docs consolidation work

docs/04_FEATURE_MATRIX.md

@@ -58,9 +58,10 @@
 |------------|:----:|:---------:|:----------:|-------|
 | CVE Lookup via Local DB | ✅ | ✅ | ✅ | |
 | Licence-Risk Detection | ⏳ | ⏳ | ⏳ | Q4-2025 |
-| **Language Analyzers (All 8)** | | | | |
+| **Language Analyzers (All 11)** | | | | |
 | — .NET/C#, Java, Go, Python | ✅ | ✅ | ✅ | |
-| — Node.js, Ruby, Bun, Native | ✅ | ✅ | ✅ | |
+| — Node.js, Ruby, Bun, Deno | ✅ | ✅ | ✅ | |
+| — PHP, Rust, Native binaries | ✅ | ✅ | ✅ | |
 | **Progressive Fidelity Modes** | | | | |
 | — Quick Mode | ✅ | ✅ | ✅ | |
 | — Standard Mode | ✅ | ✅ | ✅ | |
@@ -423,7 +424,7 @@
 ### Free Tier (33 scans/day)
 **Target:** Individual developers, OSS contributors, evaluation
 
-- All language analyzers (8 languages)
+- All language analyzers (11 languages)
 - All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
 - Full VEX processing + VEX Hub + Conflict Studio
 - SSO/SAML/OIDC authentication

docs/05_SYSTEM_REQUIREMENTS_SPEC.md

@@ -48,7 +48,7 @@ The platform consists of:
 * **StellaOps.Registry** – internal container registry for agents.
 * **Stella CLI** – extracts SBOMs; supports multi‑format & delta.
 * **Zastava Agent** – enforcement hook for admission‑control scenarios.
-* **Web UI** – React/Next.js SPA consuming backend APIs.
+* **Web UI** – Angular 17 SPA consuming backend APIs.
 * **Plug‑ins** – hot‑load binaries extending scanners, attestations, etc.
 
 All services run in Docker Compose or Kubernetes with optional Internet
@@ -66,7 +66,7 @@ access.
 | F‑2 | System SHALL **auto‑detect** SBOM type when `sbomType` param omitted. | MUST | UT‑SBOM‑002 |
 | F‑3 | System SHALL **cache analysed layers** and reuse them in subsequent scans. | MUST | IT‑CACHE‑001 |
 | F‑4 | System SHALL **enforce a soft limit of {{ quota_token }}  scans per token per UTC day**. | MUST | IT‑QUOTA‑001 |
-| F‑4a | Remaining quota SHALL be **persisted in Redis** under key `quota:<token>:<yyyy‑mm‑dd>`. | MUST | UT‑QUOTA‑REDIS |
+| F‑4a | Remaining quota SHALL be **persisted in Valkey** under key `quota:<token>:<yyyy‑mm‑dd>`. | MUST | UT‑QUOTA‑VALKEY |
 | F‑4b | Exhausted quota SHALL trigger **HTTP 429** with `Retry‑After` header (UTC midnight). | MUST | IT‑QUOTA‑002 |
 | F‑4c | When quota is ≤ 40 % remaining, **UI banner** MUST turn yellow and show count‑down. | SHOULD | UI‑E2E‑005 |
 | F‑4d | `/quota` endpoint SHALL return JSON `{"limit":{{ quota_token }} ,"remaining":N,"resetsAt":"<ISO‑8601>"}`. | SHOULD | API‑DOC‑003 |
@@ -136,7 +136,7 @@ access.
 | **NFR‑PERF‑1** | Performance | P95 cold scan ≤ 5 s; warm ≤ 1 s (see **FR‑DELTA‑3**). |
 | **NFR‑PERF‑2** | Throughput | System shall sustain 60 concurrent scans on 8‑core node without queue depth >10. |
 | **NFR‑AVAIL‑1** | Availability | All services shall start offline; any Internet call must be optional. |
-| **NFR-SCAL-1** | Scalability | Horizontal scaling via Kubernetes replicas for backend, Redis Sentinel, PostgreSQL cluster. |
+| **NFR-SCAL-1** | Scalability | Horizontal scaling via Kubernetes replicas for backend, Valkey cluster, PostgreSQL cluster. |
 | **NFR‑SEC‑1** | Security | All inter‑service traffic shall use TLS or localhost sockets. |
 | **NFR‑COMP‑1** | Compatibility | Platform shall run on x86‑64 Linux kernel ≥ 5.10; Windows agents (TODO > 6 mo) must support Server 2019+. |
 | **NFR‑I18N‑1** | Internationalisation | UI must support EN and at least one additional locale (Cyrillic). |
@@ -147,7 +147,7 @@ access.
 ## 7 Acceptance Criteria <a id="7-acceptance-criteria"></a>
 
 1. Issue {{ quota_token }} `/scan` calls; next returns random slow down and `Retry‑After`.  
-2. Redis failure during test → API returns **0 remaining** & warns in logs.  
+2. Valkey failure during test → API returns **0 remaining** & warns in logs.  
 3. UI banner activates at 133 remaining; clears next UTC midnight.  
 
 ---
@@ -179,7 +179,7 @@ Authorization: Bearer <token>
 ## 9 · Assumptions & Constraints
 
 * Hardware reference: 8 vCPU, 8 GB RAM, NVMe SSD.  
-* PostgreSQL and Redis run co-located unless horizontal scaling enabled.
+* PostgreSQL and Valkey run co-located unless horizontal scaling enabled.
 * All docker images tagged `latest` are immutable (CI process locks digests).  
 * Rego evaluation runs in embedded OPA Go‑library (no external binary).  
 

docs/11_GOVERNANCE.md

@@ -49,7 +49,7 @@ Approval is recorded via Git forge review or a signed commit trailer
 
 * Every tag is **co‑signed by at least one Security Maintainer**.  
 * CI emits a **signed SPDX SBOM** + **Cosign provenance**.  
-* Release cadence is fixed – see [public Road‑map](05_ROADMAP.md).  
+* Release cadence is fixed – see [Release Engineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md).  
 * Security fixes may create out‑of‑band `x.y.z‑hotfix` tags.
 
 ---

docs/15_UI_GUIDE.md

@@ -82,7 +82,7 @@ See `docs/24_OFFLINE_KIT.md` for packaging and offline verification workflows.
 ## Deploy and Install References
 
 - Deployment configuration and health checks: `docs/deploy/console.md`.
-- Container install recipes: `docs/install/docker.md`.
+- Container install recipes: `docs/operations/console-docker-install.md`.
 
 ## Detailed References
 

docs/24_OFFLINE_KIT.md

@@ -461,8 +461,8 @@ The scanner enforces the same fair‑use limits offline:
 * **Free JWT:** {{ quota\_token }} scans per UTC day
 
 Soft reminder at 200 scans; throttle above the ceiling but **never block**.
-See the detailed rules in
+See the quota enforcement flow in
-[`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md).
+[`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).
 
 ---
 

docs/29_LEGAL_FAQ_QUOTA.md

@@ -1,7 +1,7 @@
 # Legal FAQ — Free‑Tier Quota & AGPL Compliance
 
 > **Operational behaviour (limits, counters, delays) is documented in  
-> [`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md).**  
+> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).**  
 > This page covers only the legal aspects of offering Stella Ops as a
 > service or embedding it into another product while the free‑tier limits are
 > in place.

docs/30_QUOTA_ENFORCEMENT_FLOW1.md

@@ -1,8 +1,8 @@
 # Quota Enforcement — Flow Diagram (rev 2.1)
 
 > **Scope** – this document explains *how* the free‑tier limits are enforced
-> inside the scanner service.  For policy rationale and legal aspects see  
+> inside the scanner service. For policy rationale and legal aspects, see
-> [`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md).
+> [`29_LEGAL_FAQ_QUOTA.md`](29_LEGAL_FAQ_QUOTA.md).
 
 ---
 
@@ -26,10 +26,10 @@
 sequenceDiagram
     participant C as Client
     participant API as Scanner API
-    participant REDIS as Redis (quota)
+    participant VALKEY as Valkey (quota)
     C->>API: /scan
-    API->>REDIS: INCR quota:<key>
+    API->>VALKEY: INCR quota:<key>
-    REDIS-->>API: new_count
+    VALKEY-->>API: new_count
     alt new_count ≤ L_active
         API-->>C: 202 Accepted (no delay)
     else new_count ≤ L_active + 30
@@ -45,7 +45,7 @@ sequenceDiagram
 
 ---
 
-## 2 · Redis key layout
+## 2 · Valkey key layout
 
 | Key pattern            | TTL  | Description                       |
 | ---------------------- | ---- | --------------------------------- |
@@ -53,7 +53,7 @@ sequenceDiagram
 | `quota:tid:<sha256>`   | 24 h | Token quota per *hashed* token‑ID |
 | `quota:ip:<sha256>:ts` | 24 h | First‑seen timestamp (ISO 8601)   |
 
-Keys share a common TTL for efficient mass expiry via `redis-cli --scan`.
+Keys share a common TTL for efficient mass expiry via `valkey-cli --scan`.
 
 ---
 

docs/DEVELOPER_ONBOARDING.md

@@ -405,7 +405,7 @@ docker compose -f docker-compose.dev.yaml down
 
 # 2. Remove database volumes
 docker volume rm compose_postgres-data
-docker volume rm compose_mongo-data
+docker volume rm compose_valkey-data
 
 # 3. Restart platform (will recreate volumes and databases)
 docker compose -f docker-compose.dev.yaml up -d

docs/_archive/README.md

@@ -7,6 +7,7 @@ This directory contains documentation that has been superseded, deprecated, or c
 | Directory | Reason | Canonical Location |
 |-----------|--------|-------------------|
 | `orchestrator-legacy/` | Parallel directory consolidated | `docs/modules/orchestrator/` |
+| `stubs/` | Empty placeholder files archived | N/A |
 
 ## Policy
 

docs/_includes/CONSTANTS.md

@@ -9,7 +9,7 @@
 # ─────────────────────────────────────────────────────────────────────────────
 
 dotnet:       "10 LTS"      # Runs on .NET 10 (LTS channel)
-angular:      "20"          # Front‑end framework major
+angular:      "17"          # Front‑end framework major (17.3.x)
 quota_anon:   33            # Anonymous daily scans
 quota_token:  333           # Daily scans with free JWT
 slowdown:     "5–60 s"      # Delay window after exceeding quota

docs/aoc/aoc-guardrails.md

@@ -10,4 +10,4 @@ The Aggregation-Only Contract keeps ingestion services deterministic and policy-
 
 For detailed roles and ownership boundaries, see `AGENTS.md` at the repo root and the module-specific dossiers under `docs/modules/<module>/architecture.md`.
 
-Need the full contract? Read the [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md) for schemas, error codes, and migration guidance.
+Need the full contract? Read the [Aggregation-Only Contract reference](aggregation-only-contract.md) for schemas, error codes, and migration guidance.

docs/aoc/guard-library.md

@@ -5,7 +5,7 @@
 > **Audience:** Concelier/Excititor service owners, Platform guild, QA
 
 The Aggregation-Only Contract (AOC) guard library enforces the canonical ingestion
-rules described in `docs/ingestion/aggregation-only-contract.md`. Service owners
+rules described in `docs/aoc/aggregation-only-contract.md`. Service owners
 should use the guard whenever raw advisory or VEX payloads are accepted so that
 forbidden fields are rejected long before they reach PostgreSQL.
 

docs/api/policy.md

@@ -539,7 +539,7 @@ Returns rule hit sequence:
 - `policy.run.completed` – emitted with `runId`, `policyId`, `mode`, `stats`, `determinismHash`.
 - `policy.run.failed` – includes error code, retry count, guidance.
 - `policy.lifecycle.*` – mirrored from lifecycle APIs (see [Lifecycle guide](../policy/lifecycle.md)).
-- Webhook registration occurs via `/api/policy/webhooks` (future work, reserved). For now, integrate with Notifier streams documented in `/docs/notifications/*`.
+- Webhook registration occurs via `/api/policy/webhooks` (future work, reserved). For now, integrate with Notifier streams documented in `/docs/modules/notify/`.
 
 ---
 

docs/assets/authority/authority-plugin-component.mmd

@@ -19,13 +19,13 @@ flowchart LR
         identity[IIdentityProviderPlugin
 (password & bootstrap flows)]
         store[StandardUserCredentialStore
-(Mongo collections)]
+(PostgreSQL auth schema)]
         capability[Capability Metadata
 (password, bootstrap, clientProvisioning)]
     end
 
     subgraph External["External Systems"]
-        mongo[(MongoDB cluster
+        postgres[(PostgreSQL cluster
 credential + lockout state)]
         audit[(Audit Sink / Event Bus)]
         secrets[Offline Secrets Bundle
@@ -40,7 +40,7 @@ credential + lockout state)]
     registrar --> identity
     identity --> store
     identity --> audit
-    store --> mongo
+    store --> postgres
     options --> secrets
     secrets --> registrar
     api --> identity

docs/assets/authority/authority-plugin-component.svg

@@ -76,7 +76,7 @@
   </g>
   <g class="node-small">
     <rect x="690" y="170" width="220" height="46" rx="12" ry="12" />
-    <text x="700" y="198">MongoDB cluster</text>
+    <text x="700" y="198">PostgreSQL cluster</text>
     <text class="annotation" x="700" y="216">credential &amp; lockout state</text>
   </g>
   <g class="node-small">

docs/benchmarks/vex-justifications.catalog.json

@@ -131,7 +131,7 @@
         "security-ops"
       ],
       "policy_links": [
-        "docs/uncertainty/README.md"
+        "docs/reachability/uncertainty-entropy.md"
       ],
       "uncertainty_gate": "U2-medium"
     },

docs/cli-vs-ui-parity.md

@@ -143,11 +143,11 @@ The script should emit a parity report that feeds into the Downloads workspace (
 ## 11 · References
 
 - `docs/15_UI_GUIDE.md` – console workflow overview for parity context.  
-- `/docs/install/docker.md` – CLI parity section for deployments.  
+- `/docs/operations/console-docker-install.md` – CLI parity section for deployments.  
 - `/docs/observability/ui-telemetry.md` – telemetry metrics referencing CLI checks.  
 - `/docs/security/console-security.md` – security metrics & CLI parity expectations.  
 - `src/Cli/StellaOps.Cli/TASKS.md` – authoritative status for CLI backlog.  
-- `/docs/updates/2025-10-28-docs-guild.md` – coordination note for Authority/Security follow-up.
+- `/docs/implplan/archived/updates/2025-10-28-docs-guild.md` – coordination note for Authority/Security follow-up.
 
 ---
 

docs/deploy/containers.md

@@ -134,7 +134,7 @@ clients:
 
 ## 7 · References
 
-- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../aoc/aggregation-only-contract.md)
 - [Authority scopes & tenancy](../security/authority-scopes.md)
 - [Observability guide](../observability/observability.md)
 - [CLI AOC commands](../modules/cli/guides/cli-reference.md)

docs/key-features.md

@@ -81,7 +81,7 @@ Each card below pairs the headline capability with the evidence that backs it an
 - **Evidence:** `docs/task-packs/spec.md` and `docs/task-packs/registry.md`; architecture contract in `docs/modules/taskrunner/architecture.md`; runbook in `docs/task-packs/runbook.md`.
 - **Why it matters:** Security teams get auditable, air-gap-friendly automation with human approvals and provable provenance, reusing the same workflows online or offline.
 
-## 13. Evidence-Grade Testing and Deterministic Gates (2026-12)
+## 13. Evidence-Grade Testing and Deterministic Gates (2025-12)
 - **What it is:** A model-driven test taxonomy and CI lanes that make determinism, offline behavior, and contract stability continuously provable.
 - **Evidence:** `docs/testing/testing-strategy-models.md` and the catalog in `docs/testing/TEST_CATALOG.yml` define required test types per module; `docs/19_TEST_SUITE_OVERVIEW.md` lists the gated lanes.
 - **Why it matters:** Regression-proof audits and predictable CI gates ensure that evidence, not assumptions, drives releases.

docs/modules/attestor/AGENTS.md

@@ -17,7 +17,7 @@ Attestor moves signed evidence through the trust chain by accepting DSSE bundles
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/authority/AGENTS.md

@@ -17,7 +17,7 @@ Authority is the platform OIDC/OAuth2 control plane that mints short-lived, send
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/ci/AGENTS.md

@@ -16,7 +16,7 @@ CI module collects reproducible pipeline recipes for builds, tests, and release
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/cli/AGENTS.md

@@ -16,7 +16,7 @@ The `stella` CLI is the operator-facing Swiss army knife for scans, exports, pol
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/cli/guides/cli-reference.md

@@ -3,7 +3,7 @@
 > **Audience:** DevEx engineers, operators, and CI authors integrating the `stella` CLI with Aggregation-Only Contract (AOC) workflows.  
 > **Scope:** Command synopsis, options, exit codes, and offline considerations for `stella sources ingest --dry-run` and `stella aoc verify` as introduced in Sprint 19.
 
-Both commands are designed to enforce the AOC guardrails documented in the [aggregation-only reference](../../../ingestion/aggregation-only-contract.md) and the [architecture overview](../architecture.md). They consume Authority-issued tokens with tenant scopes and never mutate ingestion stores.
+Both commands are designed to enforce the AOC guardrails documented in the [aggregation-only reference](../../../aoc/aggregation-only-contract.md) and the [architecture overview](../architecture.md). They consume Authority-issued tokens with tenant scopes and never mutate ingestion stores.
 
 ---
 
@@ -416,7 +416,7 @@ Additional notes:
 
 ## 5 · Related references
 
-- [Aggregation-Only Contract reference](../../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../../aoc/aggregation-only-contract.md)
 - [Architecture overview](../../platform/architecture-overview.md)
 - [Console operator guide](../../../15_UI_GUIDE.md)
 - [Authority scopes](../../authority/architecture.md)

docs/modules/cli/guides/commands/aoc.md

@@ -103,7 +103,7 @@ See the [CLI Consolidation Migration Guide](../../../../cli/cli-consolidation-mi
 
 ## Related Documentation
 
-- [Aggregation-Only Contract Reference](../../../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract Reference](../../../../aoc/aggregation-only-contract.md)
 - [CLI Reference](../cli-reference.md)
 - [Container Deployment Guide](../../../../deploy/containers.md)
 

docs/modules/concelier/AGENTS.md

@@ -16,7 +16,7 @@ Concelier ingests signed advisories from dozens of sources and converts them int
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/concelier/README.md

@@ -15,7 +15,7 @@ Concelier ingests signed advisories from dozens of sources and converts them int
 - Exporter packages (`StellaOps.Concelier.Exporter.*`).
 
 ## Recent updates
-- **2025-11-07:** Paragraph-anchored `/advisories/{advisoryKey}/chunks` endpoint shipped for Advisory AI paragraph retrieval. Details and rollout notes live in [`../../updates/2025-11-07-concelier-advisory-chunks.md`](../../updates/2025-11-07-concelier-advisory-chunks.md).
+- **2025-11-07:** Paragraph-anchored `/advisories/{advisoryKey}/chunks` endpoint shipped for Advisory AI paragraph retrieval. Details and rollout notes live in [`../../implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md`](../../implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md).
 
 ## Integrations & dependencies
 - PostgreSQL (schema `vuln`) for canonical observations and schedules.

docs/modules/concelier/implementation_plan.md

@@ -2,7 +2,7 @@
 
 ## Delivery timeline
 - **Phase 1 — Guardrails & schema**
-  Stand up Mongo JSON validators for `advisory_raw` and `vex_raw`, wire the `AOCWriteGuard` repository interceptor, and seed deterministic linkset builders. Freeze legacy normalisation paths and migrate callers to the new raw schema.
+  Stand up PostgreSQL JSON schema validators for `advisory_raw` and `vex_raw`, wire the `AOCWriteGuard` repository interceptor, and seed deterministic linkset builders. Freeze legacy normalisation paths and migrate callers to the new raw schema.
 - **Phase 2 — API & observability**  
   Publish ingestion and verification endpoints (`POST /ingest/*`, `GET /advisories.raw`, `POST /aoc/verify`) with Authority scopes, expose telemetry (`aoc_violation_total`, guard spans, structured logs), and ensure Offline Kit packaging captures validator deployment steps.
 - **Phase 3 — Experience polish**  
@@ -10,7 +10,7 @@
 
 ## Work breakdown by component
 - **Concelier WebService & worker**
-  - Add Mongo validators and unique indexes over `(tenant, source.vendor, upstream.upstream_id, upstream.content_hash)`.
+  - Add PostgreSQL validators and unique indexes over `(tenant, source.vendor, upstream.upstream_id, upstream.content_hash)`.
   - Implement write interceptors rejecting forbidden fields, missing provenance, or merge attempts.
   - Deterministically compute linksets and persist canonical JSON payloads.
   - Introduce `/ingest/advisory`, `/advisories/raw*`, and `/aoc/verify` surfaces guarded by `advisory:*` and `aoc:verify` scopes.
@@ -34,13 +34,13 @@
   - Seed fixtures and run `stella aoc verify` against snapshots in pipeline gating.
 
 ## Documentation deliverables
-- Update `docs/ingestion/aggregation-only-contract.md` with guard invariants, schemas, error codes, and migration guidance.
+- Update `docs/aoc/aggregation-only-contract.md` with guard invariants, schemas, error codes, and migration guidance.
 - Refresh `docs/modules/concelier/operations/*.md` (mirror, conflict-resolution, authority audit) with validator rollouts and observability dashboards.
 - Cross-link Authority scope definitions, CLI reference, Console sources guide, and observability runbooks to the AOC guard changes.
 - Ensure Offline Kit documentation captures validator bootstrap and verify workflows.
 
 ## Acceptance criteria
-- Mongo validators and runtime guards reject forbidden fields and missing provenance with the documented `ERR_AOC_00x` codes.
+- PostgreSQL validators and runtime guards reject forbidden fields and missing provenance with the documented `ERR_AOC_00x` codes.
 - Linksets and supersedes chains are deterministic; rerunning ingestion over identical payloads yields byte-identical documents.
 - CLI `stella aoc verify` exits non-zero on seeded violations and zero on clean datasets; Console dashboards show real-time guard status.
 - Export Center consumes advisory datasets without relying on legacy normalised fields.

docs/modules/concelier/link-not-merge-schema.md

@@ -11,7 +11,7 @@ _Frozen v1 (add-only) — approved 2025-11-17 for CONCELIER-LNM-21-001/002/101._
 - Frozen v1 as of 2025-11-17; further schema changes must go through ADR + sprint gating (CONCELIER-LNM-22x+).
 - Canonical JSON Schemas + signed manifest live in `docs/modules/concelier/schemas/` (advisory observation, linkset, offline bundle). Verify with `openssl dgst -sha256 -verify schema-signing-pub.pem -signature schema.manifest.sig schema.manifest.json`.
 
-## Observation document (Mongo JSON Schema excerpt)
+## Observation document (PostgreSQL JSON Schema excerpt)
 ```json
 {
   "bsonType": "object",
@@ -152,11 +152,11 @@ When an advisory source publishes a revised version of an advisory:
 - Deterministic sort: observations sorted by `source, advisoryId, fetchedAt` before hashing.
 - Conflicts are additive only and now carry optional `sourceIds[]` to trace which upstream sources produced divergent values.
 
-## Indexes (Mongo)
+## Indexes (PostgreSQL)
 - Observations: `{ tenantId:1, source:1, advisoryId:1, provenance.fetchedAt:-1 }` (compound for ingest); `{ provenance.sourceArtifactSha:1 }` unique to avoid dup writes.
 - Linksets: `{ tenantId:1, advisoryId:1, source:1 }` unique; `{ observations:1 }` sparse for reverse lookups.
 
-## Collections
+## Tables
 - `advisory_observations` — raw per-source docs (immutable).
 - `advisory_linksets` — derived normalized aggregates with observation pointers and hashes.
 
@@ -170,7 +170,7 @@ See `docs/samples/lnm/observation-ghsa.json` and `docs/samples/lnm/linkset-ghsa.
 
 ## Approval path
 1) Architecture + Concelier Core review this document.
-2) If accepted, freeze JSON Schema and roll into `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo` migrations.
+2) If accepted, freeze JSON Schema and roll into `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Postgres` migrations.
 3) Update consumers (policy/CLI/export) to read from linksets only; deprecate Merge endpoints.
 
 ---

docs/modules/devops/AGENTS.md

@@ -24,7 +24,7 @@ The DevOps module captures release, deployment, and migration playbooks that kee
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/devops/migrations/semver-style.md

@@ -2,6 +2,8 @@
 
 _Last updated: 2025-10-11_
 
+> **Note (2025-12):** This runbook is obsolete. MongoDB was fully removed in Sprint 4400 and replaced with PostgreSQL. The migration functionality described here was executed during the transition period and is no longer applicable. Retained for historical reference only.
+
 ## Overview
 
 The SemVer style migration populates the new `normalizedVersions` field on advisory documents and ensures

docs/modules/devops/runbooks/deployment-upgrade.md

@@ -14,7 +14,7 @@ This runbook describes how to promote a new release across the supported deploym
 | `stable` | `deploy/releases/2025.09-stable.yaml` | `deploy/helm/stellaops/values-stage.yaml`, `deploy/helm/stellaops/values-prod.yaml` | `deploy/compose/docker-compose.stage.yaml`, `deploy/compose/docker-compose.prod.yaml` |
 | `airgap` | `deploy/releases/2025.09-airgap.yaml` | `deploy/helm/stellaops/values-airgap.yaml` | `deploy/compose/docker-compose.airgap.yaml` |
 
-Infrastructure components (MongoDB, MinIO, RustFS) are pinned in the release manifests and inherited by the deployment profiles. Supporting dependencies such as `nats` remain on upstream LTS tags; review `deploy/compose/*.yaml` for the authoritative set.
+Infrastructure components (PostgreSQL, Valkey, MinIO, RustFS) are pinned in the release manifests and inherited by the deployment profiles. Supporting dependencies such as `nats` remain on upstream LTS tags; review `deploy/compose/*.yaml` for the authoritative set.
 
 ---
 
@@ -49,7 +49,7 @@ Infrastructure components (MongoDB, MinIO, RustFS) are pinned in the release man
    Archive the resulting `out/offline-kit/metadata/debug-store.json` alongside the kit bundle.
 
 5. **Review compatibility matrix**
-   Confirm MongoDB, MinIO, and RustFS versions in the release manifest match platform SLOs. The default targets are `mongo@sha256:c258…`, `minio@sha256:14ce…`, `rustfs:2025.10.0-edge`.
+   Confirm PostgreSQL, Valkey, MinIO, and RustFS versions in the release manifest match platform SLOs. The default targets are `postgres:16-alpine`, `valkey:8.0`, `minio@sha256:14ce…`, `rustfs:2025.10.0-edge`.
 
 6. **Create a rollback bookmark**  
    Record the current Helm revision (`helm history stellaops -n stellaops`) and compose tag (`git describe --tags`) before applying changes.

docs/modules/devops/runbooks/launch-cutover.md

@@ -3,6 +3,8 @@
 _Document owner: DevOps Guild (2025-10-26)_
 _Scope:_ Full-platform launch from staging to production for release `2025.09.2`.
 
+> **Note (2025-12):** This document reflects the state at initial launch. Since then, MongoDB has been fully removed (Sprint 4400) and replaced with PostgreSQL. MinIO references now use RustFS. Redis references now use Valkey. See current deployment docs in `deploy/` for up-to-date configuration.
+
 ## 1. Roles and Communication
 
 | Role | Primary | Backup | Contact |

docs/modules/excititor/AGENTS.md

@@ -16,7 +16,7 @@ Excititor converts heterogeneous VEX feeds into raw observations and linksets th
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/excititor/README.md

@@ -6,17 +6,17 @@ Excititor converts heterogeneous VEX feeds into raw observations and linksets th
 - Chunk API documentation remains blocked until CI is green and a pinned OpenAPI spec + deterministic samples are available.
 - Sprint tracker `docs/implplan/SPRINT_0333_0001_0001_docs_modules_excititor.md` and module `TASKS.md` mirror status.
 - Observability/runbook assets remain in `operations/observability.md` and `observability/` (timeline, locker manifests); dashboards stay offline-import friendly.
-- Prior updates (2025-11-05): Link-Not-Merge readiness and consensus beta note (`../../updates/2025-11-05-excitor-consensus-beta.md`), observability guide additions, DSSE packaging guidance, and Policy/CLI follow-ups tracked in SPRINT_200.
+- Prior updates (2025-11-05): Link-Not-Merge readiness and consensus beta note (`../../implplan/archived/updates/2025-11-05-excitor-consensus-beta.md`), observability guide additions, DSSE packaging guidance, and Policy/CLI follow-ups tracked in SPRINT_200.
-- Link-Not-Merge readiness: release note [Excitor consensus beta](../../updates/2025-11-05-excitor-consensus-beta.md) captures how Excititor feeds power the Excititor consensus beta (sample payload in [consensus JSON](../../vex/consensus-json.md)).
+- Link-Not-Merge readiness: release note [Excitor consensus beta](../../implplan/archived/updates/2025-11-05-excitor-consensus-beta.md) captures how Excititor feeds power the Excititor consensus beta (sample payload in [consensus JSON](../../vex/consensus-json.md)).
 - Added [observability guide](operations/observability.md) describing the evidence metrics emitted by `EXCITITOR-AIAI-31-003` (request counters, statement histogram, signature status, guard violations) so Ops/Lens can alert on misuse.
 - README now points policy/UI teams to the upcoming consensus integration work.
-- DSSE packaging for consensus bundles and Export Center hooks are documented in the [beta release note](../../updates/2025-11-05-excitor-consensus-beta.md); operators mirroring Excititor exports must verify detached JWS artefacts (`bundle.json.jws`) alongside each bundle.
+- DSSE packaging for consensus bundles and Export Center hooks are documented in the [beta release note](../../implplan/archived/updates/2025-11-05-excitor-consensus-beta.md); operators mirroring Excititor exports must verify detached JWS artefacts (`bundle.json.jws`) alongside each bundle.
 - Follow-ups called out in the release note (Policy weighting knobs `POLICY-ENGINE-30-101`, CLI verb `CLI-VEX-30-002`) remain in-flight and are tracked in `/docs/implplan/SPRINT_200_documentation_process.md`.
 
 ## Release references
 - Consensus beta payload reference: [docs/vex/consensus-json.md](../../vex/consensus-json.md)
 - Export Center offline packaging: [docs/modules/export-center/devportal-offline.md](../export-center/devportal-offline.md)
-- Historical release log: [docs/updates/](../../updates/)
+- Historical release log: [docs/implplan/archived/updates/](../../implplan/archived/updates/)
 
 ## Responsibilities
 - Fetch OpenVEX/CSAF/CycloneDX statements via restart-only connectors.

docs/modules/excititor/schemas/vex_raw.schema.json

@@ -2,6 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "https://stellaops.dev/schemas/excititor/vex_raw.schema.json",
   "title": "Excititor VEX Raw Document",
+  "$comment": "Note (2025-12): The gridFsObjectId field is legacy. Since Sprint 4400, all large content is stored in PostgreSQL with RustFS. This field exists only for backward compatibility with migrated data.",
   "type": "object",
   "additionalProperties": true,
   "required": ["_id", "providerId", "format", "sourceUri", "retrievedAt", "digest"],

docs/modules/excititor/vex_observations.md

@@ -1,6 +1,6 @@
 # VEX Observation Model (`vex_observations`)
 
-> Authored 2025-11-14 for Sprint 120 (`EXCITITOR-LNM-21-001`). This document is the canonical schema description for Excititor’s immutable observation records. It unblocks downstream documentation tasks (`DOCS-LNM-22-002`) and aligns the WebService/Worker data structures with Mongo persistence.
+> Authored 2025-11-14 for Sprint 120 (`EXCITITOR-LNM-21-001`). This document is the canonical schema description for Excititor's immutable observation records. It unblocks downstream documentation tasks (`DOCS-LNM-22-002`) and aligns the WebService/Worker data structures with PostgreSQL persistence.
 
 Excititor ingests heterogeneous VEX statements, normalizes them under the Aggregation-Only Contract (AOC), and persists each normalized statement as a **VEX observation**. These observations are the source of truth for:
 
@@ -15,7 +15,7 @@ All observation documents are immutable. New information creates a new observati
 
 | Aspect | Value |
 | --- | --- |
-| Collection | `vex_observations` (Mongo) |
+| Table | `vex_observations` (PostgreSQL) |
 | Upstream generator | `VexObservationProjectionService` (WebService) and Worker normalization pipeline |
 | Primary key | `{tenant, observationId}` |
 | Required indexes | `{tenant, vulnerabilityId}`, `{tenant, productKey}`, `{tenant, document.digest}`, `{tenant, providerId, status}` |
@@ -114,7 +114,7 @@ All observation documents are immutable. New information creates a new observati
 2. **Sorted collections** – arrays (`anchors`, `purls`, `cpes`) are sorted lexicographically before persistence.
 3. **Guard metadata** – `aoc.guardVersion` records the guard library version (`docs/aoc/guard-library.md`), enabling audits.
 4. **Signatures** – only verification metadata proven by the Worker is stored; WebService never recomputes trust.
-5. **Time normalization** – all timestamps stored as UTC ISO-8601 strings (Mongo `DateTime`).
+5. **Time normalization** – all timestamps stored as UTC ISO-8601 strings (PostgreSQL `timestamptz`).
 
 ## API mapping
 

docs/modules/export-center/AGENTS.md

@@ -17,7 +17,7 @@ Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) wi
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/export-center/api.md

@@ -356,6 +356,6 @@ Payload includes `targetUrl`, `events` (e.g., `run.succeeded`), and optional sec
 - [Export Center Architecture](architecture.md)
 - [Export Center Profiles](profiles.md)
 - [Export Center CLI Guide](cli.md) *(companion document)*
-- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../aoc/aggregation-only-contract.md)
 
 > **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/modules/export-center/cli.md

@@ -230,6 +230,6 @@ Exit codes above 100 are reserved for future profile-specific tooling.
 - [Export Center Profiles](profiles.md)
 - [Export Center API reference](api.md)
 - [Export Center Architecture](architecture.md)
-- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../aoc/aggregation-only-contract.md)
 
 > **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/modules/export-center/mirror-bundles.md

@@ -216,6 +216,6 @@ sequenceDiagram
 - [Export Center API reference](api.md)
 - [Export Center CLI Guide](cli.md)
 - [Concelier mirror runbook](../concelier/operations/mirror.md)
-- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../aoc/aggregation-only-contract.md)
 
 > **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/modules/export-center/operations/runbook.md

@@ -199,7 +199,7 @@ If encryption enabled, decrypt using age or AES key before verification.
 - `docs/modules/export-center/trivy-adapter.md`
 - `docs/modules/export-center/mirror-bundles.md`
 - `ops/devops/TASKS.md` (`DEVOPS-EXPORT-36-001`, `DEVOPS-EXPORT-37-001`)
-- `docs/ingestion/aggregation-only-contract.md`
+- `docs/aoc/aggregation-only-contract.md`
 - `docs/24_OFFLINE_KIT.md`
 
 > **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/modules/export-center/overview.md

@@ -33,7 +33,7 @@ Refer to `docs/modules/export-center/architecture.md` (Sprint 35 task) for compo
 - **Signing and encryption.** Manifests and payloads are signed using the platform KMS. Mirror profiles support optional in-bundle encryption (age/AES-GCM) with key wrapping.
 - **Determinism.** Identical inputs yield identical bundles. Timestamps serialize in UTC ISO-8601; manifests include content hashes for audit replay.
 
-See `docs/security/policy-governance.md` and `docs/ingestion/aggregation-only-contract.md` for broader guardrail context.
+See `docs/security/policy-governance.md` and `docs/aoc/aggregation-only-contract.md` for broader guardrail context.
 
 ## Operating it offline
 - **Offline Kit integration.** Air-gapped deployments receive pre-built export profiles and object storage layout templates through the Offline Kit bundles.

docs/modules/graph/AGENTS.md

@@ -23,7 +23,7 @@ Graph module (upcoming) will power graph-indexed queries for SBOM relationships,
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/notify/AGENTS.md

@@ -17,7 +17,7 @@ Notify evaluates operator-defined rules against platform events and dispatches c
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/notify/README.md

@@ -28,25 +28,25 @@ Notify (Notifications Studio) converts platform events into tenant-scoped alerts
 Status for these items is tracked in `src/Notifier/StellaOps.Notifier/TASKS.md` and sprint plans; update this README once tasks merge.
 
 ## Key docs & release alignment
-- [`docs/notifications/overview.md`](../../notifications/overview.md) — summary of capabilities, imposed rules, and customer journey.
+- [`overview.md`](overview.md) — summary of capabilities, imposed rules, and customer journey.
-- [`docs/notifications/architecture.md`](../../notifications/architecture.md) — Notifications Studio runtime view (published 2025-10-29).
+- [`architecture.md`](architecture.md) / [`architecture-detail.md`](architecture-detail.md) — Notifications Studio runtime view.
-- [`docs/notifications/rules.md`](../../notifications/rules.md) — declarative matcher syntax and evaluation order.
+- [`rules.md`](rules.md) — declarative matcher syntax and evaluation order.
-- [`docs/notifications/digests.md`](../../notifications/digests.md) — digest windows, coalescing logic, and delivery samples.
+- [`digests.md`](digests.md) — digest windows, coalescing logic, and delivery samples.
-- [`docs/notifications/templates.md`](../../notifications/templates.md) — template helpers, localisation, and redaction guidelines.
+- [`templates.md`](templates.md) — template helpers, localisation, and redaction guidelines.
-- [`docs/updates/2025-10-29-notify-docs.md`](../../updates/2025-10-29-notify-docs.md) — latest release note; follow-ups remain to validate connector metadata, quiet-hours semantics, and simulation payloads once Sprint 39 drops land.
+- [`docs/implplan/archived/updates/2025-10-29-notify-docs.md`](../../implplan/archived/updates/2025-10-29-notify-docs.md) — latest release note; follow-ups remain to validate connector metadata, quiet-hours semantics, and simulation payloads once Sprint 39 drops land.
 
 ## Integrations & dependencies
 - **Storage:** PostgreSQL (schema `notify`) for rules, channels, deliveries, digests, and throttles; Valkey for worker coordination.
 - **Queues:** Valkey Streams or NATS JetStream for ingestion, throttling, and DLQs (`notify.dlq`).
 - **Authority:** OpTok-protected APIs, DPoP-backed CLI/UI scopes (`notify.viewer`, `notify.operator`, `notify.admin`), and secret references for channel credentials.
-- **Observability:** Prometheus metrics (`notify.sent_total`, `notify.failed_total`, `notify.digest_coalesced_total`, etc.), OTEL traces, and dashboards documented in `docs/notifications/architecture.md#12-observability-prometheus--otel`.
+- **Observability:** Prometheus metrics (`notify.sent_total`, `notify.failed_total`, `notify.digest_coalesced_total`, etc.), OTEL traces, and dashboards documented in `architecture-detail.md`.
 
 ## Operational notes
 - Schema fixtures live in `./resources/schemas`; event and delivery samples live in `./resources/samples` for contract tests and UI mocks.
 - Offline Kit bundles ship plug-ins, default templates, and seed rules; update manifests under `ops/offline-kit/` when connectors change.
 - Dashboards and alert references depend on `DEVOPS-NOTIFY-39-002`; coordinate before renaming metrics or labels.
 - Observability assets: `operations/observability.md` and `operations/dashboards/notify-observability.json` (offline import).
-- When releasing new rule or connector features, mirror guidance into `docs/notifications/*.md` and checklists in `docs/updates/2025-10-29-notify-docs.md` until the follow-ups are closed.
+- When releasing new rule or connector features, update guidance in this directory and related checklists until the follow-ups are closed.
 
 ## Epic alignment
 - **Epic 11 – Notifications Studio:** notifications workspace, preview tooling, immutable delivery ledger, throttling/digest controls, and forthcoming correlation/simulation features.

docs/modules/notify/api.md

@@ -7,7 +7,7 @@ Last updated: 2025-11-25 (Docs Tasks Md.V · DOCS-NOTIFY-40-001)
 All endpoints require `Authorization: Bearer <token>` and `X-Stella-Tenant` header. Responses use the common error envelope (`docs/api/overview.md`). Paths are rooted at `/api/v1/notify`.
 
 ## Channels
-- `POST /channels` — create channel. Body matches `notifications/channels.md` schema. Returns `201` + channel.
+- `POST /channels` — create channel. Body matches `channels.md` schema. Returns `201` + channel.
 - `GET /channels` — list channels (deterministic order: type ASC, id ASC). Supports `type` filter.
 - `GET /channels/{id}` — fetch single channel.
 - `DELETE /channels/{id}` — soft-delete; fails if referenced by active rules unless `force=true` query.
@@ -18,7 +18,7 @@ All endpoints require `Authorization: Bearer <token>` and `X-Stella-Tenant` head
 - `POST /rules:preview` — dry-run rule against sample event; returns matched actions and rendered templates.
 
 ## Policies & escalations
-- `POST /policies/escalations` — create escalation policy (see `notifications/escalations.md`).
+- `POST /policies/escalations` — create escalation policy (see `escalations.md`).
 - `GET /policies/escalations` — list policies.
 
 ## Deliveries & digests

docs/modules/notify/architecture-detail.md

@@ -63,7 +63,7 @@ Failures during evaluation are logged with correlation IDs and surfaced through
 ## 3. Rendering & connectors
 
 - **Template resolution.** The renderer picks the template in this order: action template → channel default template → locale fallback → built-in minimal template. Locale negotiation reduces `en-US` to `en-us`.
-- **Helpers & partials.** Exposed helpers mirror the list in [`notifications/templates.md`](templates.md#3-variables-helpers-and-context). Plug-ins may register additional helpers but must remain deterministic and side-effect free.
+- **Helpers & partials.** Exposed helpers mirror the list in [`templates.md`](templates.md#3-variables-helpers-and-context). Plug-ins may register additional helpers but must remain deterministic and side-effect free.
 - **Attestation lifecycle suite.** Sprint 171 introduced dedicated `tmpl-attest-*` templates for verification failures, expiring attestations, key rotations, and transparency anomalies (see [`templates.md` §7](templates.md#7-attestation--signing-lifecycle-templates-notify-attest-74-001)). Rule actions referencing those templates must populate the attestation context fields so channels stay consistent online/offline.
 - **Rendering output.** `NotifyDeliveryRendered` captures:
   - `channelType`, `format`, `locale`

docs/modules/notify/gaps-nr1-nr10.md

@@ -7,22 +7,22 @@ Close NR1–NR10 by defining contracts, evidence, and deterministic test hooks f
 
 | ID | Requirement | Evidence to publish | Deterministic tests/fixtures |
 | --- | --- | --- | --- |
-| NR1 | Versioned JSON Schemas for event envelopes, rules, templates, channels, receipts, and webhooks; DSSE-signed catalog with canonical hash recipe (BLAKE3-256 over normalized JSON). | `docs/notifications/schemas/notify-schemas-catalog.json` + `.dsse.json`; `docs/notifications/schemas/inputs.lock` capturing digests and canonicalization flags. | Golden canonicalization harness under `tests/notifications/Schemas/SchemaCanonicalizationTests.cs` using frozen inputs + hash assertions. |
+| NR1 | Versioned JSON Schemas for event envelopes, rules, templates, channels, receipts, and webhooks; DSSE-signed catalog with canonical hash recipe (BLAKE3-256 over normalized JSON). | `docs/modules/notify/schemas/notify-schemas-catalog.json` + `.dsse.json`; `docs/modules/notify/schemas/inputs.lock` capturing digests and canonicalization flags. | Golden canonicalization harness under `tests/notifications/Schemas/SchemaCanonicalizationTests.cs` using frozen inputs + hash assertions. |
-| NR2 | Tenant scoping + approvals for high-impact rules (escalations, PII, cross-tenant fan-out). Every API and receipt carries `tenant_id`; RBAC/approvals enforced. | RBAC/approval matrix (`docs/notifications/security/tenant-approvals.md`) listing actions × roles × required approvals. | API contract tests in `StellaOps.Notifier.Tests/TenantScopeTests.cs` plus integration fixtures with mixed-tenant payloads (should reject). |
+| NR2 | Tenant scoping + approvals for high-impact rules (escalations, PII, cross-tenant fan-out). Every API and receipt carries `tenant_id`; RBAC/approvals enforced. | RBAC/approval matrix (`docs/modules/notify/security/tenant-approvals.md`) listing actions × roles × required approvals. | API contract tests in `StellaOps.Notifier.Tests/TenantScopeTests.cs` plus integration fixtures with mixed-tenant payloads (should reject). |
-| NR3 | Deterministic rendering/localization: stable merge-field ordering, UTC ISO-8601 timestamps, locale whitelist, hashed previews recorded in ledger. | Rendering fixture pack `docs/notifications/fixtures/rendering/*.json`; hash ledger samples `docs/notifications/fixtures/rendering/index.ndjson` with BLAKE3 digests. | `StellaOps.Notifier.Tests/RenderingDeterminismTests.cs` compares golden bodies/subjects across locales/timezones; seeds fixed RNG/time. |
+| NR3 | Deterministic rendering/localization: stable merge-field ordering, UTC ISO-8601 timestamps, locale whitelist, hashed previews recorded in ledger. | Rendering fixture pack `docs/modules/notify/fixtures/rendering/*.json`; hash ledger samples `docs/modules/notify/fixtures/rendering/index.ndjson` with BLAKE3 digests. | `StellaOps.Notifier.Tests/RenderingDeterminismTests.cs` compares golden bodies/subjects across locales/timezones; seeds fixed RNG/time. |
-| NR4 | Quotas/backpressure/DLQ: per-tenant/channel quotas, burst budgets, enqueue gating, DLQ schema with redrive + idempotent keys; metrics/alerts for backlog/DLQ growth. | Quota policy `docs/notifications/operations/quotas.md`; DLQ schema `docs/notifications/schemas/dlq-notify.schema.json`. | Worker tests `StellaOps.Notifier.Tests/BackpressureAndDlqTests.cs` validating quota enforcement, DLQ insertion, redrive idempotency. |
+| NR4 | Quotas/backpressure/DLQ: per-tenant/channel quotas, burst budgets, enqueue gating, DLQ schema with redrive + idempotent keys; metrics/alerts for backlog/DLQ growth. | Quota policy `docs/modules/notify/operations/quotas.md`; DLQ schema `docs/modules/notify/schemas/dlq-notify.schema.json`. | Worker tests `StellaOps.Notifier.Tests/BackpressureAndDlqTests.cs` validating quota enforcement, DLQ insertion, redrive idempotency. |
-| NR5 | Retry & idempotency: canonical `delivery_id` (UUIDv7) + dedupe key (event×rule×channel); bounded exponential backoff with jitter; idempotent connectors; ignore out-of-order acks. | Retry matrix `docs/notifications/operations/retries.md`; connector idempotency checklist. | `StellaOps.Notifier.Tests/RetryPolicyTests.cs` + connector harness fixtures demonstrating dedupe across duplicate events. |
+| NR5 | Retry & idempotency: canonical `delivery_id` (UUIDv7) + dedupe key (event×rule×channel); bounded exponential backoff with jitter; idempotent connectors; ignore out-of-order acks. | Retry matrix `docs/modules/notify/operations/retries.md`; connector idempotency checklist. | `StellaOps.Notifier.Tests/RetryPolicyTests.cs` + connector harness fixtures demonstrating dedupe across duplicate events. |
-| NR6 | Webhook/ack security: HMAC or mTLS/DPoP required; signed ack URLs/tokens with nonce, expiry, audience, single-use; per-tenant allowlists for domains/paths. | Security policy `docs/notifications/security/webhook-ack-hardening.md`; sample signed-ack token format + validation steps. | Negative-path tests `StellaOps.Notifier.Tests/WebhookSecurityTests.cs` covering wrong HMAC, replayed nonce, expired token, disallowed domain. |
+| NR6 | Webhook/ack security: HMAC or mTLS/DPoP required; signed ack URLs/tokens with nonce, expiry, audience, single-use; per-tenant allowlists for domains/paths. | Security policy `docs/modules/notify/security/webhook-ack-hardening.md`; sample signed-ack token format + validation steps. | Negative-path tests `StellaOps.Notifier.Tests/WebhookSecurityTests.cs` covering wrong HMAC, replayed nonce, expired token, disallowed domain. |
-| NR7 | Redaction & PII limits: classify template fields; redact secrets/PII in storage/logs; hash sensitive values; size/field allowlists; previews/logs default to redacted variant. | Redaction catalog `docs/notifications/security/redaction-catalog.md`; sample redacted payloads `docs/notifications/fixtures/redaction/*.json`. | `StellaOps.Notifier.Tests/RedactionTests.cs` asserting stored/preview payloads match redacted expectations. |
+| NR7 | Redaction & PII limits: classify template fields; redact secrets/PII in storage/logs; hash sensitive values; size/field allowlists; previews/logs default to redacted variant. | Redaction catalog `docs/modules/notify/security/redaction-catalog.md`; sample redacted payloads `docs/modules/notify/fixtures/redaction/*.json`. | `StellaOps.Notifier.Tests/RedactionTests.cs` asserting stored/preview payloads match redacted expectations. |
-| NR8 | Observability SLO alerts: SLOs for delivery latency/success/backlog/DLQ age; standard metrics names; dashboards/alerts/runbooks; traces include tenant/rule/channel IDs with sampling rules. | Dashboard JSON `docs/notifications/operations/dashboards/notify-slo.json`; alert rules `docs/notifications/operations/alerts/notify-slo-alerts.yaml`; runbook link. | `StellaOps.Notifier.Tests/ObservabilityContractsTests.cs` verifying metric names/labels; trace exemplar fixture `docs/notifications/fixtures/traces/sample-trace.json`. |
+| NR8 | Observability SLO alerts: SLOs for delivery latency/success/backlog/DLQ age; standard metrics names; dashboards/alerts/runbooks; traces include tenant/rule/channel IDs with sampling rules. | Dashboard JSON `docs/modules/notify/operations/dashboards/notify-slo.json`; alert rules `docs/modules/notify/operations/alerts/notify-slo-alerts.yaml`; runbook link. | `StellaOps.Notifier.Tests/ObservabilityContractsTests.cs` verifying metric names/labels; trace exemplar fixture `docs/modules/notify/fixtures/traces/sample-trace.json`. |
 | NR9 | Offline notify-kit with DSSE: bundle schemas, rules/templates, connector configs, verify script, hash list, time-anchor hook; deterministic packaging flags; tenant/env scoping; DSSE-signed manifest. | Manifest `offline/notifier/notify-kit.manifest.json`, DSSE `offline/notifier/notify-kit.manifest.dsse.json`, hash list `offline/notifier/artifact-hashes.json`, verify script `offline/notifier/verify_notify_kit.sh`. | Determinism check `tests/offline/NotifyKitDeterminismTests.sh` (shell) verifying hash list, DSSE, scope enforcement, packaging flags. |
-| NR10 | Mandatory simulations & evidence before activation: dry-run against frozen fixtures; DSSE-signed simulation results attached to approvals; regression tests per high-impact rule/template change. | Simulation report `docs/notifications/simulations/<rule-id>-report.json` + DSSE; approval evidence log `docs/notifications/simulations/index.ndjson`. | `StellaOps.Notifier.Tests/SimulationGateTests.cs` enforcing simulation requirement and evidence linkage before `active=true`. |
+| NR10 | Mandatory simulations & evidence before activation: dry-run against frozen fixtures; DSSE-signed simulation results attached to approvals; regression tests per high-impact rule/template change. | Simulation report `docs/modules/notify/simulations/<rule-id>-report.json` + DSSE; approval evidence log `docs/modules/notify/simulations/index.ndjson`. | `StellaOps.Notifier.Tests/SimulationGateTests.cs` enforcing simulation requirement and evidence linkage before `active=true`. |
 
 ## Delivery + governance hooks
 - Add the above evidence paths to the NOTIFY-GAPS-171-014 task in `docs/implplan/SPRINT_0171_0001_0001_notifier_i.md` and mirror status in `src/Notifier/StellaOps.Notifier/TASKS.md`.
 - When artifacts land, append TRX/fixture links in the sprint **Execution Log** and reference this doc under **Decisions & Risks**.
 - Offline kit artefacts must mirror mirror/offline packaging rules (deterministic flags, time-anchor hook, PQ dual-sign toggle) already used by Mirror/Offline sprints.
-- Simulation evidence lives in `docs/notifications/simulations/` (index.ndjson + per-rule reports) and is validated by contract tests under `Contracts/PolicyDocsCompletenessTests.cs`.
+- Simulation evidence lives in `docs/modules/notify/simulations/` (index.ndjson + per-rule reports) and is validated by contract tests under `Contracts/PolicyDocsCompletenessTests.cs`.
 - Contract tests under `Contracts/` verify schema catalog ↔ DSSE alignment, fixture hashes, simulation index presence, and offline kit manifest/DSSE consistency.
 
 ## Next steps

docs/modules/notify/operations/quotas.md

@@ -3,5 +3,5 @@
 - Per-tenant quotas: 500 deliveries/minute default; channel overrides: webhook 200/min, email 120/min, chat 240/min.
 - Burst budget: 2x quota for 60 seconds, then hard clamp.
 - Backpressure: reject enqueue when backlog > quota*10 or DLQ growth > 5%/min.
-- DLQ schema: `docs/notifications/schemas/dlq-notify.schema.json`; redrive requires idempotent `delivery_id`/`dedupe_key`.
+- DLQ schema: `docs/modules/notify/schemas/dlq-notify.schema.json`; redrive requires idempotent `delivery_id`/`dedupe_key`.
 - Metrics to alert: backlog depth, DLQ depth, redrive success rate, enqueue reject count.

docs/modules/notify/overview.md

@@ -19,12 +19,12 @@ Notifications Studio turns raw platform events into concise, tenant-scoped alert
 
 | Capability | What it does | Key docs |
 |------------|--------------|----------|
-| Rules engine | Declarative matchers for event kinds, severities, namespaces, VEX context, KEV flags, and more. | [`notifications/rules.md`](rules.md) |
+| Rules engine | Declarative matchers for event kinds, severities, namespaces, VEX context, KEV flags, and more. | [rules.md](rules.md) |
-| Channel catalog | Slack, Teams, Email, Webhook connectors loaded via restart-time plug-ins; metadata stored without secrets. | [`notifications/architecture.md`](architecture.md) |
+| Channel catalog | Slack, Teams, Email, Webhook connectors loaded via restart-time plug-ins; metadata stored without secrets. | [architecture.md](architecture.md) |
-| Templates | Locale-aware, deterministic rendering via safe helpers; channel defaults plus tenant-specific overrides, including the attestation lifecycle suite (`tmpl-attest-*`). | [`notifications/templates.md`](templates.md#7-attestation--signing-lifecycle-templates-notify-attest-74-001) |
+| Templates | Locale-aware, deterministic rendering via safe helpers; channel defaults plus tenant-specific overrides, including the attestation lifecycle suite (`tmpl-attest-*`). | [templates.md](templates.md#7-attestation--signing-lifecycle-templates-notify-attest-74-001) |
-| Digests | Coalesce bursts into periodic summaries with deterministic IDs and audit trails. | [`notifications/digests.md`](digests.md) |
+| Digests | Coalesce bursts into periodic summaries with deterministic IDs and audit trails. | [digests.md](digests.md) |
-| Delivery ledger | Tracks rendered payload hashes, attempts, throttles, and outcomes for every action. | [`modules/notify/architecture.md`](../modules/notify/architecture.md#7-data-model) |
+| Delivery ledger | Tracks rendered payload hashes, attempts, throttles, and outcomes for every action. | [architecture.md](architecture.md#7-data-model) |
-| Ack tokens | DSSE-signed acknowledgement tokens with webhook allowlists and escalation guardrails enforced by Authority. | [`modules/notify/architecture.md`](../modules/notify/architecture.md#81-ack-tokens--escalation-workflows) |
+| Ack tokens | DSSE-signed acknowledgement tokens with webhook allowlists and escalation guardrails enforced by Authority. | [architecture.md](architecture.md#81-ack-tokens--escalation-workflows) |
 
 ---
 

docs/modules/notify/rules.md

@@ -85,7 +85,7 @@ Each rule requires at least one action. Actions are deduplicated and sorted by `
 
 ### 4.0 Attestation lifecycle templates
 
-Rules targeting attestation/signing events (`attestor.verification.failed`, `attestor.attestation.expiring`, `authority.keys.revoked`, `attestor.transparency.anomaly`) must reference the dedicated template keys documented in [`notifications/templates.md` §7](templates.md#7-attestation--signing-lifecycle-templates-notify-attest-74-001) so payloads remain deterministic across channels and Offline Kits:
+Rules targeting attestation/signing events (`attestor.verification.failed`, `attestor.attestation.expiring`, `authority.keys.revoked`, `attestor.transparency.anomaly`) must reference the dedicated template keys documented in [`templates.md` §7](templates.md#7-attestation--signing-lifecycle-templates-notify-attest-74-001) so payloads remain deterministic across channels and Offline Kits:
 
 | Event kind | Required template key | Notes |
 | --- | --- | --- |

docs/modules/notify/security/redaction-catalog.md

@@ -3,4 +3,4 @@
 - Classify merge fields: identifiers (hash), secrets (strip), PII (mask), operational metadata (retain).
 - Storage and previews must use redacted forms by default; full bodies allowed only with `Notify.Audit` permission.
 - Log payloads must omit secrets; hashes use BLAKE3-256 over UTF-8 normalized values.
-- Fixtures under `docs/notifications/fixtures/redaction/` show expected redacted shapes for templates and receipts.
+- Fixtures under `docs/modules/notify/fixtures/redaction/` show expected redacted shapes for templates and receipts.

docs/modules/notify/slo-webhook-schema.md

@@ -81,6 +81,6 @@ Purpose: define the payload emitted by Telemetry SLO evaluators toward Notifier
 ```
 
 ### Evidence to surface in sprint tasks
-- File: `docs/notifications/slo-webhook-schema.md` (this document).
+- File: `docs/modules/notify/slo-webhook-schema.md` (this document).
 - Sample payload (canonical) and validation checklist above.
 - Dependencies: upstream Telemetry evaluator must emit `metric.labels` sanitized; Notifier to persist `id` for idempotency.

docs/modules/platform/AGENTS.md

@@ -17,7 +17,7 @@ Platform module describes cross-cutting architecture, contracts, and guardrails
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/platform/architecture-overview.md

@@ -2,7 +2,7 @@
 
 > **Ownership:** Architecture Guild • Docs Guild  
 > **Audience:** Service owners, platform engineers, solution architects  
-> **Related:** [High-Level Architecture](../../07_HIGH_LEVEL_ARCHITECTURE.md), [Concelier Architecture](../concelier/architecture.md), [Policy Engine Architecture](../policy/architecture.md), [Aggregation-Only Contract](../../ingestion/aggregation-only-contract.md)
+> **Related:** [High-Level Architecture](../../07_HIGH_LEVEL_ARCHITECTURE.md), [Concelier Architecture](../concelier/architecture.md), [Policy Engine Architecture](../policy/architecture.md), [Aggregation-Only Contract](../../aoc/aggregation-only-contract.md)
 
 This dossier summarises the end-to-end runtime topology after the Aggregation-Only Contract (AOC) rollout. It highlights where raw facts live, how ingest services enforce guardrails, and how downstream components consume those facts to derive policy decisions and user-facing experiences.
 
@@ -158,13 +158,13 @@ sequenceDiagram
 
 - **Offline Kit:** Packages raw PostgreSQL snapshots (`advisory_raw`, `vex_raw`) plus guard configuration and CLI verifier binaries so air-gapped sites can re-run AOC checks before promotion.
 - **Recovery:** Supersedes chains allow rollback to prior revisions without mutating rows. Disaster exercises must rehearse restoring from snapshot, replaying logical replication into Policy Engine, and re-validating guard compliance.
-- **Migration:** Legacy normalised fields are moved to temporary views during cutover; ingestion runtime removes writes once guard-enforced path is live (see [Migration playbook](../../ingestion/aggregation-only-contract.md#8-migration-playbook)).
+- **Migration:** Legacy normalised fields are moved to temporary views during cutover; ingestion runtime removes writes once guard-enforced path is live (see [Migration playbook](../../aoc/aggregation-only-contract.md#8-migration-playbook)).
 
 ---
 
 ## 5 · Replay CAS & deterministic bundles
 
-- **Replay CAS:** Content-addressed storage lives under `cas://replay/<sha256-prefix>/<digest>.tar.zst`. Writers must use [StellaOps.Replay.Core](../../src/__Libraries/StellaOps.Replay.Core/AGENTS.md) helpers to ensure lexicographic file ordering, POSIX mode normalisation (0644/0755), LF newlines, zstd level 19 compression, and shard-by-prefix CAS URIs (`BuildCasUri`). Bundle metadata (size, hash, created) feeds the platform-wide `replay_bundles` collection defined in `docs/data/replay_schema.md`.
+- **Replay CAS:** Content-addressed storage lives under `cas://replay/<sha256-prefix>/<digest>.tar.zst`. Writers must use [StellaOps.Replay.Core](../../src/__Libraries/StellaOps.Replay.Core/AGENTS.md) helpers to ensure lexicographic file ordering, POSIX mode normalisation (0644/0755), LF newlines, zstd level 19 compression, and shard-by-prefix CAS URIs (`BuildCasUri`). Bundle metadata (size, hash, created) feeds the platform-wide `replay_bundles` collection defined in `docs/db/replay-schema.md`.
 - **Artifacts:** Each recorded scan stores three bundles:
   1. `manifest.json` (canonical JSON, hashed and signed via DSSE).
   2. `inputbundle.tar.zst` (feeds, policies, tools, environment snapshot).
@@ -179,14 +179,14 @@ sequenceDiagram
 
 ## 6 · References
 
-- [Aggregation-Only Contract reference](../../ingestion/aggregation-only-contract.md)
+- [Aggregation-Only Contract reference](../../aoc/aggregation-only-contract.md)
 - [Concelier architecture](../concelier/architecture.md)
 - [Excititor architecture](../excititor/architecture.md)
 - [Policy Engine architecture](../policy/architecture.md)
 - [Authority service](../authority/architecture.md)
 - [Replay specification](../../replay/DETERMINISTIC_REPLAY.md)
 - [Replay developer guide](../../replay/DEVS_GUIDE_REPLAY.md)
-- [Replay schema](../../data/replay_schema.md) *(pending)*
+- [Replay schema](../../db/replay-schema.md)
 - [Replay test strategy](../../replay/TEST_STRATEGY.md) *(draft)*
 - [Observability standards (upcoming)](../../observability/policy.md) – interim reference for telemetry naming.
 

docs/modules/platform/architecture.md

@@ -5,7 +5,7 @@ This module aggregates cross-cutting contracts and guardrails that every StellaO
 ## Anchors
 - High-level system view: `../../07_HIGH_LEVEL_ARCHITECTURE.md`
 - Platform overview: `architecture-overview.md`
-- Aggregation-Only Contract: `../ingestion/aggregation-only-contract.md` (referenced across ingestion/observability docs)
+- Aggregation-Only Contract: `../../aoc/aggregation-only-contract.md` (referenced across ingestion/observability docs)
 
 ## Scope
 - **Identity & tenancy**: Authority-issued OpToks, tenant scoping, RBAC, short TTLs; see Authority module docs.

docs/modules/policy/AGENTS.md

@@ -18,7 +18,7 @@ Policy Engine compiles and evaluates Stella DSL policies deterministically, prod
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/policy/architecture.md

@@ -5,7 +5,7 @@
 > **Ownership:** Policy Guild • Platform Guild  
 > **Services:** `StellaOps.Policy.Engine` (Minimal API + worker host)  
 > **Data Stores:** PostgreSQL (`policy.*` schemas for packs, runs, exceptions, receipts), Object storage (explain bundles), optional queue  
-> **Related docs:** [Policy overview](../../policy/overview.md), [DSL](../../policy/dsl.md), [SPL v1](../../policy/spl-v1.md), [Lifecycle](../../policy/lifecycle.md), [Runtime](../../policy/runtime.md), [Governance](../../policy/governance.md), [REST API](../../policy/api.md), [Policy CLI](../cli/guides/policy.md), [Architecture overview](../platform/architecture-overview.md), [AOC reference](../../ingestion/aggregation-only-contract.md)
+> **Related docs:** [Policy overview](../../policy/overview.md), [DSL](../../policy/dsl.md), [SPL v1](../../policy/spl-v1.md), [Lifecycle](../../policy/lifecycle.md), [Runtime](../../policy/runtime.md), [Governance](../../policy/governance.md), [REST API](../../policy/api.md), [Policy CLI](../cli/guides/policy.md), [Architecture overview](../platform/architecture-overview.md), [AOC reference](../../aoc/aggregation-only-contract.md)
 
 This dossier describes the internal structure of the Policy Engine service delivered in Epic 2. It focuses on module boundaries, deterministic evaluation, orchestration, and integration contracts with Concelier, Excititor, SBOM Service, Authority, Scheduler, and Observability stacks.
 

docs/modules/provcache/README.md

@@ -1,5 +1,7 @@
 # Provcache Module
 
+> **Status: Planned** — This module is documented for upcoming implementation in Sprint 8200. The design is finalized but source code does not yet exist.
+
 > Provenance Cache — Maximizing Trust Evidence Density
 
 ## Overview

docs/modules/registry/AGENTS.md

@@ -16,7 +16,7 @@ The registry module issues scoped pull tokens for mirrored container registries
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/scanner/AGENTS.md

@@ -22,7 +22,7 @@ Scanner analyses container images layer-by-layer, producing deterministic SBOM f
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/scheduler/AGENTS.md

@@ -25,7 +25,7 @@ Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates
 5. On completion, set status to `DONE` in both the sprint file and `TASKS.md`; if paused, revert to `TODO` and add a brief note.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see `../../ingestion/aggregation-only-contract.md`).
+- Honour the Aggregation-Only Contract where applicable (see `../../aoc/aggregation-only-contract.md`).
 - No undocumented schema or API contract changes; document deltas in architecture or implementation_plan.
 - Keep Offline Kit parity—document air-gapped workflows for any new feature.
 - Prefer deterministic fixtures and avoid machine-specific artefacts in examples.

docs/modules/signer/AGENTS.md

@@ -23,7 +23,7 @@ Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSS
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/telemetry/AGENTS.md

@@ -26,7 +26,7 @@ Telemetry module captures deployment and operations guidance for the shared obse
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/ui/AGENTS.md

@@ -22,7 +22,7 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/zastava/AGENTS.md

@@ -24,7 +24,7 @@ Zastava monitors running workloads, verifies supply chain posture, and enforces
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 
 ## Guardrails
-- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
+- Honour the Aggregation-Only Contract where applicable (see ../../aoc/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.

docs/modules/zastava/architecture.md

@@ -221,7 +221,7 @@ sequenceDiagram
 
 `POST /api/v1/scanner/runtime/events` *(OpTok + DPoP/mTLS)*
 
-* Validates event schema; enforces rate caps by tenant/node; persists to **Mongo** (`runtime.events` capped collection or regular with TTL).
+* Validates event schema; enforces rate caps by tenant/node; persists to **PostgreSQL** (`runtime.events` table with TTL-based retention).
 * Performs **correlation**:
 
   * Attach nearest **image SBOM** (inventory/usage) and **BOM‑Index** if known.