Add TLS certificates and private keys for telemetry components

- Added CA certificate (ca.crt) and private key (ca.key) for secure communication.
- Added client certificate (client.crt) and private key (client.key) for client authentication.
- Added collector certificate (collector.crt) and private key (collector.key) for collector authentication.

.gitea/workflows/build-test-deploy.yml

@@ -81,12 +81,60 @@ jobs:
       - name: Validate telemetry storage configuration
         run: python3 ops/devops/telemetry/validate_storage_stack.py
 
+      - name: Telemetry tenant isolation smoke
+        env:
+          COMPOSE_DIR: ${GITHUB_WORKSPACE}/deploy/compose
+        run: |
+          set -euo pipefail
+          ./ops/devops/telemetry/generate_dev_tls.sh
+          COMPOSE_DIR="${COMPOSE_DIR:-${GITHUB_WORKSPACE}/deploy/compose}"
+          cleanup() {
+            set +e
+            (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry.yaml down -v --remove-orphans >/dev/null 2>&1)
+            (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry-storage.yaml down -v --remove-orphans >/dev/null 2>&1)
+          }
+          trap cleanup EXIT
+          (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry-storage.yaml up -d)
+          (cd "$COMPOSE_DIR" && docker compose -f docker-compose.telemetry.yaml up -d)
+          sleep 5
+          python3 ops/devops/telemetry/smoke_otel_collector.py --host localhost
+          python3 ops/devops/telemetry/tenant_isolation_smoke.py \
+            --collector https://localhost:4318/v1 \
+            --tempo https://localhost:3200 \
+            --loki https://localhost:3100
+
       - name: Setup .NET ${{ env.DOTNET_VERSION }}
         uses: actions/setup-dotnet@v4
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
           include-prerelease: true
 
+      - name: Build CLI multi-runtime binaries
+        run: |
+          set -euo pipefail
+          export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
+          RUNTIMES=(linux-x64 linux-arm64 osx-x64 osx-arm64 win-x64)
+          rm -rf out/cli-ci
+          for runtime in "${RUNTIMES[@]}"; do
+            dotnet publish src/Cli/StellaOps.Cli/StellaOps.Cli.csproj \
+              --configuration $BUILD_CONFIGURATION \
+              --runtime "$runtime" \
+              --self-contained true \
+              /p:PublishSingleFile=true \
+              /p:IncludeNativeLibrariesForSelfExtract=true \
+              /p:EnableCompressionInSingleFile=true \
+              /p:InvariantGlobalization=true \
+              --output "out/cli-ci/${runtime}"
+          done
+
+      - name: Run CLI unit tests
+        run: |
+          mkdir -p "$TEST_RESULTS_DIR"
+          dotnet test src/Cli/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj \
+            --configuration $BUILD_CONFIGURATION \
+            --logger "trx;LogFileName=stellaops-cli-tests.trx" \
+            --results-directory "$TEST_RESULTS_DIR"
+
       - name: Restore Concelier solution
         run: dotnet restore src/Concelier/StellaOps.Concelier.sln
 

docs/implplan/SPRINT_190_ops_offline.md

@@ -69,7 +69,7 @@ DEVOPS-ATTEST-74-002 | TODO | Integrate attestation bundle builds into release/o
 DEVOPS-ATTEST-75-001 | TODO | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | DevOps Guild (ops/devops/TASKS.md)
-DEVOPS-CLI-43-001 | DOING (2025-10-27) | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. Dependencies: DEVOPS-CLI-42-001. | DevOps Guild (ops/devops/TASKS.md)
+DEVOPS-CLI-43-001 | DONE (2025-11-05) | Build/Test workflow publishes CLI for linux/mac/windows and runs CLI tests; release enforces parity gate and signs SBOMs. | DevOps Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-43-002 | TODO | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | DevOps Guild, Task Runner Guild (ops/devops/TASKS.md)
 DEVOPS-CLI-43-003 | TODO | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
 DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops/TASKS.md)
@@ -98,6 +98,7 @@ DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (`advisory
 DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | DevOps Guild, API Contracts Guild (ops/devops/TASKS.md)
 DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. Dependencies: DEVOPS-OAS-61-001. | DevOps Guild, Contract Testing Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-50-002 | DONE (2025-11-05) | Tempo/Loki exporters added to collector, tenant isolation smoke + validation scripts landed, storage configs validated. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
+DEVOPS-OBS-50-003 | DONE (2025-11-05) | Git workflow runs docker-compose-backed tenant isolation smoke alongside collector test. | DevOps Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. Dependencies: DEVOPS-OBS-50-002. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. Dependencies: DEVOPS-OBS-51-001. | DevOps Guild, Timeline Indexer Guild (ops/devops/TASKS.md)
 DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. Dependencies: DEVOPS-OBS-52-001. | DevOps Guild, Evidence Locker Guild (ops/devops/TASKS.md)

ops/deploy/telemetry/certs/ca.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0TCCArkCFDKF9uZOnv4aZOLZaMxkCQRXh8WaMA0GCSqGSIb3DQEBCwUAMCUx
+IzAhBgNVBAMMGlN0ZWxsYU9wcyBEZXYgVGVsZW1ldHJ5IENBMB4XDTI1MTEwNTEz
+MTQxNloXDTI2MTEwNTEzMTQxNlowJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBU
+ZWxlbWV0cnkgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsyoJs
+EiYwwH+3FeQGxh0C2e3c6QscMy3Vd+RY5RfVjtWjv7aRfCPegOEf9xARzoy+he2c
+42QaBvSnxZ43yDzKMYTwFkGwi1qFF68dqr8gb4iww3kf+YE09XI7zngH185v1NKi
+Mo61iYTkbf3Er6VqYhsDNGVEQQt4g+JXeTHORxmEJUef36ZqLPCGNnRP/HGxvrLH
+FDjUBCpkjhEUoP7Aqm5hbPcC8KUpKerGBirNsbvuhja+qUhglpdsihgdAiWHUrf1
+lUgQAHDAfM8AtG+v6uWu+0LkxIHc31EAMRn46ZpDZP6Paye9vfJdV4GM387vU5Ts
+0ugdn8BX9PAvCxOhqJ2Lp2Es3Umg0bBa9iYB/KUdhDp+WmVCcUGthmx/V03dwhEu
++Abqdi9J6ngMIBjB7RPOuTZYPgb9y8YdLKDjOMTzIUGLGWk5Q7OhiGMZYowFRa1G
+0ZhOqiV2N9GrCt2wFAqlLEork07zwmeeDfE/7xrkDqc0jNjf8WoLqcVPhsLLpToT
+4oG40WIHdbMmjw5dXoFUcqLWKKkLvo5R9LXbR8zlHDlELlbMX31DH7aOeqlB7Jx+
+Ya9fwNngEalvrci3WT/CV5bfxXAK57U+ffnYuzhrn3S5PQ4eCQ7QNTC+LZEiJ4XP
+X/KygY1aPFWzQkmPkrBgz/5dS5wfLeHO36ckRwIDAQABMA0GCSqGSIb3DQEBCwUA
+A4ICAQBy353C03SUJC38Ukpq5Gwp3xX/MViM9tcv+G25DFNxz7334glgpeVqQ9HD
+r42DwHaJjudWiTEZ73B2cf3Bs1DLpRLFk9AqsNVp+IlFKBRNgWDyev5UnRhDS/c5
+4MbwVr54Sn/6KVy56MEBLanQLgRB9iHhwekZYZpVkKS8gvdvMzkdj0kJJSYaMJSc
+0TzeL6nQHCuczI9lQ8ofV7yj1s3+XerzC3eKrze3iqc6o6J9163e6rPtm20plaEC
+fgo9NCjB9IRlBdsUuzFUYfgqsN7eisGHKXpFeA4D+Ox47v8uBCtK7zxrd3blvgts
+uNdJImGnjSRXB1C2KNjluCIaTvET4a8cq1nFUAlnA4pJXGwlRkJW42ncKUfEeIGN
+YltnLiwwf2PR/NCpFg+dMvrGwHKe0vHJluJi4cuvlnyh7YjEnn/2fDqUBwXfL7wW
+bRq1oC+o6Vd526BwQiysmp8bwkzsoZEgqSXYEiyP/PMBDrHvTWWi7Uj0mFSJfNIK
+r/3XbKCLfaCqZgm5CjFzpgy71aNMJE5NC7lKJNt7P67ZsyBDEYPleNIlTI9CZBY5
+ChaLedsHqEZgMcD3Hj5ETha8gbIf/07bMvFd/P6+lKq7IRwjozBAx7r8xrfepb0E
+OYqSDgxoHRhYoJzAbrY8w3rhmubb9we/HxcYBlunnN20c8lL6g==
+-----END CERTIFICATE-----

ops/deploy/telemetry/certs/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCsyoJsEiYwwH+3
+FeQGxh0C2e3c6QscMy3Vd+RY5RfVjtWjv7aRfCPegOEf9xARzoy+he2c42QaBvSn
+xZ43yDzKMYTwFkGwi1qFF68dqr8gb4iww3kf+YE09XI7zngH185v1NKiMo61iYTk
+bf3Er6VqYhsDNGVEQQt4g+JXeTHORxmEJUef36ZqLPCGNnRP/HGxvrLHFDjUBCpk
+jhEUoP7Aqm5hbPcC8KUpKerGBirNsbvuhja+qUhglpdsihgdAiWHUrf1lUgQAHDA
+fM8AtG+v6uWu+0LkxIHc31EAMRn46ZpDZP6Paye9vfJdV4GM387vU5Ts0ugdn8BX
+9PAvCxOhqJ2Lp2Es3Umg0bBa9iYB/KUdhDp+WmVCcUGthmx/V03dwhEu+Abqdi9J
+6ngMIBjB7RPOuTZYPgb9y8YdLKDjOMTzIUGLGWk5Q7OhiGMZYowFRa1G0ZhOqiV2
+N9GrCt2wFAqlLEork07zwmeeDfE/7xrkDqc0jNjf8WoLqcVPhsLLpToT4oG40WIH
+dbMmjw5dXoFUcqLWKKkLvo5R9LXbR8zlHDlELlbMX31DH7aOeqlB7Jx+Ya9fwNng
+Ealvrci3WT/CV5bfxXAK57U+ffnYuzhrn3S5PQ4eCQ7QNTC+LZEiJ4XPX/KygY1a
+PFWzQkmPkrBgz/5dS5wfLeHO36ckRwIDAQABAoICABFrFqurRrNKbHV53PM73GfR
+rTNEQMz2ccvfmqLFcVojXHD13gMbdwgyiL8uqi2JW1HHcXULzSb8hYQ2HSV1Z39g
+b4y+SZ/w5E6fXRVKBZtQ8wASrG6nObmrdnkF7r6nqBVI6HTWUOGG++EFH3xI0o1/
+V0bC7ORtBCmBbfswae9n5nAWS/qXUpDId/Snn6ECizmGRkJgTPw+cUGSurEQK64j
+YB4tHFdtB9E2+wY8T+tNW+sHF5Svvu6Rr7EO2LBv63WRRp8YjdujF7qnujxRdCLR
+NJcnmA40qvynfGRfDsWzUswxbaHqhOaRM9HqBNK9KwCgNdaLyj9WP87+D4pGfRN3
+h4Fr4DTFHz96yV4WHACx5PKdOjUyK5a28EsKMfaCA9ky3IU6Np84NMGxOY8/HVet
+MkBFtZsAKOZrocCih1ZbDZRvMg0lEcLwLEL7yObMT2w/aG5M9Ppj+D/B+d4x0c/f
+6I+WRsBH4d3Ynbsicyn0Axuciu3+V44HAiNqccoA78lEGhTMbJ3NG38Y6EIQFbgV
+XwF+pmNyiXx0C2lm56OfRG6/DcizmHX3ID7aRkzg0dM7HYHGGcdgX3nVN7sLPH3e
+2KDi2LOCZdFFW10EFpPN8gygammhrDFFszgdjDkI/FxU8itiHyL25xRFJWwliwGr
+G3taY+NAYn+udaUC3UixAoIBAQDvemYBS//LpGHL/86RTG3EAdgVswSJJCBTmlAC
+qNF7oj843ewwfX2H/EhRTjm/6DH5443b1menqDXce5wTauGpYtu3XPoDWHepTM0J
+FzM8oFdRYNzgqEMOp7oUMULZkyEA6EFMWYSSB+n+Ce7QRPtb3vr4RNAW45nIxAV5
+kKJ5qVsOS9xY79wWt5GglHHsFG6Lu3nYfzCw/w79BRmVu900KaF+ZEHuKi/lfySG
+eSzVUw26cL35QJ73AsBseUUHRLLVqMO8qZmzII6Y0cE3AiZnyBsX1/FmmZwWrw5Y
+Z1TPuEtkM/Dla6oY+Vcu/G86+L936Z6Yr9UP7q1yChbuDHgXAoIBAQC4tk0P02SL
+ucyI6+YF3vQSmXKlWPqqOPExeVTaxtlHKuxWVS7LfsCn6H6WErB2hoRroBsL6vwp
+zCEskSdwq47OmxfAcN3EZ3Bn2E1z457NO7vzEio4uufwtzsOHZnI8CD/ZNOin/km
+M0RWgezYkDeCeO+/Hk7KBhO+Mlb/ZH7Bgb8F+UiqH3HoKnZIJ3Hgf/skakE5hXdb
+sHV6w8/U1QsoioWbmk/8vlPCY2mAQniZtDVwMzIiWgrQWyLLvd061C/Iy/7C2uR+
+87g/SWL8xxHhwLK0GHfHCh9VOZOatJSVdPf1p9eH+Qzw0gskYMChL1MwwtO8YiJP
+kNgrlY31RiNRAoIBAQCukC4i69899klDhuhwiaHJqv50ctXvkeHujyGbjquEz7P+
+I+azQgZrRb8BZWA7P2qOmQ0jHprYX4lDeuc+UD7GVkWK1793CNnREyayZbL3knmT
+3GOlb4HSAPlnFrGAH/uCycoveWFlgVdT0rG+J0qCoXuX1bFJvgavjhPflUqaHJU/
+SpUIT2/DL3R79TlFuW8LdFFROwWnP4URctI/j32jNGV/2F0m2qGnTJK3Y0UHC0+K
+g/w24J//toXFjHCA59bkX+yubYKYTDcltmB9VJfiNr9pFgPlojthXaG7Vzc/Yzux
+gxsqYNzQ75BZs7Dw77nCEw2Eh0dsIbNU2X31cClpAoIBAE9xgOVsmxMJf3HoW89s
+m/cf7lI1WeI6iWoo8BkEa1ETogBjtLOrOXs+IKu1MBZaNrv/aYKPt5LWi/IaICdy
+cgJkbCvFn2wovQy82FserB9DMMwTpPsvUDCU7h5dFtZ4iQivOeL5APSwGhVG3jIq
+nOVN1HeTtnlncbhc+FPxyh66CgmstNcOnTQohyTzaiQPh1mbJaByyeoyk+SQMWQt
+mRX/tgU9smdXCLlTfn2+mRYqjs1KB6cEqSACAo40g+EYf9DSBCmUcbA0bKszihKE
+ICnDcljJKUL/FIjYMabZQgqh+z+5x5ZgxHMTM92ai18H9rTDJsQgRPeJqZ/dO+gh
+GXECggEBAOf4EahtXAnijFG4razL1xZL5ITdJJQkfgZJDvu3sfS0euzbvnINP3uj
+qyB+8C81nBMMbD7StLXxqRYX3yJgcyfayae91rym/MUPx8r9qQbXSI+IqMAkNhHZ
+ciTKGq6uVxarUYtNIbRArvRG8qS4mRkl/jF8X0+t3AkFSyp4qeD2wvRM0LNFzhwO
+oXwipHEXUwzm13mA6O9rgWbYA7R/I0wUJffZVWh0dlKsj+AYkUDH4GJW13vQeodh
+zmB7vVYkC9hlNkH7Df8KP+xN2NCeq/UOHjQwZuOl/lP9WAvATU18sYn5suZieKiI
+JsLb8CGIEEsgMR8I5fIQdaIeFM5zC8c=
+-----END PRIVATE KEY-----

ops/deploy/telemetry/certs/client.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFijCCA3KgAwIBAgIURlzXP0kww1npXz/oCffRcM5B7QEwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBUZWxlbWV0cnkgQ0EwHhcNMjUx
+MTA1MTMxNDE4WhcNMjYxMTA1MTMxNDE4WjAgMR4wHAYDVQQDDBVzdGVsbGFvcHMt
+b3RlbC1jbGllbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh0uCg
+HSZRLFXeGx0444w0Ig9+gplsaf+Jf2nK7KAMAOqRadozjzECeK0wopuZ7gCmCtRA
+XBfKxJpoz50poMR44emL7ETbDqFHRW1zfERQfU17LpOd4Sw++BULDQHobB2/2nRg
+Fe2s1gPJKfLnN/u5b8CWWNu0iRl2buaoM9tsXY7XFZ4VK/R23MAlUwm+dwMGu256
+8dGnf6Htmm2uypPEAq8MfJhcnix2BRG7JPi1FR4ZubXut/k0qN1EvWOfZEHVQmxN
+PbcPDV8D/pqGIG11Yiz2aaAxQcwm2V++fh9bwE+ZC6wtcGi4jcSZ2OOTAZht2V1S
+ZEw6M0dOrvoS8s76vfiBKxF5HzTImD/ysfC/9EHTs+3EUK25p8ZKDjoisKP7DwZ1
+7IhxFZ6vkHv+AAaOera6JdsbquCIL6bUg9EDjq7aZOQoBMKTAecbPVEigsrnC4VY
+U4qXH6sr9S1uub1wBe41+4Ae6G6oEWtdfWOBydYBjAVcbrk/LXXOuYk6cP1ajOYQ
+Y0Y0NrIhGhR8k74TtVWfYZqAFDiKPdUI/HWlW0IZnxFqggLgQ+phNoPveQhu9kbe
+nCnp5J+ej/YY5Xey37k6nIDh260ZomlizFnzxG07L457iIxhtpGq27OeMtZVi8yS
+r4xxbEBWge1t3pqk5PzIR7s/qVkvlobTtU1QlwIDAQABo4G2MIGzMBMGA1UdJQQM
+MAoGCCsGAQUFBwMCMDEGA1UdEQQqMCiCFXN0ZWxsYW9wcy1vdGVsLWNsaWVudIIJ
+bG9jYWxob3N0hwR/AAABMB0GA1UdDgQWBBTFQj7R63yc+tf1xNK9aO9afwPZDDBK
+BgNVHSMEQzBBoSmkJzAlMSMwIQYDVQQDDBpTdGVsbGFPcHMgRGV2IFRlbGVtZXRy
+eSBDQYIUMoX25k6e/hpk4tlozGQJBFeHxZowDQYJKoZIhvcNAQELBQADggIBAIw0
+q9ulVu3mKpONcyGBf7a104uI45bc8xjihqgbd2ovFpyCORg63ejrvr4IUBzz+7E+
+M4rKZENE6SliI42cXXWiown/g/k75DdRGUF7opjcWMt0OjTU5G8vvhdHc26Xc6Sa
+k/qxbX8qydgPaa9MC2aohY902xwQ4OryQB/vBgukbvEdva/h3DsS3vWz0DPm3TgR
+D/gJZYWu66P1yuljb3q2UOGRUjwhrZSI+0gq4q2yaT85MEXgL+QlFtAiXkVxjS2y
+LRLQ3b7PJjoUZI3msREQyLPphmKJHBx1cfGJc1vxV93ZzjFc8FPnpFRqqNG+xYSl
+8REsB1xjPz1tSEi0mFe226S8xCSgGcAk7wi2Urw+BZiKxpZ8ATXH0awCsl42W1w1
+8oxN9c/8/S6qE3+1LF3QZiFm6I3HDQ61zSHPxbasuI5Y5+c7Z3A1UVTxCGAMUBPE
+zDP3XHwQkV27P3ChlUzP0ohTJgJvny81aIpZGJk/gTloPCNuKxLwVXLnR8qFR01U
+5HtWXkgMkpukh1S4wEDzN6IiLqyWsntoewwe6evqwbLRkUGsiqIHGzTI23B4UvFN
+qBonwFDGulP9t/VH33f+vmLnGv7ERVXRiVTXKts2cVGhGhWLyV+a/H5cF6pJKyet
+W2jYvD5N0Vzpw9IdQCIASSQ1ntYcTwW/CIz0ZkDW
+-----END CERTIFICATE-----

ops/deploy/telemetry/certs/client.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCh0uCgHSZRLFXe
+Gx0444w0Ig9+gplsaf+Jf2nK7KAMAOqRadozjzECeK0wopuZ7gCmCtRAXBfKxJpo
+z50poMR44emL7ETbDqFHRW1zfERQfU17LpOd4Sw++BULDQHobB2/2nRgFe2s1gPJ
+KfLnN/u5b8CWWNu0iRl2buaoM9tsXY7XFZ4VK/R23MAlUwm+dwMGu2568dGnf6Ht
+mm2uypPEAq8MfJhcnix2BRG7JPi1FR4ZubXut/k0qN1EvWOfZEHVQmxNPbcPDV8D
+/pqGIG11Yiz2aaAxQcwm2V++fh9bwE+ZC6wtcGi4jcSZ2OOTAZht2V1SZEw6M0dO
+rvoS8s76vfiBKxF5HzTImD/ysfC/9EHTs+3EUK25p8ZKDjoisKP7DwZ17IhxFZ6v
+kHv+AAaOera6JdsbquCIL6bUg9EDjq7aZOQoBMKTAecbPVEigsrnC4VYU4qXH6sr
+9S1uub1wBe41+4Ae6G6oEWtdfWOBydYBjAVcbrk/LXXOuYk6cP1ajOYQY0Y0NrIh
+GhR8k74TtVWfYZqAFDiKPdUI/HWlW0IZnxFqggLgQ+phNoPveQhu9kbenCnp5J+e
+j/YY5Xey37k6nIDh260ZomlizFnzxG07L457iIxhtpGq27OeMtZVi8ySr4xxbEBW
+ge1t3pqk5PzIR7s/qVkvlobTtU1QlwIDAQABAoICADaZoNnVTAbqdySEMIVv3W//
+qAuvBBY845AgkfD6ivvR2VNsDEgGQeqMDh+RVgAHemeL0tbOW+a6FEFV/7i6emAx
+FWx1MTxaQNd72PS00pX32Us9SWhlP9kVOoBqiKDDzfvcORTsgS+mXEulIEScso38
+Y1Y3MBZHhfRcce4B5UC4hogSzq5lEMyEKj7NuEVwAXDlj97itbMW0OuLBgQKbPYf
+U7HaXkwtwGGnzzY+QL5UnD3g175ui6KVcWcOocz3dnD+wu0C7D+jatI9tySXT2di
+UzpnJDpKcZgQEwqCopECH7lLY3JHccYHa3TfZdXFnYk+5Ip2tfOTNrWZO15mV6hg
+MoNdi8uDKfjEt3esINiR869GrLX+8TXAc1vHR+FyPIAA2NU65GWCYAV+g837QqjJ
++2/RnkT8SAE2v5dqasp6R7TfL9CvkJUTwQvOrRE9JnBl1IeEsyVz/ddheh5dGZYI
+L2BusYjqUA/D2n1k36WZW+axTn6NxWs7hzp9tRyGiVpktTFb6z98+J6kAEL9r+ZB
+DK4iDSb5lWpyTCNQXe0ZYSuIkmq62dAIIvdCt69uCadp1Udfr8rbAQ2n/AzSk1hJ
+NsWnyiNRWqL57jKzbCzqmSB0dzRkFrGej8oDApSab1co/paeVWz/HdaAGbTdBI0Y
+GbF+3A0JuM+4ZbsGF1D1AoIBAQDUoIiOmnhOGC7YO/7FEmJuIXVm71mYhnTXeiXZ
+tn/TDhOgaIIplPwooCcaREWrvKFYznhCqTc5EzCvS+HSBZRT/XGcZWVt4KbiGEWf
+ftXpepCINk9KL7W38IyEly5jzRBh9ZeNqN6oLY2omhIViN5mgK/dzRHS4N4+/5/7
+dqc4a7B8mu57mEOoiOEh6z0nb+0AyTObWXwCc7y31kpda4NdXwsTdXjA+hn/IJQn
+naVMogO2rgrUwLDCBAV0FELQ4fvHmQhpoT9IPM8TQM7t3ZhfrJIttU86i2VsEkXi
+t76MAAuXPBQQghAuStyvFsyXT72Z1Z3pn++f0Dm0p+WgxI7lAoIBAQDC1V/NtNp/
+NZLEUEnDVdhaqyoQ9G35/wHJK5/TD8Tyh35Uokrw1G/XGfvoqQUdMQGBsa9X1u3s
+90NEchm3GbP/LbA6Imka58XhiHBUw+dsbVaSz7ebHYgFqUaiLAJxEJjbhPqg90ii
+drFk3GrW2YEFad4wrkaifad3SWtVEQbei+BlAiS5BbIVGPWjBhgCW6+B5LZMuyGp
+58/TJm4J0ZoVemOB4Q531NW8g3cUCltPk4kkDAGMtoAQpZrMelI/83CSPy2XHehJ
+tEe0ZPlhzRkWhnMY2ykDbbc/ZW0OR2zFdxDNAJzB7Am/RCE37v6a7U/6cfzSiyBF
+wtpNl1IELu3LAoIBAQDSIqlyzcSx4YKCX6ClIUs37kc56LiSXeehgO1hYdSoQBQz
+hrWE5OHkQIsEkY6NcInA26TMtLGH7ahCxmqyBqOV8jdSyn7YfZpQfo5oV5CPA3tN
+subfuZEM7WXiMAs/xM05Et+pt8f9S6/hfgr7T14EzY+BVAcWcvgSKM3yVkxjHUK5
+kuC4Mz5ClKxyuiqhDCOdkDs5f9FoFvveb6Dk/LlCEQlAPOuPRF1m38qr8EgKGWA0
+LYM0yg6mYBUHqHJ0P7J2i45d3mdNPBOmwnj/ae4KN+Hr3HEludgNW23H57IgaHcM
+CusFeZUGOyQowg6GR99o5k3/Mvo95irxmLD/FuLlAoIBAQCqcCSN/D8D92a764yL
+n6ZTstZq3Jj0kHsMc+gtp+bfT15ZRVwPj5eC8U0oe+toXP13amv8iJ28pZWn47TR
+M1/9xAcc5AtUKRs3L7csv+/ML14DskhpHo1mfm224o8EP8OojYz+kTRuQyzuEdA4
+wS8YAEQKC/ronMmKFaUaVnnO50hWtGhRn0TpJduEUIliTribBevf9ff9/TcV/NFY
+L47+aQFxleKlO3/6mHrsAh9c3rCi4wncAa7IYUaox/z5yslYdoI4Z0ZUa6wqiAaM
+4vGmfdlkDhyzzh/3CpA7ZIont//vhjCbiBQCyOPSXXVHLIDBk0PbHzANNubn548s
+76y/AoIBADAE/XSuXiAxTy3jzUnPkw9GTxA3gFMDkRGlsPvAMoJ3H0Y9ow/kgwuB
+lULGKfchp8Aqq1t156fiN8hXA0Ojz8egKwuzrrZih2Z373tEmOfBhe1wIbDGwbhY
+7j5cOPmNEg2CPorI6yzeVDlEylM4yKzQqxgs09eNDHk8GCkdeHe7Lay5ChCmAohg
+3xcz9f/Jsy+Ntn6CDzJPk8FmFOpFokLvHctmA94kjNfj781kwotkP/cSqfY1S+AJ
+gxvUAkYupB+8XLLmD1I3C3aTRdA6NtwX6JlI1DKKHWsuNK8+kA8piSF5ECgDCFz7
+1MtPh2jZeC2RldWjRlBsY1fVC9SQF4k=
+-----END PRIVATE KEY-----

ops/deploy/telemetry/certs/collector.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmjCCA4KgAwIBAgIURlzXP0kww1npXz/oCffRcM5B7QAwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBUZWxlbWV0cnkgQ0EwHhcNMjUx
+MTA1MTMxNDE2WhcNMjYxMTA1MTMxNDE2WjAjMSEwHwYDVQQDDBhzdGVsbGFvcHMt
+b3RlbC1jb2xsZWN0b3IwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCp
+TfZtIbS3A0gvYJY6MkHDW2TBD43+ooDqFFfxNsJTokmAT4InKRtX5ZXHS+Cpamg7
+g+Inre4U4nJ3gj9drGOonSyFi6MbEeYKhu7tRDqm6ryDfZ8AoMddwc8hasA4sajf
+e+PEHvtZFQliCoR83gQa+GHn3y8OSqYoAkeS9cNbK2dPNXjeDLGpQletXuGNtHOZ
+K2J67mhVIacDms8Vc7Up1beJ4Xg4w0XG1WW3sjkQk0KABtAWDv3nYZbF5q0XE3tD
+lqGfg1pdZHARuZc8WqCURjjOFZIZyqKo26JBAtKYylUR2bhrrafYIaw3HgUSj+qO
+m1Xe69P3JXnLLn3/A60S0URDBrVsY3ijXMhvcJV7QIIuGJYahe1J+o4cqtODJOiX
+w8BlEIf5uypo4bNoTxgE7dODST963DncM3VOS6xI+Cn79P1XkWi0VXRruB+RwDCe
+heXX1XHFrO/uvn/bZP66UiBx4sFA84NTqS9j3boQ/SH5ccEnmDvJ1EyhyDhQGgyl
+n/kgOwU0w6j514aexw5eJ/pLAr8o620pBUItgxXK12oaIceGrM3nDAaraXFYfsIF
+xF9V5WDqhtJ4IRJv4eAxUsWYVPgJ0uEYJ1C2eTh5YPktaBiHhCYBpDPSQBy1EJYi
+av4n8reI1gW9sO0t4zHcTZISnZzVbXH4eC7vG/dVuQIDAQABo4HDMIHAMDQGA1Ud
+EQQtMCuCGHN0ZWxsYW9wcy1vdGVsLWNvbGxlY3RvcoIJbG9jYWxob3N0hwR/AAAB
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUcCTexBYq
+9yCbUmHps6G/lIOIctkwSgYDVR0jBEMwQaEppCcwJTEjMCEGA1UEAwwaU3RlbGxh
+T3BzIERldiBUZWxlbWV0cnkgQ0GCFDKF9uZOnv4aZOLZaMxkCQRXh8WaMA0GCSqG
+SIb3DQEBCwUAA4ICAQBqtaI8No1BDaScO6/QCKbrsbFYxj/a7o9MwYoIgIldpIeB
+YTN4EbRg8AqqkOcndRFQcX+T7bFIijL0gya4mF3/lY1jIHi/RLLfWSqrrLue00vR
+GaXgiNMU34kJIXdv+sB/46Q3MdTdTLNmF+Y03sBqFIDuBFwUl6GHHZQ93kIeIlSc
+m3Vrb5OAz2dbMwe6EW17hDQ48kyzmWqlp5AfCZml5Oj15JMixYzWB1wvUlgQ58kV
+M7aG8tpUwp6WqpBLpx6zaYcqnb4GvJxFJVPJMdjrB7b8sIi4awGLijrcVdgcDjNo
+1+gfqLca200m88hMa0bGui4LQtcGJxDJLDdE3Ud3isSvDVv62HWUu9YO2DMa3e8e
+FG21zOWTPx/XlOOGonHdULQFETpySU78Xx6ql6lzmLoHDGGrktUTZxXqhKbflTmm
+B3gfujICGW92pF/6dlc2euuk7DaeG7jWmoYvymEi2bkEcY83KiYwqrJzXpb79TE/
+NmbCVocTbdmDV+oDP5qmJhFzBhb2aQjp8Ufxt8eZ6PTTtUS46vZCJuKQEQcezsRD
+G2+YAMshbjNMNA7pv755ykOaZT9vTBSpv7vF2XiiIpXtijXnzthVkOxW96jgubpd
+Sh1DCq2QnuIXRTjsQi9uZqQ1nifxkuYRxEtFb5wvJ8UBwzZRdqP037yaIkQ0MA==
+-----END CERTIFICATE-----

ops/deploy/telemetry/certs/collector.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCpTfZtIbS3A0gv
+YJY6MkHDW2TBD43+ooDqFFfxNsJTokmAT4InKRtX5ZXHS+Cpamg7g+Inre4U4nJ3
+gj9drGOonSyFi6MbEeYKhu7tRDqm6ryDfZ8AoMddwc8hasA4sajfe+PEHvtZFQli
+CoR83gQa+GHn3y8OSqYoAkeS9cNbK2dPNXjeDLGpQletXuGNtHOZK2J67mhVIacD
+ms8Vc7Up1beJ4Xg4w0XG1WW3sjkQk0KABtAWDv3nYZbF5q0XE3tDlqGfg1pdZHAR
+uZc8WqCURjjOFZIZyqKo26JBAtKYylUR2bhrrafYIaw3HgUSj+qOm1Xe69P3JXnL
+Ln3/A60S0URDBrVsY3ijXMhvcJV7QIIuGJYahe1J+o4cqtODJOiXw8BlEIf5uypo
+4bNoTxgE7dODST963DncM3VOS6xI+Cn79P1XkWi0VXRruB+RwDCeheXX1XHFrO/u
+vn/bZP66UiBx4sFA84NTqS9j3boQ/SH5ccEnmDvJ1EyhyDhQGgyln/kgOwU0w6j5
+14aexw5eJ/pLAr8o620pBUItgxXK12oaIceGrM3nDAaraXFYfsIFxF9V5WDqhtJ4
+IRJv4eAxUsWYVPgJ0uEYJ1C2eTh5YPktaBiHhCYBpDPSQBy1EJYiav4n8reI1gW9
+sO0t4zHcTZISnZzVbXH4eC7vG/dVuQIDAQABAoICABuXZZAufI2Q3tw9wO3WD+qf
+A+IEv27em+TKEPTyKCRKH/Flw7/PDrI567lxj7j8auU8Hoi560GDEAWS9/GzrQAn
+MUDIW3oHZjaT++81/dsDCVrih52qFiOc+L0o8Q+sQGm/foSRSgQgDgnozeOtqPye
+OxJ3SGtrVf3SNUjpfX9nqOv7Omnxpqh/c9uAyYB3BpnRPLjtDprFI7tOKO6Fj2I0
+frddQ+L4S/BWCcAwruUZIq7LrXDS26UwPcqdx9qpZZ7Dty5QUVNEEZGJ7fA7kszn
+Ts2jLU6/u9eKB7zRkXGuE8QXd9swj1iFUFQhM9FtG9xGy21LgJ1YAavPtV/wgO16
+wwjkmHTpe4Nnub6kaIxKhuTE9exflIEo/dUn434glnUxHN9chH53FwM0zPVPUMLW
+7sffBEGIneYCmlWZXsQqYDWiBEupUneeN0C0lVsscr5RqmkhT1q5uGVvlGpCjPfE
+gANqstRUIzp0PyCNAbb4MGu9S3jtaOtci08DsRyNEO2hfoOlqMHcksCpJxH0bQPw
+0pG1ToC6K6Rn7RzEbYH03mv3NC5gQ2zHR6WlfeWSJWzLQIreBcnAGk2GievJasuc
+lZetXZ61CXh+wXjgf7156zLnQUw6HTI9HRwTOcX4QjpMH59zU3Tp+A83bLGAdroz
+TGb9gbwilmMzS7CYOCabAoIBAQDWhJNSQVzJHwDqL3YA7jpbCRZNoOVuUnNNkgXi
+qg97Ylpto92j9t/l2+gYEHLIrM6kBGP6KJyJ7Lsx6mnOPNQ1PuxMEv2CBhPAU/a6
+ENFJH99MRe4+AT8igl/yqBsL71VoHvvUpG2/0uAVRsHGxmzj/960t1P2fuQZ7nbF
+XI0+n2gnh2PAoEJgb7THO1+/3k4j2Jekjkm+DRet3gns4U95ww+KLToDeyJKudMP
+9qOL6HEue04FWwtjb/j6w3Oi8IxULopfdzQEyj86mC1OCkHpZWaGkiuKxnMGkvUY
+rgEolx79UJp+I2soHlDRpRhPcv6yZtaHCHMk5HnGBGaTFeonAoIBAQDKCykm+v5o
+HPKtiJUxyPYEBFhhawfTqvnTg9JJEC0blySZSGSKO1ct/f8ShaeJICZSA/p8Tbtp
+767ds2Uphf99dZPLhzxug8oqCWmryGir8V2BibK7wLmFVObrJlZYn4wwG6lCd3+u
+2ie6joC+5UKecGBsQhB930AUZyq8SnrQdiC7zjFk8caTlAjR7upVgcOJA9vOdMyD
+Zx/v0jAJofmEZrNm+m/WTkX9lXLfsTXsoU2GgbIHY14qAsklPkJb2kaJL3dye2eL
+VODOFt/RJoXzEqkc19R972j6I9l3fgOjWC0pcLrLN2kQNpDyH5EMmnPzVglJy7mI
+1jjAEhyUtA0fAoIBAHqrw6dFE287mIVS8LMliB9o+eUYfjrxUVhpiY4N296d5sJN
+88AAvBaxA29HcKxLDbwDeryiHqpMwtuPhkPWyy9LtUrnjSqemQrhuPS8C0I6xLHU
+R6ITimwMjBuygAz6Jyfsl+wIv23zhAsGtGccL0bOmidTsuMBuyUNFcRU4byO4bvB
+E40i1/JXztQjouSQlrSu9kC20Xqp+AGIOLrKOW2S2z8UD9nPv1NmIkk9rFakbJy9
+DGfJoaCSdpnHzUe/MTAukRh4jTm0AiZawYWgHgL+5ntL+TRZuYtn3FrpnmX8zU7k
+mgRJ8sw1UdghBd7hDr8sSb9cWKQfN3fCKnowDP8CggEBAL/YayH1UB5h5li6iRf1
+vww/aABQleT5wzCBSepQbtR05q6Zm8XZ5MTqGgpnWJaPLXPRDUZ8tMk5amxfDF6q
+OtfRDh5C8jHp98uElo8jw6gIjoYSzuESddZRsNZ116VdEcsYaNaRC29m/DRbXYpl
+vKUfBZ+l92zd0EXPVDfn7MgGcryBZEt6e9jjxqA4YNACYD24qT1XkF3xTNT2WuC6
+qWd78TuF7y2pszG/d41KAm8HFsryWa5EP0Ra0s4HWRFIqJNYu+27ma0mUjO+apV5
+I9WT0Xpuwfk2nBJweezJfgDbGD7yKJwPqDZZ6bXOHXe/LPxQpI8q36g76TUPvY3B
+jXcCggEAYOPrBzSX8PEYeFQXL7kI+vf+llZzsf5diZyk8hZ/TTD3auvaM5hZqeI5
+CLnSJOrEaCbyZlN8ytGuZCP4v6k1e11ekRjdUBBgRnmIxL0zQyTHiVb6GFuR/s+S
+c3OxV8vMuuZgm9/fUVcgjeeKD1opSI51aCghJh+KuDBQbMYBH1BOrX3ZfZmgWzcn
+vmTkCv1xdWhMuO6yuvobudaqkJHdOmivjD+ZOUEGvqKKg8sBIY2r5tW8qqHvlgES
+GkeH66C+UKMAAjEUwLU4RyLNiuBzt6UQZ9hLsdtyyrnGZ6fuSOK/AvtoYbfr3RCZ
+uYZljgYrmHZpQPucWwwmGNsDx+casg==
+-----END PRIVATE KEY-----

ops/devops/TASKS.md

@@ -17,6 +17,8 @@
 > Blocked: guard coverage suites and exporter hooks pending in Concelier/Excititor (CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003).
 | DEVOPS-AOC-19-101 | TODO (2025-10-28) | DevOps Guild, Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | Runbook committed in `docs/deploy/containers.md` + Offline Kit notes, staging rehearsal scheduled with dependencies captured in SPRINTS. |
 | DEVOPS-OBS-50-002 | DONE (2025-11-05) | DevOps Guild, Security Guild | DEVOPS-OBS-50-001, TELEMETRY-OBS-51-002 | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | Storage stack deployed with auth; retention configured; integration tests verify tenant isolation; runbook drafted. |
+> 2025-11-05: Collector now exports to Tempo/Loki with tenant headers; tenant isolation smoke + CI integration landed.
+| DEVOPS-OBS-50-003 | DONE (2025-11-05) | DevOps Guild | DEVOPS-OBS-50-002 | Automate telemetry tenant-isolation smoke in CI (compose stack + OTLP checks). | Build pipeline runs `tenant_isolation_smoke.py`; cleanup guards registered. |
 > Coordination started with Observability Guild (2025-10-26) to schedule staging rollout and provision service accounts. Staging bootstrap commands and secret names documented in `docs/modules/telemetry/operations/storage.md`.
 > 2025-10-30: Added static validator `ops/devops/telemetry/validate_storage_stack.py` and updated storage runbook to require it alongside TLS/tenant setup.
 | DEVOPS-OBS-51-001 | TODO | DevOps Guild, Observability Guild | WEB-OBS-51-001, DEVOPS-OBS-50-001 | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | Dashboards live; evaluator emits webhooks; alert runbook referenced; staging alert fired in test. |
@@ -117,8 +119,8 @@
 |----|--------|----------|------------|-------------|---------------|
 | DEVOPS-CLI-41-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | Build pipeline operational; SBOM/checksums published; parity gate failing on drift; docs updated. |
 | DEVOPS-CLI-42-001 | TODO | DevOps Guild | DEVOPS-CLI-41-001, CLI-PARITY-41-001 | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | Golden tests running; parity diff automation in CI; pack run harness executes sample packs; documentation updated. |
-| DEVOPS-CLI-43-001 | DOING (2025-10-27) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
-> 2025-10-27: Release pipeline now packages CLI multi-platform artefacts with SBOM/signature coverage and enforces the CLI parity gate (`ops/devops/check_cli_parity.py`). Task Pack chaos smoke still pending CLI pack command delivery.
+| DEVOPS-CLI-43-001 | DONE (2025-11-05) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
+> 2025-11-05: Build/Test workflow now publishes CLI binaries for linux/mac/windows and runs CLI unit tests; release workflow gates on `check_cli_parity.py` and signs CLI SBOMs. Task Pack chaos smoke tracked under DEVOPS-CLI-43-002 pending Task Runner approvals GA.
 | DEVOPS-CLI-43-002 | TODO | DevOps Guild, Task Runner Guild | CLI-PACKS-43-001, TASKRUN-43-001 | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | Chaos smoke job runs nightly; failures alert Slack; evidence stored in `out/pack-chaos`; runbook updated. |
 | DEVOPS-CLI-43-003 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-PARITY-41-001, CLI-PACKS-42-001 | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | `check_cli_parity.py` wired to compare parity matrix and CLI outputs; artifact uploaded; release fails on regressions.
 

ops/devops/telemetry/generate_dev_tls.sh

@@ -1,77 +1,77 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
-
-mkdir -p "${CERT_DIR}"
-
-CA_KEY="${CERT_DIR}/ca.key"
-CA_CRT="${CERT_DIR}/ca.crt"
-COL_KEY="${CERT_DIR}/collector.key"
-COL_CSR="${CERT_DIR}/collector.csr"
-COL_CRT="${CERT_DIR}/collector.crt"
-CLIENT_KEY="${CERT_DIR}/client.key"
-CLIENT_CSR="${CERT_DIR}/client.csr"
-CLIENT_CRT="${CERT_DIR}/client.crt"
-
-echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
-
-# Root CA
-if [[ ! -f "${CA_KEY}" ]]; then
-  openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
-fi
-openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
-  -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
-  -config <(cat <<'EOF'
-[req]
-distinguished_name = req_distinguished_name
-prompt = no
-[req_distinguished_name]
-EOF
-) >/dev/null 2>&1
-
-# Collector certificate (server + client auth)
-openssl req -new -nodes -newkey rsa:4096 \
-  -keyout "${COL_KEY}" \
-  -out "${COL_CSR}" \
-  -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
-
-openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
-  -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
-  -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-subjectAltName = @alt_names
-extendedKeyUsage = serverAuth, clientAuth
-[alt_names]
-DNS.1 = stellaops-otel-collector
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-# Client certificate
-openssl req -new -nodes -newkey rsa:4096 \
-  -keyout "${CLIENT_KEY}" \
-  -out "${CLIENT_CSR}" \
-  -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
-
-openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
-  -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
-  -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-extendedKeyUsage = clientAuth
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = stellaops-otel-client
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-rm -f "${COL_CSR}" "${CLIENT_CSR}"
-rm -f "${CERT_DIR}/ca.srl"
-
-echo "[✓] Certificates ready:"
-ls -1 "${CERT_DIR}"
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
+
+mkdir -p "${CERT_DIR}"
+
+CA_KEY="${CERT_DIR}/ca.key"
+CA_CRT="${CERT_DIR}/ca.crt"
+COL_KEY="${CERT_DIR}/collector.key"
+COL_CSR="${CERT_DIR}/collector.csr"
+COL_CRT="${CERT_DIR}/collector.crt"
+CLIENT_KEY="${CERT_DIR}/client.key"
+CLIENT_CSR="${CERT_DIR}/client.csr"
+CLIENT_CRT="${CERT_DIR}/client.crt"
+
+echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
+
+# Root CA
+if [[ ! -f "${CA_KEY}" ]]; then
+  openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
+fi
+openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
+  -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
+  -config <(cat <<'EOF'
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+[req_distinguished_name]
+EOF
+) >/dev/null 2>&1
+
+# Collector certificate (server + client auth)
+openssl req -new -nodes -newkey rsa:4096 \
+  -keyout "${COL_KEY}" \
+  -out "${COL_CSR}" \
+  -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
+
+openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+  -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
+  -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth, clientAuth
+[alt_names]
+DNS.1 = stellaops-otel-collector
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+# Client certificate
+openssl req -new -nodes -newkey rsa:4096 \
+  -keyout "${CLIENT_KEY}" \
+  -out "${CLIENT_CSR}" \
+  -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
+
+openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+  -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
+  -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+extendedKeyUsage = clientAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = stellaops-otel-client
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+rm -f "${COL_CSR}" "${CLIENT_CSR}"
+rm -f "${CERT_DIR}/ca.srl"
+
+echo "[✓] Certificates ready:"
+ls -1 "${CERT_DIR}"