fix: QA preflight fixes — stale routes, missing hosts, policy URL

- Add workflow + release-orchestrator to hosts file
- Fix scheduler policy URL: policy.stella-ops.local → policy-engine.stella-ops.local
- Fix gateway stale routes: doctor-scheduler → scheduler, vulnexplorer → findings
- Remove stale "policy" from RequiredMicroservices (merged into policy-engine)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/docker-compose.stella-services.yml

@@ -989,14 +989,16 @@ services:
   # jobengine and jobengine-worker removed.
   # Release endpoints -> release-orchestrator service (Slot 47)
   # Workflow orchestration -> workflow service (Slot 46)
-  # Scheduler remains in Slot 14 (scheduler-web / scheduler-worker)
+  # Scheduler remains in Slot 19 (scheduler-web; worker merged in)
 
   # --- Slot 18: TaskRunner (REMOVED) ------------------------------------------
   # taskrunner-web and taskrunner-worker deleted; task_runner_id DB columns left as nullable legacy
 
-  # --- Slot 19: Scheduler ----------------------------------------------------
+  # --- Slot 19: Scheduler (web + embedded worker) ----------------------------
+  # Worker BackgroundServices now run embedded in the web process (Scheduler:Worker:Embedded=true).
+  # Set Scheduler__Worker__Embedded=false and restore scheduler-worker for K8s split deployments.
   scheduler-web:
-    <<: *resources-medium
+    <<: *resources-heavy
     image: stellaops/scheduler-web:dev
     container_name: stellaops-scheduler-web
     restart: unless-stopped
@@ -1006,64 +1008,67 @@ services:
       ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
       Scheduler__Authority__Enabled: "false"
-      # Worker options are validated even in web mode
+      # Embedded worker mode (all 8 BackgroundServices in this process)
+      Scheduler__Worker__Embedded: "true"
       scheduler__queue__Kind: "Redis"
       scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
       Scheduler__Storage__Postgres__Scheduler__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
-      Scheduler__Worker__Runner__Scanner__BaseAddress: "http://scanner.stella-ops.local"
+      Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
       Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
       Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
-      Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
+      Scheduler__Worker__Policy__Api__BaseAddress: "http://policy-engine.stella-ops.local"
+      # Surface environment (merged from scheduler-worker)
+      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
       Router__Enabled: "${SCHEDULER_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "scheduler"
     volumes:
       - ${STELLAOPS_CERT_VOLUME}
     tmpfs:
       - /plugins:mode=1777
+      - /var/lib/stellaops/surface:mode=1777
     ports:
       - "127.1.0.19:80:80"
     networks:
       stellaops:
         aliases:
           - scheduler.stella-ops.local
+          - scheduler-worker.stella-ops.local
       frontdoor: {}
     healthcheck:
       test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
       <<: *healthcheck-tcp
     labels: *release-labels
 
-  scheduler-worker:
-    <<: *resources-medium
-    image: stellaops/scheduler-worker:dev
-    container_name: stellaops-scheduler-worker
-    restart: unless-stopped
-    environment:
-      <<: [*kestrel-cert, *gc-medium]
-      # Queue config (Redis transport)
-      scheduler__queue__Kind: "Redis"
-      scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
-      # Persistence config (section: Scheduler:Storage, subsection: Postgres:Scheduler)
-      Scheduler__Storage__Postgres__Scheduler__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
-      Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
-      # Worker config
-      Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
-      Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
-      Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
-      Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
-      # Surface environment
-      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
-    volumes:
-      - ${STELLAOPS_CERT_VOLUME}
-    tmpfs:
-      - /var/lib/stellaops/surface:mode=1777
-    networks:
-      stellaops:
-        aliases:
-          - scheduler-worker.stella-ops.local
-    healthcheck:
-      <<: *healthcheck-worker
-    labels: *release-labels
+  # scheduler-worker: MERGED into scheduler-web (Scheduler:Worker:Embedded=true)
+  # Uncomment and set Scheduler__Worker__Embedded=false on scheduler-web for K8s split.
+  # scheduler-worker:
+  #   <<: *resources-medium
+  #   image: stellaops/scheduler-worker:dev
+  #   container_name: stellaops-scheduler-worker
+  #   restart: unless-stopped
+  #   environment:
+  #     <<: [*kestrel-cert, *gc-medium]
+  #     scheduler__queue__Kind: "Redis"
+  #     scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
+  #     Scheduler__Storage__Postgres__Scheduler__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
+  #     Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
+  #     Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
+  #     Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
+  #     Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
+  #     Scheduler__Worker__Policy__Api__BaseAddress: "http://policy-engine.stella-ops.local"
+  #     SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
+  #   volumes:
+  #     - ${STELLAOPS_CERT_VOLUME}
+  #   tmpfs:
+  #     - /var/lib/stellaops/surface:mode=1777
+  #   networks:
+  #     stellaops:
+  #       aliases:
+  #         - scheduler-worker.stella-ops.local
+  #   healthcheck:
+  #     <<: *healthcheck-worker
+  #   labels: *release-labels
 
   # --- Slot 20: Graph API ----------------------------------------------------
   graph-api:

devops/compose/hosts.stellaops.local

@@ -23,7 +23,9 @@
 127.1.0.14 policy-engine.stella-ops.local
 127.1.0.14 policy-gateway.stella-ops.local  # backwards-compat alias (merged into policy-engine)
 127.1.0.16 riskengine.stella-ops.local
-127.1.0.17 orchestrator.stella-ops.local
+127.1.0.17 orchestrator.stella-ops.local  # legacy alias
+127.1.0.46 workflow.stella-ops.local
+127.1.0.47 release-orchestrator.stella-ops.local
 # 127.1.0.18 taskrunner.stella-ops.local  # REMOVED: TaskRunner service deleted
 127.1.0.19 scheduler.stella-ops.local
 127.1.0.20 graph.stella-ops.local

devops/compose/router-gateway-local.json

@@ -29,7 +29,6 @@
                                    "CheckInterval":  "5s",
                                    "RequiredMicroservices":  [
                                                                      "platform",
-                                                                     "policy",
                                                                      "policy-engine",
                                                                      "notify",
                                                                      "scanner",