docs consolidation work

docs/modules/devops/AGENTS.md

@@ -1,14 +1,14 @@
 # DevOps agent guide
 
-## Mission
-The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
-
-## Advisory Handling
-- Any new/updated advisory triggers immediate doc + sprint updates (no approval).
-- Update high-level + detailed docs; inline only short snippets; put runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
-- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
-- Check archived advisories; mark supersedes/extends if overlapping.
-- Defaults: hybrid reachability, deterministic/frozen feeds; act first, report after.
+## Mission
+The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
+
+## Advisory Handling
+- Any new/updated advisory triggers immediate doc + sprint updates (no approval).
+- Update high-level + detailed docs; inline only short snippets; put runnable/long code in `docs/benchmarks/**` or `tests/**` (deterministic/offline) and link.
+- Add tasks + Execution Log entries in relevant `SPRINT_*.md` with doc paths/owners; add risks if schema/feed/transparency caps apply.
+- Check archived advisories; mark supersedes/extends if overlapping.
+- Defaults: hybrid reachability, deterministic/frozen feeds; act first, report after.
 
 ## Key docs
 - [Module README](./README.md)
@@ -24,7 +24,7 @@ The DevOps module captures release, deployment, and migration playbooks that kee
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/devops/governance-rules.md

@@ -0,0 +1,24 @@
+# DevOps Governance Rules Anchor (Sprint 33)
+
+> **Scope** · Exit deliverable for `DEVOPS-RULES-33-001`  
+> **Audience** · DevOps Guild, Platform leads, service owners  
+> **Related** · `ops/devops/TASKS.md`, `docs/backlog/2025-10-cleanup.md`, `docs/modules/platform/architecture-overview.md`
+
+This note consolidates the platform governance rules ratified on 30 October 2025.  
+Each rule captures intent, affected surfaces, enforcement actions, and references to the
+source-of-truth backlogs so that subsequent sprints do not re‑introduce conflicting work.
+
+| Rule | Intent & Rationale | Enforcement & Ownership | Follow-ups |
+|------|--------------------|-------------------------|------------|
+| **Gateway is a proxy only; Policy Engine owns overlays/simulations.** | Keep Gateway thin and deterministic: it authenticates, authorises, and forwards requests. All overlay composition, simulation, and policy evaluation stays inside Policy Engine so we avoid duplicated logic and time-of-check drift. | *Owners:* BE‑Base Platform Guild + Policy Engine Guild. <br/>*Enforcement:* Gateway PR reviews block embedded overlay code, new endpoints require `Policy Engine` contracts, CI parity checks compare Gateway ↔ Policy overlay schemas. | - Update open tasks referencing “gateway overlay” work to point at `POLICY-ENGINE-20-00x`.<br/>- Close or rewrite backlog items `WEB-POLICY-20-00x` that attempted to compute overlays in Gateway. |
+| **AOC ingestion is canonical-only; no merges at ingest.** | Concelier/Excititor persist upstream truth plus provenance. Derived severity, merges, or dedupe belong to downstream Policy workflows. This keeps ingestion auditable and replayable. | *Owners:* Concelier & Excititor guilds, DevOps Guild for CI pipelines. <br/>*Enforcement:* `StellaOps.Aoc` guard library, Mongo validators, Roslyn analyzer backlog (`WEB-AOC-19-003`), CI job `stella aoc verify`. | - Ensure ingestion tasks reference the guard library (`StellaOps.Aoc`).<br/>- Retire legacy tasks that still mention merge-at-ingest (see backlog cleanup note). |
+| **Single graph platform: Graph Indexer + Graph API (Cartographer retired).** | Replace the historical Cartographer service with the Graph Indexer + Graph API pairing so graph storage, overlays, and explorer flows share one platform. | *Owners:* Graph Platform Guild, Scheduler Guild, DevOps Guild. <br/>*Enforcement:* New graph work lands in `docs/modules/graph/**` and `src/Graph/**`. Gateway/UI/CLI tickets reference the Graph API endpoints only. | - Archive Cartographer handshake docs and mark Cartographer backlog items as historical.<br/>- Update Scheduler/SBOM/Console tickets to depend on `GRAPH-*` IDs instead of `CARTO-*`. |
+
+## Tracking & documentation
+
+- ✅ Rules recorded in correspoding sprint file `/docs/implplan/SPRINT_*.md` (Sprint 33) and `/docs/ops/devops/TASKS.md`.
+- ✅ Repository-wide references to “Cartographer as active platform” updated (see backlog note amendment and doc banner).
+- ✅ Changelog entry (`docs/updates/2025-10-30-devops-governance.md`) captures reviewer acknowledgement.
+
+Future adjustments to these rules must update this file and reference `DEVOPS-RULES-33-001`
+when proposing changes so the DevOps Guild can track history.

docs/modules/devops/migrations/semver-style.md

@@ -2,6 +2,8 @@
 
 _Last updated: 2025-10-11_
 
+> **Note (2025-12):** This runbook is obsolete. MongoDB was fully removed in Sprint 4400 and replaced with PostgreSQL. The migration functionality described here was executed during the transition period and is no longer applicable. Retained for historical reference only.
+
 ## Overview
 
 The SemVer style migration populates the new `normalizedVersions` field on advisory documents and ensures

docs/modules/devops/policy-schema-export.md

@@ -0,0 +1,27 @@
+# Policy Schema Export Automation
+
+This utility generates JSON Schema documents for the Policy Engine run contracts.
+
+## Command
+
+```
+scripts/export-policy-schemas.sh [output-directory]
+```
+
+When no output directory is supplied, schemas are written to `docs/schemas/`.
+
+The exporter builds against `StellaOps.Scheduler.Models` and emits:
+
+- `policy-run-request.schema.json`
+- `policy-run-status.schema.json`
+- `policy-diff-summary.schema.json`
+- `policy-explain-trace.schema.json`
+
+The build pipeline (`.gitea/workflows/build-test-deploy.yml`, job **Export policy run schemas**) runs this script on every push and pull request. Exports land under `artifacts/policy-schemas/<commit>/`, are published as the `policy-schema-exports` artifact, and changes trigger a Slack post to `#policy-engine` via the `POLICY_ENGINE_SCHEMA_WEBHOOK` secret. A unified diff is stored alongside the exports for downstream consumers.
+
+## CI integration checklist
+
+- [x] Invoke the script in the DevOps pipeline (see `DEVOPS-POLICY-20-004`).
+- [x] Publish the generated schemas as pipeline artifacts.
+- [x] Notify downstream consumers when schemas change (Slack `#policy-engine`, changelog snippet).
+- [ ] Gate CLI validation once schema artifacts are available.

docs/modules/devops/runbooks/deployment-upgrade.md

@@ -14,7 +14,7 @@ This runbook describes how to promote a new release across the supported deploym
 | `stable` | `deploy/releases/2025.09-stable.yaml` | `deploy/helm/stellaops/values-stage.yaml`, `deploy/helm/stellaops/values-prod.yaml` | `deploy/compose/docker-compose.stage.yaml`, `deploy/compose/docker-compose.prod.yaml` |
 | `airgap` | `deploy/releases/2025.09-airgap.yaml` | `deploy/helm/stellaops/values-airgap.yaml` | `deploy/compose/docker-compose.airgap.yaml` |
 
-Infrastructure components (MongoDB, MinIO, RustFS) are pinned in the release manifests and inherited by the deployment profiles. Supporting dependencies such as `nats` remain on upstream LTS tags; review `deploy/compose/*.yaml` for the authoritative set.
+Infrastructure components (PostgreSQL, Valkey, MinIO, RustFS) are pinned in the release manifests and inherited by the deployment profiles. Supporting dependencies such as `nats` remain on upstream LTS tags; review `deploy/compose/*.yaml` for the authoritative set.
 
 ---
 
@@ -48,8 +48,8 @@ Infrastructure components (MongoDB, MinIO, RustFS) are pinned in the release man
    ```
    Archive the resulting `out/offline-kit/metadata/debug-store.json` alongside the kit bundle.
 
-5. **Review compatibility matrix**  
-   Confirm MongoDB, MinIO, and RustFS versions in the release manifest match platform SLOs. The default targets are `mongo@sha256:c258…`, `minio@sha256:14ce…`, `rustfs:2025.10.0-edge`.
+5. **Review compatibility matrix**
+   Confirm PostgreSQL, Valkey, MinIO, and RustFS versions in the release manifest match platform SLOs. The default targets are `postgres:16-alpine`, `valkey:8.0`, `minio@sha256:14ce…`, `rustfs:2025.10.0-edge`.
 
 6. **Create a rollback bookmark**  
    Record the current Helm revision (`helm history stellaops -n stellaops`) and compose tag (`git describe --tags`) before applying changes.

docs/modules/devops/runbooks/launch-cutover.md

@@ -1,8 +1,10 @@
 # Launch Cutover Runbook - Stella Ops
 
-_Document owner: DevOps Guild (2025-10-26)_  
+_Document owner: DevOps Guild (2025-10-26)_
 _Scope:_ Full-platform launch from staging to production for release `2025.09.2`.
 
+> **Note (2025-12):** This document reflects the state at initial launch. Since then, MongoDB has been fully removed (Sprint 4400) and replaced with PostgreSQL. MinIO references now use RustFS. Redis references now use Valkey. See current deployment docs in `deploy/` for up-to-date configuration.
+
 ## 1. Roles and Communication
 
 | Role | Primary | Backup | Contact |