license switch agpl -> busl1, sprints work, new product advisories

This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions

View File

@@ -1,7 +1,7 @@
# Transparency Log Witness Deployment Plan (DEVOPS-ATTEST-74-001)
## Goals
- Deploy and monitor a Sigstore-compatible witness for Rekor v1/v2 logs (and air-gap mirrors).
- Deploy and monitor a Sigstore-compatible witness for Rekor v2 logs (and air-gap mirrors).
- Provide offline-ready configs and evidence (hashes, DSSE attestations) for bootstrap packs.
## Scope
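Review bot: narrowing the first Goals bullet from "Rekor v1/v2" to "Rekor v2" drops v1 without saying what happens to the v1 witness state and the air-gap mirrors of v1 logs that the previous wording covered; add a sentence stating whether v1 logs are still witnessed during the transition or when mirroring of them stops, so an operator reading the plan knows whether existing bootstrap packs stay valid.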

View File

@@ -11,12 +11,13 @@ These Compose bundles ship the minimum services required to exercise the scanner
| `docker-compose.prod.yaml` | Production cutover stack with front-door network hand-off and Notify events enabled. |
| `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
| `docker-compose.mirror.yaml` | Managed mirror topology for `*.stella-ops.org` distribution (Concelier + Excititor + CDN gateway). |
| `docker-compose.rekor-v2.yaml` | Rekor v2 tiles overlay (MySQL-free) for bundled transparency logs. |
| `docker-compose.telemetry.yaml` | Optional OpenTelemetry collector overlay (mutual TLS, OTLP ingest endpoints). |
| `docker-compose.telemetry-storage.yaml` | Prometheus/Tempo/Loki storage overlay with multi-tenant defaults. |
| `docker-compose.gpu.yaml` | Optional GPU overlay enabling NVIDIA devices for Advisory AI web/worker. Apply with `-f docker-compose.<env>.yaml -f docker-compose.gpu.yaml`. |
| `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
| `scripts/backup.sh` | Pauses workers and creates tar.gz of Mongo/MinIO/Redis volumes (deterministic snapshot). |
| `scripts/reset.sh` | Stops the stack and removes Mongo/MinIO/Redis volumes after explicit confirmation. |
| `scripts/backup.sh` | Pauses workers and creates tar.gz of Mongo/MinIO/Valkey volumes (deterministic snapshot). |
| `scripts/reset.sh` | Stops the stack and removes Mongo/MinIO/Valkey volumes after explicit confirmation. |
| `scripts/quickstart.sh` | Helper to validate config and start dev stack; set `USE_MOCK=1` to include `docker-compose.mock.yaml` overlay. |
| `docker-compose.mock.yaml` | Dev-only overlay with placeholder digests for missing services (orchestrator, policy-registry, packs, task-runner, VEX/Vuln stack). Use only with mock release manifest `deploy/releases/2025.09-mock-dev.yaml`. |
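Review bot: the `scripts/backup.sh` and `scripts/reset.sh` rows now say the Valkey volume is snapshotted and removed, but no change to either script appears in this commit; confirm both scripts reference the `valkey` volume name the compose files declare rather than the old Redis one, otherwise the table documents a snapshot that is never taken and a reset that leaves cache data behind.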
@@ -30,6 +31,19 @@ docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
### Rekor v2 overlay (tiles)
Use the overlay below and set the Rekor env vars in your `.env` file (see
`env/dev.env.example`):
```bash
docker compose --env-file dev.env \
-f docker-compose.dev.yaml \
-f docker-compose.rekor-v2.yaml \
--profile sigstore up -d
```
> **Surface.Secrets:** set `SCANNER_SURFACE_SECRETS_PROVIDER`/`SCANNER_SURFACE_SECRETS_ROOT` in your `.env` and point `SURFACE_SECRETS_HOST_PATH` to the decrypted bundle path (default `./offline/surface-secrets`). The stack mounts that path read-only into Scanner Web/Worker so `secret://` references resolve without embedding plaintext.
> **Graph Explorer reminder:** If you enable Cartographer or Graph API containers alongside these profiles, update `etc/authority.yaml` so the `cartographer-service` client is marked with `properties.serviceIdentity: "cartographer"` and carries a tenant hint. The Authority host now refuses `graph:write` tokens without that marker, so apply the configuration change before rolling out the updated images.
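Review bot: the new "Rekor v2 overlay (tiles)" section never tells the reader to repoint `REKOR_SERVER_URL` at the overlay's `rekor-v2` service; the env examples carry that only as a comment (`http://rekor-v2:3000`), and with the shipped default of `https://rekor.sigstore.dev` the Attestor keeps submitting to the public log while the local tiles container sits idle. Add one sentence after the compose snippet, e.g. "set `REKOR_SERVER_URL=http://rekor-v2:3000` in `.env` so the Attestor/Scanner use the local log".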

View File

@@ -20,7 +20,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:17
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
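Review bot: `postgres:17` to `postgres:18.1` is a major-version bump on a service backed by a persisted volume; PostgreSQL refuses to start on a data directory written by an older major version, so `up -d` against the existing volume fails until the cluster is migrated (pg_upgrade or dump/restore). The same applies to every `postgres:16` to `18.1` change further down in this commit. Add a migration note to the README next to the overlay section, or a one-shot upgrade step under `scripts/`.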
@@ -48,7 +48,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -60,7 +60,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
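Review bot: the `rustfs` image moves from `2025.10.0-edge` to `2025.09.2`, which is a step back to an older tag rather than an upgrade, and the commit message does not mention it. If the intent is to pin to the last release build instead of an edge build, say so in a comment above the `image:` line, and confirm that data already written under `/data` by `2025.10.0-edge` is readable by `2025.09.2`, since this volume holds the artifacts the rest of the stack attests over.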
@@ -74,6 +74,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
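Review bot: the new `rekor-cli` and `cosign` services run `command: ["version"]` and exit, so `docker compose --profile sigstore up -d` starts two containers that stop immediately and show as exited in the stack; if they are meant as tool containers for `docker compose run --rm rekor-cli <args>`, say so in a comment above them. Also, `nats` in the same hunk is pinned by `@sha256:` digest while `rekor-cli:v1.4.3` and `cosign:v3.0.4` are pinned by mutable tag; for the tooling that verifies attestations, pin by digest as well so the offline bundle hashes stay reproducible.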
@@ -381,3 +399,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -52,7 +52,7 @@ volumes:
services:
# Primary CAS storage - runtime facts, signals, replay artifacts
rustfs-cas:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -99,7 +99,7 @@ services:
# Evidence storage - Merkle roots, hash chains, evidence bundles (immutable)
rustfs-evidence:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data", "--immutable"]
restart: unless-stopped
environment:
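Review bot: `rustfs-evidence` keeps `--immutable` in its command while the image moves back to `2025.09.2`; confirm that flag exists in the older build, because the immutable evidence and attestation stores (this hunk and the `rustfs-attestation` hunk below) are what guarantee stored Merkle roots and DSSE envelopes cannot be rewritten, and an unrecognised flag would stop the service from starting.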
@@ -135,7 +135,7 @@ services:
# Attestation storage - DSSE envelopes, in-toto attestations (immutable)
rustfs-attestation:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data", "--immutable"]
restart: unless-stopped
environment:
@@ -169,6 +169,24 @@ services:
retries: 3
start_period: 10s
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- cas
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- cas
labels: *release-labels
# Lifecycle manager - enforces retention policies
cas-lifecycle:
image: registry.stella-ops.org/stellaops/cas-lifecycle:2025.10.0-edge
@@ -189,3 +207,4 @@ services:
networks:
- cas
labels: *release-labels

View File

@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -9,10 +9,12 @@
# docker compose -f devops/compose/docker-compose.ci.yaml down -v
#
# Services:
# - postgres-ci: PostgreSQL 16 for integration tests (port 5433)
# - postgres-ci: PostgreSQL 18.1 for integration tests (port 5433)
# - valkey-ci: Valkey/Redis for caching tests (port 6380)
# - nats-ci: NATS JetStream for messaging tests (port 4223)
# - mock-registry: Local container registry for release testing (port 5001)
# - rekor-cli: Rekor CLI tool (profile: sigstore)
# - cosign: Cosign tool (profile: sigstore)
#
# =============================================================================
@@ -29,10 +31,10 @@ volumes:
services:
# ---------------------------------------------------------------------------
# PostgreSQL 16 - Primary database for integration tests
# PostgreSQL 18.1 - Primary database for integration tests
# ---------------------------------------------------------------------------
postgres-ci:
image: postgres:16-alpine
image: postgres:18.1-alpine
container_name: stellaops-postgres-ci
environment:
POSTGRES_USER: stellaops_ci
@@ -55,10 +57,10 @@ services:
restart: unless-stopped
# ---------------------------------------------------------------------------
# Valkey 8.0 - Redis-compatible cache for caching tests
# Valkey 9.0.1 - Redis-compatible cache for caching tests
# ---------------------------------------------------------------------------
valkey-ci:
image: valkey/valkey:8.0-alpine
image: valkey/valkey:9.0.1-alpine
container_name: stellaops-valkey-ci
command: ["valkey-server", "--appendonly", "yes", "--maxmemory", "256mb", "--maxmemory-policy", "allkeys-lru"]
ports:
@@ -74,6 +76,25 @@ services:
retries: 5
restart: unless-stopped
# ---------------------------------------------------------------------------
# Sigstore tools - Rekor CLI and Cosign (on-demand)
# ---------------------------------------------------------------------------
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- ci-net
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- ci-net
# ---------------------------------------------------------------------------
# NATS JetStream - Message queue for messaging tests
# ---------------------------------------------------------------------------
@@ -128,3 +149,4 @@ services:
timeout: 5s
retries: 5
restart: unless-stopped

View File

@@ -19,7 +19,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -36,7 +36,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -47,22 +47,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -363,3 +381,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -23,7 +23,7 @@ volumes:
services:
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -34,22 +34,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -123,7 +141,7 @@ services:
labels: *release-labels
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -378,3 +396,5 @@ services:
- stellaops
- frontdoor
labels: *release-labels

View File

@@ -0,0 +1,34 @@
# Rekor v2 tiles stack (MySQL-free).
# Usage:
# docker compose -f devops/compose/docker-compose.dev.yaml \
# -f devops/compose/docker-compose.rekor-v2.yaml --profile sigstore up -d
#
# Notes:
# - This overlay runs Rekor v2 (rekor-tiles) with a POSIX tiles volume.
# - Pin the image digest via REKOR_TILES_IMAGE in your env file.
# - Keep it on the internal stellaops network unless you explicitly need
# external access.
x-rekor-v2-labels: &rekor-v2-labels
com.stellaops.profile: "sigstore"
com.stellaops.component: "rekor-v2"
networks:
stellaops:
driver: bridge
volumes:
rekor-tiles-data:
services:
rekor-v2:
image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
restart: unless-stopped
networks:
- stellaops
volumes:
- rekor-tiles-data:/var/lib/rekor-tiles
# Backend-specific flags/env are intentionally omitted here; follow the
# rekor-tiles documentation for POSIX backend defaults.
profiles: ["sigstore"]
labels: *rekor-v2-labels
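Review bot: the default `${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}` contradicts the header note "Pin the image digest via REKOR_TILES_IMAGE": anyone who does not set the variable runs an unpinned `latest` transparency log, the one component whose identity the rest of the attestation chain depends on. Ship a pinned tag or digest as the default instead of `latest`. Separately, the service declares no `ports`, no `command` and no healthcheck, and the comment says backend flags are "intentionally omitted", yet the env examples expect it at `http://rekor-v2:3000`; as written the overlay does not bring up a reachable log, so either add the POSIX backend flags and listen port here or label the overlay a skeleton in the README.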

View File

@@ -32,7 +32,7 @@ volumes:
services:
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -49,7 +49,7 @@ services:
labels: *release-labels
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -61,7 +61,7 @@ services:
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
@@ -75,6 +75,24 @@ services:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
@@ -299,3 +317,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -20,7 +20,7 @@ volumes:
services:
valkey:
image: docker.io/valkey/valkey:8.0
image: docker.io/valkey/valkey:9.0.1
restart: unless-stopped
command: ["valkey-server", "--appendonly", "yes"]
volumes:
@@ -32,7 +32,7 @@ services:
labels: *release-labels
postgres:
image: docker.io/library/postgres:16
image: docker.io/library/postgres:18.1
restart: unless-stopped
environment:
POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
@@ -47,22 +47,40 @@ services:
- stellaops
labels: *release-labels
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
rustfs:
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
restart: unless-stopped
environment:
RUSTFS__LOG__LEVEL: info
RUSTFS__STORAGE__PATH: /data
volumes:
- rustfs-data:/data
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
nats:
ports:
- "${RUSTFS_HTTP_PORT:-8080}:8080"
networks:
- stellaops
labels: *release-labels
rekor-cli:
image: ghcr.io/sigstore/rekor-cli:v1.4.3
entrypoint: ["rekor-cli"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
cosign:
image: ghcr.io/sigstore/cosign:v3.0.4
entrypoint: ["cosign"]
command: ["version"]
profiles: ["sigstore"]
networks:
- stellaops
labels: *release-labels
nats:
image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
command:
- "-js"
@@ -367,3 +385,5 @@ services:
networks:
- stellaops
labels: *release-labels

View File

@@ -24,6 +24,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true
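Review bot: this block sets `REKOR_VERSION=V2` while leaving `REKOR_SERVER_URL=https://rekor.sigstore.dev` and a production `REKOR_LOG_ID`; confirm that endpoint serves the tile API the V2 client will call at `{REKOR_SERVER_URL}/tile/`, because the previous default was `Auto` (see the `dev.env.example` hunk below) and forcing V2 against a server that only speaks v1 fails on the first inclusion-proof fetch. If the public v2 log lives at a different URL, make that the default here; the same block is repeated in the other env examples in this commit.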

View File

@@ -24,16 +24,17 @@ SIGNER_PORT=8441
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=Auto
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Prefer tile proofs when Version=Auto
REKOR_PREFER_TILE_PROOFS=false
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
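Review bot: `V1` is dropped from the documented `REKOR_VERSION` values and the default becomes `V2`, but `REKOR_PREFER_TILE_PROOFS` is kept with the comment "Prefer tile proofs when Version=Auto", so under the new default that setting has no effect; either say it only applies when `REKOR_VERSION=Auto` is chosen explicitly, or remove it. If the Attestor still accepts `V1`, keep it listed in the comment so operators pointing at a v1 mirror know the value exists.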

View File

@@ -25,6 +25,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true

View File

@@ -24,6 +24,19 @@ SIGNER_PORT=8441
# Attestor
ATTESTOR_PORT=8442
# Rekor Configuration (Attestor/Scanner)
# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
REKOR_SERVER_URL=https://rekor.sigstore.dev
# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
REKOR_VERSION=V2
# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
REKOR_TILE_BASE_URL=
# Log ID for multi-log environments (Sigstore production log ID)
REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
# Rekor v2 tiles image (pin to digest when mirroring)
REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
# Issuer Directory
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true

View File

@@ -2,7 +2,7 @@ version: "3.9"
services:
stella-postgres:
image: postgres:17
image: postgres:18.1
container_name: stella-postgres
restart: unless-stopped
environment:
@@ -29,3 +29,4 @@ services:
volumes:
stella-postgres-data:
driver: local

View File

@@ -16,7 +16,8 @@ ENV DEBIAN_FRONTEND=noninteractive
ENV DOTNET_VERSION=10.0.100
ENV NODE_VERSION=20
ENV HELM_VERSION=3.16.0
ENV COSIGN_VERSION=2.2.4
ENV COSIGN_VERSION=3.0.4
ENV REKOR_VERSION=1.4.3
ENV TZ=UTC
# Disable .NET telemetry
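Review bot: `ENV REKOR_VERSION=1.4.3` reuses the name the env examples use for the log version (`REKOR_VERSION=V2`); inside this image any Attestor/Scanner test that reads `REKOR_VERSION` from the environment gets `1.4.3` instead of a log version. Rename the image variable to something like `REKOR_CLI_VERSION` (the download URL and the `rekor-cli version` check are its only users). Also, `COSIGN_VERSION` jumps a major version (2.2.4 to 3.0.4); check the scripts that call `cosign` for changed defaults before this image reaches the pipeline.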
@@ -118,13 +119,22 @@ RUN curl -fsSL https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz | \
# ===========================================================================
# COSIGN
# ===========================================================================
# ===========================================================================
RUN curl -fsSL https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 \
-o /usr/local/bin/cosign \
&& chmod +x /usr/local/bin/cosign \
&& cosign version
# ===========================================================================
# REKOR CLI
# ===========================================================================
RUN curl -fsSL https://github.com/sigstore/rekor/releases/download/v${REKOR_VERSION}/rekor-cli-linux-amd64 \
-o /usr/local/bin/rekor-cli \
&& chmod +x /usr/local/bin/rekor-cli \
&& rekor-cli version
# ===========================================================================
# SYFT (SBOM generation)
# ===========================================================================
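Review bot: both the `cosign` download and the new `rekor-cli` download install release binaries with no checksum or signature verification, and this is the image that will be trusted to verify everyone else's signatures; `chmod +x` followed by `version` only proves the file executes. Pin a `sha256` per binary the way `GHIDRA_SHA256` is passed to the Ghidra image in this commit and check it before `chmod`, e.g. `echo "${COSIGN_SHA256}  /usr/local/bin/cosign" | sha256sum -c -`. Also, the `# ====` separator on the COSIGN header is now doubled (four lines where the REKOR CLI header has three); drop one.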
@@ -153,6 +163,7 @@ RUN printf '%s\n' \
'echo "npm: $(npm --version)"' \
'echo "Helm: $(helm version --short)"' \
'echo "Cosign: $(cosign version 2>&1 | head -1)"' \
'echo "Rekor CLI: $(rekor-cli version 2>&1 | head -1)"' \
'echo "Docker: $(docker --version 2>/dev/null || echo Not available)"' \
'echo "PostgreSQL client: $(psql --version)"' \
'echo "=== All checks passed ==="' \

View File

@@ -1,5 +1,5 @@
# Copyright (c) StellaOps. All rights reserved.
# Licensed under AGPL-3.0-or-later.
# Licensed under BUSL-1.1.
# Function Behavior Corpus PostgreSQL Database
#
@@ -11,7 +11,7 @@
services:
corpus-postgres:
image: postgres:16-alpine
image: postgres:18.1-alpine
container_name: stellaops-corpus-db
environment:
POSTGRES_DB: stellaops_corpus
@@ -40,3 +40,4 @@ volumes:
networks:
stellaops-corpus:
driver: bridge

View File

@@ -1,7 +1,7 @@
-- =============================================================================
-- CORPUS TEST DATA - Minimal corpus for integration testing
-- Copyright (c) StellaOps. All rights reserved.
-- Licensed under AGPL-3.0-or-later.
-- Licensed under BUSL-1.1.
-- =============================================================================
-- Set tenant for test data

View File

@@ -1,5 +1,5 @@
# Copyright (c) StellaOps. All rights reserved.
# Licensed under AGPL-3.0-or-later.
# Licensed under BUSL-1.1.
# Ghidra Headless Analysis Server for BinaryIndex
#
@@ -24,7 +24,7 @@ ARG GHIDRA_SHA256
LABEL org.opencontainers.image.title="StellaOps Ghidra Headless"
LABEL org.opencontainers.image.description="Ghidra headless analysis server with ghidriff for BinaryIndex"
LABEL org.opencontainers.image.version="${GHIDRA_VERSION}"
LABEL org.opencontainers.image.licenses="AGPL-3.0-or-later"
LABEL org.opencontainers.image.licenses="BUSL-1.1"
LABEL org.opencontainers.image.source="https://github.com/stellaops/stellaops"
LABEL org.opencontainers.image.vendor="StellaOps"

View File

@@ -1,5 +1,5 @@
# Copyright (c) StellaOps. All rights reserved.
# Licensed under AGPL-3.0-or-later.
# Licensed under BUSL-1.1.
# BSim PostgreSQL Database and Ghidra Headless Services
#
@@ -13,7 +13,7 @@ version: '3.8'
services:
bsim-postgres:
image: postgres:16-alpine
image: postgres:18.1-alpine
container_name: stellaops-bsim-db
environment:
POSTGRES_DB: bsim_corpus
@@ -75,3 +75,4 @@ volumes:
networks:
stellaops-bsim:
driver: bridge

View File

@@ -1,6 +1,6 @@
-- BSim PostgreSQL Schema Initialization
-- Copyright (c) StellaOps. All rights reserved.
-- Licensed under AGPL-3.0-or-later.
-- Licensed under BUSL-1.1.
--
-- This script creates the core BSim schema structure.
-- Note: Full Ghidra BSim schema is auto-created by Ghidra tools.

View File

@@ -151,6 +151,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
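Review bot: the added comment calls `SCANNER__EVENTS__DRIVER` the "cache driver", but the key sits under `SCANNER__EVENTS__` beside `DSN` and `STREAM`, so it selects the events stream backend, not a cache; reword to "events stream driver (Valkey, Redis-protocol compatible)". The same comment is repeated in the other values files in this commit.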
@@ -175,6 +176,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -290,7 +292,7 @@ services:
claimName: stellaops-minio-data
rustfs:
class: infrastructure
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
service:
port: 8080
command:
@@ -323,3 +325,4 @@ services:
volumeClaims:
- name: nats-data
claimName: stellaops-nats-data

View File

@@ -56,9 +56,9 @@ database:
minSize: 5
maxSize: 25
redis:
# Separate Redis instance per environment to avoid cache conflicts
host: redis-blue.stellaops-blue.svc.cluster.local
valkey:
# Separate Valkey (Redis-compatible) instance per environment to avoid cache conflicts
host: valkey-blue.stellaops-blue.svc.cluster.local
database: 0
evidence:
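Review bot: the host changes from `redis-blue.stellaops-blue.svc.cluster.local` to `valkey-blue.stellaops-blue.svc.cluster.local`, which only resolves if the Kubernetes Service in the `stellaops-blue` namespace was renamed as well; no Service rename appears in this commit, so either include it or keep the old Service name until the cut-over. The same applies to the green values file below.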

View File

@@ -70,9 +70,9 @@ database:
minSize: 5
maxSize: 25
redis:
# Separate Redis instance per environment to avoid cache conflicts
host: redis-green.stellaops-green.svc.cluster.local
valkey:
# Separate Valkey (Redis-compatible) instance per environment to avoid cache conflicts
host: valkey-green.stellaops-green.svc.cluster.local
database: 0
evidence:

View File

@@ -116,6 +116,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -140,6 +141,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -243,7 +245,7 @@ services:
emptyDir: {}
rustfs:
class: infrastructure
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
service:
port: 8080
env:
@@ -270,3 +272,4 @@ services:
volumes:
- name: nats-data
emptyDir: {}

View File

@@ -175,6 +175,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "true"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
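Review bot: in this values file `SCANNER__EVENTS__ENABLED` is `"true"` while `SCANNER__EVENTS__DSN` stays `""`, so the scanner will try to publish to an empty DSN on start; if the DSN is injected from a secret at deploy time, add a comment saying so next to the key, otherwise set it here.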
@@ -202,6 +203,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "true"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -319,7 +321,7 @@ services:
claimName: stellaops-minio-data
rustfs:
class: infrastructure
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
service:
port: 8080
command:
@@ -337,3 +339,4 @@ services:
volumeClaims:
- name: rustfs-data
claimName: stellaops-rustfs-data

View File

@@ -116,6 +116,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -141,6 +142,7 @@ services:
SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
SCANNER__EVENTS__ENABLED: "false"
# Valkey (Redis-compatible) cache driver; keep "redis" for protocol compatibility.
SCANNER__EVENTS__DRIVER: "redis"
SCANNER__EVENTS__DSN: ""
SCANNER__EVENTS__STREAM: "stella.events"
@@ -210,7 +212,7 @@ services:
claimName: stellaops-minio-data
rustfs:
class: infrastructure
image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
service:
port: 8080
command:
@@ -243,3 +245,4 @@ services:
volumeClaims:
- name: nats-data
claimName: stellaops-nats-data

View File

@@ -140,7 +140,7 @@ function New-PluginManifest {
enabled = $Plugin.enabled
metadata = @{
author = "StellaOps"
license = "AGPL-3.0-or-later"
license = "BUSL-1.1"
}
}
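Review bot: `BUSL-1.1` is a valid SPDX identifier, so the replacement string is correct, but unlike `AGPL-3.0-or-later` the Business Source License is parameterised: its Change Date, Change License and Additional Use Grant live in the LICENSE text, not in the identifier. A consumer reading `metadata.license` from this plugin manifest cannot recover those terms, so consider adding a field such as `licenseUrl` (if the manifest schema allows it) that points at the repository LICENSE file. The same consideration applies to every other `AGPL-3.0-or-later` to `BUSL-1.1` replacement in this commit (NuGet `PackageLicenseExpression`, OCI `org.opencontainers.image.licenses` labels, `package.json`, SPDX file headers).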

View File

@@ -109,7 +109,7 @@ if [[ -z "$TEST_MODULE" ]]; then
<Version>0.0.1-test</Version>
<Authors>StellaOps</Authors>
<Description>Test package for registry validation</Description>
<PackageLicenseExpression>AGPL-3.0-or-later</PackageLicenseExpression>
<PackageLicenseExpression>BUSL-1.1</PackageLicenseExpression>
</PropertyGroup>
</Project>
EOF
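Review bot: `PackageLicenseExpression` must be an SPDX expression and `BUSL-1.1` qualifies, so the registry validation this test package exercises should still pass against an internal feed. One caveat worth a comment in the script: nuget.org only accepts license expressions built from OSI- or FSF-approved licenses, and BUSL-1.1 is neither, so if this test package were ever pushed to nuget.org the push would be rejected for the license rather than for whatever the test is meant to validate.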

View File

@@ -40,7 +40,7 @@ services:
restart: unless-stopped
valkey:
image: valkey/valkey:8-alpine
image: valkey/valkey:9.0.1-alpine
container_name: stellaops-authority-valkey
command: ["valkey-server", "--save", "60", "1"]
volumes:
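Review bot: `valkey/valkey:8-alpine` to `valkey/valkey:9.0.1-alpine` is a major-version bump for the Authority service's Valkey instance, and the hunk shows no accompanying change to `command` or persistence options; note in the commit whether 9.x was tested against an existing `valkey-data` volume written by 8.x (RDB snapshots produced by `--save 60 1`). Pinning to a patch tag is an improvement over the floating `8-alpine`, but the tag is still mutable on Docker Hub, so pin by digest (`valkey/valkey:9.0.1-alpine@sha256:<digest>`). The same bump appears for `signals-valkey` further down, which additionally publishes `56379:6379` on the host with no authentication visible in its `command`; that is pre-existing, but worth a look while the image is being touched.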
@@ -56,3 +56,4 @@ volumes:
mongo-data:
valkey-data:
authority-keys:

View File

@@ -1,7 +1,7 @@
version: "3.9"
services:
orchestrator-postgres:
image: postgres:16-alpine
image: postgres:18.1-alpine
environment:
POSTGRES_USER: orch
POSTGRES_PASSWORD: orchpass
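Review bot: `postgres:16-alpine` to `postgres:18.1-alpine` skips two major versions, and PostgreSQL major upgrades are not in-place: a data directory initialised by 16 is not opened by an 18 server, so an existing `orch_pg_data` volume (declared in the following hunk) will make `orchestrator-postgres` fail to start until the data is dumped and restored or migrated with `pg_upgrade`. Either add that migration step to the runbook for this compose file, or, if this is a throwaway dev stack, say so in a comment next to the image line. Unrelated to this change but visible in the hunk: `POSTGRES_PASSWORD: orchpass` is a hard-coded plaintext credential and belongs in an `.env` file or secret rather than the committed compose file.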
@@ -47,3 +47,4 @@ services:
volumes:
orch_pg_data:
orch_mongo_data:

View File

@@ -90,7 +90,7 @@ LABEL org.opencontainers.image.title="StellaOps Orchestrator WebService" \
org.opencontainers.image.revision="${GIT_SHA}" \
org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/stellaops" \
org.opencontainers.image.vendor="StellaOps" \
org.opencontainers.image.licenses="AGPL-3.0-or-later" \
org.opencontainers.image.licenses="BUSL-1.1" \
org.stellaops.release.channel="${CHANNEL}" \
org.stellaops.component="orchestrator-web"
@@ -117,7 +117,7 @@ LABEL org.opencontainers.image.title="StellaOps Orchestrator Worker" \
org.opencontainers.image.revision="${GIT_SHA}" \
org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/stellaops" \
org.opencontainers.image.vendor="StellaOps" \
org.opencontainers.image.licenses="AGPL-3.0-or-later" \
org.opencontainers.image.licenses="BUSL-1.1" \
org.stellaops.release.channel="${CHANNEL}" \
org.stellaops.component="orchestrator-worker"

View File

@@ -84,7 +84,7 @@
## Compliance
- [ ] AGPL-3.0-or-later license headers in all source files
- [ ] BUSL-1.1 license headers in all source files
- [ ] Third-party license notices collected and bundled
- [ ] Attestation chain verifiable via `stella attest verify`
- [ ] Air-gap deployment tested in isolated network
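Review bot: the checklist item `BUSL-1.1 license headers in all source files` describes a state that cannot be confirmed from this commit alone; the hunks visible here update `SPDX-License-Identifier` lines in a handful of scripts, and the remaining source files are not shown. A manual checkbox is not verifiable at review time, so back it with an automated check wired into CI (for example a `reuse lint` run, or a grep for `SPDX-License-Identifier: AGPL-3.0-or-later` that must return no matches) and reference that check from the checklist.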

View File

@@ -37,7 +37,7 @@ services:
retries: 5
signals-valkey:
image: valkey/valkey:8-alpine
image: valkey/valkey:9.0.1-alpine
ports:
- "56379:6379"
command: ["valkey-server", "--save", "", "--appendonly", "no"]
@@ -50,3 +50,4 @@ services:
volumes:
signals_artifacts:
signals_mongo:

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# BENCH-AUTO-401-019: Compute FP/MTTD/repro metrics from bench findings
"""

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# BENCH-AUTO-401-019: Automate population of src/__Tests/__Benchmarks/findings/** from reachbench fixtures
"""

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# BENCH-AUTO-401-019: Run baseline benchmark automation
set -euo pipefail

View File

@@ -7,7 +7,7 @@
"": {
"name": "stella-callgraph-node",
"version": "1.0.0",
"license": "AGPL-3.0-or-later",
"license": "BUSL-1.1",
"dependencies": {
"@babel/parser": "^7.23.0",
"@babel/traverse": "^7.23.0",
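Review bot: the root entry (`""`) in `package-lock.json` mirrors `package.json`, and editing its `license` field by hand works for this one key, but it is easy to leave the two files out of sync in later edits. Regenerate the lockfile (`npm install --package-lock-only`) after changing `package.json` instead of patching both manually; note that `npm ci` only rejects a lockfile whose dependency set disagrees with `package.json` and does not compare the license field, so the regenerate step is the real safeguard here.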

View File

@@ -18,7 +18,7 @@
"static-analysis",
"security"
],
"license": "AGPL-3.0-or-later",
"license": "BUSL-1.1",
"dependencies": {
"@babel/parser": "^7.23.0",
"@babel/traverse": "^7.23.0",

View File

@@ -1,4 +1,4 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# QA-CORPUS-401-031: Deterministic runner for reachability corpus tests (Windows)
[CmdletBinding()]

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# QA-CORPUS-401-031: Deterministic runner for reachability corpus tests
set -euo pipefail

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# QA-CORPUS-401-031: Verify SHA-256 hashes in corpus manifest
set -euo pipefail

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-License-Identifier: BUSL-1.1
# Copyright (c) StellaOps
#
# bundle.sh - Bundle SBOM validators for air-gap deployment