consolidation of some of the modules, localization fixes, product advisories work, qa work

2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
--- a/docs/modules/router/README.md
+++ b/docs/modules/router/README.md
@@ -72,8 +72,7 @@ StellaOps.Router.slnx
 │   ├── StellaOps.Router.Transport.RabbitMQ/
 │   ├── StellaOps.Microservice/
 │   └── StellaOps.Microservice.SourceGen/
-├── src/Gateway/
-│   └── StellaOps.Gateway.WebService/
+├── src/Router/StellaOps.Gateway.WebService/  (moved from src/Gateway/ per Sprint 200)
 └── tests/
    └── (test projects)
 ```
@@ -181,5 +180,5 @@ dotnet build StellaOps.Router.slnx
 dotnet test StellaOps.Router.slnx

 # Run gateway
-dotnet run --project src/Gateway/StellaOps.Gateway.WebService
+dotnet run --project src/Router/StellaOps.Gateway.WebService
 ```
--- a/docs/modules/router/architecture.md
+++ b/docs/modules/router/architecture.md
@@ -7,7 +7,7 @@ Service impact ledger: `docs/technical/architecture/multi-tenant-service-impact-
 Flow sequences: `docs/technical/architecture/multi-tenant-flow-sequences.md`
 Rollout policy: `docs/operations/multi-tenant-rollout-and-compatibility.md`

-> **Dual-location clarification (updated 2026-02-22).** The Router (`src/Router/`) hosts the evolved `StellaOps.Gateway.WebService` with advanced features not present in `src/Gateway/`: configurable route tables via `GatewayRouteCatalog`, reverse proxy support, SPA fallback hosting, WebSocket routing, Valkey messaging transport integration, and `StellaOpsRouteResolver` for front-door dispatching. This is the current canonical deployment for HTTP ingress. A simpler version exists at `src/Gateway/` for basic ingress scenarios. See also [Gateway Architecture](../gateway/architecture.md).
+> **Location clarification (updated 2026-03-04).** The Router (`src/Router/`) hosts `StellaOps.Gateway.WebService` with configurable route tables via `GatewayRouteCatalog`, reverse proxy support, SPA fallback hosting, WebSocket routing, Valkey messaging transport integration, and `StellaOpsRouteResolver` for front-door dispatching. This is the canonical deployment for HTTP ingress. The standalone `src/Gateway/` was deleted in Sprint 200.

 ## System Architecture

@@ -296,7 +296,7 @@ Request ─►│ ForwardedHeaders        │
 - Per-request tenant override is disabled by default and only works when explicitly enabled with `Gateway:Auth:EnableTenantOverride=true` and the requested tenant exists in `stellaops:allowed_tenants`.
 - Authorization/DPoP passthrough is fail-closed:
 - route must be configured with `PreserveAuthHeaders=true`, and
- route prefix must also be in the approved passthrough allow-list (`/connect`, `/console`, `/api/admin`).
+- route prefix must also be in the approved passthrough allow-list (`/connect`, `/console`, `/authority`, `/doctor`, `/api`).
 - Tenant override attempts are logged with deterministic fields including route, actor, requested tenant, and resolved tenant.

 ### Connection State
--- a/docs/modules/router/migration-guide.md
+++ b/docs/modules/router/migration-guide.md
@@ -513,7 +513,7 @@ For each route:
 | Scanner | StellaOps.Scanner.WebService | High | High | Streaming scans |
 | Attestor | StellaOps.Attestor.WebService | Medium | Medium | Attestation gen |
 | Excititor | StellaOps.Excititor.WebService | Medium | Low | VEX processing |
-| Orchestrator | StellaOps.Orchestrator.WebService | Medium | Medium | Job coordination |
+| Orchestrator | StellaOps.JobEngine.WebService | Medium | Medium | Job coordination |
 | Scheduler | StellaOps.Scheduler.WebService | Low | Low | Job scheduling |
 | Notify | StellaOps.Notify.WebService | Low | Low | Notifications |
 | Notifier | StellaOps.Notifier.WebService | Low | Low | Alert dispatch |
--- a/docs/modules/router/timelineindexer-microservice-pilot.md
+++ b/docs/modules/router/timelineindexer-microservice-pilot.md
@@ -1,7 +1,7 @@
 # Router TimelineIndexer Microservice Pilot

 ## Scope
- Pilot service: `TimelineIndexer` (`src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService`).
+- Pilot service: `TimelineIndexer` (`src/Timeline/StellaOps.TimelineIndexer.WebService`).
 - Transport: `TransportType.Messaging` backed by Valkey.
 - Gateway entry under pilot: `/api/v1/timeline*`.

--- a/docs/modules/router/webservice-integration-guide.md
+++ b/docs/modules/router/webservice-integration-guide.md
@@ -178,7 +178,7 @@ All WebServices have been updated with Router integration:
 | Scanner.WebService | `src/Scanner/StellaOps.Scanner.WebService` | ✅ Complete |
 | Concelier.WebService | `src/Concelier/StellaOps.Concelier.WebService` | ✅ Complete |
 | Excititor.WebService | `src/Excititor/StellaOps.Excititor.WebService` | ✅ Complete |
-| Gateway.WebService | `src/Gateway/StellaOps.Gateway.WebService` | ✅ Complete |
+| Gateway.WebService | `src/Router/StellaOps.Gateway.WebService` (moved from `src/Gateway/`, Sprint 200) | ✅ Complete |
 | VexHub.WebService | `src/VexHub/StellaOps.VexHub.WebService` | ✅ Complete |
 | Attestor.WebService | `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService` | ✅ Complete |
 | EvidenceLocker.WebService | `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService` | ✅ Complete |
@@ -188,11 +188,11 @@ All WebServices have been updated with Router integration:
 | Notifier.WebService | `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService` | ✅ Complete |
 | Notify.WebService | `src/Notify/StellaOps.Notify.WebService` | ✅ Complete |
 | PacksRegistry.WebService | `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService` | ✅ Complete |
-| RiskEngine.WebService | `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService` | ✅ Complete |
+| RiskEngine.WebService | `src/Findings/StellaOps.RiskEngine.WebService` | ✅ Complete |
 | Signer.WebService | `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService` | ✅ Complete |
 | TaskRunner.WebService | `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService` | ✅ Complete |
-| TimelineIndexer.WebService | `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService` | ✅ Complete |
-| Orchestrator.WebService | `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService` | ✅ Complete |
+| TimelineIndexer.WebService | `src/Timeline/StellaOps.TimelineIndexer.WebService` | ✅ Complete |
+| Orchestrator.WebService | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService` | ✅ Complete |
 | Scheduler.WebService | `src/Scheduler/StellaOps.Scheduler.WebService` | ✅ Complete |
 | ExportCenter.WebService | `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService` | ✅ Complete |

--- a/docs/modules/router/webservices-valkey-rollout-matrix.md
+++ b/docs/modules/router/webservices-valkey-rollout-matrix.md
@@ -36,7 +36,7 @@ Legend:
 | notifier.stella-ops.local | notifier-web | /api/v1/notifier, /notifier | D | Developer + Test Automation (Wave D) | Migrate API prefix first, then root compatibility path. | Route type revert + `NOTIFIER_ROUTER_ENABLED=false` (RMW-03). |
 | notify.stella-ops.local | notify-web | /api/v1/notify, /notify | D | Developer + Test Automation (Wave D) | Migrate API prefix first, then root compatibility path. | Route type revert + `NOTIFY_ROUTER_ENABLED=false` (RMW-03). |
 | opsmemory.stella-ops.local | opsmemory-web | /api/v1/opsmemory, /opsmemory | A | Developer + Test Automation (Wave A) | Migrate API prefix first, then root compatibility path. | Route type revert + `OPSMEMORY_ROUTER_ENABLED=false` (RMW-03). |
-| orchestrator.stella-ops.local | orchestrator | /api/approvals, /api/orchestrator, /api/release-orchestrator, /api/releases, /api/v1/orchestrator, /api/v1/release-orchestrator, /api/v1/workflows, /orchestrator, /v1/runs | C | Developer + Test Automation (Wave C) | Migrate all API/v1 and v1 routes first; keep root compatibility path until control-plane acceptance. | Route type revert + `ORCHESTRATOR_ROUTER_ENABLED=false` (RMW-03). |
+| jobengine.stella-ops.local | orchestrator | /api/approvals, /api/jobengine, /api/release-orchestrator, /api/releases, /api/v1/jobengine, /api/v1/release-orchestrator, /api/v1/workflows, /orchestrator, /v1/runs | C | Developer + Test Automation (Wave C) | Migrate all API/v1 and v1 routes first; keep root compatibility path until control-plane acceptance. | Route type revert + `ORCHESTRATOR_ROUTER_ENABLED=false` (RMW-03). |
 | packsregistry.stella-ops.local | packsregistry-web | /packsregistry | A | Developer + Test Automation (Wave A) | Add API-form endpoint mapping if required, then migrate root compatibility route. | Route type revert + `PACKSREGISTRY_ROUTER_ENABLED=false` (RMW-03). |
 | platform.stella-ops.local | platform | /api, /api/admin, /api/analytics, /api/v1/authority/quotas, /api/v1/gateway/rate-limits, /api/v1/platform, /envsettings.json, /platform | C | Developer + Test Automation (Wave C) | Migrate API prefixes to Microservice; keep `/platform` and `/envsettings.json` reverse proxy for static/bootstrap behavior. | Route type revert + `PLATFORM_ROUTER_ENABLED=false` (RMW-03). |
 | policy-engine.stella-ops.local | policy-engine | /api/risk, /api/risk-budget, /api/v1/determinization, /policyEngine | C | Developer + Test Automation (Wave C) | Migrate API prefixes first; keep root compatibility path until control-plane verification completes. | Route type revert + `POLICY_ENGINE_ROUTER_ENABLED=false` (RMW-03). |