceCollectionExtensions.cs`
+- **Tests**: `src/__Libraries/_archived/StellaOps.AdvisoryLens.Tests/` (19 tests passing)
 - **Source**: Feature matrix scan

 ## E2E Test Plan
--- a/docs/features/checked/libraries/unified-deterministic-resolver.md
+++ b/docs/features/checked/libraries/unified-deterministic-resolver.md
@@ -4,16 +4,16 @@
 __Libraries

 ## Status
-VERIFIED
+ARCHIVED (2026-03-04) — Zero production consumers. Source preserved at `src/__Libraries/_archived/StellaOps.Resolver/`.

 ## Description
 Full deterministic resolver with 4-phase resolution (validate, order, evaluate, digest), immutable evidence graph with content-addressed GraphDigest, Tarjan's SCC cycle detection, implicit data detection, and integration with trust lattice engine. Guarantees pure evaluation with no IO in the compute phase.

 ## Implementation Details
- **DeterministicResolver**: `src/__Libraries/StellaOps.Resolver/DeterministicResolver.cs` -- `ResolveAsync(graph, evaluator, context)` orchestrates 4-phase resolution: Phase 1 `Validate(graph)` runs cycle detection and implicit data detection; Phase 2 `OrderNodes(graph)` produces deterministic topological ordering; Phase 3 `EvaluatePure(orderedNodes, evaluator, context)` evaluates each node with predecessor verdicts (no IO); Phase 4 computes final resolution digest from all node verdicts; uses `PureEvaluationContext` to enforce runtime purity
- **EvidenceGraph**: `src/__Libraries/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with sorted `Nodes` (IReadOnlyList<EvidenceNode>) and `Edges` (IReadOnlyList<EvidenceEdge>); `GraphDigest` (content-addressed via `CanonicalJsonSerializer.SerializeWithDigest`); `AddNode(node)` and `AddEdge(edge)` return new immutable instances; nodes and edges sorted for deterministic digest
- **GraphValidation**: `src/__Libraries/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining `TarjanCycleDetector` (Tarjan's SCC algorithm with `IsCycleCut` edge exclusion) and `DefaultImplicitDataDetector` (detects dangling edges, duplicate IDs); `TarjanCycleDetector` uses index/lowlink tracking, stack-based DFS, reports strongly connected components with >1 node as cycles
- **RuntimePurity**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `PureEvaluationContext` with `CreateStrict()` (all prohibited accessors) and `Create(injectedNow, envVars)` (deterministic providers); `ProhibitedTimeProvider`, `ProhibitedNetworkAccessor`, `ProhibitedFileSystemAccessor`, `ProhibitedEnvironmentAccessor` all throw `AmbientAccessViolationException`; `InjectedTimeProvider` and `InjectedEnvironmentAccessor` for deterministic evaluation
+- **DeterministicResolver**: `src/__Libraries/_archived/StellaOps.Resolver/DeterministicResolver.cs` -- `ResolveAsync(graph, evaluator, context)` orchestrates 4-phase resolution: Phase 1 `Validate(graph)` runs cycle detection and implicit data detection; Phase 2 `OrderNodes(graph)` produces deterministic topological ordering; Phase 3 `EvaluatePure(orderedNodes, evaluator, context)` evaluates each node with predecessor verdicts (no IO); Phase 4 computes final resolution digest from all node verdicts; uses `PureEvaluationContext` to enforce runtime purity
+- **EvidenceGraph**: `src/__Libraries/_archived/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with sorted `Nodes` (IReadOnlyList<EvidenceNode>) and `Edges` (IReadOnlyList<EvidenceEdge>); `GraphDigest` (content-addressed via `CanonicalJsonSerializer.SerializeWithDigest`); `AddNode(node)` and `AddEdge(edge)` return new immutable instances; nodes and edges sorted for deterministic digest
+- **GraphValidation**: `src/__Libraries/_archived/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining `TarjanCycleDetector` (Tarjan's SCC algorithm with `IsCycleCut` edge exclusion) and `DefaultImplicitDataDetector` (detects dangling edges, duplicate IDs); `TarjanCycleDetector` uses index/lowlink tracking, stack-based DFS, reports strongly connected components with >1 node as cycles
+- **RuntimePurity**: `src/__Libraries/_archived/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `PureEvaluationContext` with `CreateStrict()` (all prohibited accessors) and `Create(injectedNow, envVars)` (deterministic providers); `ProhibitedTimeProvider`, `ProhibitedNetworkAccessor`, `ProhibitedFileSystemAccessor`, `ProhibitedEnvironmentAccessor` all throw `AmbientAccessViolationException`; `InjectedTimeProvider` and `InjectedEnvironmentAccessor` for deterministic evaluation
 - **Source**: Feature matrix scan

 ## E2E Test Plan
--- a/docs/features/checked/orchestrator/dag-planner-with-critical-path-metadata.md
+++ b/docs/features/checked/orchestrator/dag-planner-with-critical-path-metadata.md
@@ -1,35 +0,0 @@
-# DAG Planner with Critical-Path Metadata
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-DAG-based job planner that computes critical-path metadata for orchestrator execution plans, enabling dependency-aware scheduling and parallel execution of independent job chains.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `DagPlanner` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/DagPlanner.cs`) - computes execution DAGs from job dependency graphs, identifies critical path, and enables parallel scheduling of independent chains
-  - `DagEdge` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/DagEdge.cs`) - edge model representing dependencies between jobs in the execution DAG
-  - `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on DAG planner output, respecting dependency ordering
-  - `JobStateMachine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobStateMachine.cs`) - state machine governing job lifecycle transitions within the DAG execution
-  - `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with status, dependencies, and scheduling metadata
-  - `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - enum defining job lifecycle states
-  - `JobHistory` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobHistory.cs`) - historical record of job state transitions
-  - `DagEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/DagEndpoints.cs`) - REST API for querying DAG execution plans
-  - `DagContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/DagContracts.cs`) - API contracts for DAG responses
- **Interfaces**: `IDagEdgeRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IDagEdgeRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Create a DAG with 5 jobs (A->B->C, A->D->E) and verify `DagPlanner` identifies A as the root and C/E as leaves
- [ ] Verify critical path computation: the longest dependency chain (A->B->C or A->D->E) is marked as the critical path
- [ ] Schedule the DAG via `JobScheduler` and verify B and D execute in parallel after A completes
- [ ] Add a new dependency (D->C) creating a diamond DAG and verify the critical path updates
- [ ] Query the DAG via `DagEndpoints` and verify the response includes all edges, critical path markers, and parallel groups
- [ ] Create a cyclic DAG (A->B->A) and verify `DagPlanner` rejects it with a cycle detection error
- [ ] Verify DAG metadata: each job node in the `DagContracts` response includes estimated duration and dependency count
- [ ] Schedule a DAG with one failed job and verify `JobStateMachine` marks downstream dependencies as blocked
--- a/docs/features/checked/orchestrator/event-fan-out.md
+++ b/docs/features/checked/orchestrator/event-fan-out.md
@@ -1,35 +0,0 @@
-# Event Fan-Out (SSE/Streaming)
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-Job and pack-run streaming coordinators with stream payload models for real-time SSE event delivery.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/`
- **Key Classes**:
-  - `JobStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/JobStreamCoordinator.cs`) - coordinates SSE streaming for job lifecycle events to connected clients
-  - `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates streaming for pack-run execution events
-  - `RunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/RunStreamCoordinator.cs`) - coordinates streaming for individual run events
-  - `SseWriter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/SseWriter.cs`) - writes Server-Sent Events to HTTP response streams
-  - `StreamOptions` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamOptions.cs`) - configuration for stream connections (heartbeat interval, buffer size, timeout)
-  - `StreamPayloads` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamPayloads.cs`) - typed payload models for stream events (job progress, pack-run status, log lines)
-  - `StreamEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE stream subscription
-  - `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope wrapping domain events for streaming
-  - `OrchestratorEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete event publisher routing events to stream coordinators
- **Interfaces**: `IEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Subscribe to the job stream via `StreamEndpoints` and trigger a job; verify SSE events are received for each state transition
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify progress events include step index, status, and log lines
- [ ] Verify heartbeat: subscribe to a stream and wait without events; confirm heartbeat events arrive at the `StreamOptions` configured interval
- [ ] Subscribe with two clients to the same job stream and verify both receive identical events (fan-out via `JobStreamCoordinator`)
- [ ] Disconnect a client mid-stream and verify the stream coordinator cleans up the connection without affecting other subscribers
- [ ] Trigger a rapid sequence of events and verify `SseWriter` delivers them in order without drops
- [ ] Verify stream payloads: each event contains a typed payload matching the `StreamPayloads` model
- [ ] Test stream timeout: idle for longer than `StreamOptions.Timeout` and verify the connection closes gracefully
--- a/docs/features/checked/orchestrator/export-job-service.md
+++ b/docs/features/checked/orchestrator/export-job-service.md
@@ -1,33 +0,0 @@
-# Export Job Service
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-Export job management with service and domain model for orchestrated export operations.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Services/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/`
- **Key Classes**:
-  - `ExportJobService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Services/ExportJobService.cs`) - manages export job lifecycle: creation, scheduling, execution tracking, and completion
-  - `ExportJob` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJob.cs`) - export job entity with status, target, format, and schedule
-  - `ExportJobPolicy` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJobPolicy.cs`) - policy controlling export permissions and constraints
-  - `ExportJobTypes` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportJobTypes.cs`) - enumeration of supported export types (evidence pack, audit report, snapshot)
-  - `ExportSchedule` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Export/ExportSchedule.cs`) - scheduling configuration for recurring exports
-  - `LedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/LedgerExporter.cs`) - exports audit ledger data for compliance and audit
-  - `ExportJobEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/ExportJobEndpoints.cs`) - REST API for creating, querying, and managing export jobs
- **Interfaces**: `ILedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/ILedgerExporter.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Create an export job via `ExportJobEndpoints` with type=evidence_pack and verify it is persisted with status=Pending
- [ ] Execute the export job via `ExportJobService` and verify status transitions: Pending -> Running -> Completed
- [ ] Verify export policy enforcement: create an export job with a restricted type and verify `ExportJobPolicy` rejects it
- [ ] Schedule a recurring export via `ExportSchedule` and verify the next execution is computed correctly
- [ ] Export audit ledger data via `LedgerExporter` and verify the output contains all entries within the specified time range
- [ ] Create an export job with retention policy and verify completed exports are cleaned up after expiry
- [ ] Query export jobs via `ExportJobEndpoints` with status filter and verify pagination works correctly
- [ ] Test export failure: simulate an export error and verify the job transitions to Failed with error details
--- a/docs/features/checked/orchestrator/job-lifecycle-state-machine.md
+++ b/docs/features/checked/orchestrator/job-lifecycle-state-machine.md
@@ -1,37 +0,0 @@
-# Job Lifecycle State Machine
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-Job scheduling with Postgres-backed job repository, event envelope domain model, and air-gap compatible scheduling tests.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`
- **Key Classes**:
-  - `JobStateMachine` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobStateMachine.cs`) - finite state machine governing job lifecycle transitions (Pending -> Scheduled -> Running -> Completed/Failed/Cancelled)
-  - `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - schedules jobs based on state machine rules and DAG dependencies
-  - `RetryPolicy` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/RetryPolicy.cs`) - configurable retry policy for failed jobs (max retries, backoff strategy)
-  - `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with current status, attempts, and metadata
-  - `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - enum defining all valid job states
-  - `JobHistory` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobHistory.cs`) - historical record of all state transitions with timestamps
-  - `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope emitted on state transitions
-  - `TimelineEvent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
-  - `TimelineEventEmitter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on state transitions
-  - `JobEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/JobEndpoints.cs`) - REST API for job management
-  - `JobContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/JobContracts.cs`) - API contracts for job operations
- **Interfaces**: `IJobRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobRepository.cs`), `IJobHistoryRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobHistoryRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Create a job via `JobEndpoints` and verify initial state is Pending
- [ ] Schedule the job via `JobScheduler` and verify state transition: Pending -> Scheduled, with `TimelineEvent` emitted
- [ ] Start the job and verify `JobStateMachine` transition: Scheduled -> Running
- [ ] Complete the job and verify transition: Running -> Completed with completion timestamp in `JobHistory`
- [ ] Fail the job and verify transition: Running -> Failed with retry attempt incremented
- [ ] Verify `RetryPolicy`: fail a job with max_retries=3 and verify it re-enters Scheduled up to 3 times before terminal failure
- [ ] Attempt an invalid transition (e.g., Completed -> Running) and verify `JobStateMachine` rejects it
- [ ] Verify air-gap scheduling: schedule a job in sealed mode and verify it does not attempt network egress
--- a/docs/features/checked/orchestrator/network-intent-validator.md
+++ b/docs/features/checked/orchestrator/network-intent-validator.md
@@ -1,36 +0,0 @@
-# Network Intent Validator (Air-Gap Orchestrator Controls)
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-NetworkIntentValidator enforces air-gap network policies on orchestrator jobs, preventing egress in sealed mode. Includes MirrorJobTypes and MirrorOperationRecorder for offline mirror operations.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/`
- **Key Classes**:
-  - `NetworkIntentValidator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/NetworkIntentValidator.cs`) - validates job network intent against air-gap policy, blocking egress requests in sealed mode
-  - `StalenessValidator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/AirGap/StalenessValidator.cs`) - validates data freshness in air-gapped environments, ensuring cached data is within acceptable staleness bounds
-  - `NetworkIntent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/NetworkIntent.cs`) - declares the network intent of a job (egress, ingress, local-only)
-  - `SealingStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/SealingStatus.cs`) - enum for air-gap sealing state (Sealed, Unsealed, Transitioning)
-  - `StalenessConfig` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/StalenessConfig.cs`) - configuration for acceptable data staleness in air-gap mode
-  - `StalenessValidationResult` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/StalenessValidationResult.cs`) - result of staleness validation
-  - `BundleProvenance` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AirGap/BundleProvenance.cs`) - provenance tracking for air-gap bundles
-  - `MirrorBundle` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorBundle.cs`) - bundle model for offline mirror operations
-  - `MirrorJobTypes` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorJobTypes.cs`) - types of mirror jobs (sync, verify, prune)
-  - `MirrorOperationRecorder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Mirror/MirrorOperationRecorder.cs`) - records mirror operations for audit trail
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Set `SealingStatus` to Sealed and submit a job with egress intent; verify `NetworkIntentValidator` rejects it
- [ ] Set `SealingStatus` to Unsealed and submit a job with egress intent; verify it is allowed
- [ ] Validate staleness: set `StalenessConfig` max staleness to 24 hours and verify data older than 24 hours is rejected by `StalenessValidator`
- [ ] Create a mirror job with type=sync and verify `MirrorOperationRecorder` records the operation
- [ ] Verify bundle provenance: create a `MirrorBundle` and verify `BundleProvenance` captures origin, sync timestamp, and hash
- [ ] Transition sealing status from Unsealed to Sealed and verify in-flight egress jobs are blocked
- [ ] Submit a local-only `NetworkIntent` job in sealed mode and verify it is allowed
- [ ] Verify staleness config: set different staleness thresholds per data type in `StalenessConfig` and verify per-type enforcement
--- a/docs/features/checked/orchestrator/orchestrator-admin-quota-controls.md
+++ b/docs/features/checked/orchestrator/orchestrator-admin-quota-controls.md
@@ -1,35 +0,0 @@
-# Orchestrator Admin Quota Controls (orch:quota, orch:backfill)
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-New `orch:quota` and `orch:backfill` scopes with mandatory reason/ticket fields. Token requests must include `quota_reason`/`backfill_reason` and optionally `quota_ticket`/`backfill_ticket`. Authority persists these as claims and audit properties for traceability of capacity-affecting operations.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota entity with limits, current usage, and allocation metadata
-  - `BackfillRequest` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/BackfillRequest.cs`) - backfill request model with reason, ticket, and scope
-  - `BackfillManager` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/BackfillManager.cs`) - manages backfill operations with duplicate suppression and event time window tracking
-  - `DuplicateSuppressor` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/DuplicateSuppressor.cs`) - prevents duplicate backfill requests within a time window
-  - `EventTimeWindow` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Backfill/EventTimeWindow.cs`) - time window for backfill event deduplication
-  - `QuotaEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota management (view, adjust, allocate)
-  - `QuotaContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
-  - `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry capturing quota/backfill actions with reason and ticket
-  - `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - resolves tenant context for quota scoping
- **Interfaces**: `IQuotaRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IQuotaRepository.cs`), `IBackfillRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IBackfillRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Request a quota adjustment via `QuotaEndpoints` with `quota_reason` and `quota_ticket`; verify the adjustment is applied and audited in `AuditEntry`
- [ ] Attempt a quota adjustment without `quota_reason` and verify it is rejected with a 400 error
- [ ] Request a backfill via `BackfillManager` with `backfill_reason` and verify the backfill is initiated
- [ ] Submit a duplicate backfill request within the `EventTimeWindow` and verify `DuplicateSuppressor` rejects it
- [ ] Verify audit trail: check the `AuditEntry` for the quota adjustment and confirm reason and ticket are captured
- [ ] Query current quota usage via `QuotaEndpoints` and verify limits and current usage are returned
- [ ] Adjust quota beyond the maximum limit and verify the operation is rejected by policy
- [ ] Verify tenant scoping via `TenantResolver`: adjust quota for tenant A and verify tenant B's quota is unchanged
--- a/docs/features/checked/orchestrator/orchestrator-audit-ledger.md
+++ b/docs/features/checked/orchestrator/orchestrator-audit-ledger.md
@@ -1,39 +0,0 @@
-# Orchestrator Audit Ledger
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-Append-only audit ledger tracking all orchestrator job lifecycle state changes, rate-limit decisions, and dead-letter events with tenant-scoped isolation.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry model with action type, actor, tenant, timestamp, and metadata
-  - `RunLedger` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/RunLedger.cs`) - run-level ledger tracking execution history
-  - `SignedManifest` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/SignedManifest.cs`) - signed manifest for tamper-evident ledger export
-  - `LedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/LedgerExporter.cs`) - exports ledger data for compliance and audit
-  - `AuditEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying audit ledger entries
-  - `LedgerEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/LedgerEndpoints.cs`) - REST API for ledger export and querying
-  - `AuditLedgerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts for audit responses
-  - `DeadLetterEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/DeadLetterEntry.cs`) - dead-letter entry in the audit trail
-  - `DeadLetterNotifier` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/DeadLetterNotifier.cs`) - notifies on dead-letter events
-  - `ErrorClassification` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/ErrorClassification.cs`) - classifies errors for dead-letter categorization
-  - `ReplayManager` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/ReplayManager.cs`) - manages replay of dead-letter entries
-  - `DeadLetterEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/DeadLetterEndpoints.cs`) - REST API for dead-letter management
-  - `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - ensures tenant-scoped audit isolation
- **Interfaces**: `ILedgerExporter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Ledger/ILedgerExporter.cs`), `IAuditRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IAuditRepository.cs`), `IDeadLetterRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/DeadLetter/IDeadLetterRepository.cs`), `ILedgerRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/ILedgerRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Trigger a job state transition and verify an `AuditEntry` is created in the ledger with action type, actor, and timestamp
- [ ] Query the audit ledger via `AuditEndpoints` with a time range filter and verify only matching entries are returned
- [ ] Verify tenant isolation via `TenantResolver`: create audit entries for two tenants and verify each tenant only sees their own entries
- [ ] Trigger a dead-letter event and verify it appears in both the `DeadLetterEntry` store and the audit ledger
- [ ] Export the audit ledger via `LedgerExporter` and verify the export contains all entries within the specified range
- [ ] Replay a dead-letter entry via `ReplayManager` and verify the replay action is also audited
- [ ] Verify `ErrorClassification` categorizes different error types correctly (transient, permanent, unknown)
- [ ] Query dead-letter entries via `DeadLetterEndpoints` and verify pagination and filtering work
--- a/docs/features/checked/orchestrator/orchestrator-event-envelopes-with-sse-websocket-streaming.md
+++ b/docs/features/checked/orchestrator/orchestrator-event-envelopes-with-sse-websocket-streaming.md
@@ -1,40 +0,0 @@
-# Orchestrator Event Envelopes with SSE/WebSocket Streaming
-
-## Module
-Orchestrator
-
-## Status
-IMPLEMENTED
-
-## Description
-Typed event envelope system with SSE and WebSocket streaming for real-time orchestrator job progress, enabling live UI updates and CLI monitoring of pack-run execution.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/`
- **Key Classes**:
-  - `EventEnvelope` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`) - typed event envelope with event type, payload, timestamp, and correlation ID
-  - `EventEnvelope` (legacy) (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/EventEnvelope.cs`) - legacy event envelope model
-  - `TimelineEvent` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEvent.cs`) - timeline event for job lifecycle tracking
-  - `TimelineEventEmitter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/TimelineEventEmitter.cs`) - emits timeline events on domain actions
-  - `OrchestratorEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Events/OrchestratorEventPublisher.cs`) - concrete publisher routing events to stream coordinators
-  - `EventEnvelopeHasher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/EventEnvelopeHasher.cs`) - hashes event envelopes for integrity verification
-  - `CanonicalJsonHasher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Hashing/CanonicalJsonHasher.cs`) - canonical JSON hashing for deterministic event hashes
-  - `SseWriter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/SseWriter.cs`) - Server-Sent Events writer
-  - `JobStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/JobStreamCoordinator.cs`) - job event stream coordinator
-  - `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - pack-run stream coordinator
-  - `RunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/RunStreamCoordinator.cs`) - run-level stream coordinator
-  - `StreamEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/StreamEndpoints.cs`) - REST endpoints for SSE subscriptions
-  - `StreamOptions` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamOptions.cs`) - stream configuration
-  - `StreamPayloads` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/StreamPayloads.cs`) - typed event payloads
- **Interfaces**: `IEventPublisher` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/IEventPublisher.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Create an `EventEnvelope` with type=job_completed and payload; verify it is hashed via `EventEnvelopeHasher` and the hash is deterministic
- [ ] Publish an event via `OrchestratorEventPublisher` and verify it reaches the `JobStreamCoordinator`
- [ ] Subscribe to SSE via `StreamEndpoints` and verify events arrive as formatted SSE messages (data: + newline)
- [ ] Verify canonical hashing: create two identical events and verify `CanonicalJsonHasher` produces identical hashes
- [ ] Subscribe to pack-run stream via `PackRunStreamCoordinator` and execute a pack; verify real-time progress events include step index and status
- [ ] Verify `StreamOptions`: configure heartbeat interval and verify heartbeats arrive at the configured cadence
- [ ] Publish 100 events rapidly and verify `SseWriter` delivers all of them in order
- [ ] Verify event envelope correlation: publish events with the same correlation ID and verify they can be filtered by correlation
--- a/docs/features/checked/orchestrator/orchestrator-golden-signals-observability.md
+++ b/docs/features/checked/orchestrator/orchestrator-golden-signals-observability.md
@@ -1,44 +0,0 @@
-# Orchestrator Golden Signals Observability
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-Built-in golden signal metrics (latency, traffic, errors, saturation) for orchestrator job execution, with timeline event emission and job capsule provenance tracking.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`
- **Key Classes**:
-  - `OrchestratorGoldenSignals` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorGoldenSignals.cs`) - golden signal metrics: latency (p50/p95/p99), traffic (requests/sec), errors (error rate), saturation (queue depth, CPU, memory)
-  - `OrchestratorMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Observability/OrchestratorMetrics.cs`) - OpenTelemetry metrics registration for orchestrator operations
-  - `IncidentModeHooks` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Observability/IncidentModeHooks.cs`) - hooks triggered when golden signals breach thresholds, activating incident mode
-  - `JobAttestationService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobAttestationService.cs`) - generates attestations for job execution with provenance data
-  - `JobAttestation` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobAttestation.cs`) - attestation model for a completed job
-  - `JobCapsule` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobCapsule.cs`) - capsule containing job execution evidence (inputs, outputs, metrics)
-  - `JobCapsuleGenerator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobCapsuleGenerator.cs`) - generates job capsules from execution data
-  - `JobRedactionGuard` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/JobRedactionGuard.cs`) - redacts sensitive data from job capsules before attestation
-  - `SnapshotHook` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Evidence/SnapshotHook.cs`) - hook capturing execution state snapshots at key points
-  - `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics for auto-scaling decisions
-  - `KpiEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/KpiEndpoints.cs`) - REST endpoints for KPI/metrics queries
-  - `HealthEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/HealthEndpoints.cs`) - health check endpoints
- **Interfaces**: None (uses concrete implementations)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Execute a job and verify `OrchestratorGoldenSignals` records latency, traffic, and error metrics
- [ ] Verify golden signal latency: execute 10 jobs with varying durations and verify p50/p95/p99 percentiles are computed correctly
- [ ] Trigger an error threshold breach and verify `IncidentModeHooks` activates incident mode
- [ ] Generate a `JobCapsule` via `JobCapsuleGenerator` and verify it contains job inputs, outputs, and execution metrics
- [ ] Verify redaction: include sensitive data in job inputs and verify `JobRedactionGuard` removes it from the capsule
- [ ] Generate a `JobAttestation` via `JobAttestationService` and verify it contains the capsule hash and provenance data
- [ ] Query KPI metrics via `KpiEndpoints` and verify golden signal data is returned
- [ ] Verify `HealthEndpoints` report healthy when golden signals are within thresholds
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-golden-signals-observability/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/orchestrator-operator-scope-with-audit-metadata.md
+++ b/docs/features/checked/orchestrator/orchestrator-operator-scope-with-audit-metadata.md
@@ -1,39 +0,0 @@
-# Orchestrator Operator Scope with Audit Metadata
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-New `orch:operate` scope and `Orch.Operator` role requiring explicit `operator_reason` and `operator_ticket` parameters on token requests. Authority enforces these fields and captures them as audit properties, giving SecOps traceability for every orchestrator control action.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `AuditEntry` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/AuditEntry.cs`) - audit entry capturing operator actions with reason and ticket metadata
-  - `TenantResolver` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/TenantResolver.cs`) - resolves tenant and operator context from token claims
-  - `AuditEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/AuditEndpoints.cs`) - REST API for querying operator audit trail
-  - `AuditLedgerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/AuditLedgerContracts.cs`) - API contracts including operator metadata
-  - `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota model with operator attribution
-  - `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job model with operator tracking
-  - `DeprecationHeaders` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Services/DeprecationHeaders.cs`) - deprecation header support for versioned operator APIs
- **Interfaces**: `IAuditRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IAuditRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Request a token with `orch:operate` scope, `operator_reason="maintenance"`, and `operator_ticket="TICKET-123"`; verify the token is issued
- [ ] Perform an operator action (e.g., cancel a job) with the scoped token; verify an `AuditEntry` captures the operator_reason and operator_ticket
- [ ] Attempt an operator action without `operator_reason` and verify it is rejected with a 400 error
- [ ] Query the audit trail via `AuditEndpoints` and filter by operator_ticket; verify matching entries are returned
- [ ] Verify operator scope enforcement: use a token without `orch:operate` scope and verify operator actions are forbidden (403)
- [ ] Perform multiple operator actions and verify each generates a separate `AuditEntry` with correct metadata
- [ ] Verify tenant scoping via `TenantResolver`: operator actions for tenant A are not visible in tenant B's audit trail
- [ ] Verify audit entry immutability: attempt to modify an existing `AuditEntry` and verify it is rejected
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-operator-scope-with-audit-metadata/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/orchestrator-worker-sdks.md
+++ b/docs/features/checked/orchestrator/orchestrator-worker-sdks.md
@@ -1,46 +0,0 @@
-# Orchestrator Worker SDKs (Go and Python)
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-Multi-language Worker SDKs enabling external workers to participate in orchestrator job execution via Go and Python clients, with examples and structured API packages.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `client.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/client.go`) - Go SDK client for worker communication
-  - `config.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/config.go`) - Go SDK configuration
-  - `artifact.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/artifact.go`) - artifact handling in Go SDK
-  - `backfill.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/backfill.go`) - backfill support in Go SDK
-  - `retry.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/retry.go`) - retry logic in Go SDK
-  - `errors.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/pkg/workersdk/errors.go`) - error types in Go SDK
-  - `transport.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/internal/transport/transport.go`) - HTTP transport layer for Go SDK
-  - `main.go` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/examples/smoke/main.go`) - smoke test example worker
-  - `client.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/client.py`) - Python SDK client
-  - `config.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/config.py`) - Python SDK configuration
-  - `backfill.py` (`src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/stellaops_orchestrator_worker/backfill.py`) - Python backfill support
-  - `WorkerEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/WorkerEndpoints.cs`) - REST API for worker registration and job assignment
-  - `WorkerContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/WorkerContracts.cs`) - API contracts for worker communication
-  - `Worker` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs`) - .NET worker implementation
- **Interfaces**: None (SDK clients are standalone)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Register a Go worker via `WorkerEndpoints` and verify it receives a job assignment
- [ ] Execute a job with the Go worker SDK `client.go` and verify results are reported back via the API
- [ ] Register a Python worker via `client.py` and verify it receives a job assignment
- [ ] Verify Go SDK retry: configure `retry.go` policy and simulate a transient failure; verify the SDK retries and succeeds
- [ ] Verify artifact handling: upload an artifact via `artifact.go` and verify it is persisted
- [ ] Verify backfill: trigger a backfill via `backfill.py` and verify it processes historical events
- [ ] Verify Go SDK error types: trigger different error conditions and verify `errors.go` returns appropriate error types
- [ ] Run the Go smoke test example `main.go` and verify it completes successfully against the orchestrator API
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk (Go SDK, Python SDK, .NET endpoints).
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/orchestrator-worker-sdks/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/pack-run-bridge.md
+++ b/docs/features/checked/orchestrator/pack-run-bridge.md
@@ -1,43 +0,0 @@
-# Pack-Run Bridge (TaskRunner Integration)
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-Pack-run integration with Postgres repository, API endpoints, stream coordinator for log/artifact streaming, and domain model.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/`
- **Key Classes**:
-  - `Pack` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Pack.cs`) - pack entity containing a set of jobs to execute as a unit
-  - `PackRun` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/PackRun.cs`) - pack-run entity tracking execution of a pack instance
-  - `PackRunLog` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/PackRunLog.cs`) - log entries for pack-run execution
-  - `PackRunStreamCoordinator` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs`) - coordinates real-time streaming of pack-run logs and artifacts
-  - `PackRunEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/PackRunEndpoints.cs`) - REST API for creating, querying, and managing pack runs
-  - `PackRegistryEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/PackRegistryEndpoints.cs`) - REST API for pack registration and versioning
-  - `PackRunContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/PackRunContracts.cs`) - API contracts for pack-run operations
-  - `PackRegistryContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/PackRegistryContracts.cs`) - API contracts for pack registry
-  - `Run` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Run.cs`) - individual run within a pack execution
-  - `RunEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/RunEndpoints.cs`) - REST API for run management
-  - `RunContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/RunContracts.cs`) - API contracts for run operations
- **Interfaces**: `IPackRunRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IPackRunRepository.cs`), `IPackRegistryRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IPackRegistryRepository.cs`), `IRunRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IRunRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Register a pack via `PackRegistryEndpoints` with 3 jobs and verify it is persisted with version 1
- [ ] Create a pack run via `PackRunEndpoints` and verify it starts executing the pack's jobs
- [ ] Subscribe to the pack-run stream via `PackRunStreamCoordinator` and verify real-time log entries arrive as jobs execute
- [ ] Verify pack-run completion: all 3 jobs complete and the `PackRun` transitions to Completed
- [ ] Verify pack versioning: update a pack and verify `PackRegistryEndpoints` creates version 2 while preserving version 1
- [ ] Query `PackRunLog` entries via the API and verify all log entries are returned in chronological order
- [ ] Fail one job in a pack run and verify the pack run reports partial failure
- [ ] Create multiple pack runs concurrently and verify they execute independently
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/pack-run-bridge/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/quota-governance-and-circuit-breakers.md
+++ b/docs/features/checked/orchestrator/quota-governance-and-circuit-breakers.md
@@ -1,43 +0,0 @@
-# Quota Governance and Circuit Breakers
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-Quota governance services with cross-tenant allocation policies and circuit breaker automation for downstream service failure protection, integrated with rate limiting and load shedding.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/`
- **Key Classes**:
-  - `QuotaGovernanceService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Services/QuotaGovernanceService.cs`) - cross-tenant quota allocation with 5 strategies (unlimited, proportional, priority, reserved, max-limit)
-  - `CircuitBreakerService` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Services/CircuitBreakerService.cs`) - circuit breaker with Closed/Open/HalfOpen state transitions
-  - `Quota` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs`) - quota entity with limits and allocation
-  - `QuotaEndpoints` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs`) - REST API for quota queries and adjustments
-  - `QuotaContracts` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/QuotaContracts.cs`) - API contracts for quota operations
-  - `Throttle` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Throttle.cs`) - throttle configuration for rate limiting
-  - `AdaptiveRateLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/AdaptiveRateLimiter.cs`) - adaptive rate limiting based on system load
-  - `ConcurrencyLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job execution
-  - `BackpressureHandler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/BackpressureHandler.cs`) - backpressure signaling
-  - `LoadShedder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/LoadShedder.cs`) - load shedding under saturation
-  - `PostgresQuotaRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Postgres/PostgresQuotaRepository.cs`) - Postgres-backed quota storage
-  - `PostgresThrottleRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Postgres/PostgresThrottleRepository.cs`) - Postgres-backed throttle storage
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Configure a quota policy with proportional allocation and verify QuotaGovernanceService distributes capacity across tenants
- [ ] Request quota above max limit and verify the request is capped
- [ ] Pause a tenant and verify quota requests are denied
- [ ] Trigger circuit breaker by exceeding failure threshold and verify downstream requests are blocked
- [ ] Verify circuit breaker recovery: wait for timeout, verify HalfOpen state, send success to close
- [ ] Force-open and force-close the circuit breaker and verify state changes
- [ ] Test concurrent access to circuit breaker and verify thread safety
- [ ] Verify all 5 allocation strategies produce correct quota distributions
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/quota-governance-and-circuit-breakers/run-002/tier2-integration-check.json`
--- a/docs/features/checked/orchestrator/skip-locked-queue-pattern.md
+++ b/docs/features/checked/orchestrator/skip-locked-queue-pattern.md
@@ -1,42 +0,0 @@
-# SKIP LOCKED Queue Pattern
-
-## Module
-Orchestrator
-
-## Status
-VERIFIED
-
-## Description
-SKIP LOCKED queue pattern is used in Scheduler and Orchestrator job repositories for reliable work distribution.
-
-## Implementation Details
- **Modules**: `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/`, `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/`
- **Key Classes**:
-  - `JobScheduler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scheduling/JobScheduler.cs`) - job scheduler using PostgreSQL `SELECT ... FOR UPDATE SKIP LOCKED` for concurrent job dequeuing without contention
-  - `Job` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Job.cs`) - job entity with status field used for queue filtering
-  - `JobStatus` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/JobStatus.cs`) - job states used in queue queries (Pending jobs are available for dequeuing)
-  - `Watermark` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Watermark.cs`) - watermark tracking for ordered processing
-  - `AdaptiveRateLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/AdaptiveRateLimiter.cs`) - rate limiter that adjusts based on queue depth and processing speed
-  - `ConcurrencyLimiter` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/ConcurrencyLimiter.cs`) - limits concurrent job processing
-  - `TokenBucket` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/TokenBucket.cs`) - token bucket rate limiter for smooth job distribution
-  - `BackpressureHandler` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/RateLimiting/BackpressureHandler.cs`) - applies backpressure when queue depth exceeds thresholds
-  - `LoadShedder` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/LoadShedder.cs`) - sheds load when system is saturated
-  - `ScaleMetrics` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Scale/ScaleMetrics.cs`) - metrics for monitoring queue depth and throughput
- **Interfaces**: `IJobRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IJobRepository.cs`), `IWatermarkRepository` (`src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Repositories/IWatermarkRepository.cs`)
- **Source**: Feature matrix scan
-
-## E2E Test Plan
- [ ] Enqueue 10 jobs and dequeue from 3 concurrent workers using SKIP LOCKED via `JobScheduler`; verify each job is assigned to exactly one worker
- [ ] Verify no contention: dequeue rapidly from 5 workers and verify no blocking or deadlocks occur
- [ ] Verify job visibility: a job locked by worker A is not visible to worker B during dequeue
- [ ] Complete a locked job and verify it is no longer in the queue
- [ ] Verify `AdaptiveRateLimiter`: increase queue depth and verify the rate limiter increases throughput
- [ ] Verify `BackpressureHandler`: fill the queue beyond the threshold and verify backpressure is signaled to producers
- [ ] Verify `LoadShedder`: saturate the system and verify new jobs are rejected with a 503 response
- [ ] Test `TokenBucket`: configure a rate of 10 jobs/second and verify the bucket enforces the limit
-
-## Verification
- Verified on 2026-02-13 via `run-002`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 1292/1292 tests passed.
- Tier 2d: `docs/qa/feature-checks/runs/orchestrator/skip-locked-queue-pattern/run-002/tier2-integration-check.json`
--- a/docs/features/checked/releaseorchestrator/centralized-release-control-plane-for-non-k8s.md
+++ b/docs/features/checked/releaseorchestrator/centralized-release-control-plane-for-non-k8s.md
@@ -7,7 +7,7 @@ ReleaseOrchestrator
 VERIFIED

 ## Description
-The pivot from vulnerability scanning platform to release control plane is reflected in the implemented ReleaseOrchestrator module with promotions, deployments, and environment management.
+The pivot from vulnerability scanning platform to release control plane is reflected in the implemented ReleaseJobEngine module with promotions, deployments, and environment management.

 ## Implementation Details
 - **Modules**: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Release/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Promotion/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Deployment/`, `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Environment/`
--- a/docs/features/checked/web/dead-letter-queue-management-ui.md
+++ b/docs/features/checked/web/dead-letter-queue-management-ui.md
@@ -21,7 +21,7 @@ Dead-letter queue browser with message inspection, replay workflows (single/batc
 ## E2E Test Plan
 - **Setup**:
  - [ ] Log in with a user that has appropriate permissions
-  - [ ] Navigate to `/ops/orchestrator/dead-letter`
+  - [ ] Navigate to `/ops/jobengine/dead-letter`
  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
 - **Core verification**:
  - [ ] Verify the list/table loads with paginated data
--- a/docs/features/checked/web/deployment-detail-with-workflow-dag-visualization.md
+++ b/docs/features/checked/web/deployment-detail-with-workflow-dag-visualization.md
@@ -48,4 +48,4 @@ Deployment detail page with workflow DAG visualization showing deployment step e
 - Date (UTC): 2026-02-11T10:08:09Z
 - Status: PASSED (strict Tier 2 UI replay)
 - Tier 2 evidence: docs/qa/feature-checks/runs/web/deployment-detail-with-workflow-dag-visualization/run-004/tier2-ui-check.json
- Notes: Verified via /release-orchestrator/deployments/dep-001 workflow DAG node rendering and selection checks.
+- Notes: Verified via /release-jobengine/deployments/dep-001 workflow DAG node rendering and selection checks.
--- a/docs/features/checked/web/pipeline-run-centric-view.md
+++ b/docs/features/checked/web/pipeline-run-centric-view.md
@@ -11,16 +11,16 @@ Pipeline runs list and detail routes provide a run-centric view across stage pro

 ## What's Implemented
 - **Existing components**:
-  - `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts`)
-  - `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts`)
-  - `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/promotion-request/promotion-request.component.ts`)
-  - `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/active-deployments/active-deployments.component.ts`)
-  - `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pending-approvals/pending-approvals.component.ts`)
-  - `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
-  - `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/recent-releases/recent-releases.component.ts`)
-  - `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.component.ts`)
-  - `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-list/deployment-list.component.ts`)
-  - `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-monitor/deployment-monitor.component.ts`)
+  - `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-detail/approval-detail.component.ts`)
+  - `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-queue/approval-queue.component.ts`)
+  - `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/promotion-request/promotion-request.component.ts`)
+  - `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/active-deployments/active-deployments.component.ts`)
+  - `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pending-approvals/pending-approvals.component.ts`)
+  - `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
+  - `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/recent-releases/recent-releases.component.ts`)
+  - `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.ts`)
+  - `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-list/deployment-list.component.ts`)
+  - `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-monitor/deployment-monitor.component.ts`)
 - **Existing routes**: `approvals.routes.ts`, `dashboard.routes.ts`, `deployments.routes.ts`, `environments.routes.ts`, `evidence.routes.ts`, `releases.routes.ts`, `workflows.routes.ts`

 ## E2E Test Plan
--- a/docs/features/checked/web/release-orchestrator-dashboard-ui.md
+++ b/docs/features/checked/web/release-orchestrator-dashboard-ui.md
@@ -10,24 +10,24 @@ VERIFIED
 Full dashboard UI for Release Orchestrator showing pipeline overview, pending approvals, active deployments, and recent releases with real-time SignalR updates.

 ## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/`
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-jobengine/`
 - **Routes**: `approvals.routes.ts`, `dashboard.routes.ts`, `deployments.routes.ts`, `environments.routes.ts`, `evidence.routes.ts`, `releases.routes.ts`, `workflows.routes.ts`
 - **Components**:
-  - `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts`)
-  - `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts`)
-  - `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/promotion-request/promotion-request.component.ts`)
-  - `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/active-deployments/active-deployments.component.ts`)
-  - `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pending-approvals/pending-approvals.component.ts`)
-  - `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
-  - `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/components/recent-releases/recent-releases.component.ts`)
-  - `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.component.ts`)
-  - `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-list/deployment-list.component.ts`)
-  - `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/deployments/deployment-monitor/deployment-monitor.component.ts`)
-  - `environment-settings` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/environment-settings/environment-settings.component.ts`)
-  - `freeze-window-editor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/freeze-window-editor/freeze-window-editor.component.ts`)
-  - `target-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/components/target-list/target-list.component.ts`)
-  - `environment-detail` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/environment-detail/environment-detail.component.ts`)
-  - `environment-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/environments/environment-list/environment-list.component.ts`)
+  - `approval-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-detail/approval-detail.component.ts`)
+  - `approval-queue` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/approval-queue/approval-queue.component.ts`)
+  - `promotion-request` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/approvals/promotion-request/promotion-request.component.ts`)
+  - `active-deployments` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/active-deployments/active-deployments.component.ts`)
+  - `pending-approvals` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pending-approvals/pending-approvals.component.ts`)
+  - `pipeline-overview` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/pipeline-overview/pipeline-overview.component.ts`)
+  - `recent-releases` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/components/recent-releases/recent-releases.component.ts`)
+  - `dashboard` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.component.ts`)
+  - `deployment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-list/deployment-list.component.ts`)
+  - `deployment-monitor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/deployments/deployment-monitor/deployment-monitor.component.ts`)
+  - `environment-settings` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/environment-settings/environment-settings.component.ts`)
+  - `freeze-window-editor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/freeze-window-editor/freeze-window-editor.component.ts`)
+  - `target-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/components/target-list/target-list.component.ts`)
+  - `environment-detail` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/environment-detail/environment-detail.component.ts`)
+  - `environment-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/environments/environment-list/environment-list.component.ts`)
  - ... and 7 more components
 - **Source**: SPRINT_20260110_111_001_FE_dashboard_overview.md

--- a/docs/features/checked/web/slo-burn-rate-monitoring-ui.md
+++ b/docs/features/checked/web/slo-burn-rate-monitoring-ui.md
@@ -22,7 +22,7 @@ SLO health dashboard with multi-window burn rate calculation (1h/6h/24h/72h Goog
 ## E2E Test Plan
 - **Setup**:
  - [ ] Log in with a user that has appropriate permissions
-  - [ ] Navigate to `/ops/orchestrator/slo`
+  - [ ] Navigate to `/ops/jobengine/slo`
  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
 - **Core verification**:
  - [ ] Verify the component renders correctly with sample data
--- a/docs/features/checked/web/tinyfailureevent-first-signal-event-pattern.md
+++ b/docs/features/checked/web/tinyfailureevent-first-signal-event-pattern.md
@@ -13,7 +13,7 @@ First signal event UI is implemented with a dedicated store, typed models, and c
 - **Feature directory**: `src/Web/StellaOps.Web/src/app/features/runs/`
 - **Components**:
  - `first-signal-card` (`src/Web/StellaOps.Web/src/app/features/runs/components/first-signal-card/first-signal-card.component.ts`)
-  - Run detail integration (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/runs/pipeline-run-detail.component.ts`)
+  - Run detail integration (`src/Web/StellaOps.Web/src/app/features/release-jobengine/runs/pipeline-run-detail.component.ts`)
  - Console status integration (`src/Web/StellaOps.Web/src/app/features/console/console-status.component.html`)
 - **Services**:
  - `first-signal-prefetch` (`src/Web/StellaOps.Web/src/app/features/runs/services/first-signal-prefetch.service.ts`)
--- a/docs/features/checked/web/visual-workflow-editor.md
+++ b/docs/features/checked/web/visual-workflow-editor.md
@@ -10,25 +10,25 @@ VERIFIED
 Visual DAG-based workflow editor for release workflows with a drag/drop step palette, editable step configuration panel, dependency wiring on canvas connectors, and a YAML-mode representation.

 ## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/`
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/`
 - **Routes**:
-  - `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflows.routes.ts`
-  - mounted from `src/Web/StellaOps.Web/src/app/features/release-orchestrator/dashboard/dashboard.routes.ts`
+  - `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflows.routes.ts`
+  - mounted from `src/Web/StellaOps.Web/src/app/features/release-jobengine/dashboard/dashboard.routes.ts`
 - **Components**:
-  - `workflow-list` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow-list/workflow-list.component.ts`)
-  - `workflow-editor` (`src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow-editor/workflow-editor.component.ts`)
+  - `workflow-list` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow-list/workflow-list.component.ts`)
+  - `workflow-editor` (`src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow-editor/workflow-editor.component.ts`)
 - **Store/API models**:
-  - `src/Web/StellaOps.Web/src/app/features/release-orchestrator/workflows/workflow.store.ts`
+  - `src/Web/StellaOps.Web/src/app/features/release-jobengine/workflows/workflow.store.ts`
  - `src/Web/StellaOps.Web/src/app/core/api/workflow.client.ts`
  - `src/Web/StellaOps.Web/src/app/core/api/workflow.models.ts`
 - **Behavior coverage**:
-  - `src/Web/StellaOps.Web/src/tests/release_orchestrator/visual-workflow-editor.behavior.spec.ts`
+  - `src/Web/StellaOps.Web/src/tests/release_jobengine/visual-workflow-editor.behavior.spec.ts`
 - **Source**: `SPRINT_20260110_111_004_FE_workflow_editor`

 ## E2E Test Plan
 - **Setup**:
  - [ ] Log in with a user that has appropriate permissions
-  - [ ] Navigate to `/release-orchestrator/workflows/:id`
+  - [ ] Navigate to `/release-jobengine/workflows/:id`
  - [ ] Ensure workflow fixture data exists (mock or backend-provided)
 - **Core verification**:
  - [ ] Verify palette/canvas/config-panel surfaces load
@@ -43,6 +43,6 @@ Visual DAG-based workflow editor for release workflows with a drag/drop step pal
 ## Verification
 - Run ID: `docs/qa/feature-checks/runs/web/visual-workflow-editor/run-001/`
 - Date (UTC): 2026-02-11
- Tier 0: PASS (active route/component/store paths verified; stale dossier reference corrected from `workflow-visualization` to `release-orchestrator/workflows`).
+- Tier 0: PASS (active route/component/store paths verified; stale dossier reference corrected from `workflow-visualization` to `release-jobengine/workflows`).
 - Tier 1: PASS (`npm run test` focused + release-orchestrator regression include suite passed; `npm run build` passed with baseline workspace warnings only).
 - Tier 2: PASS (workflow editor behavior harness verified palette/canvas/config rendering, YAML mode interaction, dependency validation semantics, and deterministic step-id generation).