CD/CD consolidation

CLAUDE.md

@@ -53,7 +53,13 @@ npm run api:lint
 npm run docs:attestor:validate
 
 # Validate Helm chart
-helm lint deploy/helm/stellaops
+helm lint devops/helm/stellaops
+
+# Validate Docker Compose profiles
+./devops/scripts/validate-compose.sh
+
+# Run local CI tests
+./devops/scripts/test-local.sh
 ```
 
 ## Architecture
@@ -249,11 +255,66 @@ Before coding, confirm required docs are read:
 
 ## CI/CD
 
-Workflows are in `.gitea/workflows/`. Key workflows:
-- `build-test-deploy.yml` - Main build, test, and deployment pipeline
-- `cli-build.yml` - CLI multi-platform builds
-- `scanner-determinism.yml` - Scanner output reproducibility tests
-- `policy-lint.yml` - Policy validation
+### Folder Structure
+
+The CI/CD infrastructure uses a two-tier organization:
+
+| Folder | Purpose |
+|--------|---------|
+| `.gitea/workflows/` | Gitea Actions workflow YAML files (87+) |
+| `.gitea/scripts/` | CI/CD scripts called by workflows |
+| `devops/` | Deployment, tooling, and operational configs |
+
+### CI/CD Scripts (`.gitea/scripts/`)
+
+```
+.gitea/scripts/
+├── build/      # Build orchestration (build-cli.sh, build-multiarch.sh)
+├── test/       # Test execution (test-lane.sh, determinism-run.sh)
+├── validate/   # Validation (validate-sbom.sh, validate-helm.sh)
+├── sign/       # Signing (sign-signals.sh, publish-attestation.sh)
+├── release/    # Release automation (build_release.py, verify_release.py)
+├── metrics/    # Performance metrics (compute-reachability-metrics.sh)
+├── evidence/   # Evidence bundles (upload-all-evidence.sh)
+└── util/       # Utilities (cleanup-runner-space.sh)
+```
+
+### DevOps Folder (`devops/`)
+
+```
+devops/
+├── compose/        # Docker Compose profiles (dev, stage, prod, airgap)
+├── helm/           # Helm charts (stellaops)
+├── docker/         # Dockerfiles (platform, crypto-profile, ci)
+├── telemetry/      # OpenTelemetry, Prometheus, Grafana configs
+├── services/       # Service-specific configs (authority, crypto, signals)
+├── offline/        # Air-gap and offline deployment
+├── observability/  # Alerts, SLOs, incident management
+├── database/       # PostgreSQL and MongoDB configs
+├── ansible/        # Ansible playbooks
+├── gitlab/         # GitLab CI templates
+├── releases/       # Release manifests
+├── tools/          # Development tools (callgraph, corpus, feeds)
+└── scripts/        # DevOps scripts (test-local.sh, validate-compose.sh)
+```
+
+### Key Workflows
+
+| Workflow | Purpose |
+|----------|---------|
+| `build-test-deploy.yml` | Main build, test, and deployment pipeline |
+| `test-matrix.yml` | Unified test execution with TRX reporting |
+| `module-publish.yml` | Per-module NuGet and container publishing |
+| `release-suite.yml` | Full suite release (Ubuntu-style versioning) |
+| `cli-build.yml` | CLI multi-platform builds |
+| `scanner-determinism.yml` | Scanner output reproducibility tests |
+| `policy-lint.yml` | Policy validation |
+
+### Versioning
+
+- **Suite releases**: Ubuntu-style `YYYY.MM` with codenames (e.g., "2026.04 Nova")
+- **Module releases**: Semantic versioning `MAJOR.MINOR.PATCH`
+- See `docs/releases/VERSIONING.md` for full documentation
 
 ## Environment Variables