stela ops usage fixes roles propagation and timoeut, one account to support multi tenants, migrations consolidation, search to support documentation, doctor and open api vector db search

docs/implplan/SPRINT_20260221_042_FE_mock_data_to_real_endpoint_cutover.md

@@ -180,15 +180,17 @@ Completion criteria:
 | 2026-02-21 | 042-T9 completed for inline runtime datasets: `simulation-history.component.ts`, `conflict-detection.component.ts`, `batch-evaluation.component.ts`, and `graph-explorer.component.ts` now load backend data through `POLICY_SIMULATION_API` and `GRAPH_PLATFORM_API` instead of inline mocks; app config now binds graph runtime base/token providers. | Developer (FE) |
 | 2026-02-21 | Validation after T9 cutover: `npm run build` (with `NODE_OPTIONS=--max-old-space-size=6144`) passed; targeted tests passed: `npx ng test --watch=false --include=src/tests/policy_studio/policy-simulation.behavior.spec.ts --include=src/tests/signals_runtime_dashboard/signals-runtime-dashboard.service.spec.ts` and `npx ng test --watch=false --include=src/tests/security-risk/security-risk-routes.spec.ts --include=src/tests/security-risk/sbom-graph-page.component.spec.ts`. | Developer (FE) |
 | 2026-02-21 | T12 documentation sync started: updated `docs/modules/ui/README.md` with runtime endpoint cutover summary and updated `docs/modules/ui/v2-rewire/S00_endpoint_contract_ledger_v2_pack22.md` with Policy Simulation + Graph Explorer endpoint rows reflecting runtime bindings. | Developer / Documentation author |
+| 2026-02-21 | Closed lineage compare mock gap: `lineage-compare.component.ts` now consumes real `whySafe` payloads from compare responses, `why-safe-panel.component.ts` removed inline mock explanation generation and renders directly from VEX/reachability/attestation compare data, and unused `lineage-why-safe-panel.component.ts` mock component was deleted. | Developer (FE) |
+| 2026-02-21 | Validation after lineage cutover: `npm run build` passed and targeted lineage verification passed via `npx ng test --watch=false --include=src/tests/lineage/lineage-compare-panel.component.spec.ts` (4/4 tests). | Developer (FE) |
 ## Decisions & Risks
 - Decision: runtime DI must resolve API tokens to HTTP clients; mock classes are test/dev assets only.
 - Decision: no new backend contracts are assumed in this sprint; if a required endpoint is missing, task becomes `BLOCKED` with explicit contract gap.
+- Decision: lineage compare client now normalizes both legacy and compare-service payload shapes (`componentDiff/vexDeltas[]` and `sbomDiff/vexDeltas.changes`) into the UI diff view-model to keep runtime bindings backend-driven.
 - Risk: payload shape drift between mock data and backend responses may break UI assumptions. Mitigation: add adapter layer + targeted tests before removing fallback.
 - Risk: component-level `providers` can silently override global DI. Mitigation: inventory + explicit removal task (042-T7) with verification.
 - Risk: direct `inject(Mock...)` usage bypasses app config contracts. Mitigation: mandatory tokenized refactor task (042-T8).
 - Cross-module note: docs updates required in `docs/modules/ui/**` and endpoint ledger docs under `docs/modules/ui/v2-rewire/`.
 - `BLOCKED` endpoint gap: `src/Web/StellaOps.Web/src/app/features/releases/state/release-detail.store.ts` still uses inline mock state and `setTimeout` flows; the store is not yet mapped to a finalized release-detail endpoint contract in the Pack 22 ledger row `S22-T03-REL-02`.
-- `BLOCKED` endpoint gap: `src/Web/StellaOps.Web/src/app/features/lineage/components/lineage-why-safe-panel/lineage-why-safe-panel.component.ts` still returns inline mock explanations; a tokenized API client/contract for "why-safe" explanation is not yet present in `core/api/**` runtime bindings.
 
 ## Next Checkpoints
 - 2026-02-22 UTC: Complete T1 inventory and finalize endpoint mapping/risk list.

docs/implplan/SPRINT_20260222_046_Router_gateway_spa_fallback_rustfs_healthcheck.md

@@ -0,0 +1,65 @@
+# Sprint 20260222.046 - Gateway SPA Fallback and RustFS Healthcheck
+
+## Topic & Scope
+- Fix gateway route collisions where browser deep links (for example `/policy`) could be dispatched to microservice endpoints instead of the SPA shell.
+- Stabilize local compose health reporting for RustFS by using an endpoint that returns success in S3 mode.
+- Working directory: `src/Router/`.
+- Cross-module edits explicitly allowed for this sprint: `devops/compose`, `docs/modules/router`, `src/Router/__Tests`.
+- Expected evidence: unit tests for route-dispatch behavior, compose health output, Playwright route verification.
+
+## Dependencies & Concurrency
+- Depends on current Router Gateway route table behavior in compose (`router-gateway-local.json`).
+- Depends on RustFS S3 runtime semantics (`/` returns 403, `/status` returns 200).
+- Work can proceed in parallel between gateway middleware changes and compose healthcheck updates.
+
+## Documentation Prerequisites
+- `docs/modules/router/architecture.md`
+- `docs/modules/router/webservice-integration-guide.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Delivery Tracker
+
+### RGH-01 - Gateway browser deep-link fallback for microservice routes
+Status: DONE
+Dependency: none
+Owners: Developer, Test Automation
+Task description:
+- Extend gateway `RouteDispatchMiddleware` SPA fallback behavior so browser document requests matching `Microservice` route prefixes are served by the SPA static fallback route.
+- Preserve backend dispatch for API paths by excluding `/api` and `/v1` prefixes from SPA fallback.
+- Add deterministic unit tests covering SPA fallback for `/policy`-style routes and non-fallback behavior for API routes.
+
+Completion criteria:
+- [x] Browser deep link to a microservice-prefixed SPA route resolves to SPA `index.html`.
+- [x] API-prefixed routes still dispatch to microservice pipeline.
+- [x] Unit tests cover both behaviors.
+
+### RGH-02 - RustFS compose healthcheck fix
+Status: DONE
+Dependency: none
+Owners: Developer
+Task description:
+- Update `docker-compose.stella-ops.yml` RustFS health probe from `/` to `/status` so health reflects actual S3-mode service readiness.
+- Verify compose service transitions to healthy with the updated probe command.
+
+Completion criteria:
+- [x] Compose RustFS healthcheck command uses `/status`.
+- [x] `docker compose ps` reports `stellaops-rustfs` healthy after update.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-02-22 | Sprint created for gateway SPA fallback + RustFS healthcheck stabilization. | Project Manager |
+| 2026-02-22 | Implemented microservice-route SPA fallback in `RouteDispatchMiddleware`; added unit tests for browser deep link vs API dispatch behavior. | Developer |
+| 2026-02-22 | Updated RustFS healthcheck probe to `/status` and revalidated compose health + Playwright route checks. | Developer |
+
+## Decisions & Risks
+- Decision: apply SPA fallback to both `ReverseProxy` and `Microservice` matched routes for browser document requests.
+- Decision: explicitly exclude `/api` and `/v1` from SPA fallback to prevent API browser requests being masked.
+- Risk: route-table prefix collisions can regress UI deep links after future route conversions. Mitigation: retain unit coverage in gateway middleware tests.
+- Risk: RustFS endpoint semantics can change across image versions. Mitigation: keep compose probe aligned with documented runtime status endpoint.
+- Docs links:
+- `docs/modules/router/webservice-integration-guide.md`
+
+## Next Checkpoints
+- Validate full route regression suite in CI after gateway image rebuild.
+- Add an integration test asserting deep-link `GET /policy` returns SPA shell in compose profile tests.

docs/implplan/SPRINT_20260222_051_AdvisoryAI_knowledge_search_docs_api_doctor.md

@@ -0,0 +1,140 @@
+# Sprint 20260222_051 - AdvisoryAI Knowledge Search
+
+## Topic & Scope
+- Deliver AdvisoryAI Knowledge Search (AKS) for deterministic retrieval across docs, OpenAPI, and Doctor checks.
+- Extend existing global search surfaces (Web + CLI) to resolve operational questions into grounded, actionable references.
+- Preserve existing Doctor execution behavior while adding searchable Doctor projections and recommendation affordances.
+- Working directory: `src/AdvisoryAI`.
+- Expected evidence: schema migration SQL, ingestion/search tests, CLI/Web integration tests, benchmark report, docs.
+
+## Dependencies & Concurrency
+- Depends on current AdvisoryAI and Doctor contracts:
+  - `src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Program.cs`
+  - `src/__Libraries/StellaOps.Doctor/**`
+  - `src/Doctor/StellaOps.Doctor.WebService/Endpoints/DoctorEndpoints.cs`
+- Cross-module edits are explicitly allowed for this sprint:
+  - `src/Cli/**` for `stella search` and `stella doctor suggest`.
+  - `src/Web/StellaOps.Web/**` for global search integration.
+  - `docs/modules/advisory-ai/**` and `docs/modules/cli/**` for contract/user docs.
+  - `devops/compose/**` for test DB harness.
+- Safe parallelism: AdvisoryAI ingestion/search internals can proceed in parallel with CLI/Web wiring once API contract is frozen.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/advisory-ai/architecture.md`
+- `docs/modules/cli/architecture.md`
+- `src/AdvisoryAI/AGENTS.md`
+- `src/Cli/AGENTS.md`
+- `src/Web/StellaOps.Web/AGENTS.md`
+
+## Delivery Tracker
+
+### AIAI-KS-001 - AdvisoryAI Knowledge Schema + Ingestion Core
+Status: DONE
+Dependency: none
+Owners: Developer / Implementer
+Task description:
+- Add AdvisoryAI knowledge schema and deterministic ingestion pipeline for Markdown docs, OpenAPI specs, and Doctor projections.
+- Implement deterministic IDs (doc/chunk), anchors, section paths, and span metadata required for exact source navigation.
+
+Completion criteria:
+- [x] Schema migration(s) create `kb_doc`, `kb_chunk`, `api_spec`, `api_operation`, and doctor projection tables with required indexes.
+- [x] Deterministic index rebuild command/service ingests docs + specs + doctor metadata with reproducible IDs.
+- [x] Ingestion supports product/version metadata and can run without external network dependencies.
+
+### AIAI-KS-002 - Hybrid Search API + Ranking
+Status: DONE
+Dependency: AIAI-KS-001
+Owners: Developer / Implementer
+Task description:
+- Implement `POST /v1/advisory-ai/search` with deterministic retrieval outputs for docs/api/doctor.
+- Provide FTS retrieval baseline plus optional vector retrieval and deterministic rank fusion, including stable fallback when embeddings are missing.
+
+Completion criteria:
+- [x] Search request/response contracts include typed open-actions and snippet/source evidence.
+- [x] Ranking includes deterministic tie-breaking and filter support (`type`, `product`, `version`, `service`, `tags`).
+- [x] API tests validate exact-string and paraphrase-like query behavior over seeded data.
+
+### AIAI-KS-003 - CLI Search + Doctor Suggest Integration
+Status: DONE
+Dependency: AIAI-KS-002
+Owners: Developer / Implementer
+Task description:
+- Add CLI command(s) to consume AKS and return human + JSON output with stable shape.
+- Add Doctor suggestion flow backed by the same retrieval stack to recommend checks/docs from symptom strings.
+
+Completion criteria:
+- [x] `stella search "<query>"` supports type/filter flags and deterministic JSON output.
+- [x] `stella doctor suggest "<symptom/error>"` returns recommended checks/docs/endpoints from AKS.
+- [x] CLI tests cover output shape and deterministic ordering.
+
+### AIAI-KS-004 - Web Global Search Integration
+Status: DONE
+Dependency: AIAI-KS-002
+Owners: Developer / Implementer
+Task description:
+- Rewire Web global search to AKS mixed results and render grouped docs/api/doctor hits with action affordances.
+- Keep keyboard and accessibility behaviors intact while adding type filters and action metadata rendering.
+
+Completion criteria:
+- [x] Global search client calls AdvisoryAI search API and maps result groups deterministically.
+- [x] UI exposes grouped hits with actionable links (open docs anchor, endpoint details/copy, run check).
+- [x] Targeted frontend tests cover rendering + result interaction for mixed types.
+
+### AIAI-KS-005 - Test DB + Dataset Generator + Quality Gates
+Status: DONE
+Dependency: AIAI-KS-001
+Owners: Developer / Implementer, Test Automation
+Task description:
+- Create dedicated Postgres+pgvector test harness and deterministic query dataset generator with ground truth mappings.
+- Add benchmark runner/reporting for recall@k and latency sanity checks.
+
+Completion criteria:
+- [x] Compose/scripts provision dedicated AKS test DB and load deterministic seed snapshot.
+- [x] Dataset generator emits >= 1,000 grounded queries across docs/api/doctor with expected targets.
+- [x] Automated test/benchmark path reports recall@5 and latency metrics in reproducible format.
+
+### AIAI-KS-006 - Documentation + Operational Runbook Sync
+Status: DONE
+Dependency: AIAI-KS-001
+Owners: Documentation author / Developer
+Task description:
+- Publish AKS design and operating guide: problem framing, schema, ingestion, ranking, API, CLI/UI usage, testing approach.
+- Update sprint decisions with doc links and operational caveats.
+
+Completion criteria:
+- [x] AdvisoryAI documentation includes AKS architecture and usage.
+- [x] CLI/Web docs reflect new search command + global search behavior.
+- [x] Sprint Decisions & Risks section links updated docs and known limitations.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-02-22 | Sprint created, scope authorized, and AIAI-KS-001 moved to DOING. | Developer |
+| 2026-02-22 | Implemented AKS schema and deterministic ingestion/rebuild pipeline for markdown + OpenAPI + doctor projections in AdvisoryAI. | Developer |
+| 2026-02-22 | Implemented AKS search API (`/api/v1/advisory-ai/search`) with typed open-actions, deterministic ranking, and fallback behavior. | Developer |
+| 2026-02-22 | Wired CLI (`search`, `doctor suggest`, `advisoryai index rebuild`) and added behavioral CLI tests for output contracts. | Developer |
+| 2026-02-22 | Rewired Web global search and command palette to AKS mixed docs/api/doctor results with actions and filter chips. | Developer |
+| 2026-02-22 | Added AKS benchmark dataset generator + benchmark runner tests and dedicated compose pgvector test harness. | Developer, Test Automation |
+| 2026-02-22 | Validation complete: AdvisoryAI tests `584/584`, CLI tests `1187/1187`, Web global-search spec `4/4`, Web build succeeded. | Developer |
+
+## Decisions & Risks
+- Decision: AKS ownership remains in `src/AdvisoryAI`; CLI/Web consume AKS via API contracts to avoid cross-module logic sprawl.
+- Decision: Doctor execution semantics remain in Doctor module; AKS only ingests projections/metadata and emits recommendation actions.
+- Risk: Existing workspace is heavily dirty (unrelated pre-existing edits). Mitigation: keep changes tightly scoped to listed sprint directories and avoid destructive cleanup.
+- Risk: OpenAPI sources are mixed (`openapi.json` and yaml). Mitigation: MVP prioritizes deterministic JSON ingestion; document yaml handling strategy.
+- Risk: Vector extension may be absent in some environments. Mitigation: FTS-only fallback path remains fully functional and deterministic.
+- Docs updated:
+  - `docs/modules/advisory-ai/knowledge-search.md`
+  - `docs/modules/advisory-ai/guides/api.md`
+  - `docs/modules/advisory-ai/README.md`
+  - `docs/modules/cli/guides/cli-reference.md`
+  - `docs/API_CLI_REFERENCE.md`
+- Risk: Microsoft.Testing.Platform ignores VSTest `--filter` in this repository. Mitigation: run target `.csproj` directly and record full-suite counts in validation logs.
+
+## Next Checkpoints
+- 2026-02-22: Schema + FTS endpoint + index rebuild MVP complete. (DONE)
+- 2026-02-22: CLI/Web wiring and targeted integration tests complete. (DONE)
+- 2026-02-22: Dataset generator, benchmark path, and docs finalization complete. (DONE)

docs/implplan/SPRINT_20260222_051_DOCS_migration_types_counts_runner_entrypoint_consolidation.md

@@ -0,0 +1,235 @@
+# Sprint 20260222.051 - Migration Types, Counts, and Runner Entrypoint Consolidation
+
+## Topic & Scope
+- Consolidate all database migration mechanisms to a single canonical model suitable for on-prem and updateable deployments.
+- Produce an authoritative migration inventory table per service with DAL type, migration location, migration count, and runner mechanism.
+- Standardize migration numbering/category rules and remove ambiguous or duplicated runner paths.
+- Enforce a phase gate: EF Core v10 models and Dapper to EF migration begin only after migration consolidation is implemented and validated.
+- Update operator-facing procedures in documentation, setup flow, CLI guidance, and Docker Compose guidance as part of the same consolidation stream.
+- Working directory: `docs/implplan/`.
+- Cross-module edits explicitly allowed for this sprint: `src/__Libraries/StellaOps.Infrastructure.Postgres`, `src/Platform/__Libraries/StellaOps.Platform.Database`, `src/Cli/StellaOps.Cli`, `src/**/Migrations`, `src/**/Database/Migrations`, `src/**/Storage`, `docs/db`, `docs/operations`, `docs/INSTALL_GUIDE.md`, `docs/API_CLI_REFERENCE.md`, `devops/compose/README.md`, `docs/modules/**`.
+- Expected evidence: migration inventory matrix, runner entrypoint map, cutover checklist, deterministic upgrade/replay logs, updated setup/CLI/compose procedure documents, phase-gate approval record.
+
+## Dependencies & Concurrency
+- Depends on:
+- `docs/README.md`
+- `docs/ARCHITECTURE_OVERVIEW.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- Safe concurrency:
+- Inventory extraction and migration counting can run in parallel per module.
+- Runner contract definition can proceed in parallel with numbering-rule proposal.
+- Runner cutovers must be sequential per module wave after contract approval.
+- EF Core v10 model work is blocked until migration consolidation is complete.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/ARCHITECTURE_OVERVIEW.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/implplan/AGENTS.md`
+- `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationRunner.cs`
+- `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationCategory.cs`
+- `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModuleRegistry.cs`
+
+## Delivery Tracker
+
+### MGC-01 - Migration inventory and mechanism taxonomy baseline
+Status: DONE
+Dependency: none
+Owners: Project Manager, Developer
+Task description:
+- Build the authoritative service migration matrix for the current repository state.
+- For each service/module, capture DAL type, migration file locations, migration count, and current runner entrypoint/mechanism.
+- Mark modules where migration files exist but runtime invocation is missing.
+
+Completion criteria:
+- [x] Matrix includes every service with database migration artifacts.
+- [x] DAL type and runner mechanism are identified for every matrix row.
+- [x] Missing invocation paths are explicitly listed as blockers or remediation tasks.
+
+### MGC-02 - Canonical migration mechanism and numbering policy
+Status: DONE
+Dependency: MGC-01
+Owners: Developer, Documentation Author
+Task description:
+- Define the single supported migration execution mechanism for production and upgrade flows.
+- Normalize migration numbering and category rules across modules.
+- Define compatibility handling for legacy schema version tables and custom history formats.
+
+Completion criteria:
+- [x] Policy defines one canonical runner mechanism and approved exceptions.
+- [x] Numbering/category rules are deterministic and documented.
+- [x] Legacy compatibility mapping exists for all non-canonical history tables.
+
+### MGC-03 - Runner entrypoint consolidation plan and implementation wave map
+Status: DONE
+Dependency: MGC-02
+Owners: Developer, Project Manager
+Task description:
+- Define the single entrypoint strategy for migration execution across startup, CLI, and deployment automation.
+- Map all module cutovers from custom or fragmented runners to the canonical entrypoint.
+- Produce implementation waves and dependency order with rollback markers.
+
+Completion criteria:
+- [x] One canonical runner entrypoint path is selected and documented.
+- [x] Every module is assigned to a cutover wave with explicit owner.
+- [x] Rollback and safety controls are defined per wave.
+
+### MGC-04 - Module cutover to canonical runner
+Status: DOING
+Dependency: MGC-03
+Owners: Developer
+Task description:
+- Migrate modules with custom migration executors to the shared runner contract.
+- Wire startup and CLI flows so the same canonical path executes migrations.
+- Remove dead runner paths after validation.
+
+Completion criteria:
+- [ ] Custom runner implementations are replaced or adapter-wrapped to canonical contract.
+- [ ] Startup and CLI both route through the same migration mechanism.
+- [ ] Removed runner paths are verified as no longer referenced.
+
+### MGC-05 - Migration count consolidation and baseline strategy
+Status: TODO
+Dependency: MGC-04
+Owners: Developer, Project Manager
+Task description:
+- Consolidate migration counts per module using approved baseline/squash strategy for long-lived on-prem upgrades.
+- Preserve deterministic replay and checksum integrity during consolidation.
+- Document versioning guarantees for existing installed customer environments.
+
+Completion criteria:
+- [ ] Target migration count and baseline strategy are published per module.
+- [ ] Replay/checksum behavior remains deterministic across upgraded environments.
+- [ ] Backward-compatibility rules are documented for in-field upgrades.
+
+### MGC-06 - On-prem upgrade rehearsal and verification
+Status: TODO
+Dependency: MGC-05
+Owners: Test Automation, Developer
+Task description:
+- Execute clean install and upgrade-path rehearsals using canonical migration entrypoint.
+- Validate deterministic outcomes across repeated runs and rollback/retry scenarios.
+- Capture evidence for release gating.
+
+Completion criteria:
+- [ ] Clean install and upgrade rehearsals pass with canonical runner.
+- [ ] Repeat runs are deterministic with no schema drift.
+- [ ] Rollback/retry paths are validated and documented.
+
+### MGC-07 - Phase gate for EF Core v10 and Dapper migration
+Status: TODO
+Dependency: MGC-06
+Owners: Project Manager, Developer, Documentation Author
+Task description:
+- Open the next-phase implementation stream for EF Core v10 model generation and Dapper-to-EF migration after consolidation verification passes.
+- Define scope boundaries so EF model changes do not alter migration governance decisions made in this sprint.
+- Produce handoff checklist and dependency references for the EF migration sprint.
+
+Completion criteria:
+- [ ] Explicit go/no-go decision is recorded for EF Core v10 phase start.
+- [ ] EF phase backlog is created with dependencies and module order.
+- [ ] Governance boundary between migration consolidation and ORM transition is documented.
+
+### MGC-08 - Documentation consolidation for migration operations
+Status: DONE
+Dependency: MGC-01
+Owners: Documentation Author, Project Manager
+Task description:
+- Update canonical migration docs to reflect the observed current state and the target consolidated mechanism.
+- Publish and maintain the authoritative migration inventory table (service, DAL type, migration locations, migration counts, runner mechanism, runner entrypoint).
+- Ensure migration governance docs link to concrete implementation files and runbooks.
+
+Completion criteria:
+- [x] `docs/db/MIGRATION_STRATEGY.md` and `docs/db/MIGRATION_CONVENTIONS.md` reflect consolidation policy and current-state caveats.
+- [x] Migration inventory artifact is published and referenced by the sprint.
+- [x] Documentation clearly distinguishes current implementation from target consolidated architecture.
+
+### MGC-09 - Setup procedure updates
+Status: DONE
+Dependency: MGC-08
+Owners: Documentation Author, Developer
+Task description:
+- Update installation and setup procedures to include migration preflight checks, migration execution path, and post-migration verification.
+- Align setup guidance with canonical runner entrypoint decisions and safety gates.
+
+Completion criteria:
+- [x] `docs/INSTALL_GUIDE.md` includes migration preflight and verification steps.
+- [x] Setup guidance references the canonical migration commands and expected outcomes.
+- [x] Procedure changes are validated for local, on-prem, and upgrade contexts.
+
+### MGC-10 - CLI procedure updates for migration operations
+Status: DONE
+Dependency: MGC-08
+Owners: Documentation Author, Developer
+Task description:
+- Update CLI reference documentation for migration run/status/verify flows and module coverage.
+- Document current limitations and target module expansion under consolidation waves.
+
+Completion criteria:
+- [x] `docs/API_CLI_REFERENCE.md` contains an explicit migration command section.
+- [x] Current module coverage and expected post-consolidation coverage are documented.
+- [x] CLI workflow examples are deterministic and automation-friendly.
+
+### MGC-11 - Docker Compose migration procedure updates
+Status: DONE
+Dependency: MGC-08
+Owners: DevOps, Documentation Author
+Task description:
+- Update Compose runbooks to include database migration preflight, startup migration behavior, and upgrade-time migration sequencing.
+- Align compose procedures with canonical migration runner entrypoint and rollback expectations.
+
+Completion criteria:
+- [x] `devops/compose/README.md` documents migration execution and validation in compose workflows.
+- [x] Compose upgrade path includes migration status checks before and after deployment.
+- [x] Rollback notes include migration-state considerations.
+
+### MGC-12 - Platform UI/API migration execution path (follow-on)
+Status: DONE
+Dependency: MGC-04
+Owners: Developer, Platform Service Owner
+Task description:
+- Define and implement Platform WebService administrative endpoints for migration status/verify/run operations.
+- Ensure endpoints use the same platform-owned registry and canonical runner path used by CLI.
+- Keep database execution server-side only; UI must invoke the Platform API and never connect directly to PostgreSQL.
+
+Completion criteria:
+- [x] Platform migration admin API contract is implemented with authorization and deterministic responses.
+- [x] API execution path consumes `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModuleRegistry.cs`.
+- [x] UI orchestration path is documented and linked from migration runbooks.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-02-22 | Sprint created to prioritize migration mechanism/type/count consolidation and single runner entrypoint unification before ORM transition. | Project Manager |
+| 2026-02-22 | Initial repository audit completed; baseline migration matrix dimensions identified and MGC-01 started. | Project Manager |
+| 2026-02-22 | Sprint scope expanded to require procedure updates across documentation, setup, CLI, and Docker Compose workflows; MGC-08 started. | Project Manager |
+| 2026-02-22 | Published baseline inventory (`docs/db/MIGRATION_INVENTORY.md`) and updated migration/setup/CLI/compose procedure docs for consolidation alignment. | Documentation Author |
+| 2026-02-22 | MGC-08 completed; MGC-10 and MGC-11 completed with updates in `docs/API_CLI_REFERENCE.md`, `devops/compose/README.md`, and deployment upgrade runbooks. MGC-09 remains DOING pending broader procedural validation. | Project Manager |
+| 2026-02-22 | MGC-01 completed with full migration inventory table including DAL type, migration locations/counts, mechanism type, and runner entrypoint status. | Project Manager |
+| 2026-02-22 | MGC-02 completed: canonical migration mechanism, deterministic numbering/category policy, and legacy history-table compatibility mapping were documented in `docs/db/MIGRATION_CONSOLIDATION_PLAN.md`, with strategy/conventions sync in `docs/db/MIGRATION_STRATEGY.md` and `docs/db/MIGRATION_CONVENTIONS.md`. | Documentation Author |
+| 2026-02-22 | MGC-03 completed: canonical runner entrypoint and wave-based module cutover map published in `docs/db/MIGRATION_CONSOLIDATION_PLAN.md` and linked from `docs/db/MIGRATION_INVENTORY.md`. | Project Manager |
+| 2026-02-22 | MGC-09 completed: setup/install procedure updated for canonical migration preflight/execution/verification flow in `docs/INSTALL_GUIDE.md`; supporting references synchronized in compose/CLI/upgrade runbooks. | Documentation Author |
+| 2026-02-22 | MGC-04 started (Wave W1): expanded migration registry coverage from 6 to 10 modules (`AirGap`, `Scanner`, `TimelineIndexer`, `Platform` added); updated CLI tests and inventory/CLI docs to reflect new coverage. | Developer |
+| 2026-02-22 | MGC-04 Wave W1 refinement: moved migration registry ownership from CLI into `src/Platform/__Libraries/StellaOps.Platform.Database/MigrationModuleRegistry.cs` and rewired CLI to consume the platform-owned registry as the canonical module catalog. | Developer |
+| 2026-02-22 | Added MGC-12 follow-on tracker so UI-driven migration execution is implemented via Platform WebService admin APIs using the same platform-owned registry and canonical runner path. | Project Manager |
+| 2026-02-22 | MGC-12 completed: implemented `/api/v1/admin/migrations/{modules,status,verify,run}` with `platform.setup.admin`, wired server-side execution through `PlatformMigrationAdminService` + platform-owned registry, updated setup/CLI/compose/upgrade docs for UI/API orchestration, and validated Platform WebService tests (`177/177` pass). | Developer |
+| 2026-02-22 | MGC-04 Wave W1 update: replaced hardcoded module list with plugin auto-discovery (`IMigrationModulePlugin`) so one migration plugin descriptor per web service is discovered by the consolidated runner path and consumed by both CLI and Platform API. | Developer |
+
+## Decisions & Risks
+- Decision: phase order is fixed. Migration mechanism/count/runner consolidation completes first, EF Core v10 migration starts only after MGC-06 and MGC-07 gate approval.
+- Risk: modules with custom history tables may break replay when moved to canonical runner. Mitigation: compatibility adapters and checksum-preserving migration history mapping.
+- Risk: migration files with no runtime invocation can create false confidence in upgrade readiness. Mitigation: mandatory invocation audit in MGC-01 and enforced cutover in MGC-04.
+- Risk: aggressive migration squashing may invalidate existing customer upgrade paths. Mitigation: per-module baseline strategy with explicit installed-version compatibility windows.
+- Risk: fragmented startup vs CLI execution can reintroduce drift. Mitigation: single entrypoint enforcement and wave-level regression checks.
+- Decision: migration module registry ownership is platform-level (`StellaOps.Platform.Database`) so CLI and future UI/API execution paths consume the same module catalog.
+- Decision: module catalog population is plugin-driven (`IMigrationModulePlugin`) with one migration plugin descriptor per web service, auto-discovered by `MigrationModulePluginDiscovery`.
+- Documentation synchronization for this sprint (contracts/procedures): `docs/db/MIGRATION_CONSOLIDATION_PLAN.md`, `docs/db/MIGRATION_STRATEGY.md`, `docs/db/MIGRATION_CONVENTIONS.md`, `docs/db/MIGRATION_INVENTORY.md`, `docs/INSTALL_GUIDE.md`, `docs/API_CLI_REFERENCE.md`, `devops/compose/README.md`, `docs/operations/upgrade-runbook.md`, `docs/operations/devops/runbooks/deployment-upgrade.md`, `docs/db/README.md`.
+
+## Next Checkpoints
+- 2026-02-23: MGC-01 baseline matrix complete and reviewed.
+- 2026-02-24: MGC-02 policy and MGC-03 wave map approved. (Completed 2026-02-22)
+- 2026-02-26: MGC-04 runner cutover implementation complete.
+- 2026-02-27: MGC-05 and MGC-06 consolidation and rehearsal evidence complete.
+- 2026-02-28: MGC-07 phase-gate decision and EF Core v10 handoff package complete.

docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.md

@@ -0,0 +1,154 @@
+# Sprint 20260222.052 - Router Endpoint Auth Scope and Description Backfill
+
+## Topic & Scope
+- Establish a complete endpoint-level inventory for Router OpenAPI with explicit authorization and description coverage status.
+- For every endpoint, track whether it is anonymous or authenticated, what scopes/roles/policies are declared, and what description improvements are required.
+- Convert the inventory into endpoint-level implementation actions (`authAction`, `descriptionAction`) so execution can proceed deterministically service-by-service.
+- Working directory: `docs/implplan`.
+- Expected evidence: full endpoint inventory CSV, per-service summary CSV, global summary JSON, execution waves for implementation.
+
+## Dependencies & Concurrency
+- Depends on current Router aggregate OpenAPI served at `https://stella-ops.local/openapi.json`.
+- Depends on current compose contract for auth metadata extension (`x-stellaops-gateway-auth`) and endpoint descriptions.
+- Safe parallelism:
+- Auth metadata backfill can run in parallel by service wave.
+- Description enrichment can run in parallel with auth metadata work once per-service owner is assigned.
+
+## Documentation Prerequisites
+- `docs/modules/router/architecture.md`
+- `docs/modules/router/aspnet-endpoint-bridge.md`
+- `docs/modules/router/webservice-integration-guide.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Endpoint Inventory Artifacts
+- Full endpoint listing with endpoint-level plan:
+- `docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.endpoints.csv`
+- Per-service rollup:
+- `docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.services.csv`
+- Global totals snapshot:
+- `docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.summary.json`
+- OpenAPI capture used for this sprint:
+- `docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.openapi_live.json`
+
+## Baseline Snapshot (Generated 2026-02-22)
+- Total operations: `2190`
+- Anonymous operations: `6`
+- Authenticated operations: `2184`
+- Operations with explicit scopes: `28`
+- Operations with explicit roles: `0`
+- Operations with policies: `156`
+- Operations with auth source `None`: `1991`
+- Descriptions requiring expansion (`same_as_summary` or `too_short`): `1507`
+
+## Delivery Tracker
+
+### RASD-01 - Produce full endpoint-level auth and description inventory
+Status: DONE
+Dependency: none
+Owners: Project Manager
+Task description:
+- Pull the live Router OpenAPI document and enumerate every HTTP operation.
+- For each operation, extract:
+- Service, method, path, operationId.
+- `allowAnonymous`, `requiresAuthentication`, `authSource`, `effectiveClaimSource`.
+- Scope, role, policy, and claim requirement details.
+- Description quality status.
+- Persist the result as a deterministic CSV under this sprint.
+
+Completion criteria:
+- [x] All operations in the current OpenAPI are represented in one inventory file.
+- [x] Every inventory row includes auth and description status columns.
+- [x] Inventory artifact is linked in this sprint.
+
+### RASD-02 - Attach endpoint-level planned actions for auth and descriptions
+Status: DONE
+Dependency: RASD-01
+Owners: Project Manager
+Task description:
+- Add per-endpoint plan columns to the inventory:
+- `authAction` values: `add_endpoint_auth_metadata`, `keep_or_refine_scope`, `policy_defined_scope_not_exported`, `verify_anonymous_intent`, `needs_auth_review`.
+- `descriptionAction` values: `expand_description`, `add_description`, `replace_http_stub_with_domain_semantics`, `keep_description`.
+- Ensure each endpoint row has a deterministic next action without requiring manual interpretation.
+
+Completion criteria:
+- [x] Every endpoint row has `authAction`.
+- [x] Every endpoint row has `descriptionAction`.
+- [x] Action taxonomy is documented in this sprint.
+
+### RASD-03 - Execute Wave A (missing endpoint auth metadata)
+Status: TODO
+Dependency: RASD-02
+Owners: Developer, Test Automation
+Task description:
+- Implement endpoint auth metadata for all operations marked `authAction=add_endpoint_auth_metadata` (`1991` endpoints).
+- Primary migration target is conversion of in-handler/manual checks to endpoint metadata where applicable (`[Authorize]`/`.RequireAuthorization(...)` and mapped policies/scopes).
+- Prioritized service order by count:
+- `orchestrator (313)`, `policy-engine (202)`, `notifier (197)`, `platform (165)`, `concelier (144)`, `policy-gateway (121)`, `findings-ledger (83)`, `advisoryai (81)`, `exportcenter (64)`, `excititor (55)`, then remaining services.
+
+Completion criteria:
+- [ ] Every endpoint currently marked `add_endpoint_auth_metadata` is migrated or explicitly justified.
+- [ ] OpenAPI no longer reports `source: "None"` for migrated endpoints.
+- [ ] Regression tests validate expected `401/403` behavior.
+
+### RASD-04 - Execute Wave B (scope/policy normalization and export fidelity)
+Status: TODO
+Dependency: RASD-03
+Owners: Developer, Test Automation
+Task description:
+- Resolve endpoints marked `policy_defined_scope_not_exported` (`128` endpoints, currently concentrated in `scanner`) so explicit scope semantics are exported consistently.
+- Review endpoints marked `needs_auth_review` (`37` endpoints, currently in `authority`) and decide whether they remain policy-only auth or receive explicit scope/role declarations.
+- Ensure resulting OpenAPI expresses effective scope/claim requirements where expected.
+
+Completion criteria:
+- [ ] `policy_defined_scope_not_exported` endpoints are eliminated or explicitly documented as policy-only.
+- [ ] `needs_auth_review` endpoints are classified and updated.
+- [ ] Endpoint security metadata is consistent with runtime authorization behavior.
+
+### RASD-05 - Execute Wave C (description enrichment)
+Status: TODO
+Dependency: RASD-02
+Owners: Documentation author, Developer
+Task description:
+- Enrich descriptions for all endpoints marked `descriptionAction=expand_description` (`1507` endpoints).
+- Replace terse or repeated summary text with domain semantics: purpose, side effects, key constraints, and error behavior.
+- Keep concise descriptions already marked `keep_description` unchanged unless auth behavior changes require updates.
+
+Completion criteria:
+- [ ] All endpoints flagged for description expansion have non-trivial descriptions.
+- [ ] Descriptions align with actual handler behavior and response contracts.
+- [ ] OpenAPI diff shows description improvements without schema regressions.
+
+### RASD-06 - Validate end-to-end and lock quality gates
+Status: TODO
+Dependency: RASD-03
+Owners: Test Automation, QA
+Task description:
+- Add deterministic quality checks that fail CI when:
+- Endpoint auth metadata is missing for non-anonymous endpoints.
+- Scope/role/policy metadata diverges from declared service authorization rules.
+- Endpoint descriptions regress to low-information forms.
+- Rebuild/redeploy and verify `https://stella-ops.local/openapi.json` reflects the updated metadata.
+
+Completion criteria:
+- [ ] Automated checks guard auth and description regressions.
+- [ ] Fresh compose deployment validates updated OpenAPI.
+- [ ] Sprint artifacts updated with final counts and diffs.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-02-22 | Sprint created for full endpoint auth/scope/description inventory and migration planning. | Project Manager |
+| 2026-02-22 | Generated endpoint inventory (`2190` operations) and per-endpoint planned actions in CSV artifacts. | Project Manager |
+| 2026-02-22 | Computed service-level backlog and execution waves for metadata + description remediation. | Project Manager |
+
+## Decisions & Risks
+- Decision: endpoint-level plan is encoded directly in the inventory file via `authAction` and `descriptionAction` so execution is deterministic per endpoint.
+- Decision: prioritize Wave A by highest-volume services to reduce `source=None` exposure first.
+- Risk: services using manual in-handler authorization checks may appear authenticated without exported scopes/roles in OpenAPI. Mitigation: convert to endpoint metadata and policy-mapped claims in Wave A/B.
+- Risk: large-scale description edits can drift from implementation. Mitigation: pair documentation updates with endpoint tests and OpenAPI diff checks.
+- Risk: runtime and OpenAPI drift if containers are restarted without rebuilt images. Mitigation: include rebuild + redeploy verification in RASD-06.
+
+## Next Checkpoints
+- Wave A kickoff: assign owners per service group and start with `orchestrator`, `policy-engine`, `notifier`, `platform`, `concelier`.
+- Wave B kickoff: `scanner` and `authority` normalization review.
+- Quality gate activation after first two services complete.

docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.services.csv

@@ -0,0 +1,39 @@
+"service","totalEndpoints","anonymousEndpoints","requiresAuthEndpoints","endpointsWithScopes","endpointsWithRoles","endpointsWithPolicies","authSourceNone","missingDescriptions","genericHttpDescriptions","sameAsSummaryDescriptions"
+"advisoryai","81","0","81","0","0","0","81","0","0","79"
+"airgap-controller","4","0","4","0","0","0","4","0","0","4"
+"attestor","45","0","45","0","0","0","45","0","0","38"
+"authority","45","6","39","0","0","0","2","0","0","39"
+"binaryindex","21","0","21","0","0","0","21","0","0","21"
+"concelier","144","0","144","0","0","0","144","0","0","136"
+"doctor","16","0","16","16","0","16","0","0","0","16"
+"doctor-scheduler","11","0","11","0","0","0","11","0","0","11"
+"evidencelocker","36","0","36","0","0","0","36","0","0","36"
+"excititor","55","0","55","0","0","0","55","0","0","51"
+"exportcenter","64","0","64","0","0","0","64","0","0","0"
+"findings-ledger","83","0","83","0","0","0","83","0","0","45"
+"integrations","20","0","20","0","0","0","20","0","0","0"
+"issuerdirectory","12","0","12","0","0","0","12","0","0","12"
+"notifier","197","0","197","0","0","0","197","0","0","164"
+"notify","49","0","49","0","0","0","49","0","0","49"
+"opsmemory","12","0","12","0","0","0","12","0","0","0"
+"orchestrator","313","0","313","0","0","0","313","0","0","0"
+"packsregistry","19","0","19","0","0","0","19","0","0","19"
+"platform","165","0","165","0","0","0","165","0","0","139"
+"policy-engine","202","0","202","0","0","0","202","0","0","170"
+"policy-gateway","121","0","121","0","0","0","121","0","0","54"
+"reachgraph","17","0","17","0","0","0","17","0","0","17"
+"replay","15","0","15","0","0","0","15","0","0","15"
+"riskengine","9","0","9","0","0","0","9","0","0","5"
+"sbomservice","51","0","51","0","0","0","51","0","0","51"
+"scanner","168","0","168","0","0","128","40","0","0","103"
+"scheduler","37","0","37","0","0","0","37","0","0","37"
+"signals","23","0","23","0","0","0","23","0","0","23"
+"signer","15","0","15","0","0","0","15","0","0","15"
+"smremote","6","0","6","0","0","0","6","0","0","6"
+"symbols","19","0","19","0","0","0","19","0","0","19"
+"taskrunner","33","0","33","0","0","0","33","0","0","33"
+"timelineindexer","12","0","12","12","0","12","0","0","0","0"
+"unknowns","8","0","8","0","0","0","8","0","0","0"
+"vexhub","16","0","16","0","0","0","16","0","0","0"
+"vexlens","36","0","36","0","0","0","36","0","0","0"
+"vulnexplorer","10","0","10","0","0","0","10","0","0","10"

docs/implplan/SPRINT_20260222_052_DOCS_router_endpoint_auth_scope_description_backfill.summary.json

@@ -0,0 +1,14 @@
+{
+    "generatedUtc":  "2026-02-22T17:24:57Z",
+    "endpointCount":  2190,
+    "anonymousEndpoints":  6,
+    "requiresAuthEndpoints":  2184,
+    "endpointsWithScopes":  28,
+    "endpointsWithRoles":  0,
+    "endpointsWithPolicies":  156,
+    "authSourceNone":  1991,
+    "missingDescriptions":  0,
+    "genericHttpDescriptions":  0,
+    "sameAsSummaryDescriptions":  1417,
+    "tooShortDescriptions":  90
+}