Repair live canonical migrations and scanner cache bootstrap

src/Scanner/StellaOps.Scanner.Worker/Program.cs

@@ -57,6 +57,12 @@ using System.Diagnostics;
 using System.IO;
 
 var builder = WebApplication.CreateSlimBuilder(args);
+builder.Configuration.AddStellaOpsDefaults(options =>
+{
+    options.BasePath = builder.Environment.ContentRootPath;
+    options.EnvironmentPrefix = "SCANNER_";
+    options.YamlFiles.Add(new YamlConfigurationFile("../etc/scanner.yaml", true));
+});
 
 builder.Services.AddOptions<ScannerWorkerOptions>()
     .BindConfiguration(ScannerWorkerOptions.SectionName)

src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/ScannerWorkerConfigurationBootstrapTests.cs

@@ -0,0 +1,38 @@
+using Microsoft.Extensions.Configuration;
+using StellaOps.Configuration;
+using StellaOps.Scanner.Cache;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Scanner.Worker.Tests;
+
+public sealed class ScannerWorkerConfigurationBootstrapTests
+{
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void AddStellaOpsDefaults_StripsScannerPrefixForCacheBinding()
+    {
+        const string expectedRootPath = "/var/lib/stellaops/cache/scanner";
+        const string environmentVariableName = "SCANNER_SCANNER__CACHE__ROOTPATH";
+
+        Environment.SetEnvironmentVariable(environmentVariableName, expectedRootPath);
+
+        try
+        {
+            var configuration = new ConfigurationBuilder()
+                .AddStellaOpsDefaults(options => options.EnvironmentPrefix = "SCANNER_")
+                .Build();
+
+            var options = configuration
+                .GetSection("scanner:cache")
+                .Get<ScannerCacheOptions>();
+
+            Assert.NotNull(options);
+            Assert.Equal(expectedRootPath, options.RootPath);
+        }
+        finally
+        {
+            Environment.SetEnvironmentVariable(environmentVariableName, null);
+        }
+    }
+}

src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/TASKS.md

@@ -6,6 +6,7 @@ Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_sol
 | --- | --- | --- |
 | QA-SCANNER-VERIFY-009 | DONE | `SPRINT_20260212_002_Scanner_unchecked_feature_verification_batch1.md`: added deterministic `BinaryLookupStageExecutorTests` coverage for runtime patch verification, Build-ID mapping, and unified finding publication wiring (run-002, 2026-02-12). |
 | QA-SCANNER-VERIFY-008 | DONE | `SPRINT_20260212_002_Scanner_unchecked_feature_verification_batch1.md`: added worker entry-trace execution coverage for binary intelligence graph enrichment and validated run-002 pass (2026-02-12). |
+| TASK-014-003 | DONE | 2026-03-09: verified `SCANNER_` env-prefix binding for `scanner:cache:rootPath`; live worker now uses `/var/lib/stellaops/cache/scanner` on the writable hardened volume. |
 | REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.md. |
 | REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |
 | SPRINT-20260208-060-IDEMP-001 | DONE | Implement idempotent verdict attestation submission (idempotency key + dedupe + retry classification + tests). |