license switch agpl -> busl1, sprints work, new product advisories

docs/operations/devops/architecture.md

@@ -313,7 +313,7 @@ rustfs://stellaops/
 ### 7.5 PostgreSQL server baseline
 
 * **Minimum supported server:** PostgreSQL **16+**. Earlier versions lack required features (e.g., enhanced JSON functions, performance improvements).
-* **Deploy images:** Compose/Helm defaults stay on `postgres:16`. For air-gapped installs, refresh Offline Kit bundles so the packaged PostgreSQL image matches ≥16.
+* **Deploy images:** Compose/Helm defaults stay on `postgres:18.1`. For air-gapped installs, refresh Offline Kit bundles so the packaged PostgreSQL image matches ≥18.1.
 * **Upgrade guard:** During rollout, verify PostgreSQL major version ≥16 before applying schema migrations; automation should hard-stop if version check fails.
 
 ---
@@ -440,13 +440,22 @@ services:
   web-ui:
     image: registry.stella-ops.org/stellaops/web-ui@sha256:...
   postgres:
-    image: postgres:16
+    image: postgres:18.1
   valkey:
-    image: valkey/valkey:8.0
+    image: valkey/valkey:9.0.1
   rustfs:
-    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+    image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
+  rekor-cli:
+    image: ghcr.io/sigstore/rekor-cli:v1.4.3
+    profiles: ["sigstore"]
+  cosign:
+    image: ghcr.io/sigstore/cosign:v3.0.4
+    profiles: ["sigstore"]
 ```
 
+Sigstore tool containers are optional; enable with `docker compose --profile sigstore`.
+Rekor v2 overlay lives at `devops/compose/docker-compose.rekor-v2.yaml`; enable the same profile and point `REKOR_SERVER_URL` to the `rekor-v2` service.
+
 ---
 
 ## 14) Governance & keys (who owns the trust root)
@@ -487,3 +496,4 @@ services:
 ---
 
 **End — component_architecture_devops.md**
+