license switch agpl -> busl1, sprints work, new product advisories

docs/operations/devops/architecture.md

@@ -313,7 +313,7 @@ rustfs://stellaops/
 ### 7.5 PostgreSQL server baseline
 
 * **Minimum supported server:** PostgreSQL **16+**. Earlier versions lack required features (e.g., enhanced JSON functions, performance improvements).
-* **Deploy images:** Compose/Helm defaults stay on `postgres:16`. For air-gapped installs, refresh Offline Kit bundles so the packaged PostgreSQL image matches ≥16.
+* **Deploy images:** Compose/Helm defaults stay on `postgres:18.1`. For air-gapped installs, refresh Offline Kit bundles so the packaged PostgreSQL image matches ≥18.1.
 * **Upgrade guard:** During rollout, verify PostgreSQL major version ≥16 before applying schema migrations; automation should hard-stop if version check fails.
 
 ---
@@ -440,13 +440,22 @@ services:
   web-ui:
     image: registry.stella-ops.org/stellaops/web-ui@sha256:...
   postgres:
-    image: postgres:16
+    image: postgres:18.1
   valkey:
-    image: valkey/valkey:8.0
+    image: valkey/valkey:9.0.1
   rustfs:
-    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+    image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
+  rekor-cli:
+    image: ghcr.io/sigstore/rekor-cli:v1.4.3
+    profiles: ["sigstore"]
+  cosign:
+    image: ghcr.io/sigstore/cosign:v3.0.4
+    profiles: ["sigstore"]
 ```
 
+Sigstore tool containers are optional; enable with `docker compose --profile sigstore`.
+Rekor v2 overlay lives at `devops/compose/docker-compose.rekor-v2.yaml`; enable the same profile and point `REKOR_SERVER_URL` to the `rekor-v2` service.
+
 ---
 
 ## 14) Governance & keys (who owns the trust root)
@@ -487,3 +496,4 @@ services:
 ---
 
 **End — component_architecture_devops.md**
+

docs/operations/devops/runbooks/deployment-upgrade.md

@@ -49,7 +49,8 @@ Infrastructure components (PostgreSQL, Valkey, MinIO, RustFS) are pinned in the
    Archive the resulting `out/offline-kit/metadata/debug-store.json` alongside the kit bundle.
 
 5. **Review compatibility matrix**
-   Confirm PostgreSQL, Valkey, and RustFS versions in the release manifest match platform SLOs. The default targets are `postgres:16-alpine`, `valkey:8.0`, `rustfs:2025.10.0-edge`.
+   Confirm PostgreSQL, Valkey, and RustFS versions in the release manifest match platform SLOs. The default targets are `postgres:18.1-alpine`, `valkey:9.0.1`, `rustfs:2025.09.2`.
+   If the Sigstore tools profile is enabled, verify `rekor-cli:v1.4.3` and `cosign:v3.0.4`.
 
 6. **Create a rollback bookmark**  
    Record the current Helm revision (`helm history stellaops -n stellaops`) and compose tag (`git describe --tags`) before applying changes.

docs/operations/rekor-policy.md

@@ -184,7 +184,7 @@ attestor:
     # Rekor server URL (default: public Sigstore Rekor)
     serverUrl: "https://rekor.sigstore.dev"
 
-    # Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
+    # Log version: Auto or V2 (V2 uses tile-based Sunlight format)
     version: Auto
 
     # Log ID for multi-log environments (hex-encoded SHA-256)
@@ -193,8 +193,6 @@ attestor:
     # Tile base URL for V2 (optional, defaults to {serverUrl}/tile/)
     tileBaseUrl: ""
 
-    # Prefer tile proofs when version is Auto
-    preferTileProofs: false
 
     # Submission tier: graph-only | with-edges
     tier: graph-only

docs/operations/router-chaos-testing-runbook.md

@@ -177,7 +177,7 @@ docker-compose up router valkey
 curl http://localhost:8080/health
 
 # Verify Valkey connection
-docker exec -it valkey redis-cli ping
+docker exec -it valkey valkey-cli ping
 ```
 
 ### Debug Mode