stela ops usage fixes roles propagation and timoeut, one account to support multi tenants, migrations consolidation, search to support documentation, doctor and open api vector db search

devops/compose/README.md

@@ -71,6 +71,40 @@ Consolidated Docker Compose configuration for the StellaOps platform. All profil
 
 ## Usage Patterns
 
+### Migration Workflow (Compose)
+
+Use this sequence for deterministic migration handling in compose-based deployments:
+
+```bash
+# 1) Start stack (or restart after release image update)
+docker compose -f docker-compose.stella-ops.yml up -d
+
+# 2) Check migration status for CLI-registered modules
+stella system migrations-status --module all
+
+# 3) Verify checksums
+stella system migrations-verify --module all
+
+# 4) Preview release migrations
+stella system migrations-run --module all --category release --dry-run
+
+# 5) Execute release migrations when approved
+stella system migrations-run --module all --category release --force
+
+# 6) Re-check status
+stella system migrations-status --module all
+```
+
+This sequence is the canonical migration gate for on-prem upgradeable deployments.
+
+Current behavior details:
+
+- `./postgres-init` scripts execute only during first PostgreSQL initialization (`/docker-entrypoint-initdb.d` mount).
+- Some services run startup migrations via hosted services; others are currently CLI-only or not wired yet.
+- Use `docs/db/MIGRATION_INVENTORY.md` as the authoritative current-state matrix before production upgrades.
+- Consolidation target policy and module cutover waves are defined in `docs/db/MIGRATION_CONSOLIDATION_PLAN.md`.
+- UI-driven migration execution must use Platform admin endpoints (`/api/v1/admin/migrations/*`) and never direct browser-to-PostgreSQL access.
+
 ### Basic Development
 
 ```bash
@@ -83,10 +117,37 @@ docker compose -f docker-compose.stella-ops.yml config
 # Start the platform
 docker compose -f docker-compose.stella-ops.yml up -d
 
+# RustFS health probe (S3 mode)
+curl -fsS http://127.1.1.3:8080/status
+
 # View logs
 docker compose -f docker-compose.stella-ops.yml logs -f scanner-web
 ```
 
+### Router Mode Switching
+
+`router-gateway` now supports a compose-driven route table switch via `ROUTER_GATEWAY_CONFIG`.
+
+```bash
+# Default mode: microservice routing over Valkey messaging
+ROUTER_GATEWAY_CONFIG=./router-gateway-local.json \
+docker compose -f docker-compose.stella-ops.yml up -d
+
+# Reverse-proxy fallback mode (no route-table edits required)
+ROUTER_GATEWAY_CONFIG=./router-gateway-local.reverseproxy.json \
+docker compose -f docker-compose.stella-ops.yml up -d
+```
+
+Validation endpoints:
+
+```bash
+# Aggregated OpenAPI
+curl -k https://127.1.0.1/openapi.json
+
+# Timeline API schema (through router-gateway)
+curl -k https://127.1.0.1/openapi.json | jq '.paths["/api/v1/timeline"]'
+```
+
 ### With Observability
 
 ```bash
@@ -304,12 +365,23 @@ Only externally-reachable services (Authority, Signer, Attestor, Concelier, Scan
 
 ## Sigstore Tools
 
-Enable Sigstore CLI tools (rekor-cli, cosign) with the `sigstore` profile:
+Enable Sigstore CLI tools (`rekor-cli`, `cosign`) with the `sigstore` profile:
 
 ```bash
 docker compose -f docker-compose.stella-ops.yml --profile sigstore up -d
 ```
 
+Enable self-hosted Rekor v2 with the `sigstore-local` profile:
+
+```bash
+docker compose -f docker-compose.stella-ops.yml --profile sigstore-local up -d rekor-v2
+```
+
+`sigstore-local` requires:
+- Rekor signer key mounted at `../../etc/authority/keys/signing-dev.pem`
+- Tessera backend config: `REKOR_GCP_BUCKET` and `REKOR_GCP_SPANNER`
+- GCP ADC credentials available to the container runtime
+
 ---
 
 ## GPU Support for Advisory AI
@@ -367,8 +439,8 @@ docker compose -f docker-compose.stella-ops.yml \
 ```
 
 **Tile Proxy vs Rekor v2:**
-- Use `--profile sigstore` when running your own Rekor transparency log locally
-- Use `docker-compose.tile-proxy.yml` when caching tiles from public Sigstore (rekor.sigstore.dev)
+- Use `--profile sigstore-local` when running your own Rekor transparency log (GCP Tessera backend required).
+- Use `docker-compose.tile-proxy.yml` when caching tiles from public Sigstore (`rekor.sigstore.dev`).
 
 **Configuration:**
 | Variable | Default | Purpose |