Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

deploy/README.md

@@ -5,20 +5,34 @@ This directory contains deterministic deployment bundles for the core Stella Ops
 ## Structure
 
 - `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
-- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
-- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth.
-- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
-- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
+- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
+- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth.
+- `compose/docker-compose.telemetry.yaml` – optional OpenTelemetry collector overlay (mutual TLS, OTLP pipelines).
+- `compose/docker-compose.telemetry-storage.yaml` – optional Prometheus/Tempo/Loki stack for observability backends.
+- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
+- `telemetry/` – shared OpenTelemetry collector configuration and certificate artefacts (generated via tooling).
+- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
 
 ## Workflow
 
 1. Update or add a release manifest under `releases/` with the new digests.
 2. Mirror the digests into the Compose and Helm profiles that correspond to that channel.
-3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
-4. Commit the change alongside any documentation updates (e.g. install guide cross-links).
-
+3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
+4. If telemetry ingest is required for the release, generate development certificates using
+   `./ops/devops/telemetry/generate_dev_tls.sh` and run the collector smoke test with
+   `python ./ops/devops/telemetry/smoke_otel_collector.py` to verify the OTLP endpoints.
+5. Commit the change alongside any documentation updates (e.g. install guide cross-links).
+
 Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments.
 
+### Additional tooling
+
+- `deploy/tools/check-channel-alignment.py` – verifies that Helm/Compose profiles reference the exact images listed in a release manifest. Run it for each channel before promoting a release.
+- `ops/devops/telemetry/generate_dev_tls.sh` – produces local CA/server/client certificates for Compose-based collector testing.
+- `ops/devops/telemetry/smoke_otel_collector.py` – sends OTLP traffic and asserts the collector accepted traces, metrics, and logs.
+- `ops/devops/telemetry/package_offline_bundle.py` – packages telemetry assets (config/Helm/Compose) into a signed tarball for air-gapped installs.
+- `docs/ops/deployment-upgrade-runbook.md` – end-to-end instructions for upgrade, rollback, and channel promotion workflows (Helm + Compose).
+
 ## CI smoke checks
 
 The `.gitea/workflows/build-test-deploy.yml` pipeline includes a `notify-smoke` stage that validates scanner event propagation after staging deployments. Configure the following repository secrets (or environment-level secrets) so the job can connect to Redis and the Notify API: