wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

src/__Libraries/StellaOps.Verdict/AGENTS.md

@@ -1,4 +1,4 @@
-# AGENTS.md — StellaOps.Verdict Module
+# AGENTS.md -- StellaOps.Verdict Module
 
 ## Overview
 
@@ -8,30 +8,67 @@ The StellaOps.Verdict module provides a **unified StellaVerdict artifact** that
 
 ```
 src/__Libraries/StellaOps.Verdict/
-├── Schema/
-│   └── StellaVerdict.cs          # Core verdict schema and supporting types
-├── Contexts/
-│   └── verdict-1.0.jsonld        # JSON-LD context for standards interop
-├── Services/
-│   ├── VerdictAssemblyService.cs # Assembles verdicts from components
-│   ├── VerdictSigningService.cs  # DSSE signing integration
-│   └── IVerdictAssemblyService.cs
-├── Persistence/
-│   ├── PostgresVerdictStore.cs   # PostgreSQL storage implementation
-│   ├── IVerdictStore.cs          # Storage interface
-│   ├── VerdictRow.cs             # EF Core entity
-│   └── Migrations/
-│       └── 001_create_verdicts.sql
-├── Api/
-│   ├── VerdictEndpoints.cs       # REST API endpoints
-│   └── VerdictContracts.cs       # Request/response DTOs
-├── Oci/
-│   └── OciAttestationPublisher.cs # OCI registry attestation
-├── Export/
-│   └── VerdictBundleExporter.cs  # Replay bundle export
-└── StellaOps.Verdict.csproj
++-- Schema/
+|   +-- StellaVerdict.cs          # Core verdict schema and supporting types
++-- Contexts/
+|   +-- verdict-1.0.jsonld        # JSON-LD context for standards interop
++-- Services/
+|   +-- VerdictAssemblyService.cs # Assembles verdicts from components
+|   +-- VerdictSigningService.cs  # DSSE signing integration
+|   +-- IVerdictAssemblyService.cs
++-- Persistence/
+|   +-- PostgresVerdictStore.cs   # PostgreSQL (EF Core) storage implementation
+|   +-- IVerdictStore.cs          # Storage interface
+|   +-- VerdictRow.cs             # EF Core entity (Fluent API mappings)
+|   +-- EfCore/
+|   |   +-- Context/
+|   |   |   +-- VerdictDbContext.cs                   # Partial DbContext with Fluent API
+|   |   |   +-- VerdictDesignTimeDbContextFactory.cs  # For dotnet ef CLI
+|   |   +-- CompiledModels/
+|   |       +-- VerdictDbContextModel.cs              # Compiled model singleton
+|   |       +-- VerdictDbContextModelBuilder.cs       # Compiled model builder
+|   |       +-- VerdictDbContextAssemblyAttributes.cs # Excluded from compilation
+|   +-- Postgres/
+|   |   +-- VerdictDataSource.cs       # DataSourceBase derivation, connection pool
+|   |   +-- VerdictDbContextFactory.cs # Runtime factory with compiled model hookup
+|   +-- Migrations/
+|       +-- 001_create_verdicts.sql
++-- Api/
+|   +-- VerdictEndpoints.cs       # REST API endpoints
+|   +-- VerdictContracts.cs       # Request/response DTOs
+|   +-- VerdictPolicies.cs        # Authorization policies
++-- Oci/
+|   +-- OciAttestationPublisher.cs # OCI registry attestation
++-- Export/
+|   +-- VerdictBundleExporter.cs  # Replay bundle export
++-- StellaOps.Verdict.csproj
 ```
 
+## DAL Architecture (EF Core v10)
+
+The Verdict persistence layer follows the EF Core v10 standards documented in `docs/db/EF_CORE_MODEL_GENERATION_STANDARDS.md`:
+
+- **DbContext**: `VerdictDbContext` (partial class, schema-injectable, Fluent API mappings)
+- **Schema**: `stellaops` (shared platform schema)
+- **Design-time factory**: `VerdictDesignTimeDbContextFactory` (for `dotnet ef` CLI)
+- **Runtime factory**: `VerdictDbContextFactory` (compiled model for default schema, reflection for non-default)
+- **DataSource**: `VerdictDataSource` extends `DataSourceBase` for connection pooling and tenant context
+- **Compiled model**: Stub in `EfCore/CompiledModels/`; assembly attributes excluded from compilation
+- **Migration registry**: Registered as `VerdictMigrationModulePlugin` in Platform.Database
+
+### Connection Pattern
+```csharp
+await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "reader", ct);
+await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
+// Use context.Verdicts with AsNoTracking() for reads...
+```
+
+### Schema Governance
+- SQL migrations in `Persistence/Migrations/` are the authoritative schema definition
+- EF Core models are derived from schema, not the reverse
+- No EF Core auto-migrations at runtime
+- Schema changes require new SQL migration files
+
 ## Key Concepts
 
 ### StellaVerdict Schema
@@ -115,6 +152,7 @@ var result = await publisher.PublishAsync(verdict, "registry.io/app:latest@sha25
 - `StellaOps.Attestor.Envelope`: DSSE signing
 - `StellaOps.Cryptography`: BLAKE3/SHA256 hashing
 - `StellaOps.Replay.Core`: Bundle structures
+- `StellaOps.Infrastructure.Postgres`: DataSourceBase, PostgresOptions, connection pooling
 
 ## Testing
 
@@ -126,7 +164,7 @@ Unit tests should cover:
 - Query filtering and pagination
 
 Integration tests should cover:
-- Full assembly → sign → store → query → verify flow
+- Full assembly -> sign -> store -> query -> verify flow
 - OCI publish/fetch cycle
 - Replay bundle export and verification
 
@@ -135,10 +173,14 @@ Integration tests should cover:
 1. **Determinism**: All JSON output must be deterministic (sorted keys, stable ordering)
 2. **Content Addressing**: VerdictId must match `ComputeVerdictId()` output
 3. **Immutability**: Use records with `init` properties
-4. **Tenant Isolation**: All store operations must include tenantId
+4. **Tenant Isolation**: All store operations must include tenantId; RLS enforced at DB level
 5. **Offline Support**: OCI publisher and CLI must handle offline mode
+6. **EF Core Standards**: Follow `docs/db/EF_CORE_MODEL_GENERATION_STANDARDS.md`
+7. **AsNoTracking**: Always use for read-only queries
+8. **DbContext per operation**: Create via VerdictDbContextFactory, not cached
 
 ## Related Sprints
 
 - SPRINT_1227_0014_0001: StellaVerdict Unified Artifact Consolidation
 - SPRINT_1227_0014_0002: Verdict UI Components (pending)
+- SPRINT_20260222_080: Verdict Persistence DAL to EF Core (queue order 16)

src/__Libraries/StellaOps.Verdict/Api/VerdictEndpoints.cs

@@ -42,68 +42,68 @@ public static class VerdictEndpoints
             .WithName("verdict.create")
             .Produces<VerdictResponse>(StatusCodes.Status201Created)
             .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Create);
 
         // GET /v1/verdicts/{id} - Get verdict by ID
         group.MapGet("/{id}", HandleGet)
             .WithName("verdict.get")
             .Produces<StellaVerdict>(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // GET /v1/verdicts - Query verdicts
         group.MapGet("/", HandleQuery)
             .WithName("verdict.query")
             .Produces<VerdictQueryResponse>(StatusCodes.Status200OK)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // POST /v1/verdicts/build - Build deterministic verdict with CGS (CGS-003)
         group.MapPost("/build", HandleBuild)
             .WithName("verdict.build")
             .Produces<CgsVerdictResult>(StatusCodes.Status200OK)
             .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Create);
 
         // GET /v1/verdicts/cgs/{cgsHash} - Replay verdict by CGS hash (CGS-004)
         group.MapGet("/cgs/{cgsHash}", HandleReplay)
             .WithName("verdict.replay")
             .Produces<CgsVerdictResult>(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // POST /v1/verdicts/diff - Compute verdict delta (CGS-005)
         group.MapPost("/diff", HandleDiff)
             .WithName("verdict.diff")
             .Produces<VerdictDelta>(StatusCodes.Status200OK)
             .Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // POST /v1/verdicts/{id}/verify - Verify verdict signature
         group.MapPost("/{id}/verify", HandleVerify)
             .WithName("verdict.verify")
             .Produces<VerdictVerifyResponse>(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // GET /v1/verdicts/{id}/download - Download signed JSON-LD
         group.MapGet("/{id}/download", HandleDownload)
             .WithName("verdict.download")
             .Produces<StellaVerdict>(StatusCodes.Status200OK, "application/ld+json")
             .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // GET /v1/verdicts/latest - Get latest verdict for PURL+CVE
         group.MapGet("/latest", HandleGetLatest)
             .WithName("verdict.latest")
             .Produces<StellaVerdict>(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound)
-            .RequireAuthorization();
+            .RequireAuthorization(VerdictPolicies.Read);
 
         // DELETE /v1/verdicts/expired - Clean up expired verdicts
         group.MapDelete("/expired", HandleDeleteExpired)
             .WithName("verdict.deleteExpired")
             .Produces<ExpiredDeleteResponse>(StatusCodes.Status200OK)
-            .RequireAuthorization("verdict:admin");
+            .RequireAuthorization(VerdictPolicies.Admin);
     }
 
     private static async Task<IResult> HandleCreate(

src/__Libraries/StellaOps.Verdict/Api/VerdictPolicies.cs

@@ -0,0 +1,20 @@
+// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
+
+namespace StellaOps.Verdict.Api;
+
+/// <summary>
+/// Named authorization policy constants for Verdict endpoints.
+/// Consuming services must register these policies (e.g., via AddStellaOpsScopePolicy)
+/// mapping them to the appropriate scopes (evidence:read, evidence:create).
+/// </summary>
+public static class VerdictPolicies
+{
+    /// <summary>Policy for reading verdicts, querying, replaying, verifying, and downloading. Maps to evidence:read scope.</summary>
+    public const string Read = "Verdict.Read";
+
+    /// <summary>Policy for creating verdicts and building deterministic verdicts via CGS. Maps to evidence:create scope.</summary>
+    public const string Create = "Verdict.Create";
+
+    /// <summary>Policy for administrative verdict operations such as deleting expired verdicts. Maps to verdict:admin scope.</summary>
+    public const string Admin = "Verdict.Admin";
+}

src/__Libraries/StellaOps.Verdict/Persistence/EfCore/CompiledModels/VerdictDbContextAssemblyAttributes.cs

@@ -0,0 +1,9 @@
+// Auto-generated by EF Core compiled model tooling.
+// This file is excluded from compilation via .csproj to allow non-default schema
+// integration tests to use reflection-based model building.
+
+using Microsoft.EntityFrameworkCore;
+using StellaOps.Verdict.Persistence.EfCore.CompiledModels;
+using StellaOps.Verdict.Persistence.EfCore.Context;
+
+[assembly: DbContext(typeof(VerdictDbContext), typeof(VerdictDbContextModel))]

src/__Libraries/StellaOps.Verdict/Persistence/EfCore/CompiledModels/VerdictDbContextModel.cs

@@ -0,0 +1,37 @@
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+
+#pragma warning disable 219, 612, 618
+#nullable disable
+
+namespace StellaOps.Verdict.Persistence.EfCore.CompiledModels;
+
+/// <summary>
+/// Compiled model stub for VerdictDbContext.
+/// This is a placeholder that delegates to runtime model building.
+/// Replace with output from <c>dotnet ef dbcontext optimize</c> when a provisioned DB is available.
+/// </summary>
+[DbContext(typeof(Context.VerdictDbContext))]
+public partial class VerdictDbContextModel : RuntimeModel
+{
+    private static VerdictDbContextModel _instance;
+
+    public static IModel Instance
+    {
+        get
+        {
+            if (_instance == null)
+            {
+                _instance = new VerdictDbContextModel();
+                _instance.Initialize();
+                _instance.Customize();
+            }
+
+            return _instance;
+        }
+    }
+
+    partial void Initialize();
+
+    partial void Customize();
+}

src/__Libraries/StellaOps.Verdict/Persistence/EfCore/CompiledModels/VerdictDbContextModelBuilder.cs

@@ -0,0 +1,20 @@
+using Microsoft.EntityFrameworkCore.Infrastructure;
+
+#pragma warning disable 219, 612, 618
+#nullable disable
+
+namespace StellaOps.Verdict.Persistence.EfCore.CompiledModels;
+
+/// <summary>
+/// Compiled model builder stub for VerdictDbContext.
+/// Replace with output from <c>dotnet ef dbcontext optimize</c> when a provisioned DB is available.
+/// </summary>
+public partial class VerdictDbContextModel
+{
+    partial void Initialize()
+    {
+        // Stub: when a real compiled model is generated, entity types will be registered here.
+        // The runtime factory will fall back to reflection-based model building for all schemas
+        // until this stub is replaced with a full compiled model.
+    }
+}

src/__Libraries/StellaOps.Verdict/Persistence/EfCore/Context/VerdictDbContext.cs

@@ -0,0 +1,98 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace StellaOps.Verdict.Persistence.EfCore.Context;
+
+/// <summary>
+/// EF Core DbContext for the Verdict module.
+/// Maps to the stellaops PostgreSQL schema: verdicts table.
+/// Scaffolded from 001_create_verdicts.sql migration.
+/// </summary>
+public partial class VerdictDbContext : DbContext
+{
+    private readonly string _schemaName;
+
+    public VerdictDbContext(DbContextOptions<VerdictDbContext> options, string? schemaName = null)
+        : base(options)
+    {
+        _schemaName = string.IsNullOrWhiteSpace(schemaName)
+            ? "stellaops"
+            : schemaName.Trim();
+    }
+
+    public virtual DbSet<VerdictRow> Verdicts { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        var schemaName = _schemaName;
+
+        // -- verdicts -------------------------------------------------------
+        modelBuilder.Entity<VerdictRow>(entity =>
+        {
+            entity.HasKey(e => new { e.TenantId, e.VerdictId }).HasName("verdicts_pkey");
+            entity.ToTable("verdicts", schemaName);
+
+            // -- Indexes matching 001_create_verdicts.sql -------------------
+            entity.HasIndex(e => new { e.TenantId, e.SubjectPurl }, "idx_verdicts_purl");
+            entity.HasIndex(e => new { e.TenantId, e.SubjectCveId }, "idx_verdicts_cve");
+            entity.HasIndex(e => new { e.TenantId, e.SubjectPurl, e.SubjectCveId }, "idx_verdicts_purl_cve");
+            entity.HasIndex(e => new { e.TenantId, e.SubjectImageDigest }, "idx_verdicts_image_digest")
+                .HasFilter("(subject_image_digest IS NOT NULL)");
+            entity.HasIndex(e => new { e.TenantId, e.ClaimStatus }, "idx_verdicts_status");
+            entity.HasIndex(e => new { e.TenantId, e.InputsHash }, "idx_verdicts_inputs_hash");
+            entity.HasIndex(e => new { e.TenantId, e.ExpiresAt }, "idx_verdicts_expires")
+                .HasFilter("(expires_at IS NOT NULL)");
+            entity.HasIndex(e => new { e.TenantId, e.CreatedAt }, "idx_verdicts_created")
+                .IsDescending(false, true);
+            entity.HasIndex(e => new { e.TenantId, e.ProvenancePolicyBundleId }, "idx_verdicts_policy_bundle")
+                .HasFilter("(provenance_policy_bundle_id IS NOT NULL)");
+
+            // -- Column mappings --------------------------------------------
+            entity.Property(e => e.VerdictId).HasColumnName("verdict_id");
+            entity.Property(e => e.TenantId).HasColumnName("tenant_id");
+
+            // Subject fields
+            entity.Property(e => e.SubjectPurl).HasColumnName("subject_purl");
+            entity.Property(e => e.SubjectCveId).HasColumnName("subject_cve_id");
+            entity.Property(e => e.SubjectComponentName).HasColumnName("subject_component_name");
+            entity.Property(e => e.SubjectComponentVersion).HasColumnName("subject_component_version");
+            entity.Property(e => e.SubjectImageDigest).HasColumnName("subject_image_digest");
+            entity.Property(e => e.SubjectDigest).HasColumnName("subject_digest");
+
+            // Claim fields
+            entity.Property(e => e.ClaimStatus).HasColumnName("claim_status");
+            entity.Property(e => e.ClaimConfidence).HasColumnName("claim_confidence");
+            entity.Property(e => e.ClaimVexStatus).HasColumnName("claim_vex_status");
+
+            // Result fields
+            entity.Property(e => e.ResultDisposition).HasColumnName("result_disposition");
+            entity.Property(e => e.ResultScore).HasColumnName("result_score");
+            entity.Property(e => e.ResultMatchedRule).HasColumnName("result_matched_rule");
+            entity.Property(e => e.ResultQuiet)
+                .HasDefaultValue(false)
+                .HasColumnName("result_quiet");
+
+            // Provenance fields
+            entity.Property(e => e.ProvenanceGenerator).HasColumnName("provenance_generator");
+            entity.Property(e => e.ProvenanceRunId).HasColumnName("provenance_run_id");
+            entity.Property(e => e.ProvenancePolicyBundleId).HasColumnName("provenance_policy_bundle_id");
+
+            // Inputs hash
+            entity.Property(e => e.InputsHash).HasColumnName("inputs_hash");
+
+            // Full verdict JSON
+            entity.Property(e => e.VerdictJson)
+                .HasColumnType("jsonb")
+                .HasColumnName("verdict_json");
+
+            // Timestamps
+            entity.Property(e => e.CreatedAt)
+                .HasDefaultValueSql("now()")
+                .HasColumnName("created_at");
+            entity.Property(e => e.ExpiresAt).HasColumnName("expires_at");
+        });
+
+        OnModelCreatingPartial(modelBuilder);
+    }
+
+    partial void OnModelCreatingPartial(ModelBuilder modelBuilder);
+}

src/__Libraries/StellaOps.Verdict/Persistence/EfCore/Context/VerdictDesignTimeDbContextFactory.cs

@@ -0,0 +1,32 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace StellaOps.Verdict.Persistence.EfCore.Context;
+
+/// <summary>
+/// Design-time factory for <c>dotnet ef</c> CLI tooling.
+/// Does NOT use compiled models (uses reflection-based discovery).
+/// </summary>
+public sealed class VerdictDesignTimeDbContextFactory : IDesignTimeDbContextFactory<VerdictDbContext>
+{
+    private const string DefaultConnectionString =
+        "Host=localhost;Port=55433;Database=postgres;Username=postgres;Password=postgres;Search Path=stellaops,public";
+
+    private const string ConnectionStringEnvironmentVariable = "STELLAOPS_VERDICT_EF_CONNECTION";
+
+    public VerdictDbContext CreateDbContext(string[] args)
+    {
+        var connectionString = ResolveConnectionString();
+        var options = new DbContextOptionsBuilder<VerdictDbContext>()
+            .UseNpgsql(connectionString)
+            .Options;
+
+        return new VerdictDbContext(options);
+    }
+
+    private static string ResolveConnectionString()
+    {
+        var fromEnvironment = Environment.GetEnvironmentVariable(ConnectionStringEnvironmentVariable);
+        return string.IsNullOrWhiteSpace(fromEnvironment) ? DefaultConnectionString : fromEnvironment;
+    }
+}

src/__Libraries/StellaOps.Verdict/Persistence/Postgres/VerdictDataSource.cs

@@ -0,0 +1,46 @@
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Npgsql;
+using StellaOps.Infrastructure.Postgres.Connections;
+using StellaOps.Infrastructure.Postgres.Options;
+
+namespace StellaOps.Verdict.Persistence.Postgres;
+
+/// <summary>
+/// PostgreSQL data source for the Verdict module.
+/// Manages connections for verdict storage and querying with tenant isolation via RLS.
+/// </summary>
+public sealed class VerdictDataSource : DataSourceBase
+{
+    /// <summary>
+    /// Default schema name for Verdict tables.
+    /// </summary>
+    public const string DefaultSchemaName = "stellaops";
+
+    /// <summary>
+    /// Creates a new Verdict data source.
+    /// </summary>
+    public VerdictDataSource(IOptions<PostgresOptions> options, ILogger<VerdictDataSource> logger)
+        : base(EnsureSchema(options.Value), logger)
+    {
+    }
+
+    /// <inheritdoc />
+    protected override string ModuleName => "Verdict";
+
+    /// <inheritdoc />
+    protected override void ConfigureDataSourceBuilder(NpgsqlDataSourceBuilder builder)
+    {
+        base.ConfigureDataSourceBuilder(builder);
+        // Enable JSON support for JSONB verdict_json column
+    }
+
+    private static PostgresOptions EnsureSchema(PostgresOptions baseOptions)
+    {
+        if (string.IsNullOrWhiteSpace(baseOptions.SchemaName))
+        {
+            baseOptions.SchemaName = DefaultSchemaName;
+        }
+        return baseOptions;
+    }
+}

src/__Libraries/StellaOps.Verdict/Persistence/Postgres/VerdictDbContextFactory.cs

@@ -0,0 +1,33 @@
+using System;
+using Microsoft.EntityFrameworkCore;
+using Npgsql;
+using StellaOps.Verdict.Persistence.EfCore.CompiledModels;
+using StellaOps.Verdict.Persistence.EfCore.Context;
+
+namespace StellaOps.Verdict.Persistence.Postgres;
+
+/// <summary>
+/// Runtime factory for creating <see cref="VerdictDbContext"/> instances.
+/// Uses the static compiled model when schema matches the default; falls back to
+/// reflection-based model building for non-default schemas (integration tests).
+/// </summary>
+internal static class VerdictDbContextFactory
+{
+    public static VerdictDbContext Create(NpgsqlConnection connection, int commandTimeoutSeconds, string schemaName)
+    {
+        var normalizedSchema = string.IsNullOrWhiteSpace(schemaName)
+            ? VerdictDataSource.DefaultSchemaName
+            : schemaName.Trim();
+
+        var optionsBuilder = new DbContextOptionsBuilder<VerdictDbContext>()
+            .UseNpgsql(connection, npgsql => npgsql.CommandTimeout(commandTimeoutSeconds));
+
+        if (string.Equals(normalizedSchema, VerdictDataSource.DefaultSchemaName, StringComparison.Ordinal))
+        {
+            // Use the static compiled model when schema mapping matches the default model.
+            optionsBuilder.UseModel(VerdictDbContextModel.Instance);
+        }
+
+        return new VerdictDbContext(optionsBuilder.Options, normalizedSchema);
+    }
+}

src/__Libraries/StellaOps.Verdict/Persistence/PostgresVerdictStore.cs

@@ -1,6 +1,8 @@
 
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
+using StellaOps.Verdict.Persistence.EfCore.Context;
+using StellaOps.Verdict.Persistence.Postgres;
 using StellaOps.Verdict.Schema;
 using System.Collections.Immutable;
 using System.Security.Cryptography;
@@ -10,21 +12,25 @@ using System.Text.Json;
 namespace StellaOps.Verdict.Persistence;
 
 /// <summary>
-/// PostgreSQL implementation of verdict store.
+/// PostgreSQL (EF Core) implementation of verdict store.
+/// Uses VerdictDataSource for tenant-scoped connections and VerdictDbContextFactory
+/// for compiled model support on the default schema path.
 /// </summary>
 public sealed class PostgresVerdictStore : IVerdictStore
 {
-    private readonly IDbContextFactory<VerdictDbContext> _contextFactory;
+    private const int CommandTimeoutSeconds = 30;
+
+    private readonly VerdictDataSource _dataSource;
     private readonly ILogger<PostgresVerdictStore> _logger;
     private readonly JsonSerializerOptions _jsonOptions;
     private readonly TimeProvider _timeProvider;
 
     public PostgresVerdictStore(
-        IDbContextFactory<VerdictDbContext> contextFactory,
+        VerdictDataSource dataSource,
         ILogger<PostgresVerdictStore> logger,
         TimeProvider? timeProvider = null)
     {
-        _contextFactory = contextFactory;
+        _dataSource = dataSource;
         _logger = logger;
         _timeProvider = timeProvider ?? TimeProvider.System;
         _jsonOptions = new JsonSerializerOptions
@@ -38,7 +44,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
     {
         try
         {
-            await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+            await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "writer", cancellationToken);
+            await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
             var row = ToRow(verdict, tenantId);
             var existing = await context.Verdicts
@@ -70,7 +77,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<StellaVerdict?> GetAsync(string verdictId, Guid tenantId, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "reader", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         var row = await context.Verdicts
             .AsNoTracking()
@@ -81,7 +89,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<VerdictQueryResult> QueryAsync(VerdictQuery query, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(query.TenantId.ToString(), "reader", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         var queryable = context.Verdicts
             .AsNoTracking()
@@ -172,7 +181,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<bool> ExistsAsync(string verdictId, Guid tenantId, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "reader", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         return await context.Verdicts
             .AsNoTracking()
@@ -181,7 +191,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<ImmutableArray<StellaVerdict>> GetBySubjectAsync(string purl, string cveId, Guid tenantId, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "reader", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         var rows = await context.Verdicts
             .AsNoTracking()
@@ -194,7 +205,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<StellaVerdict?> GetLatestAsync(string purl, string cveId, Guid tenantId, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "reader", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         var now = _timeProvider.GetUtcNow();
         var row = await context.Verdicts
@@ -209,7 +221,8 @@ public sealed class PostgresVerdictStore : IVerdictStore
 
     public async Task<int> DeleteExpiredAsync(Guid tenantId, DateTimeOffset asOf, CancellationToken cancellationToken = default)
     {
-        await using var context = await _contextFactory.CreateDbContextAsync(cancellationToken);
+        await using var connection = await _dataSource.OpenConnectionAsync(tenantId.ToString(), "writer", cancellationToken);
+        await using var context = VerdictDbContextFactory.Create(connection, CommandTimeoutSeconds, GetSchemaName());
 
         var deleted = await context.Verdicts
             .Where(v => v.TenantId == tenantId && v.ExpiresAt.HasValue && v.ExpiresAt <= asOf)
@@ -280,26 +293,6 @@ public sealed class PostgresVerdictStore : IVerdictStore
         var hash = SHA256.HashData(Encoding.UTF8.GetBytes(inputsJson));
         return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
     }
-}
-
-/// <summary>
-/// DbContext for verdict persistence.
-/// </summary>
-public sealed class VerdictDbContext : DbContext
-{
-    public VerdictDbContext(DbContextOptions<VerdictDbContext> options)
-        : base(options)
-    {
-    }
-
-    public DbSet<VerdictRow> Verdicts { get; set; } = null!;
-
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        modelBuilder.Entity<VerdictRow>(entity =>
-        {
-            entity.HasKey(e => new { e.TenantId, e.VerdictId });
-            entity.ToTable("verdicts", "stellaops");
-        });
-    }
+
+    private string GetSchemaName() => VerdictDataSource.DefaultSchemaName;
 }

src/__Libraries/StellaOps.Verdict/Persistence/VerdictRow.cs

@@ -1,84 +1,59 @@
-using System.ComponentModel.DataAnnotations;
-using System.ComponentModel.DataAnnotations.Schema;
-
 namespace StellaOps.Verdict.Persistence;
 
 /// <summary>
 /// Database entity for verdict storage.
+/// Column and table mappings configured via Fluent API in VerdictDbContext.OnModelCreating.
 /// </summary>
-[Table("verdicts", Schema = "stellaops")]
 public sealed class VerdictRow
 {
-    [Column("verdict_id")]
     public required string VerdictId { get; set; }
 
-    [Column("tenant_id")]
     public Guid TenantId { get; set; }
 
     // Subject fields
-    [Column("subject_purl")]
     public required string SubjectPurl { get; set; }
 
-    [Column("subject_cve_id")]
     public required string SubjectCveId { get; set; }
 
-    [Column("subject_component_name")]
     public string? SubjectComponentName { get; set; }
 
-    [Column("subject_component_version")]
     public string? SubjectComponentVersion { get; set; }
 
-    [Column("subject_image_digest")]
     public string? SubjectImageDigest { get; set; }
 
-    [Column("subject_digest")]
     public string? SubjectDigest { get; set; }
 
     // Claim fields
-    [Column("claim_status")]
     public required string ClaimStatus { get; set; }
 
-    [Column("claim_confidence")]
     public decimal? ClaimConfidence { get; set; }
 
-    [Column("claim_vex_status")]
     public string? ClaimVexStatus { get; set; }
 
     // Result fields
-    [Column("result_disposition")]
     public required string ResultDisposition { get; set; }
 
-    [Column("result_score")]
     public decimal? ResultScore { get; set; }
 
-    [Column("result_matched_rule")]
     public string? ResultMatchedRule { get; set; }
 
-    [Column("result_quiet")]
     public bool ResultQuiet { get; set; }
 
     // Provenance fields
-    [Column("provenance_generator")]
     public required string ProvenanceGenerator { get; set; }
 
-    [Column("provenance_run_id")]
     public string? ProvenanceRunId { get; set; }
 
-    [Column("provenance_policy_bundle_id")]
     public string? ProvenancePolicyBundleId { get; set; }
 
     // Inputs hash
-    [Column("inputs_hash")]
     public required string InputsHash { get; set; }
 
     // Full JSON
-    [Column("verdict_json", TypeName = "jsonb")]
     public required string VerdictJson { get; set; }
 
     // Timestamps
-    [Column("created_at")]
     public required DateTimeOffset CreatedAt { get; set; }
 
-    [Column("expires_at")]
     public DateTimeOffset? ExpiresAt { get; set; }
 }

src/__Libraries/StellaOps.Verdict/StellaOps.Verdict.csproj

@@ -12,12 +12,15 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />
+    <PackageReference Include="Npgsql" />
     <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
     <ProjectReference Include="..\StellaOps.Replay.Core\StellaOps.Replay.Core.csproj" />
+    <ProjectReference Include="..\StellaOps.Infrastructure.Postgres\StellaOps.Infrastructure.Postgres.csproj" />
     <ProjectReference Include="..\..\Policy\__Libraries\StellaOps.Policy\StellaOps.Policy.csproj" />
     <ProjectReference Include="..\..\Attestor\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
     <ProjectReference Include="..\..\Signer\StellaOps.Signer\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
@@ -27,4 +30,14 @@
   <ItemGroup>
     <EmbeddedResource Include="Contexts\verdict-1.0.jsonld" LogicalName="StellaOps.Verdict.Contexts.verdict-1.0.jsonld" Condition="Exists('Contexts\verdict-1.0.jsonld')" />
   </ItemGroup>
+
+  <ItemGroup>
+    <!-- Embed SQL migrations as resources -->
+    <EmbeddedResource Include="Persistence\Migrations\**\*.sql" LogicalName="%(RecursiveDir)%(Filename)%(Extension)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <!-- Exclude assembly attribute for non-default schema support -->
+    <Compile Remove="Persistence\EfCore\CompiledModels\VerdictDbContextAssemblyAttributes.cs" />
+  </ItemGroup>
 </Project>

src/__Libraries/StellaOps.Verdict/TASKS.md

@@ -1,8 +1,13 @@
 # StellaOps.Verdict Task Board
 This board mirrors active sprint tasks for this module.
-Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_solid_review.md`.
+Source of truth: `docs/implplan/SPRINT_20260222_080_Verdict_persistence_dal_to_efcore.md`.
 
 | Task ID | Status | Notes |
 | --- | --- | --- |
+| VERDICT-EF-01 | DONE | AGENTS.md verified and updated; migration registry plugin wired in Platform.Database. |
+| VERDICT-EF-02 | DONE | EF Core model scaffolded: VerdictDbContext with Fluent API, VerdictRow entity, EfCore/Context and EfCore/CompiledModels directories. |
+| VERDICT-EF-03 | DONE | PostgresVerdictStore converted to use VerdictDataSource + VerdictDbContextFactory pattern; inline VerdictDbContext removed. |
+| VERDICT-EF-04 | DONE | Compiled model stubs generated; assembly attributes excluded from compilation; VerdictDbContextFactory uses compiled model for default schema. |
+| VERDICT-EF-05 | DONE | Sequential builds pass (0 warnings, 0 errors); module docs and AGENTS.md updated; sprint tracker updated. |
 | REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/__Libraries/StellaOps.Verdict/StellaOps.Verdict.md. |
 | REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |