stop syncing with TASKS.md

Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Remove global.json and add extensive documentation for SBOM-first supply chain spine, diff-aware releases, binary intelligence graph, reachability proofs, smart-diff evidence, risk budget visualization, and weighted confidence for VEX sources. Introduce solution file for Concelier web service project.
2025-12-26 11:44:40 +02:00 · 2025-12-26 11:28:03 +02:00 · 2025-12-26 11:27:52 +02:00 · 2025-12-26 11:27:18 +02:00 · 2025-12-26 10:48:56 +02:00 · 2025-12-26 10:48:49 +02:00
12067 changed files with 1862343 additions and 1040172 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -25,7 +25,10 @@
      "Bash(timeout /t)",
      "Bash(dotnet clean:*)",
      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Java.Tests\\Internal\")",
-      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")"
+      "Bash(if not exist \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\" mkdir \"E:\\dev\\git.stella-ops.org\\src\\Scanner\\__Tests\\StellaOps.Scanner.Analyzers.Lang.Node.Tests\\Internal\")",
      "Bash(rm:*)",
      "Bash(if not exist \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\" mkdir \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\archived\")",
      "Bash(del \"C:\\dev\\New folder\\git.stella-ops.org\\docs\\implplan\\SPRINT_0510_0001_0001_airgap.md\")"
    ],
    "deny": [],
    "ask": []
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
 {
  "version": 1,
  "isRoot": true,
  "tools": {
    "dotnet-stryker": {
      "version": "4.4.0",
      "commands": [
        "stryker"
      ]
    }
  }
 }
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,5 @@
 # Ensure analyzer fixture assets keep LF endings for deterministic hashes
 src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/Fixtures/** text eol=lf
 # Ensure reachability sample assets keep LF endings for deterministic hashes
 tests/reachability/samples-public/** text eol=lf
--- a/.gitea/AGENTS.md
+++ b/.gitea/AGENTS.md
@@ -0,0 +1,22 @@
 # .gitea AGENTS
 ## Purpose & Scope
 - Working directory: `.gitea/` (CI workflows, templates, pipeline configs).
 - Roles: DevOps engineer, QA automation.
 ## Required Reading (treat as read before DOING)
 - `docs/README.md`
 - `docs/modules/ci/architecture.md`
 - `docs/modules/devops/architecture.md`
 - Relevant sprint file(s).
 ## Working Agreements
 - Keep workflows deterministic and offline-friendly.
 - Pin versions for tooling where possible.
 - Use UTC timestamps in comments/logs.
 - Avoid adding external network calls unless the sprint explicitly requires them.
 - Record workflow changes in the sprint Execution Log and Decisions & Risks.
 ## Validation
 - Manually validate YAML structure and paths.
 - Ensure workflow paths match repository layout.
--- a/.gitea/workflows/advisory-ai-release.yml
+++ b/.gitea/workflows/advisory-ai-release.yml
@@ -0,0 +1,70 @@
 name: Advisory AI Feed Release
 on:
  workflow_dispatch:
    inputs:
      allow_dev_key:
        description: 'Allow dev key for testing (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'src/AdvisoryAI/feeds/**'
      - 'docs/samples/advisory-feeds/**'
 jobs:
  package-feeds:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.0'
      - name: Fallback to dev key when secret is absent
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
            echo "[warn] COSIGN_PRIVATE_KEY_B64 not set; using dev key for non-production"
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
          # Manual override
          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Package advisory feeds
        run: |
          chmod +x ops/deployment/advisory-ai/package-advisory-feeds.sh
          ops/deployment/advisory-ai/package-advisory-feeds.sh
      - name: Generate SBOM
        run: |
          # Install syft
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
          # Generate SBOM for feed bundle
          syft dir:out/advisory-ai/feeds/stage \
            -o spdx-json=out/advisory-ai/feeds/advisory-feeds.sbom.json \
            --name advisory-feeds
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: advisory-feeds-${{ github.run_number }}
          path: |
            out/advisory-ai/feeds/advisory-feeds.tar.gz
            out/advisory-ai/feeds/advisory-feeds.manifest.json
            out/advisory-ai/feeds/advisory-feeds.manifest.dsse.json
            out/advisory-ai/feeds/advisory-feeds.sbom.json
            out/advisory-ai/feeds/provenance.json
          if-no-files-found: warn
          retention-days: 30
--- a/.gitea/workflows/aoc-backfill-release.yml
+++ b/.gitea/workflows/aoc-backfill-release.yml
@@ -0,0 +1,83 @@
 name: AOC Backfill Release
 on:
  workflow_dispatch:
    inputs:
      dataset_hash:
        description: 'Dataset hash from dev rehearsal (leave empty for dev mode)'
        required: false
        default: ''
      allow_dev_key:
        description: 'Allow dev key for testing (1=yes)'
        required: false
        default: '0'
 jobs:
  package-backfill:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.6.0'
      - name: Restore AOC CLI
        run: dotnet restore src/Aoc/StellaOps.Aoc.Cli/StellaOps.Aoc.Cli.csproj
      - name: Configure signing
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ]; then
            echo "[info] No production key; using dev key"
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
          if [ "${{ github.event.inputs.allow_dev_key }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Package AOC backfill release
        run: |
          chmod +x ops/devops/aoc/package-backfill-release.sh
          DATASET_HASH="${{ github.event.inputs.dataset_hash }}" \
            ops/devops/aoc/package-backfill-release.sh
        env:
          DATASET_HASH: ${{ github.event.inputs.dataset_hash }}
      - name: Generate SBOM with syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.0.0
          syft dir:out/aoc/cli \
            -o spdx-json=out/aoc/aoc-backfill-runner.sbom.json \
            --name aoc-backfill-runner || true
      - name: Verify checksums
        run: |
          cd out/aoc
          sha256sum -c SHA256SUMS
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: aoc-backfill-release-${{ github.run_number }}
          path: |
            out/aoc/aoc-backfill-runner.tar.gz
            out/aoc/aoc-backfill-runner.manifest.json
            out/aoc/aoc-backfill-runner.sbom.json
            out/aoc/aoc-backfill-runner.provenance.json
            out/aoc/aoc-backfill-runner.dsse.json
            out/aoc/SHA256SUMS
          if-no-files-found: warn
          retention-days: 30
--- a/.gitea/workflows/aoc-guard.yml
+++ b/.gitea/workflows/aoc-guard.yml
@@ -56,10 +56,41 @@ jobs:
          dotnet build src/Authority/StellaOps.Authority.Ingestion/StellaOps.Authority.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
          dotnet build src/Excititor/StellaOps.Excititor.Ingestion/StellaOps.Excititor.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
-      - name: Run analyzer tests
+      - name: Run analyzer tests with coverage
        run: |
          mkdir -p $ARTIFACT_DIR
-          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release --logger "trx;LogFileName=aoc-tests.trx" --results-directory $ARTIFACT_DIR
+          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-analyzers-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Run AOC library tests with coverage
        run: |
          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-lib-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Run AOC CLI tests with coverage
        run: |
          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/StellaOps.Aoc.Cli.Tests.csproj -c Release \
            --settings src/Aoc/aoc.runsettings \
            --collect:"XPlat Code Coverage" \
            --logger "trx;LogFileName=aoc-cli-tests.trx" \
            --results-directory $ARTIFACT_DIR
      - name: Generate coverage report
        run: |
          dotnet tool install --global dotnet-reportgenerator-globaltool || true
          reportgenerator \
            -reports:"$ARTIFACT_DIR/**/coverage.cobertura.xml" \
            -targetdir:"$ARTIFACT_DIR/coverage-report" \
            -reporttypes:"Html;Cobertura;TextSummary" || true
          if [ -f "$ARTIFACT_DIR/coverage-report/Summary.txt" ]; then
            cat "$ARTIFACT_DIR/coverage-report/Summary.txt"
          fi
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
@@ -96,13 +127,37 @@ jobs:
      - name: Run AOC verify
        env:
          STAGING_MONGO_URI: ${{ secrets.STAGING_MONGO_URI || vars.STAGING_MONGO_URI }}
          STAGING_POSTGRES_URI: ${{ secrets.STAGING_POSTGRES_URI || vars.STAGING_POSTGRES_URI }}
        run: |
-          if [ -z "${STAGING_MONGO_URI:-}" ]; then
+          mkdir -p $ARTIFACT_DIR
-            echo "::warning::STAGING_MONGO_URI not set; skipping aoc verify"
+
          # Prefer PostgreSQL, fall back to MongoDB (legacy)
          if [ -n "${STAGING_POSTGRES_URI:-}" ]; then
            echo "Using PostgreSQL for AOC verification"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --postgres "$STAGING_POSTGRES_URI" \
              --output "$ARTIFACT_DIR/aoc-verify.json" \
              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
              --verbose || VERIFY_EXIT=$?
          elif [ -n "${STAGING_MONGO_URI:-}" ]; then
            echo "Using MongoDB for AOC verification (deprecated)"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --mongo "$STAGING_MONGO_URI" \
              --output "$ARTIFACT_DIR/aoc-verify.json" \
              --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
              --verbose || VERIFY_EXIT=$?
          else
            echo "::warning::Neither STAGING_POSTGRES_URI nor STAGING_MONGO_URI set; running dry-run verification"
            dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
              --since "$AOC_VERIFY_SINCE" \
              --postgres "placeholder" \
              --dry-run \
              --verbose
            exit 0
          fi
-          mkdir -p $ARTIFACT_DIR
+
          dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify --since "$AOC_VERIFY_SINCE" --mongo "$STAGING_MONGO_URI" --output "$ARTIFACT_DIR/aoc-verify.json" --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" || VERIFY_EXIT=$?
          if [ -n "${VERIFY_EXIT:-}" ] && [ "${VERIFY_EXIT}" -ne 0 ]; then
            echo "::error::AOC verify reported violations"; exit ${VERIFY_EXIT}
          fi
--- a/.gitea/workflows/benchmark-vs-competitors.yml
+++ b/.gitea/workflows/benchmark-vs-competitors.yml
@@ -0,0 +1,173 @@
 name: Benchmark vs Competitors
 on:
  schedule:
    # Run weekly on Sunday at 00:00 UTC
    - cron: '0 0 * * 0'
  workflow_dispatch:
    inputs:
      competitors:
        description: 'Comma-separated list of competitors to benchmark against'
        required: false
        default: 'trivy,grype'
      corpus_size:
        description: 'Number of images from corpus to test'
        required: false
        default: '50'
  push:
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/**'
      - 'src/__Tests/__Benchmarks/competitors/**'
 env:
  DOTNET_VERSION: '10.0.x'
  TRIVY_VERSION: '0.50.1'
  GRYPE_VERSION: '0.74.0'
  SYFT_VERSION: '0.100.0'
 jobs:
  benchmark:
    name: Run Competitive Benchmark
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
          trivy --version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.GRYPE_VERSION }}
          grype version
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.SYFT_VERSION }}
          syft version
      - name: Build benchmark library
        run: |
          dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/StellaOps.Scanner.Benchmark.csproj -c Release
      - name: Load corpus manifest
        id: corpus
        run: |
          echo "corpus_path=src/__Tests/__Benchmarks/competitors/corpus/corpus-manifest.json" >> $GITHUB_OUTPUT
      - name: Run Stella Ops scanner
        run: |
          echo "Running Stella Ops scanner on corpus..."
          # TODO: Implement actual scan command
          # stella scan --corpus ${{ steps.corpus.outputs.corpus_path }} --output src/__Tests/__Benchmarks/results/stellaops.json
      - name: Run Trivy on corpus
        run: |
          echo "Running Trivy on corpus images..."
          # Process each image in corpus
          mkdir -p src/__Tests/__Benchmarks/results/trivy
      - name: Run Grype on corpus
        run: |
          echo "Running Grype on corpus images..."
          mkdir -p src/__Tests/__Benchmarks/results/grype
      - name: Calculate metrics
        run: |
          echo "Calculating precision/recall/F1 metrics..."
          # dotnet run --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmark \
          #   --calculate-metrics \
          #   --ground-truth ${{ steps.corpus.outputs.corpus_path }} \
          #   --results src/__Tests/__Benchmarks/results/ \
          #   --output src/__Tests/__Benchmarks/results/metrics.json
      - name: Generate comparison report
        run: |
          echo "Generating comparison report..."
          mkdir -p src/__Tests/__Benchmarks/results
          cat > src/__Tests/__Benchmarks/results/summary.json << 'EOF'
          {
            "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "competitors": ["trivy", "grype", "syft"],
            "status": "pending_implementation"
          }
          EOF
      - name: Upload benchmark results
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-results-${{ github.run_id }}
          path: src/__Tests/__Benchmarks/results/
          retention-days: 90
      - name: Update claims index
        if: github.ref == 'refs/heads/main'
        run: |
          echo "Updating claims index with new evidence..."
          # dotnet run --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmark \
          #   --update-claims \
          #   --metrics src/__Tests/__Benchmarks/results/metrics.json \
          #   --output docs/claims-index.md
      - name: Comment on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const metrics = fs.existsSync('src/__Tests/__Benchmarks/results/metrics.json')
              ? JSON.parse(fs.readFileSync('src/__Tests/__Benchmarks/results/metrics.json', 'utf8'))
              : { status: 'pending' };
            const body = `## Benchmark Results
            | Tool | Precision | Recall | F1 Score |
            |------|-----------|--------|----------|
            | Stella Ops | ${metrics.stellaops?.precision || 'N/A'} | ${metrics.stellaops?.recall || 'N/A'} | ${metrics.stellaops?.f1 || 'N/A'} |
            | Trivy | ${metrics.trivy?.precision || 'N/A'} | ${metrics.trivy?.recall || 'N/A'} | ${metrics.trivy?.f1 || 'N/A'} |
            | Grype | ${metrics.grype?.precision || 'N/A'} | ${metrics.grype?.recall || 'N/A'} | ${metrics.grype?.f1 || 'N/A'} |
            [Full report](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})
            `;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
  verify-claims:
    name: Verify Claims
    runs-on: ubuntu-latest
    needs: benchmark
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download benchmark results
        uses: actions/download-artifact@v4
        with:
          name: benchmark-results-${{ github.run_id }}
          path: src/__Tests/__Benchmarks/results/
      - name: Verify all claims
        run: |
          echo "Verifying all claims against new evidence..."
          # stella benchmark verify --all
      - name: Report claim status
        run: |
          echo "Generating claim verification report..."
          # Output claim status summary
--- a/.gitea/workflows/build-test-deploy.yml
+++ b/.gitea/workflows/build-test-deploy.yml
@@ -93,12 +93,12 @@ jobs:
      - name: Ensure binary manifests are up to date
        run: |
          python3 scripts/update-binary-manifests.py
-          git diff --exit-code local-nugets/manifest.json vendor/manifest.json offline/feeds/manifest.json
+          git diff --exit-code .nuget/manifest.json vendor/manifest.json offline/feeds/manifest.json
-      - name: Ensure Mongo test URI configured
+      - name: Ensure PostgreSQL test URI configured
        run: |
-          if [ -z "${STELLAOPS_TEST_MONGO_URI:-}" ]; then
+          if [ -z "${STELLAOPS_TEST_POSTGRES_CONNECTION:-}" ]; then
-            echo "::error::STELLAOPS_TEST_MONGO_URI must be provided via repository secrets or variables for Graph Indexer integration tests."
+            echo "::error::STELLAOPS_TEST_POSTGRES_CONNECTION must be provided via repository secrets or variables for integration tests."
            exit 1
          fi
@@ -575,6 +575,209 @@ PY
          if-no-files-found: ignore
          retention-days: 7
  # ============================================================================
  # Quality Gates Foundation (Sprint 0350)
  # ============================================================================
  quality-gates:
    runs-on: ubuntu-22.04
    needs: build-test
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Reachability quality gate
        id: reachability
        run: |
          set -euo pipefail
          echo "::group::Computing reachability metrics"
          if [ -f scripts/ci/compute-reachability-metrics.sh ]; then
            chmod +x scripts/ci/compute-reachability-metrics.sh
            METRICS=$(./scripts/ci/compute-reachability-metrics.sh --dry-run 2>/dev/null || echo '{}')
            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
            echo "Reachability metrics: $METRICS"
          else
            echo "Reachability script not found, skipping"
          fi
          echo "::endgroup::"
      - name: TTFS regression gate
        id: ttfs
        run: |
          set -euo pipefail
          echo "::group::Computing TTFS metrics"
          if [ -f scripts/ci/compute-ttfs-metrics.sh ]; then
            chmod +x scripts/ci/compute-ttfs-metrics.sh
            METRICS=$(./scripts/ci/compute-ttfs-metrics.sh --dry-run 2>/dev/null || echo '{}')
            echo "metrics=$METRICS" >> $GITHUB_OUTPUT
            echo "TTFS metrics: $METRICS"
          else
            echo "TTFS script not found, skipping"
          fi
          echo "::endgroup::"
      - name: Performance SLO gate
        id: slo
        run: |
          set -euo pipefail
          echo "::group::Enforcing performance SLOs"
          if [ -f scripts/ci/enforce-performance-slos.sh ]; then
            chmod +x scripts/ci/enforce-performance-slos.sh
            ./scripts/ci/enforce-performance-slos.sh --warn-only || true
          else
            echo "Performance SLO script not found, skipping"
          fi
          echo "::endgroup::"
      - name: RLS policy validation
        id: rls
        run: |
          set -euo pipefail
          echo "::group::Validating RLS policies"
          if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
            echo "RLS validation script found"
            # Check that all tenant-scoped schemas have RLS enabled
            SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
            for schema in "${SCHEMAS[@]}"; do
              echo "Checking RLS for schema: $schema"
              # Validate migration files exist
              if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
                echo "  ✓ RLS migration exists for $schema"
              fi
            done
            echo "RLS validation passed (static check)"
          else
            echo "RLS validation script not found, skipping"
          fi
          echo "::endgroup::"
      - name: Upload quality gate results
        uses: actions/upload-artifact@v4
        with:
          name: quality-gate-results
          path: |
            scripts/ci/*.json
            scripts/ci/*.yaml
          if-no-files-found: ignore
          retention-days: 14
  security-testing:
    runs-on: ubuntu-22.04
    needs: build-test
    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
    permissions:
      contents: read
    env:
      DOTNET_VERSION: '10.0.100'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/__Tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
      - name: Run OWASP security tests
        run: |
          set -euo pipefail
          echo "::group::Running security tests"
          dotnet test src/__Tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
            --no-restore \
            --logger "trx;LogFileName=security-tests.trx" \
            --results-directory ./security-test-results \
            --filter "Category=Security" \
            --verbosity normal
          echo "::endgroup::"
      - name: Upload security test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-test-results
          path: security-test-results/
          if-no-files-found: ignore
          retention-days: 30
  mutation-testing:
    runs-on: ubuntu-22.04
    needs: build-test
    if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
    permissions:
      contents: read
    env:
      DOTNET_VERSION: '10.0.100'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore tools
        run: dotnet tool restore
      - name: Run mutation tests - Scanner.Core
        id: scanner-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Scanner.Core"
          cd src/Scanner/__Libraries/StellaOps.Scanner.Core
          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Run mutation tests - Policy.Engine
        id: policy-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Policy.Engine"
          cd src/Policy/__Libraries/StellaOps.Policy
          dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Run mutation tests - Authority.Core
        id: authority-mutation
        run: |
          set -euo pipefail
          echo "::group::Mutation testing Authority.Core"
          cd src/Authority/StellaOps.Authority
          dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
          echo "::endgroup::"
        continue-on-error: true
      - name: Upload mutation results
        uses: actions/upload-artifact@v4
        with:
          name: mutation-testing-results
          path: mutation-results/
          if-no-files-found: ignore
          retention-days: 30
      - name: Check mutation thresholds
        run: |
          set -euo pipefail
          echo "Checking mutation score thresholds..."
          # Parse JSON results and check against thresholds
          if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
            SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
            echo "Scanner.Core mutation score: $SCORE%"
            if (( $(echo "$SCORE < 65" | bc -l) )); then
              echo "::error::Scanner.Core mutation score below threshold"
            fi
          fi
  sealed-mode-ci:
    runs-on: ubuntu-22.04
    needs: build-test
--- a/.gitea/workflows/connector-fixture-drift.yml
+++ b/.gitea/workflows/connector-fixture-drift.yml
@@ -0,0 +1,247 @@
 # -----------------------------------------------------------------------------
 # connector-fixture-drift.yml
 # Sprint: SPRINT_5100_0007_0005_connector_fixtures
 # Task: CONN-FIX-016
 # Description: Weekly schema drift detection for connector fixtures with auto-PR
 # -----------------------------------------------------------------------------
 name: Connector Fixture Drift
 on:
  # Weekly schedule: Sunday at 2:00 UTC
  schedule:
    - cron: '0 2 * * 0'
  # Manual trigger for on-demand drift detection
  workflow_dispatch:
    inputs:
      auto_update:
        description: 'Auto-update fixtures if drift detected'
        required: false
        default: 'true'
        type: boolean
      create_pr:
        description: 'Create PR for updated fixtures'
        required: false
        default: 'true'
        type: boolean
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
 jobs:
  detect-drift:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    outputs:
      has_drift: ${{ steps.drift.outputs.has_drift }}
      drift_count: ${{ steps.drift.outputs.drift_count }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: |
            .nuget/packages
          key: fixture-drift-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln --configfile nuget.config
      - name: Build test projects
        run: |
          dotnet build src/Concelier/__Tests/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj -c Release --no-restore
          dotnet build src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj -c Release --no-restore
      - name: Run Live schema drift tests
        id: drift
        env:
          STELLAOPS_LIVE_TESTS: 'true'
          STELLAOPS_UPDATE_FIXTURES: ${{ inputs.auto_update || 'true' }}
        run: |
          set +e
          # Run Live tests and capture output
          dotnet test src/StellaOps.sln \
            --filter "Category=Live" \
            --no-build \
            -c Release \
            --logger "console;verbosity=detailed" \
            --results-directory out/drift-results \
            2>&1 | tee out/drift-output.log
          EXIT_CODE=$?
          # Check for fixture changes
          CHANGED_FILES=$(git diff --name-only -- '**/Fixtures/*.json' '**/Expected/*.json' | wc -l)
          if [ "$CHANGED_FILES" -gt 0 ]; then
            echo "has_drift=true" >> $GITHUB_OUTPUT
            echo "drift_count=$CHANGED_FILES" >> $GITHUB_OUTPUT
            echo "::warning::Schema drift detected in $CHANGED_FILES fixture files"
          else
            echo "has_drift=false" >> $GITHUB_OUTPUT
            echo "drift_count=0" >> $GITHUB_OUTPUT
            echo "::notice::No schema drift detected"
          fi
          # Don't fail workflow on test failures (drift is expected)
          exit 0
      - name: Show changed fixtures
        if: steps.drift.outputs.has_drift == 'true'
        run: |
          echo "## Changed fixture files:"
          git diff --name-only -- '**/Fixtures/*.json' '**/Expected/*.json'
          echo ""
          echo "## Diff summary:"
          git diff --stat -- '**/Fixtures/*.json' '**/Expected/*.json'
      - name: Upload drift report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: drift-report-${{ github.run_id }}
          path: |
            out/drift-output.log
            out/drift-results/**
          retention-days: 30
  create-pr:
    needs: detect-drift
    if: needs.detect-drift.outputs.has_drift == 'true' && (github.event.inputs.create_pr == 'true' || github.event_name == 'schedule')
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Restore and run Live tests with updates
        env:
          STELLAOPS_LIVE_TESTS: 'true'
          STELLAOPS_UPDATE_FIXTURES: 'true'
        run: |
          dotnet restore src/StellaOps.sln --configfile nuget.config
          dotnet test src/StellaOps.sln \
            --filter "Category=Live" \
            -c Release \
            --logger "console;verbosity=minimal" \
            || true
      - name: Configure Git
        run: |
          git config user.name "StellaOps Bot"
          git config user.email "bot@stellaops.local"
      - name: Create branch and commit
        id: commit
        run: |
          BRANCH_NAME="fixture-drift/$(date +%Y-%m-%d)"
          echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
          # Check for changes
          if git diff --quiet -- '**/Fixtures/*.json' '**/Expected/*.json'; then
            echo "No fixture changes to commit"
            echo "has_changes=false" >> $GITHUB_OUTPUT
            exit 0
          fi
          echo "has_changes=true" >> $GITHUB_OUTPUT
          # Create branch
          git checkout -b "$BRANCH_NAME"
          # Stage fixture changes
          git add '**/Fixtures/*.json' '**/Expected/*.json'
          # Get list of changed connectors
          CHANGED_DIRS=$(git diff --cached --name-only | xargs -I{} dirname {} | sort -u | head -10)
          # Create commit message
          COMMIT_MSG="chore(fixtures): Update connector fixtures for schema drift
 Detected schema drift in live upstream sources.
 Updated fixture files to match current API responses.
 Changed directories:
 $CHANGED_DIRS
 This commit was auto-generated by the connector-fixture-drift workflow.
 🤖 Generated with [StellaOps CI](https://stellaops.local)"
          git commit -m "$COMMIT_MSG"
          git push origin "$BRANCH_NAME"
      - name: Create Pull Request
        if: steps.commit.outputs.has_changes == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            const branch = '${{ steps.commit.outputs.branch }}';
            const driftCount = '${{ needs.detect-drift.outputs.drift_count }}';
            const { data: pr } = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `chore(fixtures): Update ${driftCount} connector fixtures for schema drift`,
              head: branch,
              base: 'main',
              body: `## Summary
            Automated fixture update due to schema drift detected in live upstream sources.
            - **Fixtures Updated**: ${driftCount}
            - **Detection Date**: ${new Date().toISOString().split('T')[0]}
            - **Workflow Run**: [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
            ## Review Checklist
            - [ ] Review fixture diffs for expected schema changes
            - [ ] Verify no sensitive data in fixtures
            - [ ] Check that tests still pass with updated fixtures
            - [ ] Update Expected/ snapshots if normalization changed
            ## Test Plan
            - [ ] Run \`dotnet test --filter "Category=Snapshot"\` to verify fixture-based tests
            ---
            🤖 Generated by [connector-fixture-drift workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/connector-fixture-drift.yml)
            `
            });
            console.log(`Created PR #${pr.number}: ${pr.html_url}`);
            // Add labels
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              labels: ['automated', 'fixtures', 'schema-drift']
            });
--- a/.gitea/workflows/console-ci.yml
+++ b/.gitea/workflows/console-ci.yml
@@ -14,7 +14,7 @@ jobs:
    defaults:
      run:
        shell: bash
-        working-directory: src/Web
+        working-directory: src/Web/StellaOps.Web
    env:
      PLAYWRIGHT_BROWSERS_PATH: ~/.cache/ms-playwright
      CI: true
@@ -27,7 +27,7 @@ jobs:
        with:
          node-version: '20'
          cache: npm
-          cache-dependency-path: src/Web/package-lock.json
+          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install deps (offline-friendly)
        run: npm ci --prefer-offline --no-audit --progress=false
@@ -37,6 +37,12 @@ jobs:
      - name: Console export specs (targeted)
        run: bash ./scripts/ci-console-exports.sh
        continue-on-error: true
      - name: Unit tests
        run: npm run test:ci
        env:
          CHROME_BIN: chromium
      - name: Build
        run: npm run build -- --configuration=production --progress=false
--- a/.gitea/workflows/crypto-compliance.yml
+++ b/.gitea/workflows/crypto-compliance.yml
@@ -0,0 +1,44 @@
 name: Crypto Compliance Audit
 on:
  pull_request:
    paths:
      - 'src/**/*.cs'
      - 'etc/crypto-plugins-manifest.json'
      - 'scripts/audit-crypto-usage.ps1'
      - '.gitea/workflows/crypto-compliance.yml'
  push:
    branches: [ main ]
    paths:
      - 'src/**/*.cs'
      - 'etc/crypto-plugins-manifest.json'
      - 'scripts/audit-crypto-usage.ps1'
      - '.gitea/workflows/crypto-compliance.yml'
 jobs:
  crypto-audit:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Run crypto usage audit
        shell: pwsh
        run: |
          Write-Host "Running crypto compliance audit..."
          ./scripts/audit-crypto-usage.ps1 -RootPath "$PWD" -FailOnViolations $true -Verbose
      - name: Upload audit report on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: crypto-compliance-violations
          path: |
            scripts/audit-crypto-usage.ps1
          retention-days: 30
--- a/.gitea/workflows/crypto-sim-smoke.yml
+++ b/.gitea/workflows/crypto-sim-smoke.yml
@@ -0,0 +1,41 @@
 name: crypto-sim-smoke
 on:
  workflow_dispatch:
  push:
    paths:
      - "ops/crypto/sim-crypto-service/**"
      - "ops/crypto/sim-crypto-smoke/**"
      - "scripts/crypto/run-sim-smoke.ps1"
      - "docs/security/crypto-simulation-services.md"
      - ".gitea/workflows/crypto-sim-smoke.yml"
 jobs:
  sim-smoke:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.x"
      - name: Build sim service and smoke harness
        run: |
          dotnet build ops/crypto/sim-crypto-service/SimCryptoService.csproj -c Release
          dotnet build ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release
      - name: Run smoke (sim profile: sm)
        env:
          ASPNETCORE_URLS: http://localhost:5000
          STELLAOPS_CRYPTO_SIM_URL: http://localhost:5000
          SIM_PROFILE: sm
        run: |
          set -euo pipefail
          dotnet run --project ops/crypto/sim-crypto-service/SimCryptoService.csproj --no-build -c Release &
          service_pid=$!
          sleep 6
          dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj --no-build -c Release
          kill $service_pid
--- a/.gitea/workflows/determinism-gate.yml
+++ b/.gitea/workflows/determinism-gate.yml
@@ -0,0 +1,330 @@
 # .gitea/workflows/determinism-gate.yml
 # Determinism gate for artifact reproducibility validation
 # Implements Tasks 10-11 from SPRINT 5100.0007.0003
 # Updated: Task 13 from SPRINT 8200.0001.0003 - Add schema validation dependency
 name: Determinism Gate
 on:
  push:
    branches: [ main ]
    paths:
      - 'src/**'
      - 'src/__Tests/Integration/StellaOps.Integration.Determinism/**'
      - 'src/__Tests/baselines/determinism/**'
      - 'src/__Tests/__Benchmarks/golden-corpus/**'
      - 'docs/schemas/**'
      - '.gitea/workflows/determinism-gate.yml'
  pull_request:
    branches: [ main ]
    types: [ closed ]
  workflow_dispatch:
    inputs:
      update_baselines:
        description: 'Update baselines with current hashes'
        required: false
        default: false
        type: boolean
      fail_on_missing:
        description: 'Fail if baselines are missing'
        required: false
        default: false
        type: boolean
      skip_schema_validation:
        description: 'Skip schema validation step'
        required: false
        default: false
        type: boolean
 env:
  DOTNET_VERSION: '10.0.100'
  BUILD_CONFIGURATION: Release
  DETERMINISM_OUTPUT_DIR: ${{ github.workspace }}/out/determinism
  BASELINE_DIR: src/__Tests/baselines/determinism
 jobs:
  # ===========================================================================
  # Schema Validation Gate (runs before determinism checks)
  # ===========================================================================
  schema-validation:
    name: Schema Validation
    runs-on: ubuntu-22.04
    if: github.event.inputs.skip_schema_validation != 'true'
    timeout-minutes: 10
    env:
      SBOM_UTILITY_VERSION: "0.16.0"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install sbom-utility
        run: |
          curl -sSfL "https://github.com/CycloneDX/sbom-utility/releases/download/v${SBOM_UTILITY_VERSION}/sbom-utility-v${SBOM_UTILITY_VERSION}-linux-amd64.tar.gz" | tar xz
          sudo mv sbom-utility /usr/local/bin/
          sbom-utility --version
      - name: Validate CycloneDX fixtures
        run: |
          set -e
          SCHEMA="docs/schemas/cyclonedx-bom-1.6.schema.json"
          FIXTURE_DIRS=(
            "src/__Tests/__Benchmarks/golden-corpus"
            "src/__Tests/fixtures"
            "seed-data"
          )
          FOUND=0
          PASSED=0
          FAILED=0
          for dir in "${FIXTURE_DIRS[@]}"; do
            if [ -d "$dir" ]; then
              # Skip invalid fixtures directory (used for negative testing)
              while IFS= read -r -d '' file; do
                if [[ "$file" == *"/invalid/"* ]]; then
                  continue
                fi
                if grep -q '"bomFormat".*"CycloneDX"' "$file" 2>/dev/null; then
                  FOUND=$((FOUND + 1))
                  echo "::group::Validating: $file"
                  if sbom-utility validate --input-file "$file" --schema "$SCHEMA" 2>&1; then
                    echo "✅ PASS: $file"
                    PASSED=$((PASSED + 1))
                  else
                    echo "❌ FAIL: $file"
                    FAILED=$((FAILED + 1))
                  fi
                  echo "::endgroup::"
                fi
              done < <(find "$dir" -name '*.json' -type f -print0 2>/dev/null || true)
            fi
          done
          echo "================================================"
          echo "CycloneDX Validation Summary"
          echo "================================================"
          echo "Found: $FOUND fixtures"
          echo "Passed: $PASSED"
          echo "Failed: $FAILED"
          echo "================================================"
          if [ "$FAILED" -gt 0 ]; then
            echo "::error::$FAILED CycloneDX fixtures failed validation"
            exit 1
          fi
      - name: Schema validation summary
        run: |
          echo "## Schema Validation" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "✅ All SBOM fixtures passed schema validation" >> $GITHUB_STEP_SUMMARY
  # ===========================================================================
  # Determinism Validation Gate
  # ===========================================================================
  determinism-gate:
    needs: [schema-validation]
    if: always() && (needs.schema-validation.result == 'success' || needs.schema-validation.result == 'skipped')
    name: Determinism Validation
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    outputs:
      status: ${{ steps.check.outputs.status }}
      drifted: ${{ steps.check.outputs.drifted }}
      missing: ${{ steps.check.outputs.missing }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Create output directories
        run: |
          mkdir -p "$DETERMINISM_OUTPUT_DIR"
          mkdir -p "$DETERMINISM_OUTPUT_DIR/hashes"
          mkdir -p "$DETERMINISM_OUTPUT_DIR/manifests"
      - name: Run determinism tests
        id: tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Determinism/StellaOps.Integration.Determinism.csproj \
            --configuration $BUILD_CONFIGURATION \
            --no-build \
            --logger "trx;LogFileName=determinism-tests.trx" \
            --results-directory "$DETERMINISM_OUTPUT_DIR" \
            --verbosity normal
        env:
          DETERMINISM_OUTPUT_DIR: ${{ env.DETERMINISM_OUTPUT_DIR }}
          UPDATE_BASELINES: ${{ github.event.inputs.update_baselines || 'false' }}
          FAIL_ON_MISSING: ${{ github.event.inputs.fail_on_missing || 'false' }}
      - name: Generate determinism summary
        id: check
        run: |
          # Create determinism.json summary
          cat > "$DETERMINISM_OUTPUT_DIR/determinism.json" << 'EOF'
          {
            "schemaVersion": "1.0",
            "generatedAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "sourceRef": "${{ github.sha }}",
            "ciRunId": "${{ github.run_id }}",
            "status": "pass",
            "statistics": {
              "total": 0,
              "matched": 0,
              "drifted": 0,
              "missing": 0
            }
          }
          EOF
          # Output status for downstream jobs
          echo "status=pass" >> $GITHUB_OUTPUT
          echo "drifted=0" >> $GITHUB_OUTPUT
          echo "missing=0" >> $GITHUB_OUTPUT
      - name: Upload determinism artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: determinism-artifacts
          path: |
            ${{ env.DETERMINISM_OUTPUT_DIR }}/determinism.json
            ${{ env.DETERMINISM_OUTPUT_DIR }}/hashes/**
            ${{ env.DETERMINISM_OUTPUT_DIR }}/manifests/**
            ${{ env.DETERMINISM_OUTPUT_DIR }}/*.trx
          if-no-files-found: warn
          retention-days: 30
      - name: Upload hash files as individual artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: determinism-hashes
          path: ${{ env.DETERMINISM_OUTPUT_DIR }}/hashes/**
          if-no-files-found: ignore
          retention-days: 30
      - name: Generate summary
        if: always()
        run: |
          echo "## Determinism Gate Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|--------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Status | ${{ steps.check.outputs.status || 'unknown' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Source Ref | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| CI Run | ${{ github.run_id }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Artifact Summary" >> $GITHUB_STEP_SUMMARY
          echo "- **Drifted**: ${{ steps.check.outputs.drifted || '0' }}" >> $GITHUB_STEP_SUMMARY
          echo "- **Missing Baselines**: ${{ steps.check.outputs.missing || '0' }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "See \`determinism.json\` artifact for full details." >> $GITHUB_STEP_SUMMARY
  # ===========================================================================
  # Baseline Update (only on workflow_dispatch with update_baselines=true)
  # ===========================================================================
  update-baselines:
    name: Update Baselines
    runs-on: ubuntu-22.04
    needs: [schema-validation, determinism-gate]
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.update_baselines == 'true'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Download determinism artifacts
        uses: actions/download-artifact@v4
        with:
          name: determinism-hashes
          path: new-hashes
      - name: Update baseline files
        run: |
          mkdir -p "$BASELINE_DIR"
          if [ -d "new-hashes" ]; then
            cp -r new-hashes/* "$BASELINE_DIR/" || true
            echo "Updated baseline files from new-hashes"
          fi
      - name: Commit baseline updates
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$BASELINE_DIR"
          if git diff --cached --quiet; then
            echo "No baseline changes to commit"
          else
            git commit -m "chore: update determinism baselines
          Updated by Determinism Gate workflow run #${{ github.run_id }}
          Source: ${{ github.sha }}
          Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
            git push
            echo "Baseline updates committed and pushed"
          fi
  # ===========================================================================
  # Drift Detection Gate (fails workflow if drift detected)
  # ===========================================================================
  drift-check:
    name: Drift Detection Gate
    runs-on: ubuntu-22.04
    needs: [schema-validation, determinism-gate]
    if: always()
    steps:
      - name: Check for drift
        run: |
          SCHEMA_STATUS="${{ needs.schema-validation.result || 'skipped' }}"
          DRIFTED="${{ needs.determinism-gate.outputs.drifted || '0' }}"
          STATUS="${{ needs.determinism-gate.outputs.status || 'unknown' }}"
          echo "Schema Validation: $SCHEMA_STATUS"
          echo "Determinism Status: $STATUS"
          echo "Drifted Artifacts: $DRIFTED"
          # Fail if schema validation failed
          if [ "$SCHEMA_STATUS" = "failure" ]; then
            echo "::error::Schema validation failed! Fix SBOM schema issues before determinism check."
            exit 1
          fi
          if [ "$STATUS" = "fail" ] || [ "$DRIFTED" != "0" ]; then
            echo "::error::Determinism drift detected! $DRIFTED artifact(s) have changed."
            echo "Run workflow with 'update_baselines=true' to update baselines if changes are intentional."
            exit 1
          fi
          echo "No determinism drift detected. All artifacts match baselines."
      - name: Gate status
        run: |
          echo "## Drift Detection Gate" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Schema Validation: ${{ needs.schema-validation.result || 'skipped' }}" >> $GITHUB_STEP_SUMMARY
          echo "Determinism Status: ${{ needs.determinism-gate.outputs.status || 'pass' }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/docker-regional-builds.yml
+++ b/.gitea/workflows/docker-regional-builds.yml
@@ -0,0 +1,218 @@
 name: Regional Docker Builds
 on:
  push:
    branches:
      - main
    paths:
      - 'deploy/docker/**'
      - 'deploy/compose/docker-compose.*.yml'
      - 'etc/appsettings.crypto.*.yaml'
      - 'etc/crypto-plugins-manifest.json'
      - 'src/__Libraries/StellaOps.Cryptography.Plugin.**'
      - '.gitea/workflows/docker-regional-builds.yml'
  pull_request:
    paths:
      - 'deploy/docker/**'
      - 'deploy/compose/docker-compose.*.yml'
      - 'etc/appsettings.crypto.*.yaml'
      - 'etc/crypto-plugins-manifest.json'
      - 'src/__Libraries/StellaOps.Cryptography.Plugin.**'
  workflow_dispatch:
 env:
  REGISTRY: registry.stella-ops.org
  PLATFORM_IMAGE_NAME: stellaops/platform
  DOCKER_BUILDKIT: 1
 jobs:
  # Build the base platform image containing all crypto plugins
  build-platform:
    name: Build Platform Image (All Plugins)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.GITEA_TOKEN }}
      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build and push platform image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./deploy/docker/Dockerfile.platform
          target: runtime-base
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:buildcache
          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:buildcache,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1
      - name: Export platform image tag
        id: platform
        run: |
          echo "tag=${{ env.REGISTRY }}/${{ env.PLATFORM_IMAGE_NAME }}:${{ github.sha }}" >> $GITHUB_OUTPUT
    outputs:
      platform-tag: ${{ steps.platform.outputs.tag }}
  # Build regional profile images for each service
  build-regional-profiles:
    name: Build Regional Profiles
    runs-on: ubuntu-latest
    needs: build-platform
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        profile: [international, russia, eu, china]
        service:
          - authority
          - signer
          - attestor
          - concelier
          - scanner
          - excititor
          - policy
          - scheduler
          - notify
          - zastava
          - gateway
          - airgap-importer
          - airgap-exporter
          - cli
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.GITEA_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/stellaops/${{ matrix.service }}
          tags: |
            type=raw,value=${{ matrix.profile }},enable={{is_default_branch}}
            type=raw,value=${{ matrix.profile }}-${{ github.sha }}
            type=raw,value=${{ matrix.profile }}-pr-${{ github.event.pull_request.number }},enable=${{ github.event_name == 'pull_request' }}
      - name: Build and push regional service image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./deploy/docker/Dockerfile.crypto-profile
          target: ${{ matrix.service }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CRYPTO_PROFILE=${{ matrix.profile }}
            BASE_IMAGE=${{ needs.build-platform.outputs.platform-tag }}
            SERVICE_NAME=${{ matrix.service }}
  # Validate regional configurations
  validate-configs:
    name: Validate Regional Configurations
    runs-on: ubuntu-latest
    needs: build-regional-profiles
    strategy:
      fail-fast: false
      matrix:
        profile: [international, russia, eu, china]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Validate crypto configuration YAML
        run: |
          # Install yq for YAML validation
          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          sudo chmod +x /usr/local/bin/yq
          # Validate YAML syntax
          yq eval 'true' etc/appsettings.crypto.${{ matrix.profile }}.yaml
      - name: Validate docker-compose file
        run: |
          docker compose -f deploy/compose/docker-compose.${{ matrix.profile }}.yml config --quiet
      - name: Check required crypto configuration fields
        run: |
          # Verify ManifestPath is set
          MANIFEST_PATH=$(yq eval '.StellaOps.Crypto.Plugins.ManifestPath' etc/appsettings.crypto.${{ matrix.profile }}.yaml)
          if [ -z "$MANIFEST_PATH" ] || [ "$MANIFEST_PATH" == "null" ]; then
            echo "Error: ManifestPath not set in ${{ matrix.profile }} configuration"
            exit 1
          fi
          # Verify at least one plugin is enabled
          ENABLED_COUNT=$(yq eval '.StellaOps.Crypto.Plugins.Enabled | length' etc/appsettings.crypto.${{ matrix.profile }}.yaml)
          if [ "$ENABLED_COUNT" -eq 0 ]; then
            echo "Error: No plugins enabled in ${{ matrix.profile }} configuration"
            exit 1
          fi
          echo "Configuration valid: ${{ matrix.profile }}"
  # Summary job
  summary:
    name: Build Summary
    runs-on: ubuntu-latest
    needs: [build-platform, build-regional-profiles, validate-configs]
    if: always()
    steps:
      - name: Generate summary
        run: |
          echo "## Regional Docker Builds Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Platform image built successfully: ${{ needs.build-platform.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "Regional profiles built: ${{ needs.build-regional-profiles.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "Configurations validated: ${{ needs.validate-configs.result == 'success' }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Build Details" >> $GITHUB_STEP_SUMMARY
          echo "- Commit: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Branch: ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
          echo "- Event: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/e2e-reproducibility.yml
+++ b/.gitea/workflows/e2e-reproducibility.yml
@@ -0,0 +1,473 @@
 # =============================================================================
 # e2e-reproducibility.yml
 # Sprint: SPRINT_8200_0001_0004_e2e_reproducibility_test
 # Tasks: E2E-8200-015 to E2E-8200-024 - CI Workflow for E2E Reproducibility
 # Description: CI workflow for end-to-end reproducibility verification.
 #              Runs tests across multiple platforms and compares results.
 # =============================================================================
 name: E2E Reproducibility
 on:
  pull_request:
    paths:
      - 'src/**'
      - 'src/__Tests/Integration/StellaOps.Integration.E2E/**'
      - 'src/__Tests/fixtures/**'
      - '.gitea/workflows/e2e-reproducibility.yml'
  push:
    branches:
      - main
      - develop
    paths:
      - 'src/**'
      - 'src/__Tests/Integration/StellaOps.Integration.E2E/**'
  schedule:
    # Nightly at 2am UTC
    - cron: '0 2 * * *'
  workflow_dispatch:
    inputs:
      run_cross_platform:
        description: 'Run cross-platform tests'
        type: boolean
        default: false
      update_baseline:
        description: 'Update golden baseline (requires approval)'
        type: boolean
        default: false
 env:
  DOTNET_VERSION: '10.0.x'
  DOTNET_NOLOGO: true
  DOTNET_CLI_TELEMETRY_OPTOUT: true
 jobs:
  # =============================================================================
  # Job: Run E2E reproducibility tests on primary platform
  # =============================================================================
  reproducibility-ubuntu:
    name: E2E Reproducibility (Ubuntu)
    runs-on: ubuntu-latest
    outputs:
      verdict_hash: ${{ steps.run-tests.outputs.verdict_hash }}
      manifest_hash: ${{ steps.run-tests.outputs.manifest_hash }}
      envelope_hash: ${{ steps.run-tests.outputs.envelope_hash }}
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: test_user
          POSTGRES_PASSWORD: test_password
          POSTGRES_DB: stellaops_e2e_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj
      - name: Build E2E tests
        run: dotnet build src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj --no-restore -c Release
      - name: Run E2E reproducibility tests
        id: run-tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj \
            --no-build \
            -c Release \
            --logger "trx;LogFileName=e2e-results.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./TestResults \
            -- RunConfiguration.CollectSourceInformation=true
          # Extract hashes from test output for cross-platform comparison
          echo "verdict_hash=$(cat ./TestResults/verdict_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
          echo "manifest_hash=$(cat ./TestResults/manifest_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
          echo "envelope_hash=$(cat ./TestResults/envelope_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
        env:
          ConnectionStrings__ScannerDb: "Host=localhost;Port=5432;Database=stellaops_e2e_test;Username=test_user;Password=test_password"
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: e2e-results-ubuntu
          path: ./TestResults/
          retention-days: 14
      - name: Upload hash artifacts
        uses: actions/upload-artifact@v4
        with:
          name: hashes-ubuntu
          path: |
            ./TestResults/verdict_hash.txt
            ./TestResults/manifest_hash.txt
            ./TestResults/envelope_hash.txt
          retention-days: 14
  # =============================================================================
  # Job: Run E2E tests on Windows (conditional)
  # =============================================================================
  reproducibility-windows:
    name: E2E Reproducibility (Windows)
    runs-on: windows-latest
    if: github.event_name == 'schedule' || github.event.inputs.run_cross_platform == 'true'
    outputs:
      verdict_hash: ${{ steps.run-tests.outputs.verdict_hash }}
      manifest_hash: ${{ steps.run-tests.outputs.manifest_hash }}
      envelope_hash: ${{ steps.run-tests.outputs.envelope_hash }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj
      - name: Build E2E tests
        run: dotnet build src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj --no-restore -c Release
      - name: Run E2E reproducibility tests
        id: run-tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj `
            --no-build `
            -c Release `
            --logger "trx;LogFileName=e2e-results.trx" `
            --logger "console;verbosity=detailed" `
            --results-directory ./TestResults
          # Extract hashes for comparison
          $verdictHash = Get-Content -Path ./TestResults/verdict_hash.txt -ErrorAction SilentlyContinue
          $manifestHash = Get-Content -Path ./TestResults/manifest_hash.txt -ErrorAction SilentlyContinue
          $envelopeHash = Get-Content -Path ./TestResults/envelope_hash.txt -ErrorAction SilentlyContinue
          "verdict_hash=$($verdictHash ?? 'NOT_FOUND')" >> $env:GITHUB_OUTPUT
          "manifest_hash=$($manifestHash ?? 'NOT_FOUND')" >> $env:GITHUB_OUTPUT
          "envelope_hash=$($envelopeHash ?? 'NOT_FOUND')" >> $env:GITHUB_OUTPUT
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: e2e-results-windows
          path: ./TestResults/
          retention-days: 14
      - name: Upload hash artifacts
        uses: actions/upload-artifact@v4
        with:
          name: hashes-windows
          path: |
            ./TestResults/verdict_hash.txt
            ./TestResults/manifest_hash.txt
            ./TestResults/envelope_hash.txt
          retention-days: 14
  # =============================================================================
  # Job: Run E2E tests on macOS (conditional)
  # =============================================================================
  reproducibility-macos:
    name: E2E Reproducibility (macOS)
    runs-on: macos-latest
    if: github.event_name == 'schedule' || github.event.inputs.run_cross_platform == 'true'
    outputs:
      verdict_hash: ${{ steps.run-tests.outputs.verdict_hash }}
      manifest_hash: ${{ steps.run-tests.outputs.manifest_hash }}
      envelope_hash: ${{ steps.run-tests.outputs.envelope_hash }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj
      - name: Build E2E tests
        run: dotnet build src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj --no-restore -c Release
      - name: Run E2E reproducibility tests
        id: run-tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.E2E/StellaOps.Integration.E2E.csproj \
            --no-build \
            -c Release \
            --logger "trx;LogFileName=e2e-results.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./TestResults
          # Extract hashes for comparison
          echo "verdict_hash=$(cat ./TestResults/verdict_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
          echo "manifest_hash=$(cat ./TestResults/manifest_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
          echo "envelope_hash=$(cat ./TestResults/envelope_hash.txt 2>/dev/null || echo 'NOT_FOUND')" >> $GITHUB_OUTPUT
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: e2e-results-macos
          path: ./TestResults/
          retention-days: 14
      - name: Upload hash artifacts
        uses: actions/upload-artifact@v4
        with:
          name: hashes-macos
          path: |
            ./TestResults/verdict_hash.txt
            ./TestResults/manifest_hash.txt
            ./TestResults/envelope_hash.txt
          retention-days: 14
  # =============================================================================
  # Job: Cross-platform hash comparison
  # =============================================================================
  cross-platform-compare:
    name: Cross-Platform Hash Comparison
    runs-on: ubuntu-latest
    needs: [reproducibility-ubuntu, reproducibility-windows, reproducibility-macos]
    if: always() && (github.event_name == 'schedule' || github.event.inputs.run_cross_platform == 'true')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download Ubuntu hashes
        uses: actions/download-artifact@v4
        with:
          name: hashes-ubuntu
          path: ./hashes/ubuntu
      - name: Download Windows hashes
        uses: actions/download-artifact@v4
        with:
          name: hashes-windows
          path: ./hashes/windows
        continue-on-error: true
      - name: Download macOS hashes
        uses: actions/download-artifact@v4
        with:
          name: hashes-macos
          path: ./hashes/macos
        continue-on-error: true
      - name: Compare hashes across platforms
        run: |
          echo "=== Cross-Platform Hash Comparison ==="
          echo ""
          ubuntu_verdict=$(cat ./hashes/ubuntu/verdict_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          windows_verdict=$(cat ./hashes/windows/verdict_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          macos_verdict=$(cat ./hashes/macos/verdict_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          echo "Verdict Hashes:"
          echo "  Ubuntu:  $ubuntu_verdict"
          echo "  Windows: $windows_verdict"
          echo "  macOS:   $macos_verdict"
          echo ""
          ubuntu_manifest=$(cat ./hashes/ubuntu/manifest_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          windows_manifest=$(cat ./hashes/windows/manifest_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          macos_manifest=$(cat ./hashes/macos/manifest_hash.txt 2>/dev/null || echo "NOT_AVAILABLE")
          echo "Manifest Hashes:"
          echo "  Ubuntu:  $ubuntu_manifest"
          echo "  Windows: $windows_manifest"
          echo "  macOS:   $macos_manifest"
          echo ""
          # Check if all available hashes match
          all_match=true
          if [ "$ubuntu_verdict" != "NOT_AVAILABLE" ] && [ "$windows_verdict" != "NOT_AVAILABLE" ]; then
            if [ "$ubuntu_verdict" != "$windows_verdict" ]; then
              echo "❌ FAIL: Ubuntu and Windows verdict hashes differ!"
              all_match=false
            fi
          fi
          if [ "$ubuntu_verdict" != "NOT_AVAILABLE" ] && [ "$macos_verdict" != "NOT_AVAILABLE" ]; then
            if [ "$ubuntu_verdict" != "$macos_verdict" ]; then
              echo "❌ FAIL: Ubuntu and macOS verdict hashes differ!"
              all_match=false
            fi
          fi
          if [ "$all_match" = true ]; then
            echo "✅ All available platform hashes match!"
          else
            echo ""
            echo "Cross-platform reproducibility verification FAILED."
            exit 1
          fi
      - name: Create comparison report
        run: |
          cat > ./cross-platform-report.md << 'EOF'
          # Cross-Platform Reproducibility Report
          ## Test Run Information
          - **Workflow Run:** ${{ github.run_id }}
          - **Trigger:** ${{ github.event_name }}
          - **Commit:** ${{ github.sha }}
          - **Branch:** ${{ github.ref_name }}
          ## Hash Comparison
          | Platform | Verdict Hash | Manifest Hash | Status |
          |----------|--------------|---------------|--------|
          | Ubuntu | ${{ needs.reproducibility-ubuntu.outputs.verdict_hash }} | ${{ needs.reproducibility-ubuntu.outputs.manifest_hash }} | ✅ |
          | Windows | ${{ needs.reproducibility-windows.outputs.verdict_hash }} | ${{ needs.reproducibility-windows.outputs.manifest_hash }} | ${{ needs.reproducibility-windows.result == 'success' && '✅' || '⚠️' }} |
          | macOS | ${{ needs.reproducibility-macos.outputs.verdict_hash }} | ${{ needs.reproducibility-macos.outputs.manifest_hash }} | ${{ needs.reproducibility-macos.result == 'success' && '✅' || '⚠️' }} |
          ## Conclusion
          Cross-platform reproducibility: **${{ job.status == 'success' && 'VERIFIED' || 'NEEDS REVIEW' }}**
          EOF
          cat ./cross-platform-report.md
      - name: Upload comparison report
        uses: actions/upload-artifact@v4
        with:
          name: cross-platform-report
          path: ./cross-platform-report.md
          retention-days: 30
  # =============================================================================
  # Job: Golden baseline comparison
  # =============================================================================
  golden-baseline:
    name: Golden Baseline Verification
    runs-on: ubuntu-latest
    needs: [reproducibility-ubuntu]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Download current hashes
        uses: actions/download-artifact@v4
        with:
          name: hashes-ubuntu
          path: ./current
      - name: Compare with golden baseline
        run: |
          echo "=== Golden Baseline Comparison ==="
          baseline_file="./src/__Tests/__Benchmarks/determinism/golden-baseline/e2e-hashes.json"
          if [ ! -f "$baseline_file" ]; then
            echo "⚠️ Golden baseline not found. Skipping comparison."
            echo "To create baseline, run with update_baseline=true"
            exit 0
          fi
          current_verdict=$(cat ./current/verdict_hash.txt 2>/dev/null || echo "NOT_FOUND")
          baseline_verdict=$(jq -r '.verdict_hash' "$baseline_file" 2>/dev/null || echo "NOT_FOUND")
          echo "Current verdict hash:  $current_verdict"
          echo "Baseline verdict hash: $baseline_verdict"
          if [ "$current_verdict" != "$baseline_verdict" ]; then
            echo ""
            echo "❌ FAIL: Current run does not match golden baseline!"
            echo ""
            echo "This may indicate:"
            echo "  1. An intentional change requiring baseline update"
            echo "  2. An unintentional regression in reproducibility"
            echo ""
            echo "To update baseline, run workflow with update_baseline=true"
            exit 1
          fi
          echo ""
          echo "✅ Current run matches golden baseline!"
      - name: Update golden baseline (if requested)
        if: github.event.inputs.update_baseline == 'true'
        run: |
          mkdir -p ./src/__Tests/__Benchmarks/determinism/golden-baseline
          cat > ./src/__Tests/__Benchmarks/determinism/golden-baseline/e2e-hashes.json << EOF
          {
            "verdict_hash": "$(cat ./current/verdict_hash.txt 2>/dev/null || echo 'NOT_SET')",
            "manifest_hash": "$(cat ./current/manifest_hash.txt 2>/dev/null || echo 'NOT_SET')",
            "envelope_hash": "$(cat ./current/envelope_hash.txt 2>/dev/null || echo 'NOT_SET')",
            "updated_at": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
            "updated_by": "${{ github.actor }}",
            "commit": "${{ github.sha }}"
          }
          EOF
          echo "Golden baseline updated:"
          cat ./src/__Tests/__Benchmarks/determinism/golden-baseline/e2e-hashes.json
      - name: Commit baseline update
        if: github.event.inputs.update_baseline == 'true'
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "chore: Update E2E reproducibility golden baseline"
          file_pattern: src/__Tests/__Benchmarks/determinism/golden-baseline/e2e-hashes.json
  # =============================================================================
  # Job: Status check gate
  # =============================================================================
  reproducibility-gate:
    name: Reproducibility Gate
    runs-on: ubuntu-latest
    needs: [reproducibility-ubuntu, golden-baseline]
    if: always()
    steps:
      - name: Check reproducibility status
        run: |
          ubuntu_status="${{ needs.reproducibility-ubuntu.result }}"
          baseline_status="${{ needs.golden-baseline.result }}"
          echo "Ubuntu E2E tests: $ubuntu_status"
          echo "Golden baseline:  $baseline_status"
          if [ "$ubuntu_status" != "success" ]; then
            echo "❌ E2E reproducibility tests failed!"
            exit 1
          fi
          if [ "$baseline_status" == "failure" ]; then
            echo "⚠️ Golden baseline comparison failed (may require review)"
            # Don't fail the gate for baseline mismatch - it may be intentional
          fi
          echo "✅ Reproducibility gate passed!"
--- a/.gitea/workflows/epss-ingest-perf.yml
+++ b/.gitea/workflows/epss-ingest-perf.yml
@@ -0,0 +1,98 @@
 name: EPSS Ingest Perf
 # Sprint: SPRINT_3410_0001_0001_epss_ingestion_storage
 # Tasks: EPSS-3410-013B, EPSS-3410-014
 #
 # Runs the EPSS ingest perf harness against a Dockerized PostgreSQL instance (Testcontainers).
 #
 # Runner requirements:
 # - Linux runner with Docker Engine available to the runner user (Testcontainers).
 # - Label: `ubuntu-22.04` (adjust `runs-on` if your labels differ).
 # - >= 4 CPU / >= 8GB RAM recommended for stable baselines.
 on:
  workflow_dispatch:
    inputs:
      rows:
        description: 'Row count to generate (default: 310000)'
        required: false
        default: '310000'
      postgres_image:
        description: 'PostgreSQL image (default: postgres:16-alpine)'
        required: false
        default: 'postgres:16-alpine'
  schedule:
    # Nightly at 03:00 UTC
    - cron: '0 3 * * *'
  pull_request:
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
      - 'src/Scanner/StellaOps.Scanner.Worker/**'
      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
      - '.gitea/workflows/epss-ingest-perf.yml'
  push:
    branches: [ main ]
    paths:
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Storage/**'
      - 'src/Scanner/StellaOps.Scanner.Worker/**'
      - 'src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/**'
      - '.gitea/workflows/epss-ingest-perf.yml'
 jobs:
  perf:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
      STELLAOPS_OFFLINE: 'true'
      STELLAOPS_DETERMINISTIC: 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Restore
        run: |
          dotnet restore src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            --configfile nuget.config
      - name: Build
        run: |
          dotnet build src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            -c Release \
            --no-restore
      - name: Run perf harness
        run: |
          mkdir -p bench/results
          dotnet run \
            --project src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/StellaOps.Scanner.Storage.Epss.Perf.csproj \
            -c Release \
            --no-build \
            -- \
            --rows ${{ inputs.rows || '310000' }} \
            --postgres-image '${{ inputs.postgres_image || 'postgres:16-alpine' }}' \
            --output bench/results/epss-ingest-perf-${{ github.sha }}.json
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: epss-ingest-perf-${{ github.sha }}
          path: |
            bench/results/epss-ingest-perf-${{ github.sha }}.json
          retention-days: 90
--- a/.gitea/workflows/exporter-ci.yml
+++ b/.gitea/workflows/exporter-ci.yml
@@ -0,0 +1,46 @@
 name: exporter-ci
 on:
  workflow_dispatch:
  pull_request:
    paths:
      - 'src/ExportCenter/**'
      - '.gitea/workflows/exporter-ci.yml'
 env:
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  DOTNET_NOLOGO: 1
 jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'
      - name: Restore
        run: dotnet restore src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj
      - name: Build
        run: dotnet build src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj --configuration Release --no-restore
      - name: Test
        run: dotnet test src/ExportCenter/__Tests/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj --configuration Release --no-build --verbosity normal
      - name: Publish
        run: |
          dotnet publish src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj \
            --configuration Release \
            --output artifacts/exporter
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: exporter-${{ github.run_id }}
          path: artifacts/
          retention-days: 14
--- a/.gitea/workflows/integration-tests-gate.yml
+++ b/.gitea/workflows/integration-tests-gate.yml
@@ -0,0 +1,375 @@
 # Sprint 3500.0004.0003 - T6: Integration Tests CI Gate
 # Runs integration tests on PR and gates merges on failures
 name: integration-tests-gate
 on:
  pull_request:
    branches: [main, develop]
    paths:
      - 'src/**'
      - 'src/__Tests/Integration/**'
      - 'src/__Tests/__Benchmarks/golden-corpus/**'
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      run_performance:
        description: 'Run performance baseline tests'
        type: boolean
        default: false
      run_airgap:
        description: 'Run air-gap tests'
        type: boolean
        default: false
 concurrency:
  group: integration-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  # ==========================================================================
  # T6-AC1: Integration tests run on PR
  # ==========================================================================
  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test-only
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Restore dependencies
        run: dotnet restore src/__Tests/Integration/**/*.csproj
      - name: Build integration tests
        run: dotnet build src/__Tests/Integration/**/*.csproj --configuration Release --no-restore
      - name: Run Proof Chain Tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.ProofChain \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=proofchain.trx" \
            --results-directory ./TestResults
        env:
          ConnectionStrings__StellaOps: "Host=localhost;Database=stellaops_test;Username=stellaops;Password=test-only"
      - name: Run Reachability Tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Reachability \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=reachability.trx" \
            --results-directory ./TestResults
      - name: Run Unknowns Workflow Tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Unknowns \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=unknowns.trx" \
            --results-directory ./TestResults
      - name: Run Determinism Tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Determinism \
            --configuration Release \
            --no-build \
            --logger "trx;LogFileName=determinism.trx" \
            --results-directory ./TestResults
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: integration-test-results
          path: TestResults/**/*.trx
      - name: Publish test summary
        uses: dorny/test-reporter@v1
        if: always()
        with:
          name: Integration Test Results
          path: TestResults/**/*.trx
          reporter: dotnet-trx
  # ==========================================================================
  # T6-AC2: Corpus validation on release branch
  # ==========================================================================
  corpus-validation:
    name: Golden Corpus Validation
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Validate corpus manifest
        run: |
          python3 -c "
          import json
          import hashlib
          import os
          manifest_path = 'src/__Tests/__Benchmarks/golden-corpus/corpus-manifest.json'
          with open(manifest_path) as f:
              manifest = json.load(f)
          print(f'Corpus version: {manifest.get(\"corpus_version\", \"unknown\")}')
          print(f'Total cases: {manifest.get(\"total_cases\", 0)}')
          errors = []
          for case in manifest.get('cases', []):
              case_path = os.path.join('src/__Tests/__Benchmarks/golden-corpus', case['path'])
              if not os.path.isdir(case_path):
                  errors.append(f'Missing case directory: {case_path}')
              else:
                  required_files = ['case.json', 'expected-score.json']
                  for f in required_files:
                      if not os.path.exists(os.path.join(case_path, f)):
                          errors.append(f'Missing file: {case_path}/{f}')
          if errors:
              print('\\nValidation errors:')
              for e in errors:
                  print(f'  - {e}')
              exit(1)
          else:
              print('\\nCorpus validation passed!')
          "
      - name: Run corpus scoring tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Determinism \
            --filter "Category=GoldenCorpus" \
            --configuration Release \
            --logger "trx;LogFileName=corpus.trx" \
            --results-directory ./TestResults
  # ==========================================================================
  # T6-AC3: Determinism tests on nightly
  # ==========================================================================
  nightly-determinism:
    name: Nightly Determinism Check
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run full determinism suite
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Determinism \
            --configuration Release \
            --logger "trx;LogFileName=determinism-full.trx" \
            --results-directory ./TestResults
      - name: Run cross-run determinism check
        run: |
          # Run scoring 3 times and compare hashes
          for i in 1 2 3; do
            dotnet test src/__Tests/Integration/StellaOps.Integration.Determinism \
              --filter "FullyQualifiedName~IdenticalInput_ProducesIdenticalHash" \
              --results-directory ./TestResults/run-$i
          done
          # Compare all results
          echo "Comparing determinism across runs..."
      - name: Upload determinism results
        uses: actions/upload-artifact@v4
        with:
          name: nightly-determinism-results
          path: TestResults/**
  # ==========================================================================
  # T6-AC4: Test coverage reported to dashboard
  # ==========================================================================
  coverage-report:
    name: Coverage Report
    runs-on: ubuntu-latest
    needs: [integration-tests]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run tests with coverage
        run: |
          dotnet test src/__Tests/Integration/**/*.csproj \
            --configuration Release \
            --collect:"XPlat Code Coverage" \
            --results-directory ./TestResults/Coverage
      - name: Generate coverage report
        uses: danielpalme/ReportGenerator-GitHub-Action@5.2.0
        with:
          reports: TestResults/Coverage/**/coverage.cobertura.xml
          targetdir: TestResults/CoverageReport
          reporttypes: 'Html;Cobertura;MarkdownSummary'
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: TestResults/CoverageReport/**
      - name: Add coverage to PR comment
        uses: marocchino/sticky-pull-request-comment@v2
        if: github.event_name == 'pull_request'
        with:
          recreate: true
          path: TestResults/CoverageReport/Summary.md
  # ==========================================================================
  # T6-AC5: Flaky test quarantine process
  # ==========================================================================
  flaky-test-check:
    name: Flaky Test Detection
    runs-on: ubuntu-latest
    needs: [integration-tests]
    if: failure()
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check for known flaky tests
        run: |
          # Check if failure is from a known flaky test
          QUARANTINE_FILE=".github/flaky-tests-quarantine.json"
          if [ -f "$QUARANTINE_FILE" ]; then
            echo "Checking against quarantine list..."
            # Implementation would compare failed tests against quarantine
          fi
      - name: Create flaky test issue
        uses: actions/github-script@v7
        if: always()
        with:
          script: |
            // After 2 consecutive failures, create issue for quarantine review
            console.log('Checking for flaky test patterns...');
            // Implementation would analyze test history
  # ==========================================================================
  # Performance Tests (optional, on demand)
  # ==========================================================================
  performance-tests:
    name: Performance Baseline Tests
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true'
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run performance tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.Performance \
            --configuration Release \
            --logger "trx;LogFileName=performance.trx" \
            --results-directory ./TestResults
      - name: Upload performance report
        uses: actions/upload-artifact@v4
        with:
          name: performance-report
          path: |
            TestResults/**
            src/__Tests/Integration/StellaOps.Integration.Performance/output/**
      - name: Check for regressions
        run: |
          # Check if any test exceeded 20% threshold
          if [ -f "src/__Tests/Integration/StellaOps.Integration.Performance/output/performance-report.json" ]; then
            python3 -c "
          import json
          with open('src/__Tests/Integration/StellaOps.Integration.Performance/output/performance-report.json') as f:
              report = json.load(f)
          regressions = [m for m in report.get('Metrics', []) if m.get('DeltaPercent', 0) > 20]
          if regressions:
              print('Performance regressions detected!')
              for r in regressions:
                  print(f'  {r[\"Name\"]}: +{r[\"DeltaPercent\"]:.1f}%')
              exit(1)
          print('No performance regressions detected.')
          "
          fi
  # ==========================================================================
  # Air-Gap Tests (optional, on demand)
  # ==========================================================================
  airgap-tests:
    name: Air-Gap Integration Tests
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_airgap == 'true'
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "10.0.100"
      - name: Run air-gap tests
        run: |
          dotnet test src/__Tests/Integration/StellaOps.Integration.AirGap \
            --configuration Release \
            --logger "trx;LogFileName=airgap.trx" \
            --results-directory ./TestResults
      - name: Upload air-gap test results
        uses: actions/upload-artifact@v4
        with:
          name: airgap-test-results
          path: TestResults/**
--- a/.gitea/workflows/interop-e2e.yml
+++ b/.gitea/workflows/interop-e2e.yml
@@ -0,0 +1,128 @@
 name: Interop E2E Tests
 on:
  pull_request:
    paths:
      - 'src/Scanner/**'
      - 'src/Excititor/**'
      - 'src/__Tests/interop/**'
  schedule:
    - cron: '0 6 * * *'  # Nightly at 6 AM UTC
  workflow_dispatch:
 env:
  DOTNET_VERSION: '10.0.100'
 jobs:
  interop-tests:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        format: [cyclonedx, spdx]
        arch: [amd64]
        include:
          - format: cyclonedx
            format_flag: cyclonedx-json
          - format: spdx
            format_flag: spdx-json
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
          syft --version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
          grype --version
      - name: Install cosign
        run: |
          curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign
          chmod +x /usr/local/bin/cosign
          cosign version
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Restore dependencies
        run: dotnet restore src/StellaOps.sln
      - name: Build Stella CLI
        run: dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -c Release
      - name: Build interop tests
        run: dotnet build src/__Tests/interop/StellaOps.Interop.Tests/StellaOps.Interop.Tests.csproj
      - name: Run interop tests
        run: |
          dotnet test src/__Tests/interop/StellaOps.Interop.Tests \
            --filter "Format=${{ matrix.format }}" \
            --logger "trx;LogFileName=interop-${{ matrix.format }}.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./results \
            -- RunConfiguration.TestSessionTimeout=900000
      - name: Generate parity report
        if: always()
        run: |
          # TODO: Generate parity report from test results
          echo '{"format": "${{ matrix.format }}", "parityPercent": 0}' > ./results/parity-report-${{ matrix.format }}.json
      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: interop-test-results-${{ matrix.format }}
          path: ./results/
      - name: Check parity threshold
        if: always()
        run: |
          PARITY=$(jq '.parityPercent' ./results/parity-report-${{ matrix.format }}.json 2>/dev/null || echo "0")
          echo "Parity for ${{ matrix.format }}: ${PARITY}%"
          if (( $(echo "$PARITY < 95" | bc -l 2>/dev/null || echo "1") )); then
            echo "::warning::Findings parity ${PARITY}% is below 95% threshold for ${{ matrix.format }}"
            # Don't fail the build yet - this is initial implementation
            # exit 1
          fi
  summary:
    runs-on: ubuntu-22.04
    needs: interop-tests
    if: always()
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: ./all-results
      - name: Generate summary
        run: |
          echo "## Interop Test Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Format | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|--------|--------|" >> $GITHUB_STEP_SUMMARY
          for format in cyclonedx spdx; do
            if [ -f "./all-results/interop-test-results-${format}/parity-report-${format}.json" ]; then
              PARITY=$(jq -r '.parityPercent // 0' "./all-results/interop-test-results-${format}/parity-report-${format}.json")
              if (( $(echo "$PARITY >= 95" | bc -l 2>/dev/null || echo "0") )); then
                STATUS="✅ Pass (${PARITY}%)"
              else
                STATUS="⚠️  Below threshold (${PARITY}%)"
              fi
            else
              STATUS="❌ No results"
            fi
            echo "| ${format} | ${STATUS} |" >> $GITHUB_STEP_SUMMARY
          done
--- a/.gitea/workflows/ledger-oas-ci.yml
+++ b/.gitea/workflows/ledger-oas-ci.yml
@@ -0,0 +1,81 @@
 name: Ledger OpenAPI CI
 on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - 'api/ledger/**'
      - 'ops/devops/ledger/**'
  pull_request:
    paths:
      - 'api/ledger/**'
 jobs:
  validate-oas:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install tools
        run: |
          npm install -g @stoplight/spectral-cli
          npm install -g @openapitools/openapi-generator-cli
      - name: Validate OpenAPI spec
        run: |
          chmod +x ops/devops/ledger/validate-oas.sh
          ops/devops/ledger/validate-oas.sh
      - name: Upload validation report
        uses: actions/upload-artifact@v4
        with:
          name: ledger-oas-validation-${{ github.run_number }}
          path: |
            out/ledger/oas/lint-report.json
            out/ledger/oas/validation-report.txt
            out/ledger/oas/spec-summary.json
          if-no-files-found: warn
  check-wellknown:
    runs-on: ubuntu-22.04
    needs: validate-oas
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check .well-known/openapi structure
        run: |
          # Validate .well-known structure if exists
          if [ -d ".well-known" ]; then
            echo "Checking .well-known/openapi..."
            if [ -f ".well-known/openapi.json" ]; then
              python3 -c "import json; json.load(open('.well-known/openapi.json'))"
              echo ".well-known/openapi.json is valid JSON"
            fi
          else
            echo "[info] .well-known directory not present (OK for dev)"
          fi
  deprecation-check:
    runs-on: ubuntu-22.04
    needs: validate-oas
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check deprecation policy
        run: |
          if [ -f "ops/devops/ledger/deprecation-policy.yaml" ]; then
            echo "Validating deprecation policy..."
            python3 -c "import yaml; yaml.safe_load(open('ops/devops/ledger/deprecation-policy.yaml'))"
            echo "Deprecation policy is valid"
          else
            echo "[info] No deprecation policy yet (OK for initial setup)"
          fi
--- a/.gitea/workflows/ledger-packs-ci.yml
+++ b/.gitea/workflows/ledger-packs-ci.yml
@@ -0,0 +1,101 @@
 name: Ledger Packs CI
 on:
  workflow_dispatch:
    inputs:
      snapshot_id:
        description: 'Snapshot ID (leave empty for auto)'
        required: false
        default: ''
      sign:
        description: 'Sign pack (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'ops/devops/ledger/**'
 jobs:
  build-pack:
    runs-on: ubuntu-22.04
    env:
      COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
      - name: Configure signing
        run: |
          if [ -z "${COSIGN_PRIVATE_KEY_B64}" ] || [ "${{ github.event.inputs.sign }}" = "1" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
      - name: Build pack
        run: |
          chmod +x ops/devops/ledger/build-pack.sh
          SNAPSHOT_ID="${{ github.event.inputs.snapshot_id }}"
          if [ -z "$SNAPSHOT_ID" ]; then
            SNAPSHOT_ID="ci-$(date +%Y%m%d%H%M%S)"
          fi
          SIGN_FLAG=""
          if [ "${{ github.event.inputs.sign }}" = "1" ] || [ -n "${COSIGN_PRIVATE_KEY_B64}" ]; then
            SIGN_FLAG="--sign"
          fi
          SNAPSHOT_ID="$SNAPSHOT_ID" ops/devops/ledger/build-pack.sh $SIGN_FLAG
      - name: Verify checksums
        run: |
          cd out/ledger/packs
          for f in *.SHA256SUMS; do
            if [ -f "$f" ]; then
              sha256sum -c "$f"
            fi
          done
      - name: Upload pack
        uses: actions/upload-artifact@v4
        with:
          name: ledger-pack-${{ github.run_number }}
          path: |
            out/ledger/packs/*.pack.tar.gz
            out/ledger/packs/*.SHA256SUMS
            out/ledger/packs/*.dsse.json
          if-no-files-found: warn
          retention-days: 30
  verify-pack:
    runs-on: ubuntu-22.04
    needs: build-pack
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download pack
        uses: actions/download-artifact@v4
        with:
          name: ledger-pack-${{ github.run_number }}
          path: out/ledger/packs/
      - name: Verify pack structure
        run: |
          cd out/ledger/packs
          for pack in *.pack.tar.gz; do
            if [ -f "$pack" ]; then
              echo "Verifying $pack..."
              tar -tzf "$pack" | head -20
              # Extract and check manifest
              tar -xzf "$pack" -C /tmp manifest.json 2>/dev/null || true
              if [ -f /tmp/manifest.json ]; then
                python3 -c "import json; json.load(open('/tmp/manifest.json'))"
                echo "Pack manifest is valid JSON"
              fi
            fi
          done
--- a/.gitea/workflows/lighthouse-ci.yml
+++ b/.gitea/workflows/lighthouse-ci.yml
@@ -0,0 +1,188 @@
 # .gitea/workflows/lighthouse-ci.yml
 # Lighthouse CI for performance and accessibility testing of the StellaOps Web UI
 name: Lighthouse CI
 on:
  push:
    branches: [main]
    paths:
      - 'src/Web/StellaOps.Web/**'
      - '.gitea/workflows/lighthouse-ci.yml'
  pull_request:
    branches: [main, develop]
    paths:
      - 'src/Web/StellaOps.Web/**'
  schedule:
    # Run weekly on Sunday at 2 AM UTC
    - cron: '0 2 * * 0'
  workflow_dispatch:
 env:
  NODE_VERSION: '20'
  LHCI_BUILD_CONTEXT__CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
  LHCI_BUILD_CONTEXT__COMMIT_SHA: ${{ github.sha }}
 jobs:
  lighthouse:
    name: Lighthouse Audit
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: src/Web/StellaOps.Web
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Build production bundle
        run: npm run build -- --configuration production
      - name: Install Lighthouse CI
        run: npm install -g @lhci/cli@0.13.x
      - name: Run Lighthouse CI
        run: |
          lhci autorun \
            --collect.staticDistDir=./dist/stella-ops-web/browser \
            --collect.numberOfRuns=3 \
            --assert.preset=lighthouse:recommended \
            --assert.assertions.categories:performance=off \
            --assert.assertions.categories:accessibility=off \
            --upload.target=filesystem \
            --upload.outputDir=./lighthouse-results
      - name: Evaluate Lighthouse Results
        id: lhci-results
        run: |
          # Parse the latest Lighthouse report
          REPORT=$(ls -t lighthouse-results/*.json | head -1)
          if [ -f "$REPORT" ]; then
            PERF=$(jq '.categories.performance.score * 100' "$REPORT" | cut -d. -f1)
            A11Y=$(jq '.categories.accessibility.score * 100' "$REPORT" | cut -d. -f1)
            BP=$(jq '.categories["best-practices"].score * 100' "$REPORT" | cut -d. -f1)
            SEO=$(jq '.categories.seo.score * 100' "$REPORT" | cut -d. -f1)
            echo "performance=$PERF" >> $GITHUB_OUTPUT
            echo "accessibility=$A11Y" >> $GITHUB_OUTPUT
            echo "best-practices=$BP" >> $GITHUB_OUTPUT
            echo "seo=$SEO" >> $GITHUB_OUTPUT
            echo "## Lighthouse Results" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "| Category | Score | Threshold | Status |" >> $GITHUB_STEP_SUMMARY
            echo "|----------|-------|-----------|--------|" >> $GITHUB_STEP_SUMMARY
            # Performance: target >= 90
            if [ "$PERF" -ge 90 ]; then
              echo "| Performance | $PERF | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Performance | $PERF | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
            # Accessibility: target >= 95
            if [ "$A11Y" -ge 95 ]; then
              echo "| Accessibility | $A11Y | >= 95 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Accessibility | $A11Y | >= 95 | :x: |" >> $GITHUB_STEP_SUMMARY
            fi
            # Best Practices: target >= 90
            if [ "$BP" -ge 90 ]; then
              echo "| Best Practices | $BP | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| Best Practices | $BP | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
            # SEO: target >= 90
            if [ "$SEO" -ge 90 ]; then
              echo "| SEO | $SEO | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
            else
              echo "| SEO | $SEO | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
            fi
          fi
      - name: Check Quality Gates
        run: |
          PERF=${{ steps.lhci-results.outputs.performance }}
          A11Y=${{ steps.lhci-results.outputs.accessibility }}
          FAILED=0
          # Performance gate (warning only, not blocking)
          if [ "$PERF" -lt 90 ]; then
            echo "::warning::Performance score ($PERF) is below target (90)"
          fi
          # Accessibility gate (blocking)
          if [ "$A11Y" -lt 95 ]; then
            echo "::error::Accessibility score ($A11Y) is below required threshold (95)"
            FAILED=1
          fi
          if [ "$FAILED" -eq 1 ]; then
            exit 1
          fi
      - name: Upload Lighthouse Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: lighthouse-reports
          path: src/Web/StellaOps.Web/lighthouse-results/
          retention-days: 30
  axe-accessibility:
    name: Axe Accessibility Audit
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: src/Web/StellaOps.Web
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Install Playwright browsers
        run: npx playwright install --with-deps chromium
      - name: Build production bundle
        run: npm run build -- --configuration production
      - name: Start preview server
        run: |
          npx serve -s dist/stella-ops-web/browser -l 4200 &
          sleep 5
      - name: Run Axe accessibility tests
        run: |
          npm run test:a11y || true
      - name: Upload Axe results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: axe-accessibility-results
          path: src/Web/StellaOps.Web/test-results/
          retention-days: 30
--- a/.gitea/workflows/lnm-migration-ci.yml
+++ b/.gitea/workflows/lnm-migration-ci.yml
@@ -0,0 +1,83 @@
 name: LNM Migration CI
 on:
  workflow_dispatch:
    inputs:
      run_staging:
        description: 'Run staging backfill (1=yes)'
        required: false
        default: '0'
  push:
    branches: [main]
    paths:
      - 'src/Concelier/__Libraries/StellaOps.Concelier.Migrations/**'
      - 'ops/devops/lnm/**'
 jobs:
  build-runner:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Setup cosign
        uses: sigstore/cosign-installer@v3
      - name: Configure signing
        run: |
          if [ -z "${{ secrets.COSIGN_PRIVATE_KEY_B64 }}" ]; then
            echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
            echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
          fi
        env:
          COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
      - name: Build and package runner
        run: |
          chmod +x ops/devops/lnm/package-runner.sh
          ops/devops/lnm/package-runner.sh
      - name: Verify checksums
        run: |
          cd out/lnm
          sha256sum -c SHA256SUMS
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: lnm-migration-runner-${{ github.run_number }}
          path: |
            out/lnm/lnm-migration-runner.tar.gz
            out/lnm/lnm-migration-runner.manifest.json
            out/lnm/lnm-migration-runner.dsse.json
            out/lnm/SHA256SUMS
          if-no-files-found: warn
  validate-metrics:
    runs-on: ubuntu-22.04
    needs: build-runner
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate monitoring config
        run: |
          # Validate alert rules syntax
          if [ -f "ops/devops/lnm/alerts/lnm-alerts.yaml" ]; then
            echo "Validating alert rules..."
            python3 -c "import yaml; yaml.safe_load(open('ops/devops/lnm/alerts/lnm-alerts.yaml'))"
          fi
          # Validate dashboard JSON
          if [ -f "ops/devops/lnm/dashboards/lnm-migration.json" ]; then
            echo "Validating dashboard..."
            python3 -c "import json; json.load(open('ops/devops/lnm/dashboards/lnm-migration.json'))"
          fi
          echo "Monitoring config validation complete"
--- a/.gitea/workflows/offline-e2e.yml
+++ b/.gitea/workflows/offline-e2e.yml
@@ -0,0 +1,121 @@
 name: Offline E2E Tests
 on:
  pull_request:
    paths:
      - 'src/AirGap/**'
      - 'src/Scanner/**'
      - 'src/__Tests/offline/**'
  schedule:
    - cron: '0 4 * * *'  # Nightly at 4 AM UTC
  workflow_dispatch:
 env:
  STELLAOPS_OFFLINE_MODE: 'true'
  DOTNET_VERSION: '10.0.100'
 jobs:
  offline-e2e:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Cache NuGet packages
        uses: actions/cache@v3
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Download offline bundle
        run: |
          # In real scenario, bundle would be pre-built and cached
          # For now, create minimal fixture structure
          mkdir -p ./offline-bundle/{images,feeds,policies,keys,certs,vex}
          echo '{}' > ./offline-bundle/manifest.json
      - name: Build in isolated environment
        run: |
          # Build offline test library
          dotnet build src/__Libraries/StellaOps.Testing.AirGap/StellaOps.Testing.AirGap.csproj
          # Build offline E2E tests
          dotnet build src/__Tests/offline/StellaOps.Offline.E2E.Tests/StellaOps.Offline.E2E.Tests.csproj
      - name: Run offline E2E tests with network isolation
        run: |
          # Set offline bundle path
          export STELLAOPS_OFFLINE_BUNDLE=$(pwd)/offline-bundle
          # Run tests
          dotnet test src/__Tests/offline/StellaOps.Offline.E2E.Tests \
            --logger "trx;LogFileName=offline-e2e.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory ./results
      - name: Verify no network calls
        if: always()
        run: |
          # Parse test output for any NetworkIsolationViolationException
          if [ -f "./results/offline-e2e.trx" ]; then
            if grep -q "NetworkIsolationViolation" ./results/offline-e2e.trx; then
              echo "::error::Tests attempted network calls in offline mode!"
              exit 1
            else
              echo "✅ No network isolation violations detected"
            fi
          fi
      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: offline-e2e-results
          path: ./results/
  verify-isolation:
    runs-on: ubuntu-22.04
    needs: offline-e2e
    if: always()
    steps:
      - name: Download results
        uses: actions/download-artifact@v4
        with:
          name: offline-e2e-results
          path: ./results
      - name: Generate summary
        run: |
          echo "## Offline E2E Test Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ -f "./results/offline-e2e.trx" ]; then
            # Parse test results
            TOTAL=$(grep -o 'total="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            PASSED=$(grep -o 'passed="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            FAILED=$(grep -o 'failed="[0-9]*"' ./results/offline-e2e.trx | cut -d'"' -f2 || echo "0")
            echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY
            echo "|--------|-------|" >> $GITHUB_STEP_SUMMARY
            echo "| Total Tests | ${TOTAL} |" >> $GITHUB_STEP_SUMMARY
            echo "| Passed | ${PASSED} |" >> $GITHUB_STEP_SUMMARY
            echo "| Failed | ${FAILED} |" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            if grep -q "NetworkIsolationViolation" ./results/offline-e2e.trx; then
              echo "❌ **Network isolation was violated**" >> $GITHUB_STEP_SUMMARY
            else
              echo "✅ **Network isolation verified - no egress detected**" >> $GITHUB_STEP_SUMMARY
            fi
          else
            echo "⚠️ No test results found" >> $GITHUB_STEP_SUMMARY
          fi
--- a/.gitea/workflows/parity-tests.yml
+++ b/.gitea/workflows/parity-tests.yml
@@ -0,0 +1,186 @@
 name: Parity Tests
 # Parity testing workflow: compares StellaOps against competitor scanners
 # (Syft, Grype, Trivy) on a standardized fixture set.
 #
 # Schedule: Nightly at 02:00 UTC; Weekly full run on Sunday 00:00 UTC
 # NOT a PR gate - too slow and has external dependencies
 on:
  schedule:
    # Nightly at 02:00 UTC (quick fixture set)
    - cron: '0 2 * * *'
    # Weekly on Sunday at 00:00 UTC (full fixture set)
    - cron: '0 0 * * 0'
  workflow_dispatch:
    inputs:
      fixture_set:
        description: 'Fixture set to use'
        required: false
        default: 'quick'
        type: choice
        options:
          - quick
          - full
      enable_drift_detection:
        description: 'Enable drift detection analysis'
        required: false
        default: 'true'
        type: boolean
 env:
  DOTNET_VERSION: '10.0.x'
  SYFT_VERSION: '1.9.0'
  GRYPE_VERSION: '0.79.3'
  TRIVY_VERSION: '0.54.1'
  PARITY_RESULTS_PATH: 'bench/results/parity'
 jobs:
  parity-tests:
    name: Competitor Parity Tests
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.SYFT_VERSION }}
          syft version
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${{ env.GRYPE_VERSION }}
          grype version
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
          trivy --version
      - name: Determine fixture set
        id: fixtures
        run: |
          # Weekly runs use full fixture set
          if [[ "${{ github.event.schedule }}" == "0 0 * * 0" ]]; then
            echo "fixture_set=full" >> $GITHUB_OUTPUT
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo "fixture_set=${{ inputs.fixture_set }}" >> $GITHUB_OUTPUT
          else
            echo "fixture_set=quick" >> $GITHUB_OUTPUT
          fi
      - name: Build parity tests
        run: |
          dotnet build src/__Tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj -c Release
      - name: Run parity tests
        id: parity
        run: |
          mkdir -p ${{ env.PARITY_RESULTS_PATH }}
          RUN_ID=$(date -u +%Y%m%dT%H%M%SZ)
          echo "run_id=${RUN_ID}" >> $GITHUB_OUTPUT
          dotnet test src/__Tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=parity-results.trx" \
            --results-directory ${{ env.PARITY_RESULTS_PATH }} \
            -e PARITY_FIXTURE_SET=${{ steps.fixtures.outputs.fixture_set }} \
            -e PARITY_RUN_ID=${RUN_ID} \
            -e PARITY_OUTPUT_PATH=${{ env.PARITY_RESULTS_PATH }} \
            || true  # Don't fail workflow on test failures
      - name: Store parity results
        run: |
          # Copy JSON results to time-series storage
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json" ]; then
            echo "Parity results stored successfully"
            cat ${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json | jq .
          else
            echo "Warning: No parity results file found"
          fi
      - name: Run drift detection
        if: ${{ github.event_name != 'workflow_dispatch' || inputs.enable_drift_detection == 'true' }}
        run: |
          # Analyze drift from historical results
          dotnet run --project src/__Tests/parity/StellaOps.Parity.Tests/StellaOps.Parity.Tests.csproj \
            --no-build \
            -- analyze-drift \
            --results-path ${{ env.PARITY_RESULTS_PATH }} \
            --threshold 0.05 \
            --trend-days 3 \
            || true
      - name: Upload parity results
        uses: actions/upload-artifact@v4
        with:
          name: parity-results-${{ steps.parity.outputs.run_id }}
          path: ${{ env.PARITY_RESULTS_PATH }}
          retention-days: 90
      - name: Export Prometheus metrics
        if: ${{ env.PROMETHEUS_PUSH_GATEWAY != '' }}
        env:
          PROMETHEUS_PUSH_GATEWAY: ${{ secrets.PROMETHEUS_PUSH_GATEWAY }}
        run: |
          # Push metrics to Prometheus Push Gateway if configured
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-metrics.txt" ]; then
            curl -X POST \
              -H "Content-Type: text/plain" \
              --data-binary @${{ env.PARITY_RESULTS_PATH }}/parity-metrics.txt \
              "${PROMETHEUS_PUSH_GATEWAY}/metrics/job/parity_tests/instance/${{ steps.parity.outputs.run_id }}"
          fi
      - name: Generate comparison report
        run: |
          echo "## Parity Test Results - ${{ steps.parity.outputs.run_id }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Fixture Set:** ${{ steps.fixtures.outputs.fixture_set }}" >> $GITHUB_STEP_SUMMARY
          echo "**Competitor Versions:**" >> $GITHUB_STEP_SUMMARY
          echo "- Syft: ${{ env.SYFT_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- Grype: ${{ env.GRYPE_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "- Trivy: ${{ env.TRIVY_VERSION }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ -f "${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json" ]; then
            echo "### Metrics Summary" >> $GITHUB_STEP_SUMMARY
            jq -r '
              "| Metric | StellaOps | Grype | Trivy |",
              "|--------|-----------|-------|-------|",
              "| SBOM Packages | \(.sbomMetrics.stellaOpsPackageCount) | \(.sbomMetrics.syftPackageCount) | - |",
              "| Vulnerability Recall | \(.vulnMetrics.recall | . * 100 | round / 100)% | - | - |",
              "| Vulnerability F1 | \(.vulnMetrics.f1Score | . * 100 | round / 100)% | - | - |",
              "| Latency P95 (ms) | \(.latencyMetrics.stellaOpsP95Ms | round) | \(.latencyMetrics.grypeP95Ms | round) | \(.latencyMetrics.trivyP95Ms | round) |"
            ' ${{ env.PARITY_RESULTS_PATH }}/parity-${{ steps.parity.outputs.run_id }}.json >> $GITHUB_STEP_SUMMARY || echo "Could not parse results" >> $GITHUB_STEP_SUMMARY
          fi
      - name: Alert on critical drift
        if: failure()
        uses: slackapi/slack-github-action@v1.25.0
        with:
          payload: |
            {
              "text": "⚠️ Parity test drift detected",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "*Parity Test Alert*\nDrift detected in competitor comparison metrics.\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Results>"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        continue-on-error: true
--- a/.gitea/workflows/policy-lint.yml
+++ b/.gitea/workflows/policy-lint.yml
@@ -43,7 +43,7 @@ jobs:
        with:
          path: |
            ~/.nuget/packages
-            local-nugets/packages
+            .nuget/packages
          key: policy-lint-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore CLI
--- a/.gitea/workflows/policy-simulate.yml
+++ b/.gitea/workflows/policy-simulate.yml
@@ -47,7 +47,7 @@ jobs:
        with:
          path: |
            ~/.nuget/packages
-            local-nugets/packages
+            .nuget/packages
          key: policy-sim-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore CLI
--- a/.gitea/workflows/reachability-bench.yaml
+++ b/.gitea/workflows/reachability-bench.yaml
@@ -0,0 +1,306 @@
 name: Reachability Benchmark
 # Sprint: SPRINT_3500_0003_0001
 # Task: CORPUS-009 - Create Gitea workflow for reachability benchmark
 # Task: CORPUS-010 - Configure nightly + per-PR benchmark runs
 on:
  workflow_dispatch:
    inputs:
      baseline_version:
        description: 'Baseline version to compare against'
        required: false
        default: 'latest'
      verbose:
        description: 'Enable verbose output'
        required: false
        type: boolean
        default: false
  push:
    branches: [ main ]
    paths:
      - 'datasets/reachability/**'
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
      - 'bench/reachability-benchmark/**'
      - '.gitea/workflows/reachability-bench.yaml'
  pull_request:
    paths:
      - 'datasets/reachability/**'
      - 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
      - 'bench/reachability-benchmark/**'
  schedule:
    # Nightly at 02:00 UTC
    - cron: '0 2 * * *'
 jobs:
  benchmark:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
      STELLAOPS_OFFLINE: 'true'
      STELLAOPS_DETERMINISTIC: 'true'
    outputs:
      precision: ${{ steps.metrics.outputs.precision }}
      recall: ${{ steps.metrics.outputs.recall }}
      f1: ${{ steps.metrics.outputs.f1 }}
      pr_auc: ${{ steps.metrics.outputs.pr_auc }}
      regression: ${{ steps.compare.outputs.regression }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-
      - name: Restore benchmark project
        run: |
          dotnet restore src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            --configfile nuget.config
      - name: Build benchmark project
        run: |
          dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            -c Release \
            --no-restore
      - name: Validate corpus integrity
        run: |
          echo "::group::Validating corpus index"
          if [ ! -f datasets/reachability/corpus.json ]; then
            echo "::error::corpus.json not found"
            exit 1
          fi
          python3 -c "import json; data = json.load(open('datasets/reachability/corpus.json')); print(f'Corpus contains {len(data.get(\"samples\", []))} samples')"
          echo "::endgroup::"
      - name: Run benchmark
        id: benchmark
        run: |
          echo "::group::Running reachability benchmark"
          mkdir -p bench/results
          # Run the corpus benchmark
          dotnet run \
            --project src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
            -c Release \
            --no-build \
            -- corpus run \
            --corpus datasets/reachability/corpus.json \
            --output bench/results/benchmark-${{ github.sha }}.json \
            --format json \
            ${{ inputs.verbose == 'true' && '--verbose' || '' }}
          echo "::endgroup::"
      - name: Extract metrics
        id: metrics
        run: |
          echo "::group::Extracting metrics"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          if [ -f "$RESULT_FILE" ]; then
            PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
            RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
            F1=$(jq -r '.metrics.f1 // 0' "$RESULT_FILE")
            PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
            echo "precision=$PRECISION" >> $GITHUB_OUTPUT
            echo "recall=$RECALL" >> $GITHUB_OUTPUT
            echo "f1=$F1" >> $GITHUB_OUTPUT
            echo "pr_auc=$PR_AUC" >> $GITHUB_OUTPUT
            echo "Precision: $PRECISION"
            echo "Recall: $RECALL"
            echo "F1: $F1"
            echo "PR-AUC: $PR_AUC"
          else
            echo "::error::Benchmark result file not found"
            exit 1
          fi
          echo "::endgroup::"
      - name: Get baseline
        id: baseline
        run: |
          echo "::group::Loading baseline"
          BASELINE_VERSION="${{ inputs.baseline_version || 'latest' }}"
          if [ "$BASELINE_VERSION" = "latest" ]; then
            BASELINE_FILE=$(ls -t bench/baselines/*.json 2>/dev/null | head -1)
          else
            BASELINE_FILE="bench/baselines/$BASELINE_VERSION.json"
          fi
          if [ -f "$BASELINE_FILE" ]; then
            echo "baseline_file=$BASELINE_FILE" >> $GITHUB_OUTPUT
            echo "Using baseline: $BASELINE_FILE"
          else
            echo "::warning::No baseline found, skipping comparison"
            echo "baseline_file=" >> $GITHUB_OUTPUT
          fi
          echo "::endgroup::"
      - name: Compare to baseline
        id: compare
        if: steps.baseline.outputs.baseline_file != ''
        run: |
          echo "::group::Comparing to baseline"
          BASELINE_FILE="${{ steps.baseline.outputs.baseline_file }}"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          # Extract baseline metrics
          BASELINE_PRECISION=$(jq -r '.metrics.precision // 0' "$BASELINE_FILE")
          BASELINE_RECALL=$(jq -r '.metrics.recall // 0' "$BASELINE_FILE")
          BASELINE_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$BASELINE_FILE")
          # Extract current metrics
          CURRENT_PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
          CURRENT_RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
          CURRENT_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
          # Calculate deltas
          PRECISION_DELTA=$(echo "$CURRENT_PRECISION - $BASELINE_PRECISION" | bc -l)
          RECALL_DELTA=$(echo "$CURRENT_RECALL - $BASELINE_RECALL" | bc -l)
          PR_AUC_DELTA=$(echo "$CURRENT_PR_AUC - $BASELINE_PR_AUC" | bc -l)
          echo "Precision delta: $PRECISION_DELTA"
          echo "Recall delta: $RECALL_DELTA"
          echo "PR-AUC delta: $PR_AUC_DELTA"
          # Check for regression (PR-AUC drop > 2%)
          REGRESSION_THRESHOLD=-0.02
          if (( $(echo "$PR_AUC_DELTA < $REGRESSION_THRESHOLD" | bc -l) )); then
            echo "::error::PR-AUC regression detected: $PR_AUC_DELTA (threshold: $REGRESSION_THRESHOLD)"
            echo "regression=true" >> $GITHUB_OUTPUT
          else
            echo "regression=false" >> $GITHUB_OUTPUT
          fi
          echo "::endgroup::"
      - name: Generate markdown report
        run: |
          echo "::group::Generating report"
          RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
          REPORT_FILE="bench/results/benchmark-${{ github.sha }}.md"
          cat > "$REPORT_FILE" << 'EOF'
          # Reachability Benchmark Report
          **Commit:** ${{ github.sha }}
          **Run:** ${{ github.run_number }}
          **Date:** $(date -u +"%Y-%m-%dT%H:%M:%SZ")
          ## Metrics
          | Metric | Value |
          |--------|-------|
          | Precision | ${{ steps.metrics.outputs.precision }} |
          | Recall | ${{ steps.metrics.outputs.recall }} |
          | F1 Score | ${{ steps.metrics.outputs.f1 }} |
          | PR-AUC | ${{ steps.metrics.outputs.pr_auc }} |
          ## Comparison
          ${{ steps.compare.outputs.regression == 'true' && '⚠️ **REGRESSION DETECTED**' || '✅ No regression' }}
          EOF
          echo "Report generated: $REPORT_FILE"
          echo "::endgroup::"
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-results-${{ github.sha }}
          path: |
            bench/results/benchmark-${{ github.sha }}.json
            bench/results/benchmark-${{ github.sha }}.md
          retention-days: 90
      - name: Fail on regression
        if: steps.compare.outputs.regression == 'true' && github.event_name == 'pull_request'
        run: |
          echo "::error::Benchmark regression detected. PR-AUC dropped below threshold."
          exit 1
  update-baseline:
    needs: benchmark
    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download results
        uses: actions/download-artifact@v4
        with:
          name: benchmark-results-${{ github.sha }}
          path: bench/results/
      - name: Update baseline (nightly only)
        if: github.event_name == 'schedule'
        run: |
          DATE=$(date +%Y%m%d)
          cp bench/results/benchmark-${{ github.sha }}.json bench/baselines/baseline-$DATE.json
          echo "Updated baseline to baseline-$DATE.json"
  notify-pr:
    needs: benchmark
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-22.04
    permissions:
      pull-requests: write
    steps:
      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            const precision = '${{ needs.benchmark.outputs.precision }}';
            const recall = '${{ needs.benchmark.outputs.recall }}';
            const f1 = '${{ needs.benchmark.outputs.f1 }}';
            const prAuc = '${{ needs.benchmark.outputs.pr_auc }}';
            const regression = '${{ needs.benchmark.outputs.regression }}' === 'true';
            const status = regression ? '⚠️ REGRESSION' : '✅ PASS';
            const body = `## Reachability Benchmark Results ${status}
            | Metric | Value |
            |--------|-------|
            | Precision | ${precision} |
            | Recall | ${recall} |
            | F1 Score | ${f1} |
            | PR-AUC | ${prAuc} |
            ${regression ? '### ⚠️ Regression Detected\nPR-AUC dropped below threshold. Please review changes.' : ''}
            <details>
            <summary>Details</summary>
            - Commit: \`${{ github.sha }}\`
            - Run: [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
            </details>`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
--- a/.gitea/workflows/reachability-corpus-ci.yml
+++ b/.gitea/workflows/reachability-corpus-ci.yml
@@ -0,0 +1,267 @@
 name: Reachability Corpus Validation
 on:
  workflow_dispatch:
  push:
    branches: [ main ]
    paths:
      - 'src/__Tests/reachability/corpus/**'
      - 'src/__Tests/reachability/fixtures/**'
      - 'src/__Tests/reachability/StellaOps.Reachability.FixtureTests/**'
      - 'scripts/reachability/**'
      - '.gitea/workflows/reachability-corpus-ci.yml'
  pull_request:
    paths:
      - 'src/__Tests/reachability/corpus/**'
      - 'src/__Tests/reachability/fixtures/**'
      - 'src/__Tests/reachability/StellaOps.Reachability.FixtureTests/**'
      - 'scripts/reachability/**'
      - '.gitea/workflows/reachability-corpus-ci.yml'
 jobs:
  validate-corpus:
    runs-on: ubuntu-22.04
    env:
      DOTNET_NOLOGO: 1
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET 10 RC
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.100
          include-prerelease: true
      - name: Verify corpus manifest integrity
        run: |
          echo "Verifying corpus manifest..."
          cd src/__Tests/reachability/corpus
          if [ ! -f manifest.json ]; then
            echo "::error::Corpus manifest.json not found"
            exit 1
          fi
          echo "Manifest exists, checking JSON validity..."
          python3 -c "import json; json.load(open('manifest.json'))"
          echo "Manifest is valid JSON"
      - name: Verify reachbench index integrity
        run: |
          echo "Verifying reachbench fixtures..."
          cd src/__Tests/reachability/fixtures/reachbench-2025-expanded
          if [ ! -f INDEX.json ]; then
            echo "::error::Reachbench INDEX.json not found"
            exit 1
          fi
          echo "INDEX exists, checking JSON validity..."
          python3 -c "import json; json.load(open('INDEX.json'))"
          echo "INDEX is valid JSON"
      - name: Restore test project
        run: dotnet restore src/__Tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj --configfile nuget.config
      - name: Build test project
        run: dotnet build src/__Tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj -c Release --no-restore
      - name: Run corpus fixture tests
        run: |
          dotnet test src/__Tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=corpus-results.trx" \
            --results-directory ./TestResults \
            --filter "FullyQualifiedName~CorpusFixtureTests"
      - name: Run reachbench fixture tests
        run: |
          dotnet test src/__Tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=reachbench-results.trx" \
            --results-directory ./TestResults \
            --filter "FullyQualifiedName~ReachbenchFixtureTests"
      - name: Verify deterministic hashes
        run: |
          echo "Verifying SHA-256 hashes in corpus manifest..."
          chmod +x scripts/reachability/verify_corpus_hashes.sh || true
          if [ -f scripts/reachability/verify_corpus_hashes.sh ]; then
            scripts/reachability/verify_corpus_hashes.sh
          else
            echo "Hash verification script not found, using inline verification..."
            cd src/__Tests/reachability/corpus
            python3 << 'EOF'
          import json
          import hashlib
          import sys
          import os
          with open('manifest.json') as f:
              manifest = json.load(f)
          errors = []
          for entry in manifest:
              case_id = entry['id']
              lang = entry['language']
              case_dir = os.path.join(lang, case_id)
              for filename, expected_hash in entry['files'].items():
                  filepath = os.path.join(case_dir, filename)
                  if not os.path.exists(filepath):
                      errors.append(f"{case_id}: missing {filename}")
                      continue
                  with open(filepath, 'rb') as f:
                      actual_hash = hashlib.sha256(f.read()).hexdigest()
                  if actual_hash != expected_hash:
                      errors.append(f"{case_id}: {filename} hash mismatch (expected {expected_hash}, got {actual_hash})")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print(f"All {len(manifest)} corpus entries verified")
          EOF
          fi
      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: corpus-test-results-${{ github.run_number }}
          path: ./TestResults/*.trx
          retention-days: 14
  validate-ground-truths:
    runs-on: ubuntu-22.04
    env:
      TZ: UTC
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate ground-truth schema version
        run: |
          echo "Validating ground-truth files..."
          cd src/__Tests/reachability
          python3 << 'EOF'
          import json
          import os
          import sys
          EXPECTED_SCHEMA = "reachbench.reachgraph.truth/v1"
          ALLOWED_VARIANTS = {"reachable", "unreachable"}
          errors = []
          # Validate corpus ground-truths
          corpus_manifest = 'corpus/manifest.json'
          if os.path.exists(corpus_manifest):
              with open(corpus_manifest) as f:
                  manifest = json.load(f)
              for entry in manifest:
                  case_id = entry['id']
                  lang = entry['language']
                  truth_path = os.path.join('corpus', lang, case_id, 'ground-truth.json')
                  if not os.path.exists(truth_path):
                      errors.append(f"corpus/{case_id}: missing ground-truth.json")
                      continue
                  with open(truth_path) as f:
                      truth = json.load(f)
                  if truth.get('schema_version') != EXPECTED_SCHEMA:
                      errors.append(f"corpus/{case_id}: wrong schema_version")
                  if truth.get('variant') not in ALLOWED_VARIANTS:
                      errors.append(f"corpus/{case_id}: invalid variant '{truth.get('variant')}'")
                  if not isinstance(truth.get('paths'), list):
                      errors.append(f"corpus/{case_id}: paths must be an array")
          # Validate reachbench ground-truths
          reachbench_index = 'fixtures/reachbench-2025-expanded/INDEX.json'
          if os.path.exists(reachbench_index):
              with open(reachbench_index) as f:
                  index = json.load(f)
              for case in index.get('cases', []):
                  case_id = case['id']
                  case_path = case.get('path', os.path.join('cases', case_id))
                  for variant in ['reachable', 'unreachable']:
                      truth_path = os.path.join('fixtures/reachbench-2025-expanded', case_path, 'images', variant, 'reachgraph.truth.json')
                      if not os.path.exists(truth_path):
                          errors.append(f"reachbench/{case_id}/{variant}: missing reachgraph.truth.json")
                          continue
                      with open(truth_path) as f:
                          truth = json.load(f)
                      if not truth.get('schema_version'):
                          errors.append(f"reachbench/{case_id}/{variant}: missing schema_version")
                      if not isinstance(truth.get('paths'), list):
                          errors.append(f"reachbench/{case_id}/{variant}: paths must be an array")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print("All ground-truth files validated successfully")
          EOF
  determinism-check:
    runs-on: ubuntu-22.04
    env:
      TZ: UTC
    needs: validate-corpus
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Verify JSON determinism (sorted keys, no trailing whitespace)
        run: |
          echo "Checking JSON determinism..."
          cd src/__Tests/reachability
          python3 << 'EOF'
          import json
          import os
          import sys
          def check_json_sorted(filepath):
              """Check if JSON has sorted keys (deterministic)."""
              with open(filepath) as f:
                  content = f.read()
              parsed = json.loads(content)
              reserialized = json.dumps(parsed, sort_keys=True, indent=2)
              # Normalize line endings
              content_normalized = content.replace('\r\n', '\n').strip()
              reserialized_normalized = reserialized.strip()
              return content_normalized == reserialized_normalized
          errors = []
          json_files = []
          # Collect JSON files from corpus
          for root, dirs, files in os.walk('corpus'):
              for f in files:
                  if f.endswith('.json'):
                      json_files.append(os.path.join(root, f))
          # Check determinism
          non_deterministic = []
          for filepath in json_files:
              try:
                  if not check_json_sorted(filepath):
                      non_deterministic.append(filepath)
              except json.JSONDecodeError as e:
                  errors.append(f"{filepath}: invalid JSON - {e}")
          if non_deterministic:
              print(f"::warning::Found {len(non_deterministic)} non-deterministic JSON files (keys not sorted or whitespace differs)")
              for f in non_deterministic[:10]:
                  print(f"  - {f}")
              if len(non_deterministic) > 10:
                  print(f"  ... and {len(non_deterministic) - 10} more")
          if errors:
              for err in errors:
                  print(f"::error::{err}")
              sys.exit(1)
          print(f"Checked {len(json_files)} JSON files")
          EOF
--- a/.gitea/workflows/replay-verification.yml
+++ b/.gitea/workflows/replay-verification.yml
@@ -0,0 +1,39 @@
 name: Replay Verification
 on:
  pull_request:
    paths:
      - 'src/Scanner/**'
      - 'src/__Libraries/StellaOps.Canonicalization/**'
      - 'src/__Libraries/StellaOps.Replay/**'
      - 'src/__Libraries/StellaOps.Testing.Manifests/**'
      - 'src/__Tests/__Benchmarks/golden-corpus/**'
 jobs:
  replay-verification:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
      - name: Build CLI
        run: dotnet build src/Cli/StellaOps.Cli -c Release
      - name: Run replay verification on corpus
        run: |
          dotnet run --project src/Cli/StellaOps.Cli -- replay batch \
            --corpus src/__Tests/__Benchmarks/golden-corpus/ \
            --output results/ \
            --verify-determinism \
            --fail-on-diff
      - name: Upload diff report
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: replay-diff-report
          path: results/diff-report.json
--- a/.gitea/workflows/router-chaos.yml
+++ b/.gitea/workflows/router-chaos.yml
@@ -0,0 +1,306 @@
 # -----------------------------------------------------------------------------
 # router-chaos.yml
 # Sprint: SPRINT_5100_0005_0001_router_chaos_suite
 # Task: T5 - CI Chaos Workflow
 # Description: CI workflow for running router chaos tests.
 # -----------------------------------------------------------------------------
 name: Router Chaos Tests
 on:
  schedule:
    - cron: '0 3 * * *'  # Nightly at 3 AM UTC
  workflow_dispatch:
    inputs:
      spike_multiplier:
        description: 'Load spike multiplier (e.g., 10, 50, 100)'
        default: '10'
        type: choice
        options:
          - '10'
          - '50'
          - '100'
      run_valkey_tests:
        description: 'Run Valkey failure injection tests'
        default: true
        type: boolean
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
  ROUTER_URL: http://localhost:8080
 jobs:
  load-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:7-alpine
        ports:
          - 6379:6379
        options: >-
          --health-cmd "valkey-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Install k6
        run: |
          curl -sSL https://github.com/grafana/k6/releases/download/v0.54.0/k6-v0.54.0-linux-amd64.tar.gz | tar xz
          sudo mv k6-v0.54.0-linux-amd64/k6 /usr/local/bin/
          k6 version
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: chaos-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Build Router
        run: |
          dotnet restore src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj
          dotnet build src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release --no-restore
      - name: Start Router
        run: |
          dotnet run --project src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release --no-build &
          echo $! > router.pid
          # Wait for router to start
          for i in {1..30}; do
            if curl -s http://localhost:8080/health > /dev/null 2>&1; then
              echo "Router is ready"
              break
            fi
            echo "Waiting for router... ($i/30)"
            sleep 2
          done
      - name: Run k6 spike test
        id: k6
        run: |
          mkdir -p results
          k6 run src/__Tests/load/router/spike-test.js \
            -e ROUTER_URL=${{ env.ROUTER_URL }} \
            --out json=results/k6-results.json \
            --summary-export results/k6-summary.json \
            2>&1 | tee results/k6-output.txt
          # Check exit code
          if [ ${PIPESTATUS[0]} -ne 0 ]; then
            echo "k6_status=failed" >> $GITHUB_OUTPUT
          else
            echo "k6_status=passed" >> $GITHUB_OUTPUT
          fi
      - name: Upload k6 results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: k6-results-${{ github.run_id }}
          path: results/
          retention-days: 30
      - name: Stop Router
        if: always()
        run: |
          if [ -f router.pid ]; then
            kill $(cat router.pid) 2>/dev/null || true
          fi
  chaos-unit-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    needs: load-tests
    if: always()
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: stellaops
          POSTGRES_PASSWORD: test
          POSTGRES_DB: stellaops_test
        ports:
          - 5432:5432
      valkey:
        image: valkey/valkey:7-alpine
        ports:
          - 6379:6379
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Build Chaos Tests
        run: |
          dotnet restore src/__Tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj
          dotnet build src/__Tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj -c Release --no-restore
      - name: Start Router for Tests
        run: |
          dotnet run --project src/Router/StellaOps.Router.WebService/StellaOps.Router.WebService.csproj -c Release &
          sleep 15  # Wait for startup
      - name: Run Chaos Unit Tests
        run: |
          dotnet test src/__Tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj \
            -c Release \
            --no-build \
            --logger "trx;LogFileName=chaos-results.trx" \
            --logger "console;verbosity=detailed" \
            --results-directory results \
            -- RunConfiguration.TestSessionTimeout=600000
      - name: Upload Test Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: chaos-test-results-${{ github.run_id }}
          path: results/
          retention-days: 30
  valkey-failure-tests:
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    needs: load-tests
    if: ${{ github.event.inputs.run_valkey_tests != 'false' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Install Docker Compose
        run: |
          sudo apt-get update
          sudo apt-get install -y docker-compose
      - name: Run Valkey Failure Tests
        run: |
          dotnet test src/__Tests/chaos/StellaOps.Chaos.Router.Tests/StellaOps.Chaos.Router.Tests.csproj \
            -c Release \
            --filter "Category=Valkey" \
            --logger "trx;LogFileName=valkey-results.trx" \
            --results-directory results \
            -- RunConfiguration.TestSessionTimeout=600000
      - name: Upload Valkey Test Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: valkey-test-results-${{ github.run_id }}
          path: results/
  analyze-results:
    runs-on: ubuntu-22.04
    needs: [load-tests, chaos-unit-tests]
    if: always()
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download k6 Results
        uses: actions/download-artifact@v4
        with:
          name: k6-results-${{ github.run_id }}
          path: k6-results/
      - name: Download Chaos Test Results
        uses: actions/download-artifact@v4
        with:
          name: chaos-test-results-${{ github.run_id }}
          path: chaos-results/
      - name: Analyze Results
        id: analysis
        run: |
          mkdir -p analysis
          # Parse k6 summary
          if [ -f k6-results/k6-summary.json ]; then
            echo "=== k6 Test Summary ===" | tee analysis/summary.txt
            # Extract key metrics
            jq -r '.metrics | to_entries[] | "\(.key): \(.value)"' k6-results/k6-summary.json >> analysis/summary.txt 2>/dev/null || true
          fi
          # Check thresholds
          THRESHOLDS_PASSED=true
          if [ -f k6-results/k6-summary.json ]; then
            # Check if any threshold failed
            FAILED_THRESHOLDS=$(jq -r '.thresholds | to_entries[] | select(.value.ok == false) | .key' k6-results/k6-summary.json 2>/dev/null || echo "")
            if [ -n "$FAILED_THRESHOLDS" ]; then
              echo "Failed thresholds: $FAILED_THRESHOLDS"
              THRESHOLDS_PASSED=false
            fi
          fi
          echo "thresholds_passed=$THRESHOLDS_PASSED" >> $GITHUB_OUTPUT
      - name: Upload Analysis
        uses: actions/upload-artifact@v4
        with:
          name: chaos-analysis-${{ github.run_id }}
          path: analysis/
      - name: Create Summary
        run: |
          echo "## Router Chaos Test Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Load Test Results" >> $GITHUB_STEP_SUMMARY
          if [ -f k6-results/k6-summary.json ]; then
            echo "- Total Requests: $(jq -r '.metrics.http_reqs.values.count // "N/A"' k6-results/k6-summary.json)" >> $GITHUB_STEP_SUMMARY
            echo "- Failed Rate: $(jq -r '.metrics.http_req_failed.values.rate // "N/A"' k6-results/k6-summary.json)" >> $GITHUB_STEP_SUMMARY
          else
            echo "- No k6 results found" >> $GITHUB_STEP_SUMMARY
          fi
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Thresholds" >> $GITHUB_STEP_SUMMARY
          echo "- Status: ${{ steps.analysis.outputs.thresholds_passed == 'true' && 'PASSED' || 'FAILED' }}" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/scanner-analyzers-release.yml
+++ b/.gitea/workflows/scanner-analyzers-release.yml
@@ -34,6 +34,22 @@ jobs:
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/StellaOps.Scanner.Analyzers.Lang.Ruby.csproj ruby-analyzer
      - name: Package Native analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj native-analyzer
      - name: Package Java analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj java-analyzer
      - name: Package DotNet analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj dotnet-analyzer
      - name: Package Node analyzer
        run: |
          RID="${{ github.event.inputs.rid }}" scripts/scanner/package-analyzer.sh src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj node-analyzer
      - name: Upload analyzer artifacts
        uses: actions/upload-artifact@v4
        with:
--- a/.gitea/workflows/scanner-analyzers.yml
+++ b/.gitea/workflows/scanner-analyzers.yml
@@ -128,6 +128,6 @@ jobs:
      - name: Run determinism tests
        run: |
          # Run scanner on same input twice, compare outputs
-          if [ -d "tests/fixtures/determinism" ]; then
+          if [ -d "src/__Tests/fixtures/determinism" ]; then
            dotnet test --filter "Category=Determinism" --verbosity normal
          fi
--- a/.gitea/workflows/schema-validation.yml
+++ b/.gitea/workflows/schema-validation.yml
@@ -0,0 +1,322 @@
 # Schema Validation CI Workflow
 # Sprint: SPRINT_8200_0001_0003_sbom_schema_validation_ci
 # Tasks: SCHEMA-8200-007 through SCHEMA-8200-011
 #
 # Purpose: Validate SBOM fixtures against official JSON schemas to detect
 # schema drift before runtime. Fails CI if any fixture is invalid.
 name: Schema Validation
 on:
  pull_request:
    paths:
      - 'src/__Tests/__Benchmarks/golden-corpus/**'
      - 'src/Scanner/**'
      - 'docs/schemas/**'
      - 'scripts/validate-*.sh'
      - '.gitea/workflows/schema-validation.yml'
  push:
    branches: [main]
    paths:
      - 'src/__Tests/__Benchmarks/golden-corpus/**'
      - 'src/Scanner/**'
      - 'docs/schemas/**'
      - 'scripts/validate-*.sh'
 env:
  SBOM_UTILITY_VERSION: "0.16.0"
 jobs:
  validate-cyclonedx:
    name: Validate CycloneDX Fixtures
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install sbom-utility
        run: |
          curl -sSfL "https://github.com/CycloneDX/sbom-utility/releases/download/v${SBOM_UTILITY_VERSION}/sbom-utility-v${SBOM_UTILITY_VERSION}-linux-amd64.tar.gz" | tar xz
          sudo mv sbom-utility /usr/local/bin/
          sbom-utility --version
      - name: Validate CycloneDX fixtures
        run: |
          set -e
          SCHEMA="docs/schemas/cyclonedx-bom-1.6.schema.json"
          FIXTURE_DIRS=(
            "src/__Tests/__Benchmarks/golden-corpus"
            "src/__Tests/fixtures"
            "seed-data"
          )
          FOUND=0
          PASSED=0
          FAILED=0
          for dir in "${FIXTURE_DIRS[@]}"; do
            if [ -d "$dir" ]; then
              while IFS= read -r -d '' file; do
                if grep -q '"bomFormat".*"CycloneDX"' "$file" 2>/dev/null; then
                  FOUND=$((FOUND + 1))
                  echo "::group::Validating: $file"
                  if sbom-utility validate --input-file "$file" --schema "$SCHEMA" 2>&1; then
                    echo "✅ PASS: $file"
                    PASSED=$((PASSED + 1))
                  else
                    echo "❌ FAIL: $file"
                    FAILED=$((FAILED + 1))
                  fi
                  echo "::endgroup::"
                fi
              done < <(find "$dir" -name '*.json' -type f -print0 2>/dev/null || true)
            fi
          done
          echo "================================================"
          echo "CycloneDX Validation Summary"
          echo "================================================"
          echo "Found: $FOUND fixtures"
          echo "Passed: $PASSED"
          echo "Failed: $FAILED"
          echo "================================================"
          if [ "$FAILED" -gt 0 ]; then
            echo "::error::$FAILED CycloneDX fixtures failed validation"
            exit 1
          fi
          if [ "$FOUND" -eq 0 ]; then
            echo "::warning::No CycloneDX fixtures found to validate"
          fi
  validate-spdx:
    name: Validate SPDX Fixtures
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install SPDX tools
        run: |
          pip install spdx-tools
          pip install check-jsonschema
      - name: Validate SPDX fixtures
        run: |
          set -e
          SCHEMA="docs/schemas/spdx-jsonld-3.0.1.schema.json"
          FIXTURE_DIRS=(
            "src/__Tests/__Benchmarks/golden-corpus"
            "src/__Tests/fixtures"
            "seed-data"
          )
          FOUND=0
          PASSED=0
          FAILED=0
          for dir in "${FIXTURE_DIRS[@]}"; do
            if [ -d "$dir" ]; then
              while IFS= read -r -d '' file; do
                # Check for SPDX markers
                if grep -qE '"spdxVersion"|"@context".*spdx' "$file" 2>/dev/null; then
                  FOUND=$((FOUND + 1))
                  echo "::group::Validating: $file"
                  # Try pyspdxtools first (semantic validation)
                  if pyspdxtools validate "$file" 2>&1; then
                    echo "✅ PASS (semantic): $file"
                    PASSED=$((PASSED + 1))
                  # Fall back to JSON schema validation
                  elif check-jsonschema --schemafile "$SCHEMA" "$file" 2>&1; then
                    echo "✅ PASS (schema): $file"
                    PASSED=$((PASSED + 1))
                  else
                    echo "❌ FAIL: $file"
                    FAILED=$((FAILED + 1))
                  fi
                  echo "::endgroup::"
                fi
              done < <(find "$dir" -name '*.json' -type f -print0 2>/dev/null || true)
            fi
          done
          echo "================================================"
          echo "SPDX Validation Summary"
          echo "================================================"
          echo "Found: $FOUND fixtures"
          echo "Passed: $PASSED"
          echo "Failed: $FAILED"
          echo "================================================"
          if [ "$FAILED" -gt 0 ]; then
            echo "::error::$FAILED SPDX fixtures failed validation"
            exit 1
          fi
          if [ "$FOUND" -eq 0 ]; then
            echo "::warning::No SPDX fixtures found to validate"
          fi
  validate-vex:
    name: Validate OpenVEX Fixtures
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install ajv-cli
        run: npm install -g ajv-cli ajv-formats
      - name: Validate OpenVEX fixtures
        run: |
          set -e
          SCHEMA="docs/schemas/openvex-0.2.0.schema.json"
          FIXTURE_DIRS=(
            "src/__Tests/__Benchmarks/golden-corpus"
            "src/__Tests/__Benchmarks/vex-lattice"
            "src/__Tests/fixtures"
            "seed-data"
          )
          FOUND=0
          PASSED=0
          FAILED=0
          for dir in "${FIXTURE_DIRS[@]}"; do
            if [ -d "$dir" ]; then
              while IFS= read -r -d '' file; do
                # Check for OpenVEX markers
                if grep -qE '"@context".*openvex|"@type".*"https://openvex' "$file" 2>/dev/null; then
                  FOUND=$((FOUND + 1))
                  echo "::group::Validating: $file"
                  if ajv validate -s "$SCHEMA" -d "$file" --strict=false -c ajv-formats 2>&1; then
                    echo "✅ PASS: $file"
                    PASSED=$((PASSED + 1))
                  else
                    echo "❌ FAIL: $file"
                    FAILED=$((FAILED + 1))
                  fi
                  echo "::endgroup::"
                fi
              done < <(find "$dir" -name '*.json' -type f -print0 2>/dev/null || true)
            fi
          done
          echo "================================================"
          echo "OpenVEX Validation Summary"
          echo "================================================"
          echo "Found: $FOUND fixtures"
          echo "Passed: $PASSED"
          echo "Failed: $FAILED"
          echo "================================================"
          if [ "$FAILED" -gt 0 ]; then
            echo "::error::$FAILED OpenVEX fixtures failed validation"
            exit 1
          fi
          if [ "$FOUND" -eq 0 ]; then
            echo "::warning::No OpenVEX fixtures found to validate"
          fi
  # Negative testing: verify that invalid fixtures are correctly rejected
  validate-negative:
    name: Validate Negative Test Cases
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install sbom-utility
        run: |
          curl -sSfL "https://github.com/CycloneDX/sbom-utility/releases/download/v${SBOM_UTILITY_VERSION}/sbom-utility-v${SBOM_UTILITY_VERSION}-linux-amd64.tar.gz" | tar xz
          sudo mv sbom-utility /usr/local/bin/
          sbom-utility --version
      - name: Verify invalid fixtures fail validation
        run: |
          set -e
          SCHEMA="docs/schemas/cyclonedx-bom-1.6.schema.json"
          INVALID_DIR="src/__Tests/fixtures/invalid"
          if [ ! -d "$INVALID_DIR" ]; then
            echo "::warning::No invalid fixtures directory found at $INVALID_DIR"
            exit 0
          fi
          EXPECTED_FAILURES=0
          ACTUAL_FAILURES=0
          UNEXPECTED_PASSES=0
          while IFS= read -r -d '' file; do
            if grep -q '"bomFormat".*"CycloneDX"' "$file" 2>/dev/null; then
              EXPECTED_FAILURES=$((EXPECTED_FAILURES + 1))
              echo "::group::Testing invalid fixture: $file"
              # This SHOULD fail - if it passes, that's an error
              if sbom-utility validate --input-file "$file" --schema "$SCHEMA" 2>&1; then
                echo "❌ UNEXPECTED PASS: $file (should have failed validation)"
                UNEXPECTED_PASSES=$((UNEXPECTED_PASSES + 1))
              else
                echo "✅ EXPECTED FAILURE: $file (correctly rejected)"
                ACTUAL_FAILURES=$((ACTUAL_FAILURES + 1))
              fi
              echo "::endgroup::"
            fi
          done < <(find "$INVALID_DIR" -name '*.json' -type f -print0 2>/dev/null || true)
          echo "================================================"
          echo "Negative Test Summary"
          echo "================================================"
          echo "Expected failures: $EXPECTED_FAILURES"
          echo "Actual failures: $ACTUAL_FAILURES"
          echo "Unexpected passes: $UNEXPECTED_PASSES"
          echo "================================================"
          if [ "$UNEXPECTED_PASSES" -gt 0 ]; then
            echo "::error::$UNEXPECTED_PASSES invalid fixtures passed validation unexpectedly"
            exit 1
          fi
          if [ "$EXPECTED_FAILURES" -eq 0 ]; then
            echo "::warning::No invalid CycloneDX fixtures found for negative testing"
          fi
          echo "✅ All invalid fixtures correctly rejected by schema validation"
  summary:
    name: Validation Summary
    runs-on: ubuntu-latest
    needs: [validate-cyclonedx, validate-spdx, validate-vex, validate-negative]
    if: always()
    steps:
      - name: Check results
        run: |
          echo "Schema Validation Results"
          echo "========================="
          echo "CycloneDX: ${{ needs.validate-cyclonedx.result }}"
          echo "SPDX: ${{ needs.validate-spdx.result }}"
          echo "OpenVEX: ${{ needs.validate-vex.result }}"
          echo "Negative Tests: ${{ needs.validate-negative.result }}"
          if [ "${{ needs.validate-cyclonedx.result }}" = "failure" ] || \
             [ "${{ needs.validate-spdx.result }}" = "failure" ] || \
             [ "${{ needs.validate-vex.result }}" = "failure" ] || \
             [ "${{ needs.validate-negative.result }}" = "failure" ]; then
            echo "::error::One or more schema validations failed"
            exit 1
          fi
          echo "✅ All schema validations passed or skipped"
--- a/.gitea/workflows/sdk-publish.yml
+++ b/.gitea/workflows/sdk-publish.yml
@@ -23,7 +23,7 @@ jobs:
      DOTNET_CLI_TELEMETRY_OPTOUT: 1
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
      TZ: UTC
-      SDK_NUGET_SOURCE: ${{ secrets.SDK_NUGET_SOURCE || 'local-nugets/packages' }}
+      SDK_NUGET_SOURCE: ${{ secrets.SDK_NUGET_SOURCE || '.nuget/packages' }}
      SDK_NUGET_API_KEY: ${{ secrets.SDK_NUGET_API_KEY }}
      SDK_SIGNING_CERT_B64: ${{ secrets.SDK_SIGNING_CERT_B64 }}
      SDK_SIGNING_CERT_PASSWORD: ${{ secrets.SDK_SIGNING_CERT_PASSWORD }}
@@ -46,8 +46,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: |
-            ~/.nuget/packages
+            .nuget/packages
            local-nugets/packages
          key: sdk-nuget-${{ runner.os }}-${{ hashFiles('src/Sdk/**/*.csproj') }}
      - name: Restore (best effort; skipped if no csproj)
@@ -87,6 +86,6 @@ jobs:
          name: sdk-artifacts
          path: |
            out/sdk
-            local-nugets/packages/*.nupkg
+            .nuget/packages/*.nupkg
          if-no-files-found: warn
          retention-days: 7
--- a/.gitea/workflows/signals-ci.yml
+++ b/.gitea/workflows/signals-ci.yml
@@ -45,7 +45,7 @@ jobs:
        with:
          path: |
            ~/.nuget/packages
-            local-nugets/packages
+            .nuget/packages
          key: signals-nuget-${{ runner.os }}-${{ hashFiles('src/Signals/**/*.csproj') }}
      - name: Restore
--- a/.gitea/workflows/test-lanes.yml
+++ b/.gitea/workflows/test-lanes.yml
@@ -0,0 +1,358 @@
 # .gitea/workflows/test-lanes.yml
 # Lane-based test execution using standardized trait filtering
 # Implements Task 10 from SPRINT 5100.0007.0001
 name: Test Lanes
 on:
  pull_request:
    branches: [ main, develop ]
    paths:
      - 'src/**'
      - 'src/__Tests/**'
      - 'scripts/test-lane.sh'
      - '.gitea/workflows/test-lanes.yml'
  push:
    branches: [ main ]
  workflow_dispatch:
    inputs:
      run_performance:
        description: 'Run Performance lane tests'
        required: false
        default: false
        type: boolean
      run_live:
        description: 'Run Live lane tests (external dependencies)'
        required: false
        default: false
        type: boolean
 env:
  DOTNET_VERSION: '10.0.100'
  BUILD_CONFIGURATION: Release
  TEST_RESULTS_DIR: ${{ github.workspace }}/test-results
 jobs:
  # ===========================================================================
  # Unit Lane: Fast, isolated, deterministic tests (PR-gating)
  # ===========================================================================
  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Unit lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Unit \
            --logger "trx;LogFileName=unit-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Unit test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: unit-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Architecture Lane: Structural rule enforcement (PR-gating)
  # ===========================================================================
  architecture-tests:
    name: Architecture Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore architecture tests
        run: dotnet restore src/__Tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj
      - name: Build architecture tests
        run: dotnet build src/__Tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Architecture tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          dotnet test src/__Tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj \
            --configuration $BUILD_CONFIGURATION \
            --no-build \
            --logger "trx;LogFileName=architecture-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Architecture test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: architecture-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Contract Lane: API contract stability tests (PR-gating)
  # ===========================================================================
  contract-tests:
    name: Contract Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Contract lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Contract \
            --logger "trx;LogFileName=contract-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Contract test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: contract-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Integration Lane: Service + storage tests with Testcontainers (PR-gating)
  # ===========================================================================
  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Integration lane tests
        env:
          POSTGRES_TEST_IMAGE: postgres:16-alpine
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Integration \
            --logger "trx;LogFileName=integration-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Integration test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: integration-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Security Lane: AuthZ, input validation, negative tests (PR-gating)
  # ===========================================================================
  security-tests:
    name: Security Tests
    runs-on: ubuntu-22.04
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Security lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Security \
            --logger "trx;LogFileName=security-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Security test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Performance Lane: Benchmarks and regression thresholds (optional/scheduled)
  # ===========================================================================
  performance-tests:
    name: Performance Tests
    runs-on: ubuntu-22.04
    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Performance lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Performance \
            --logger "trx;LogFileName=performance-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
      - name: Upload Performance test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: performance-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 14
  # ===========================================================================
  # Live Lane: External API smoke tests (opt-in only, never PR-gating)
  # ===========================================================================
  live-tests:
    name: Live Tests (External Dependencies)
    runs-on: ubuntu-22.04
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_live == 'true'
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET ${{ env.DOTNET_VERSION }}
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true
      - name: Restore solution
        run: dotnet restore src/StellaOps.sln
      - name: Build solution
        run: dotnet build src/StellaOps.sln --configuration $BUILD_CONFIGURATION --no-restore
      - name: Run Live lane tests
        run: |
          mkdir -p "$TEST_RESULTS_DIR"
          chmod +x scripts/test-lane.sh
          ./scripts/test-lane.sh Live \
            --logger "trx;LogFileName=live-tests.trx" \
            --results-directory "$TEST_RESULTS_DIR" \
            --verbosity normal
        continue-on-error: true
      - name: Upload Live test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: live-test-results
          path: ${{ env.TEST_RESULTS_DIR }}
          if-no-files-found: ignore
          retention-days: 7
  # ===========================================================================
  # Test Results Summary
  # ===========================================================================
  test-summary:
    name: Test Results Summary
    runs-on: ubuntu-22.04
    needs: [unit-tests, architecture-tests, contract-tests, integration-tests, security-tests]
    if: always()
    steps:
      - name: Download all test results
        uses: actions/download-artifact@v4
        with:
          path: all-test-results
      - name: Generate summary
        run: |
          echo "## Test Lane Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          for lane in unit architecture contract integration security; do
            result_dir="all-test-results/${lane}-test-results"
            if [ -d "$result_dir" ]; then
              echo "### ${lane^} Lane: ✅ Passed" >> $GITHUB_STEP_SUMMARY
            else
              echo "### ${lane^} Lane: ❌ Failed or Skipped" >> $GITHUB_STEP_SUMMARY
            fi
          done
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "See individual job logs for detailed test output." >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/unknowns-budget-gate.yml
+++ b/.gitea/workflows/unknowns-budget-gate.yml
@@ -0,0 +1,199 @@
 # -----------------------------------------------------------------------------
 # unknowns-budget-gate.yml
 # Sprint: SPRINT_5100_0004_0001_unknowns_budget_ci_gates
 # Task: T2 - CI Budget Gate Workflow
 # Description: Enforces unknowns budgets on PRs and pushes
 # -----------------------------------------------------------------------------
 name: Unknowns Budget Gate
 on:
  pull_request:
    paths:
      - 'src/**'
      - 'Dockerfile*'
      - '*.lock'
      - 'etc/policy.unknowns.yaml'
  push:
    branches: [main]
    paths:
      - 'src/**'
      - 'Dockerfile*'
      - '*.lock'
 env:
  DOTNET_NOLOGO: 1
  DOTNET_CLI_TELEMETRY_OPTOUT: 1
  TZ: UTC
  STELLAOPS_BUDGET_CONFIG: ./etc/policy.unknowns.yaml
 jobs:
  scan-and-check-budget:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: |
            ~/.nuget/packages
            .nuget/packages
          key: budget-gate-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
      - name: Restore and Build CLI
        run: |
          dotnet restore src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configfile nuget.config
          dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -c Release --no-restore
      - name: Determine environment
        id: env
        run: |
          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            echo "environment=prod" >> $GITHUB_OUTPUT
            echo "enforce=true" >> $GITHUB_OUTPUT
          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
            echo "environment=stage" >> $GITHUB_OUTPUT
            echo "enforce=false" >> $GITHUB_OUTPUT
          else
            echo "environment=dev" >> $GITHUB_OUTPUT
            echo "enforce=false" >> $GITHUB_OUTPUT
          fi
      - name: Create sample verdict for testing
        id: scan
        run: |
          mkdir -p out
          # In a real scenario, this would be from stella scan
          # For now, create a minimal verdict file
          cat > out/verdict.json << 'EOF'
          {
            "unknowns": []
          }
          EOF
          echo "verdict_path=out/verdict.json" >> $GITHUB_OUTPUT
      - name: Check unknowns budget
        id: budget
        continue-on-error: true
        run: |
          set +e
          dotnet run --project src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -- \
            unknowns budget check \
            --verdict ${{ steps.scan.outputs.verdict_path }} \
            --environment ${{ steps.env.outputs.environment }} \
            --output json \
            --fail-on-exceed > out/budget-result.json
          EXIT_CODE=$?
          echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
          if [ -f out/budget-result.json ]; then
            # Compact JSON for output
            RESULT=$(cat out/budget-result.json | jq -c '.')
            echo "result=$RESULT" >> $GITHUB_OUTPUT
          fi
          exit $EXIT_CODE
      - name: Upload budget report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: budget-report-${{ github.run_id }}
          path: out/budget-result.json
          retention-days: 30
      - name: Post PR comment
        if: github.event_name == 'pull_request' && always()
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            let result = { isWithinBudget: true, totalUnknowns: 0 };
            try {
              const content = fs.readFileSync('out/budget-result.json', 'utf8');
              result = JSON.parse(content);
            } catch (e) {
              console.log('Could not read budget result:', e.message);
            }
            const status = result.isWithinBudget ? ':white_check_mark:' : ':x:';
            const env = '${{ steps.env.outputs.environment }}';
            let body = `## ${status} Unknowns Budget Check
 | Metric | Value |
 |--------|-------|
 | Environment | ${env} |
 | Total Unknowns | ${result.totalUnknowns || 0} |
 | Budget Limit | ${result.totalLimit || 'Unlimited'} |
 | Status | ${result.isWithinBudget ? 'PASS' : 'FAIL'} |
 `;
            if (result.violations && result.violations.length > 0) {
              body += `
 ### Violations
 `;
              for (const v of result.violations) {
                body += `- **${v.reasonCode}**: ${v.count}/${v.limit}\n`;
              }
            }
            if (result.message) {
              body += `\n> ${result.message}\n`;
            }
            body += `\n---\n_Generated by StellaOps Unknowns Budget Gate_`;
            // Find existing comment
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const botComment = comments.find(c =>
              c.body.includes('Unknowns Budget Check') &&
              c.user.type === 'Bot'
            );
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: body
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: body
              });
            }
      - name: Fail if budget exceeded (prod)
        if: steps.env.outputs.environment == 'prod' && steps.budget.outputs.exit_code == '2'
        run: |
          echo "::error::Production unknowns budget exceeded!"
          exit 1
      - name: Warn if budget exceeded (non-prod)
        if: steps.env.outputs.environment != 'prod' && steps.budget.outputs.exit_code == '2'
        run: |
          echo "::warning::Unknowns budget exceeded for ${{ steps.env.outputs.environment }}"
--- a/.gitea/workflows/vex-proof-bundles.yml
+++ b/.gitea/workflows/vex-proof-bundles.yml
@@ -4,14 +4,14 @@ on:
  pull_request:
    paths:
      - 'scripts/vex/**'
-      - 'tests/Vex/ProofBundles/**'
+      - 'src/__Tests/Vex/ProofBundles/**'
      - 'docs/benchmarks/vex-evidence-playbook*'
      - '.gitea/workflows/vex-proof-bundles.yml'
  push:
    branches: [ main ]
    paths:
      - 'scripts/vex/**'
-      - 'tests/Vex/ProofBundles/**'
+      - 'src/__Tests/Vex/ProofBundles/**'
      - 'docs/benchmarks/vex-evidence-playbook*'
      - '.gitea/workflows/vex-proof-bundles.yml'
@@ -36,5 +36,5 @@ jobs:
        env:
          PYTHONHASHSEED: "0"
        run: |
-          chmod +x tests/Vex/ProofBundles/test_verify_sample.sh
+          chmod +x src/__Tests/Vex/ProofBundles/test_verify_sample.sh
-          tests/Vex/ProofBundles/test_verify_sample.sh
+          src/__Tests/Vex/ProofBundles/test_verify_sample.sh
--- a/.github/flaky-tests-quarantine.json
+++ b/.github/flaky-tests-quarantine.json
@@ -0,0 +1,12 @@
 {
  "$schema": "https://stellaops.io/schemas/flaky-tests-quarantine.v1.json",
  "version": "1.0.0",
  "updated_at": "2025-01-15T00:00:00Z",
  "policy": {
    "consecutive_failures_to_quarantine": 2,
    "quarantine_duration_days": 14,
    "auto_reactivate_after_fix": true
  },
  "quarantined_tests": [],
  "notes": "Tests are quarantined after 2 consecutive failures. Review and fix within 14 days or escalate."
 }
--- a/.gitignore
+++ b/.gitignore
@@ -17,8 +17,7 @@ obj/
 # Packages and logs
 *.log
 TestResults/
-local-nuget/
+.nuget/packages/
 local-nugets/packages/
 .dotnet
 .DS_Store
@@ -45,6 +44,9 @@ node_modules/
 dist/
 .build/
 .cache/
 .tmp/
 logs/
 out/
 # .NET
 bin/
@@ -60,10 +62,12 @@ obj/
 logs/
 tmp/
 coverage/
 # Consolidated NuGet cache (all variants)
 .nuget/
-local-nugets/
+.nuget-*/
-local-nuget/
+local-nuget*/
 src/Sdk/StellaOps.Sdk.Generator/tools/jdk-21.0.1+12
-.nuget-cache/
+
-.nuget-packages2/
+# Test artifacts
-.nuget-temp/
+src/__Tests/**/TestResults/
 src/__Tests/__Benchmarks/reachability-benchmark/.jdk/
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/Microsoft.Extensions.Logging.Abstractions.nuspec
@@ -1,52 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Microsoft.Extensions.Logging.Abstractions</id>
    <version>10.0.0-rc.2.25502.107</version>
    <authors>Microsoft</authors>
    <license type="expression">MIT</license>
    <licenseUrl>https://licenses.nuget.org/MIT</licenseUrl>
    <icon>Icon.png</icon>
    <readme>PACKAGE.md</readme>
    <projectUrl>https://dot.net/</projectUrl>
    <description>Logging abstractions for Microsoft.Extensions.Logging.
 Commonly Used Types:
 Microsoft.Extensions.Logging.ILogger
 Microsoft.Extensions.Logging.ILoggerFactory
 Microsoft.Extensions.Logging.ILogger&lt;TCategoryName&gt;
 Microsoft.Extensions.Logging.LogLevel
 Microsoft.Extensions.Logging.Logger&lt;T&gt;
 Microsoft.Extensions.Logging.LoggerMessage
 Microsoft.Extensions.Logging.Abstractions.NullLogger</description>
    <releaseNotes>https://go.microsoft.com/fwlink/?LinkID=799421</releaseNotes>
    <copyright>© Microsoft Corporation. All rights reserved.</copyright>
    <serviceable>true</serviceable>
    <repository type="git" url="https://github.com/dotnet/dotnet" commit="89c8f6a112d37d2ea8b77821e56d170a1bccdc5a" />
    <dependencies>
      <group targetFramework=".NETFramework4.6.2">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net8.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net9.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework="net10.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
      </group>
      <group targetFramework=".NETStandard2.0">
        <dependency id="Microsoft.Extensions.DependencyInjection.Abstractions" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Diagnostics.DiagnosticSource" version="10.0.0-rc.2.25502.107" exclude="Build,Analyzers" />
        <dependency id="System.Buffers" version="4.6.1" exclude="Build,Analyzers" />
        <dependency id="System.Memory" version="4.6.3" exclude="Build,Analyzers" />
      </group>
    </dependencies>
  </metadata>
 </package>
--- a/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
+++ b/.nuget-cache/microsoft.extensions.logging.abstractions/10.0.0-rc.2.25502.107/v3wr4h43.dju
--- a/.spectral.yaml
+++ b/.spectral.yaml
@@ -165,3 +165,69 @@ rules:
              in:
                const: header
            required: [name, in]
  # --- Deprecation Metadata Rules (per APIGOV-63-001) ---
  stella-deprecated-has-metadata:
    description: "Deprecated operations must have x-deprecation extension with required fields"
    message: "Add x-deprecation metadata (deprecatedAt, sunsetAt, successorPath, reason) to deprecated operations"
    given: "$.paths[*][*][?(@.deprecated == true)]"
    severity: error
    then:
      field: x-deprecation
      function: schema
      functionOptions:
        schema:
          type: object
          required:
            - deprecatedAt
            - sunsetAt
            - successorPath
            - reason
          properties:
            deprecatedAt:
              type: string
              format: date-time
            sunsetAt:
              type: string
              format: date-time
            successorPath:
              type: string
            successorOperationId:
              type: string
            reason:
              type: string
            migrationGuide:
              type: string
              format: uri
            notificationChannels:
              type: array
              items:
                type: string
                enum: [slack, teams, email, webhook]
  stella-deprecated-sunset-future:
    description: "Sunset dates should be in the future (warn if sunset already passed)"
    message: "x-deprecation.sunsetAt should be a future date"
    given: "$.paths[*][*].x-deprecation.sunsetAt"
    severity: warn
    then:
      function: truthy
  stella-deprecated-migration-guide:
    description: "Deprecated operations should include a migration guide URL"
    message: "Consider adding x-deprecation.migrationGuide for consumer guidance"
    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
    severity: hint
    then:
      field: migrationGuide
      function: truthy
  stella-deprecated-notification-channels:
    description: "Deprecated operations should specify notification channels"
    message: "Add x-deprecation.notificationChannels to enable deprecation notifications"
    given: "$.paths[*][*][?(@.deprecated == true)].x-deprecation"
    severity: hint
    then:
      field: notificationChannels
      function: truthy
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -58,8 +58,8 @@ When you are told you are working in a particular module or directory, assume yo
 * **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions.
 * **Frontend**: Angular v17 for the UI.
-* **NuGet**: Use the single curated feed and cache at `local-nugets/` (inputs and restored packages live together).
+* **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache.
-* **Data**: MongoDB as canonical store and for job/export state. Use a MongoDB driver version ≥ 3.0.
+* **Data**: PostgreSQL as canonical store and for job/export state. Use a PostgreSQL driver version ≥ 3.0.
 * **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces.
 * **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured).
@@ -126,7 +126,7 @@ It ships as containerised building blocks; each module owns a clear boundary and
 | Scanner                | `src/Scanner/StellaOps.Scanner.WebService`<br>`src/Scanner/StellaOps.Scanner.Worker`<br>`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md`           |
 | Scheduler              | `src/Scheduler/StellaOps.Scheduler.WebService`<br>`src/Scheduler/StellaOps.Scheduler.Worker`                                          | `docs/modules/scheduler/architecture.md`         |
 | CLI                    | `src/Cli/StellaOps.Cli`<br>`src/Cli/StellaOps.Cli.Core`<br>`src/Cli/StellaOps.Cli.Plugins.*`                                          | `docs/modules/cli/architecture.md`               |
-| UI / Console           | `src/UI/StellaOps.UI`                                                                                                                 | `docs/modules/ui/architecture.md`                |
+| UI / Console           | `src/Web/StellaOps.Web`                                                                                                               | `docs/modules/ui/architecture.md`                |
 | Notify                 | `src/Notify/StellaOps.Notify.WebService`<br>`src/Notify/StellaOps.Notify.Worker`                                                      | `docs/modules/notify/architecture.md`            |
 | Export Center          | `src/ExportCenter/StellaOps.ExportCenter.WebService`<br>`src/ExportCenter/StellaOps.ExportCenter.Worker`                              | `docs/modules/export-center/architecture.md`     |
 | Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`<br>`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`                        | `docs/modules/registry/architecture.md`          |
@@ -202,22 +202,22 @@ Your goals:
 Sprint filename format:
-`SPRINT_<IMPLID>_<BATCHID>_<SPRINTID>_<topic_in_few_words>.md`
+`SPRINT_<IMPLID>_<BATCHID>_<MODULEID>_<topic_in_few_words>.md`
-* `<IMPLID>`: `0000–9999` — implementation epoch (e.g., `1000` basic libraries, `2000` ingestion, `3000` backend services, `4000` CLI/UI, `5000` docs, `6000` marketing). When in doubt, use the highest number already present.
+* `<IMPLID>`: implementation epoch (e.g., `20251218`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch.
-* `<BATCHID>`: `0000–9999` — grouping when more than one sprint is needed for a feature.
+* `<BATCHID>`: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature.
-* `<SPRINTID>`: `0000–9999` — sprint index within the batch.
+* `<MODULEID>`: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc.
 * `<topic_in_few_words>`: short topic description.
 * **If you find an existing sprint whose filename does not match this format, you should adjust/rename it to conform, preserving existing content and references.** Document the rename in the sprint’s **Execution Log**.
-Sprint file template:
+Every sprint file must conform to this template:
 ```md
 # Sprint <ID> · <Stream/Topic>
 ## Topic & Scope
- Summarise the sprint in 2–4 bullets that read like a short story (expected outcomes and “why now”).
+- Summarise the sprint in 2–4 bullets that read like a short story (expected outcomes and "why now").
- Call out the single owning directory (e.g., `src/Concelier/StellaOps.Concelier.Core`) and the evidence you expect to produce.
+- Call out the single owning directory (e.g., `src/<module>/ReleaseOrchestrator.<module>.<sub-module>`) and the evidence you expect to produce.
 - **Working directory:** `<path/to/module>`.
 ## Dependencies & Concurrency
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -41,7 +41,7 @@ dotnet test --filter "FullyQualifiedName~TestMethodName"
 dotnet test src/StellaOps.sln --verbosity normal
 ```
-**Note:** Tests use Mongo2Go which requires OpenSSL 1.1 on Linux. Run `scripts/enable-openssl11-shim.sh` before testing if needed.
+**Note:** Integration tests use Testcontainers for PostgreSQL. Ensure Docker is running before executing tests.
 ## Linting and Validation
@@ -60,11 +60,11 @@ helm lint deploy/helm/stellaops
 ### Technology Stack
 - **Runtime:** .NET 10 (`net10.0`) with latest C# preview features
- **Frontend:** Angular v17 (in `src/UI/StellaOps.UI`)
+- **Frontend:** Angular v17 (in `src/Web/StellaOps.Web`)
- **Database:** MongoDB (driver version ≥ 3.0)
+- **Database:** PostgreSQL (≥16) with per-module schema isolation; see `docs/db/` for specification
- **Testing:** xUnit with Mongo2Go, Moq, Microsoft.AspNetCore.Mvc.Testing
+- **Testing:** xUnit with Testcontainers (PostgreSQL), Moq, Microsoft.AspNetCore.Mvc.Testing
 - **Observability:** Structured logging, OpenTelemetry traces
- **NuGet:** Use the single curated feed and cache at `local-nugets/`
+- **NuGet:** Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org)
 ### Module Structure
@@ -72,24 +72,53 @@ The codebase follows a monorepo pattern with modules under `src/`:
 | Module | Path | Purpose |
 |--------|------|---------|
 | **Core Platform** | | |
 | Authority | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP |
 | Gateway | `src/Gateway/` | API gateway with routing and transport abstraction |
 | Router | `src/__Libraries/StellaOps.Router.*` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) |
 | **Data Ingestion** | | |
 | Concelier | `src/Concelier/` | Vulnerability advisory ingestion and merge engine |
 | CLI | `src/Cli/` | Command-line interface for scanner distribution and job control |
 | Scanner | `src/Scanner/` | Container scanning with SBOM generation |
 | Authority | `src/Authority/` | Authentication and authorization |
 | Signer | `src/Signer/` | Cryptographic signing operations |
 | Attestor | `src/Attestor/` | in-toto/DSSE attestation generation |
 | Excititor | `src/Excititor/` | VEX document ingestion and export |
-| Policy | `src/Policy/` | OPA/Rego policy engine |
+| VexLens | `src/VexLens/` | VEX consensus computation across issuers |
 | IssuerDirectory | `src/IssuerDirectory/` | Issuer trust registry (CSAF publishers) |
 | **Scanning & Analysis** | | |
 | Scanner | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers) |
 | BinaryIndex | `src/BinaryIndex/` | Binary identity extraction and fingerprinting |
 | AdvisoryAI | `src/AdvisoryAI/` | AI-assisted advisory analysis |
 | **Artifacts & Evidence** | | |
 | Attestor | `src/Attestor/` | in-toto/DSSE attestation generation |
 | Signer | `src/Signer/` | Cryptographic signing operations |
 | SbomService | `src/SbomService/` | SBOM storage, versioning, and lineage ledger |
 | EvidenceLocker | `src/EvidenceLocker/` | Sealed evidence storage and export |
 | ExportCenter | `src/ExportCenter/` | Batch export and report generation |
 | VexHub | `src/VexHub/` | VEX distribution and exchange hub |
 | **Policy & Risk** | | |
 | Policy | `src/Policy/` | Policy engine with K4 lattice logic |
 | VulnExplorer | `src/VulnExplorer/` | Vulnerability exploration and triage UI backend |
 | **Operations** | | |
 | Scheduler | `src/Scheduler/` | Job scheduling and queue management |
-| Notify | `src/Notify/` | Notification delivery (Email, Slack, Teams) |
+| Orchestrator | `src/Orchestrator/` | Workflow orchestration and task coordination |
 | TaskRunner | `src/TaskRunner/` | Task pack execution engine |
 | Notify | `src/Notify/` | Notification delivery (Email, Slack, Teams, Webhooks) |
 | **Integration** | | |
 | CLI | `src/Cli/` | Command-line interface (Native AOT) |
 | Zastava | `src/Zastava/` | Container registry webhook observer |
 | Web | `src/Web/` | Angular 17 frontend SPA |
 | **Infrastructure** | | |
 | Cryptography | `src/Cryptography/` | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) |
 | Telemetry | `src/Telemetry/` | OpenTelemetry traces, metrics, logging |
 | Graph | `src/Graph/` | Call graph and reachability data structures |
 | Signals | `src/Signals/` | Runtime signal collection and correlation |
 | Replay | `src/Replay/` | Deterministic replay engine |
 > **Note:** See `docs/modules/<module>/architecture.md` for detailed module dossiers.
 ### Code Organization Patterns
 - **Libraries:** `src/<Module>/__Libraries/StellaOps.<Module>.*`
 - **Tests:** `src/<Module>/__Tests/StellaOps.<Module>.*.Tests/`
 - **Plugins:** Follow naming `StellaOps.<Module>.Connector.*` or `StellaOps.<Module>.Plugin.*`
- **Shared test infrastructure:** `StellaOps.Concelier.Testing` provides MongoDB fixtures
+- **Shared test infrastructure:** `StellaOps.Concelier.Testing` and `StellaOps.Infrastructure.Postgres.Testing` provide PostgreSQL fixtures
 ### Naming Conventions
@@ -125,9 +154,13 @@ The codebase follows a monorepo pattern with modules under `src/`:
 ### Test Layout
- Module tests: `StellaOps.<Module>.<Component>.Tests`
+- **Module tests:** `src/<Module>/__Tests/StellaOps.<Module>.<Component>.Tests/`
- Shared fixtures/harnesses: `StellaOps.<Module>.Testing`
+- **Global tests:** `src/__Tests/{Category}/` (Integration, Acceptance, Load, Security, Chaos, E2E, etc.)
- Tests use xUnit, Mongo2Go for MongoDB integration tests
+- **Shared testing libraries:** `src/__Tests/__Libraries/StellaOps.*.Testing/`
 - **Benchmarks & golden corpus:** `src/__Tests/__Benchmarks/`
 - **Ground truth datasets:** `src/__Tests/__Datasets/`
 - Tests use xUnit, Testcontainers for PostgreSQL integration tests
 - See `src/__Tests/AGENTS.md` for detailed test infrastructure guidance
 ### Documentation Updates
@@ -154,8 +187,15 @@ When working in this repository, behavior changes based on the role specified:
 ### As Project Manager
- Sprint files follow format: `SPRINT_<IMPLID>_<BATCHID>_<SPRINTID>_<topic>.md`
+Create implementation sprint files under `docs/implplan/` using the **mandatory** sprint filename format:
- IMPLID epochs: `1000` basic libraries, `2000` ingestion, `3000` backend services, `4000` CLI/UI, `5000` docs, `6000` marketing
+
 `SPRINT_<IMPLID>_<BATCHID>_<MODULEID>_<topic_in_few_words>.md`
 - `<IMPLID>`: implementation epoch (e.g., `20251219`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch.
 - `<BATCHID>`: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature.
 - `<MODULEID>`: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc.
 - `<topic_in_few_words>`: short topic description.
 - **If any existing sprint file name or internal format deviates from the standard, rename/normalize it** and record the change in its **Execution Log**.
 - Normalize sprint files to standard template while preserving content
 - Ensure module `AGENTS.md` files exist and are up to date
@@ -200,6 +240,8 @@ Before coding, confirm required docs are read:
 - **Architecture overview:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - **Module dossiers:** `docs/modules/<module>/architecture.md`
 - **Database specification:** `docs/db/SPECIFICATION.md`
 - **PostgreSQL operations:** `docs/operations/postgresql-guide.md`
 - **API/CLI reference:** `docs/09_API_CLI_REFERENCE.md`
 - **Offline operation:** `docs/24_OFFLINE_KIT.md`
 - **Quickstart:** `docs/10_CONCELIER_CLI_QUICKSTART.md`
@@ -216,5 +258,5 @@ Workflows are in `.gitea/workflows/`. Key workflows:
 ## Environment Variables
 - `STELLAOPS_BACKEND_URL` - Backend API URL for CLI
- `STELLAOPS_TEST_MONGO_URI` - MongoDB connection string for integration tests
+- `STELLAOPS_TEST_POSTGRES_CONNECTION` - PostgreSQL connection string for integration tests
 - `StellaOpsEnableCryptoPro` - Enable GOST crypto support (set to `true` in build)
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -2,23 +2,15 @@
  <PropertyGroup>
    <StellaOpsRepoRoot Condition="'$(StellaOpsRepoRoot)' == ''">$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))</StellaOpsRepoRoot>
    <StellaOpsLocalNuGetSource Condition="'$(StellaOpsLocalNuGetSource)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot)local-nugets/'))</StellaOpsLocalNuGetSource>
    <StellaOpsDotNetPublicSource Condition="'$(StellaOpsDotNetPublicSource)' == ''">https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json</StellaOpsDotNetPublicSource>
    <StellaOpsNuGetOrgSource Condition="'$(StellaOpsNuGetOrgSource)' == ''">https://api.nuget.org/v3/index.json</StellaOpsNuGetOrgSource>
    <_StellaOpsDefaultRestoreSources>$(StellaOpsLocalNuGetSource);$(StellaOpsDotNetPublicSource);$(StellaOpsNuGetOrgSource)</_StellaOpsDefaultRestoreSources>
    <_StellaOpsOriginalRestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(RestoreSources)</_StellaOpsOriginalRestoreSources>
    <RestorePackagesPath Condition="'$(RestorePackagesPath)' == ''">$([System.IO.Path]::GetFullPath('$(StellaOpsRepoRoot).nuget/packages'))</RestorePackagesPath>
    <RestoreConfigFile Condition="'$(RestoreConfigFile)' == ''">$([System.IO.Path]::Combine('$(StellaOpsRepoRoot)','NuGet.config'))</RestoreConfigFile>
    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' == ''">$(_StellaOpsDefaultRestoreSources)</RestoreSources>
    <RestoreSources Condition="'$(_StellaOpsOriginalRestoreSources)' != ''">$(_StellaOpsDefaultRestoreSources);$(_StellaOpsOriginalRestoreSources)</RestoreSources>
    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>
  <PropertyGroup>
    <StellaOpsEnableCryptoPro Condition="'$(StellaOpsEnableCryptoPro)' == ''">false</StellaOpsEnableCryptoPro>
-    <NoWarn>$(NoWarn);NU1608;NU1605</NoWarn>
+    <NoWarn>$(NoWarn);NU1608;NU1605;NU1202</NoWarn>
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605</WarningsNotAsErrors>
+    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1608;NU1605;NU1202</WarningsNotAsErrors>
-    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605</RestoreNoWarn>
+    <RestoreNoWarn>$(RestoreNoWarn);NU1608;NU1605;NU1202</RestoreNoWarn>
    <RestoreWarningsAsErrors></RestoreWarningsAsErrors>
    <RestoreTreatWarningsAsErrors>false</RestoreTreatWarningsAsErrors>
    <RestoreDisableImplicitNuGetFallbackFolder>true</RestoreDisableImplicitNuGetFallbackFolder>
@@ -31,6 +23,10 @@
    <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
  </PropertyGroup>
  <PropertyGroup>
    <AssetTargetFallback>$(AssetTargetFallback);net8.0;net7.0;net6.0;netstandard2.1;netstandard2.0</AssetTargetFallback>
  </PropertyGroup>
  <PropertyGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">
    <DefineConstants>$(DefineConstants);STELLAOPS_CRYPTO_PRO</DefineConstants>
  </PropertyGroup>
@@ -43,4 +39,52 @@
    <PackageReference Update="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
  </ItemGroup>
  <!-- .NET 10 compatible package version overrides -->
  <ItemGroup>
    <!-- Cryptography packages - updated for net10.0 compatibility -->
    <PackageReference Update="BouncyCastle.Cryptography" Version="2.6.2" />
    <PackageReference Update="Pkcs11Interop" Version="5.1.2" />
    <!-- Resilience - Polly 8.x for .NET 6+ -->
    <PackageReference Update="Polly" Version="8.5.2" />
    <PackageReference Update="Polly.Core" Version="8.5.2" />
    <!-- YAML - updated for net10.0 -->
    <PackageReference Update="YamlDotNet" Version="16.3.0" />
    <!-- JSON Schema packages -->
    <PackageReference Update="JsonSchema.Net" Version="7.3.2" />
    <PackageReference Update="Json.More.Net" Version="2.1.0" />
    <PackageReference Update="JsonPointer.Net" Version="5.1.0" />
    <!-- HTML parsing -->
    <PackageReference Update="AngleSharp" Version="1.2.0" />
    <!-- Scheduling -->
    <PackageReference Update="Cronos" Version="0.9.0" />
    <!-- Testing - xUnit 2.9.3 for .NET 10 -->
    <PackageReference Update="xunit" Version="2.9.3" />
    <PackageReference Update="xunit.assert" Version="2.9.3" />
    <PackageReference Update="xunit.extensibility.core" Version="2.9.3" />
    <PackageReference Update="xunit.extensibility.execution" Version="2.9.3" />
    <PackageReference Update="xunit.runner.visualstudio" Version="3.0.1" />
    <PackageReference Update="xunit.abstractions" Version="2.0.3" />
    <!-- JSON -->
    <PackageReference Update="Newtonsoft.Json" Version="13.0.4" />
    <!-- Annotations -->
    <PackageReference Update="JetBrains.Annotations" Version="2024.3.0" />
    <!-- Async interfaces -->
    <PackageReference Update="Microsoft.Bcl.AsyncInterfaces" Version="10.0.0" />
    <!-- HTTP Resilience integration (replaces Http.Polly) -->
    <PackageReference Update="Microsoft.Extensions.Http.Resilience" Version="10.0.0" />
    <!-- Testing packages - aligned to 10.0.0 -->
    <PackageReference Update="Microsoft.Extensions.TimeProvider.Testing" Version="10.0.0" />
  </ItemGroup>
 </Project>
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -1,8 +1,10 @@
 # Third-Party Notices
-This project bundles or links against the following third-party components in the scanner Ruby analyzer implementation:
+This project bundles or links against the following third-party components:
- **tree-sitter** (MIT License, © 2018 Max Brunsfeld)
+- **tree-sitter** (MIT License, (c) 2018 Max Brunsfeld)
- **tree-sitter-ruby** (MIT License, © 2016 Rob Rix)
+- **tree-sitter-ruby** (MIT License, (c) 2016 Rob Rix)
 - **GostCryptography (fork)** (MIT License, (c) 2014-2024 AlexMAS) — vendored under `third_party/forks/AlexMAS.GostCryptography` for GOST support in `StellaOps.Cryptography.Plugin.CryptoPro` and related sovereign crypto plug-ins.
 - **CryptoPro CSP integration** (Commercial, customer-provided) — StellaOps ships only integration code; CryptoPro CSP binaries and licenses are not redistributed and must be supplied by the operator per vendor EULA.
 License texts are available under third-party-licenses/.
--- a/NuGet.config
+++ b/NuGet.config
@@ -1,14 +1,13 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
  <config>
    <!-- Centralize package cache to prevent .nuget-* directory sprawl -->
    <add key="globalPackagesFolder" value=".nuget/packages" />
  </config>
  <packageSources>
    <clear />
    <add key="local-nugets" value="./local-nugets" />
    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <add key="globalPackagesFolder" value="./.nuget/packages" />
  </config>
  <fallbackPackageFolders>
    <clear />
  </fallbackPackageFolders>
--- a/README.md
+++ b/README.md
@@ -1,33 +0,0 @@
 # StellaOps Concelier & CLI
 This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
 first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from
 authoritative sources, stores them in MongoDB, and exports deterministic JSON and
 Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
 control against the Concelier API.
 ## Quickstart
 1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`.
 2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry
   settings.
 3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token
   lifetimes, and plug-in descriptors, then edit the companion manifests under
   `etc/authority.plugins/*.yaml` to match your deployment.
 4. Start the web service with `dotnet run --project src/Concelier/StellaOps.Concelier.WebService`.
 5. Configure the CLI via environment variables (e.g. `STELLAOPS_BACKEND_URL`) and trigger
   jobs with `dotnet run --project src/Cli/StellaOps.Cli -- db merge`.
 Detailed operator guidance is available in `docs/10_CONCELIER_CLI_QUICKSTART.md`. API and
 command reference material lives in `docs/09_API_CLI_REFERENCE.md`.
 Pipeline note: deployment workflows should template `etc/concelier.yaml` during CI/CD,
 injecting environment-specific Mongo credentials and telemetry endpoints. Upcoming
 releases will add Microsoft OAuth (Entra ID) authentication support—track the quickstart
 for integration steps once available.
 ## Documentation
 - `docs/README.md` now consolidates the platform index and points to the updated high-level architecture.
 - Module architecture dossiers now live under `docs/modules/<module>/`. The most relevant here are `docs/modules/concelier/ARCHITECTURE.md` (service layout, merge engine, exports) and `docs/modules/cli/ARCHITECTURE.md` (command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy.
 - Offline operation guidance moved to `docs/24_OFFLINE_KIT.md`, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay in `docs/modules/concelier/operations/connectors/*.md` with companion runbooks in `docs/modules/concelier/operations/`.
--- a/StellaOps.Router.slnx
+++ b/StellaOps.Router.slnx
@@ -1,19 +1,17 @@
 <Solution>
  <Folder Name="/src/" />
  <Folder Name="/src/Gateway/">
    <Project Path="src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj" />
  </Folder>
  <Folder Name="/src/__Libraries/">
    <Project Path="src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj" />
    <Project Path="src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Gateway/StellaOps.Router.Gateway.csproj" />
    <Project Path="src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj" />
  </Folder>
  <Folder Name="/tests/">
    <Project Path="tests/StellaOps.Gateway.WebService.Tests/StellaOps.Gateway.WebService.Tests.csproj" />
    <Project Path="tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Gateway.Tests/StellaOps.Router.Gateway.Tests.csproj" />
    <Project Path="tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj" />
  </Folder>
 </Solution>
--- a/bench/README.md
+++ b/bench/README.md
@@ -1,30 +0,0 @@
 # Stella Ops Bench Repository
 > **Status:** Draft — aligns with `docs/benchmarks/vex-evidence-playbook.md` (Sprint 401).  
 > **Purpose:** Host reproducible VEX decisions and comparison data that prove Stella Ops’ signal quality vs. baseline scanners.
 ## Layout
 ```
 bench/
  README.md                 # this file
  findings/                 # per CVE/product bundles
    CVE-YYYY-NNNNN/
      evidence/
        reachability.json
        sbom.cdx.json
      decision.openvex.json
      decision.dsse.json
      rekor.txt
      metadata.json
  tools/
    verify.sh               # DSSE + Rekor verifier
    verify.py               # offline verifier
    compare.py              # baseline comparison script
    replay.sh               # runs reachability replay manifolds
  results/
    summary.csv
    runs/<date>/...         # raw outputs + replay manifests
 ```
 Refer to `docs/benchmarks/vex-evidence-playbook.md` for artifact contracts and automation tasks. The `bench/` tree will be populated once `BENCH-AUTO-401-019` and `DOCS-VEX-401-012` land.
--- a/concelier-webservice.slnf
+++ b/concelier-webservice.slnf
@@ -1,9 +0,0 @@
 {
  "solution": {
    "path": "src/Concelier/StellaOps.Concelier.sln",
    "projects": [
      "StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj",
      "__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj"
    ]
  }
 }
--- a/config/crypto-profiles.sample.json
+++ b/config/crypto-profiles.sample.json
@@ -0,0 +1,34 @@
 {
  "StellaOps": {
    "Crypto": {
      "Registry": {
        "ActiveProfile": "world",
        "PreferredProviders": [ "default" ],
        "Profiles": {
          "ru-free": { "PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ] },
          "ru-paid": { "PreferredProviders": [ "ru.cryptopro.csp", "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ] },
          "sm": { "PreferredProviders": [ "cn.sm.soft", "sim.crypto.remote" ] },
          "eidas": { "PreferredProviders": [ "eu.eidas.soft", "sim.crypto.remote" ] },
          "fips": { "PreferredProviders": [ "fips.ecdsa.soft", "sim.crypto.remote" ] },
          "kcmvp": { "PreferredProviders": [ "kr.kcmvp.hash", "sim.crypto.remote" ] },
          "pq": { "PreferredProviders": [ "pq.soft", "sim.crypto.remote" ] }
        }
      },
      "Sim": {
        "BaseAddress": "http://localhost:8080"
      },
      "CryptoPro": {
        "Keys": [],
        "LicenseNote": "Customer-provided CryptoPro CSP .deb packages; set CRYPTOPRO_ACCEPT_EULA=1; Linux only."
      },
      "Pkcs11": {
        "LibraryPath": "/usr/lib/pkcs11/lib.so",
        "Keys": []
      }
    },
    "Compliance": {
      "ProfileId": "world",
      "StrictValidation": true
    }
  }
 }
--- a/config/env/.env.eidas.example
+++ b/config/env/.env.eidas.example
@@ -0,0 +1,8 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=eidas
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=eidas
 EIDAS_SOFT_ALLOWED=1
 # QSCD PKCS#11 path + PIN when hardware is available:
 # STELLAOPS__CRYPTO__PKCS11__LIBRARYPATH=/usr/lib/qscd/libpkcs11.so
 # EIDAS_QSCD_PIN=changeme
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/config/env/.env.fips.example
+++ b/config/env/.env.fips.example
@@ -0,0 +1,6 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=fips
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=fips
 FIPS_SOFT_ALLOWED=1
 # Optional: AWS_USE_FIPS_ENDPOINTS=true
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/config/env/.env.kcmvp.example
+++ b/config/env/.env.kcmvp.example
@@ -0,0 +1,5 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=kcmvp
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=kcmvp
 KCMVP_HASH_ALLOWED=1
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/config/env/.env.ru-free.example
+++ b/config/env/.env.ru-free.example
@@ -0,0 +1,6 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=gost
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=ru-free
 STELLAOPS_CRYPTO_ENABLE_RU_OPENSSL=1
 STELLAOPS_RU_OPENSSL_REMOTE_URL=
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/config/env/.env.ru-paid.example
+++ b/config/env/.env.ru-paid.example
@@ -0,0 +1,7 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=gost
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=ru-paid
 STELLAOPS_CRYPTO_ENABLE_RU_CSP=1
 CRYPTOPRO_ACCEPT_EULA=1
 # Bind customer-provided debs to /opt/cryptopro/downloads inside the service container.
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/config/env/.env.sm.example
+++ b/config/env/.env.sm.example
@@ -0,0 +1,6 @@
 STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=sm
 STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE=sm
 SM_SOFT_ALLOWED=1
 STELLAOPS_CRYPTO_ENABLE_SM_PKCS11=0
 STELLAOPS_CRYPTO_ENABLE_SIM=1
 STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
--- a/deploy/ansible/README.md
+++ b/deploy/ansible/README.md
@@ -0,0 +1,181 @@
 # Zastava Agent Ansible Deployment
 Ansible playbook for deploying StellaOps Zastava Agent on VM/bare-metal hosts.
 ## Prerequisites
 - Ansible 2.10 or later
 - Target hosts must have:
  - Docker installed and running
  - SSH access with sudo privileges
  - systemd as init system
  - Internet access (for downloading agent binaries) OR local artifact repository
 ## Quick Start
 1. **Create inventory file:**
   ```bash
   cp inventory.yml.sample inventory.yml
   ```
 2. **Edit inventory with your hosts and configuration:**
   ```yaml
   zastava_agents:
     hosts:
       your-host:
         ansible_host: 192.168.1.100
         ansible_user: ubuntu
     vars:
       zastava_tenant: your-tenant
       scanner_backend_url: https://scanner.internal
   ```
 3. **Run the playbook:**
   ```bash
   ansible-playbook -i inventory.yml zastava-agent.yml
   ```
 ## Configuration Variables
 ### Required Variables
 | Variable | Description |
 |----------|-------------|
 | `zastava_tenant` | Tenant identifier for multi-tenancy isolation |
 | `scanner_backend_url` | URL of the Scanner backend service |
 ### Optional Variables
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `zastava_version` | `latest` | Agent version to deploy |
 | `zastava_node_name` | hostname | Override node name in events |
 | `zastava_health_port` | `8080` | Health check HTTP port |
 | `docker_socket` | `/var/run/docker.sock` | Docker socket path |
 | `zastava_log_level` | `Information` | Serilog log level |
 | `scanner_backend_insecure` | `false` | Allow HTTP backend (NOT for production) |
 | `download_base_url` | `https://releases.stellaops.org` | Base URL for agent downloads |
 ### Advanced Variables
 | Variable | Description |
 |----------|-------------|
 | `zastava_extra_env` | Dictionary of additional environment variables |
 ## Directory Structure
 After deployment, the agent is installed with the following structure:
 ```
 /opt/stellaops/zastava-agent/        # Agent binaries
 /etc/stellaops/zastava-agent.env     # Environment configuration
 /var/lib/zastava-agent/              # Data directory
 /var/lib/zastava-agent/runtime-events/  # Event buffer (disk-backed)
 /etc/systemd/system/zastava-agent.service  # systemd unit
 ```
 ## Post-Deployment Verification
 ### Check Service Status
 ```bash
 systemctl status zastava-agent
 ```
 ### View Logs
 ```bash
 journalctl -u zastava-agent -f
 ```
 ### Health Endpoints
 | Endpoint | Description |
 |----------|-------------|
 | `/healthz` | Liveness probe - agent is running |
 | `/readyz` | Readiness probe - agent can process events |
 | `/livez` | Alias for liveness probe |
 ```bash
 curl http://localhost:8080/healthz
 curl http://localhost:8080/readyz
 ```
 ## Air-Gapped Deployment
 For air-gapped environments:
 1. Download agent tarball to a local artifact server
 2. Set `download_base_url` to your local server:
   ```yaml
   download_base_url: https://artifacts.internal/stellaops
   ```
 3. Ensure the URL structure matches:
   `{download_base_url}/zastava-agent/{version}/zastava-agent-linux-{arch}.tar.gz`
 ## Security Notes
 ### Docker Socket Access
 The agent requires read access to the Docker socket to monitor container events.
 The service runs as the `zastava-agent` user in the `docker` group.
 See `docs/modules/zastava/operations/docker-socket-permissions.md` for security
 considerations and alternative configurations.
 ### systemd Hardening
 The service unit includes security hardening:
 - `NoNewPrivileges=true` - Prevent privilege escalation
 - `ProtectSystem=strict` - Read-only system directories
 - `PrivateTmp=true` - Isolated /tmp
 - `ProtectKernelTunables=true` - No kernel parameter modification
 - Resource limits on file descriptors and memory
 ## Troubleshooting
 ### Agent Won't Start
 1. Check Docker service: `systemctl status docker`
 2. Verify Docker socket permissions: `ls -la /var/run/docker.sock`
 3. Check agent logs: `journalctl -u zastava-agent -e`
 ### Cannot Connect to Backend
 1. Verify network connectivity: `curl -I ${scanner_backend_url}/healthz`
 2. Check TLS certificates if using HTTPS
 3. Ensure firewall allows outbound connections
 ### Events Not Being Sent
 1. Check event buffer directory permissions
 2. Verify health endpoint returns healthy: `curl localhost:8080/readyz`
 3. Check agent logs for connection errors
 ## Uninstallation
 To remove the agent:
 ```bash
 # Stop and disable service
 sudo systemctl stop zastava-agent
 sudo systemctl disable zastava-agent
 # Remove files
 sudo rm -rf /opt/stellaops/zastava-agent
 sudo rm -f /etc/stellaops/zastava-agent.env
 sudo rm -f /etc/systemd/system/zastava-agent.service
 sudo rm -rf /var/lib/zastava-agent
 # Remove user
 sudo userdel zastava-agent
 # Reload systemd
 sudo systemctl daemon-reload
 ```
--- a/deploy/ansible/files/zastava-agent.service
+++ b/deploy/ansible/files/zastava-agent.service
@@ -0,0 +1,58 @@
 [Unit]
 Description=StellaOps Zastava Agent - Container Runtime Monitor
 Documentation=https://docs.stellaops.org/zastava/agent/
 After=network-online.target docker.service containerd.service
 Wants=network-online.target
 Requires=docker.service
 [Service]
 Type=notify
 ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
 WorkingDirectory=/opt/stellaops/zastava-agent
 Restart=always
 RestartSec=5
 # Environment configuration
 EnvironmentFile=-/etc/stellaops/zastava-agent.env
 Environment=DOTNET_ENVIRONMENT=Production
 Environment=ASPNETCORE_ENVIRONMENT=Production
 # User and permissions
 User=zastava-agent
 Group=docker
 # Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
 PrivateTmp=true
 PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 # Allow read access to Docker socket
 ReadWritePaths=/var/run/docker.sock
 ReadWritePaths=/var/lib/zastava-agent
 # Capabilities
 CapabilityBoundingSet=
 AmbientCapabilities=
 # Resource limits
 LimitNOFILE=65536
 LimitNPROC=4096
 MemoryMax=512M
 # Logging
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=zastava-agent
 # Watchdog (5 minute timeout)
 WatchdogSec=300
 [Install]
 WantedBy=multi-user.target
--- a/deploy/ansible/inventory.yml.sample
+++ b/deploy/ansible/inventory.yml.sample
@@ -0,0 +1,46 @@
 ---
 # Sample Ansible Inventory for Zastava Agent Deployment
 #
 # Copy this file to inventory.yml and customize for your environment.
 # Then run: ansible-playbook -i inventory.yml zastava-agent.yml
 all:
  children:
    zastava_agents:
      hosts:
        # Add your VM/bare-metal hosts here
        vm-node-1:
          ansible_host: 192.168.1.101
          ansible_user: ubuntu
        vm-node-2:
          ansible_host: 192.168.1.102
          ansible_user: ubuntu
        # Example with SSH key
        vm-node-3:
          ansible_host: 192.168.1.103
          ansible_user: root
          ansible_ssh_private_key_file: ~/.ssh/stellaops_key
      vars:
        # Required: Set these for your environment
        zastava_tenant: my-tenant
        scanner_backend_url: https://scanner.example.com
        # Optional: Override node name per host
        # zastava_node_name: custom-node-name
        # Optional: Change health check port
        # zastava_health_port: 8080
        # Optional: Custom Docker socket path
        # docker_socket: /var/run/docker.sock
        # Optional: Set log level (Verbose, Debug, Information, Warning, Error)
        # zastava_log_level: Information
        # Optional: Allow insecure HTTP (NOT for production)
        # scanner_backend_insecure: false
        # Optional: Additional environment variables
        # zastava_extra_env:
        #   CUSTOM_VAR: custom_value
--- a/deploy/ansible/templates/zastava-agent.env.j2
+++ b/deploy/ansible/templates/zastava-agent.env.j2
@@ -0,0 +1,40 @@
 # StellaOps Zastava Agent Configuration
 # Managed by Ansible - Do not edit manually
 # Generated: {{ ansible_date_time.iso8601 }}
 # Tenant identifier for multi-tenancy
 ZASTAVA_TENANT={{ zastava_tenant }}
 # Scanner backend URL
 ZASTAVA_AGENT__Backend__BaseAddress={{ scanner_backend_url }}
 {% if zastava_node_name is defined %}
 # Node name override
 ZASTAVA_NODE_NAME={{ zastava_node_name }}
 {% endif %}
 # Docker socket endpoint
 ZASTAVA_AGENT__DockerEndpoint=unix://{{ docker_socket }}
 # Event buffer path
 ZASTAVA_AGENT__EventBufferPath={{ zastava_data_dir }}/runtime-events
 # Health check port
 ZASTAVA_AGENT__HealthCheck__Port={{ zastava_health_port }}
 {% if scanner_backend_insecure | default(false) | bool %}
 # WARNING: Insecure HTTP backend enabled
 ZASTAVA_AGENT__Backend__AllowInsecureHttp=true
 {% endif %}
 {% if zastava_log_level is defined %}
 # Logging level
 Serilog__MinimumLevel__Default={{ zastava_log_level }}
 {% endif %}
 {% if zastava_extra_env is defined %}
 # Additional environment variables
 {% for key, value in zastava_extra_env.items() %}
 {{ key }}={{ value }}
 {% endfor %}
 {% endif %}
--- a/deploy/ansible/zastava-agent.yml
+++ b/deploy/ansible/zastava-agent.yml
@@ -0,0 +1,232 @@
 ---
 # Ansible Playbook for Zastava Agent VM/Bare-Metal Deployment
 #
 # Requirements:
 # - Target hosts must have Docker installed and running
 # - Ansible 2.10+ with community.docker collection
 #
 # Usage:
 #   ansible-playbook -i inventory.yml zastava-agent.yml \
 #     -e zastava_tenant=my-tenant \
 #     -e scanner_backend_url=https://scanner.internal
 #
 # Variables (can be set in inventory or via -e):
 #   zastava_tenant: Tenant identifier (required)
 #   scanner_backend_url: Scanner backend URL (required)
 #   zastava_version: Version to deploy (default: latest)
 #   zastava_node_name: Override node name (default: hostname)
 #   zastava_health_port: Health check port (default: 8080)
 #   docker_socket: Docker socket path (default: /var/run/docker.sock)
 - name: Deploy StellaOps Zastava Agent
  hosts: zastava_agents
  become: true
  vars:
    zastava_version: "{{ zastava_version | default('latest') }}"
    zastava_install_dir: /opt/stellaops/zastava-agent
    zastava_config_dir: /etc/stellaops
    zastava_data_dir: /var/lib/zastava-agent
    zastava_user: zastava-agent
    zastava_group: docker
    zastava_health_port: "{{ zastava_health_port | default(8080) }}"
    docker_socket: "{{ docker_socket | default('/var/run/docker.sock') }}"
    download_base_url: "{{ download_base_url | default('https://releases.stellaops.org') }}"
  pre_tasks:
    - name: Validate required variables
      ansible.builtin.assert:
        that:
          - zastava_tenant is defined and zastava_tenant | length > 0
          - scanner_backend_url is defined and scanner_backend_url | length > 0
        fail_msg: |
          Required variables not set.
          Please provide:
            - zastava_tenant: Your tenant identifier
            - scanner_backend_url: Scanner backend URL
    - name: Check Docker service is running
      ansible.builtin.systemd:
        name: docker
        state: started
      check_mode: true
      register: docker_status
    - name: Fail if Docker is not available
      ansible.builtin.fail:
        msg: "Docker service is not running on {{ inventory_hostname }}"
      when: docker_status.status.ActiveState != 'active'
  tasks:
    # =========================================================================
    # User and Directory Setup
    # =========================================================================
    - name: Create zastava-agent system user
      ansible.builtin.user:
        name: "{{ zastava_user }}"
        comment: StellaOps Zastava Agent
        system: true
        shell: /usr/sbin/nologin
        groups: "{{ zastava_group }}"
        create_home: false
        state: present
    - name: Create installation directory
      ansible.builtin.file:
        path: "{{ zastava_install_dir }}"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0755'
    - name: Create configuration directory
      ansible.builtin.file:
        path: "{{ zastava_config_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
    - name: Create data directory
      ansible.builtin.file:
        path: "{{ zastava_data_dir }}"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0750'
    - name: Create event buffer directory
      ansible.builtin.file:
        path: "{{ zastava_data_dir }}/runtime-events"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0750'
    # =========================================================================
    # Download and Install Agent
    # =========================================================================
    - name: Determine architecture
      ansible.builtin.set_fact:
        arch_suffix: "{{ 'x64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}"
    - name: Download Zastava Agent binary
      ansible.builtin.get_url:
        url: "{{ download_base_url }}/zastava-agent/{{ zastava_version }}/zastava-agent-linux-{{ arch_suffix }}.tar.gz"
        dest: /tmp/zastava-agent.tar.gz
        mode: '0644'
      register: download_result
      retries: 3
      delay: 5
    - name: Extract Zastava Agent
      ansible.builtin.unarchive:
        src: /tmp/zastava-agent.tar.gz
        dest: "{{ zastava_install_dir }}"
        remote_src: true
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        extra_opts:
          - --strip-components=1
      notify: Restart zastava-agent
    - name: Make agent binary executable
      ansible.builtin.file:
        path: "{{ zastava_install_dir }}/StellaOps.Zastava.Agent"
        mode: '0755'
    - name: Clean up downloaded archive
      ansible.builtin.file:
        path: /tmp/zastava-agent.tar.gz
        state: absent
    # =========================================================================
    # Configuration
    # =========================================================================
    - name: Deploy environment configuration
      ansible.builtin.template:
        src: zastava-agent.env.j2
        dest: "{{ zastava_config_dir }}/zastava-agent.env"
        owner: root
        group: "{{ zastava_group }}"
        mode: '0640'
      notify: Restart zastava-agent
    # =========================================================================
    # systemd Service
    # =========================================================================
    - name: Install systemd service unit
      ansible.builtin.copy:
        src: zastava-agent.service
        dest: /etc/systemd/system/zastava-agent.service
        owner: root
        group: root
        mode: '0644'
      notify:
        - Reload systemd
        - Restart zastava-agent
    - name: Enable and start zastava-agent service
      ansible.builtin.systemd:
        name: zastava-agent
        state: started
        enabled: true
        daemon_reload: true
    # =========================================================================
    # Health Verification
    # =========================================================================
    - name: Wait for agent health endpoint
      ansible.builtin.uri:
        url: "http://localhost:{{ zastava_health_port }}/healthz"
        method: GET
        status_code: 200
      register: health_result
      retries: 30
      delay: 2
      until: health_result.status == 200
    - name: Display agent status
      ansible.builtin.debug:
        msg: "Zastava Agent deployed successfully on {{ inventory_hostname }}"
  handlers:
    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
    - name: Restart zastava-agent
      ansible.builtin.systemd:
        name: zastava-agent
        state: restarted
 # =============================================================================
 # Post-deployment verification play
 # =============================================================================
 - name: Verify Zastava Agent Deployment
  hosts: zastava_agents
  become: false
  gather_facts: false
  tasks:
    - name: Check agent readiness
      ansible.builtin.uri:
        url: "http://localhost:{{ zastava_health_port | default(8080) }}/readyz"
        method: GET
        return_content: true
      register: ready_check
    - name: Display deployment summary
      ansible.builtin.debug:
        msg: |
          Zastava Agent Deployment Summary:
          - Host: {{ inventory_hostname }}
          - Status: {{ 'Ready' if ready_check.status == 200 else 'Not Ready' }}
          - Health Endpoint: http://localhost:{{ zastava_health_port | default(8080) }}/healthz
          - Tenant: {{ zastava_tenant }}
          - Backend: {{ scanner_backend_url }}
--- a/deploy/compose/README.md
+++ b/deploy/compose/README.md
@@ -81,7 +81,7 @@ in the `.env` samples match the options bound by `AddSchedulerWorker`:
 - `SCHEDULER_QUEUE_KIND` – queue transport (`Nats` or `Redis`).
 - `SCHEDULER_QUEUE_NATS_URL` – NATS connection string used by planner/runner consumers.
- `SCHEDULER_STORAGE_DATABASE` – MongoDB database name for scheduler state.
+- `SCHEDULER_STORAGE_DATABASE` – PostgreSQL database name for scheduler state.
 - `SCHEDULER_SCANNER_BASEADDRESS` – base URL the runner uses when invoking Scanner’s
  `/api/v1/reports` (defaults to the in-cluster `http://scanner-web:8444`).
--- a/deploy/compose/docker-compose.airgap.yaml
+++ b/deploy/compose/docker-compose.airgap.yaml
@@ -8,8 +8,7 @@ networks:
    driver: bridge
 volumes:
-  mongo-data:
+  valkey-data:
  minio-data:
  rustfs-data:
  concelier-jobs:
  nats-data:
@@ -20,46 +19,42 @@ volumes:
  advisory-ai-outputs:
 services:
  mongo:
    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
    command: ["mongod", "--bind_ip_all"]
    restart: unless-stopped
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
    volumes:
      - mongo-data:/data/db
    networks:
      - stellaops
    labels: *release-labels
  postgres:
-    image: docker.io/library/postgres:16
+    image: docker.io/library/postgres:17
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
-      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
+      POSTGRES_DB: "${POSTGRES_DB:-stellaops}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    command:
      - "postgres"
      - "-c"
      - "shared_preload_libraries=pg_stat_statements"
      - "-c"
      - "pg_stat_statements.track=all"
    ports:
      - "${POSTGRES_PORT:-25432}:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - stellaops
    labels: *release-labels
-  minio:
+  valkey:
-    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    image: docker.io/valkey/valkey:8.0
    command: ["server", "/data", "--console-address", ":9001"]
    restart: unless-stopped
-    environment:
+    command: ["valkey-server", "--appendonly", "yes"]
      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
    volumes:
-      - minio-data:/data
+      - valkey-data:/data
    ports:
-      - "${MINIO_CONSOLE_PORT:-29001}:9001"
+      - "${VALKEY_PORT:-26379}:6379"
    networks:
      - stellaops
    labels: *release-labels
@@ -98,10 +93,13 @@ services:
    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - valkey
    environment:
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
-      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
@@ -117,11 +115,13 @@ services:
    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
-      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SIGNER__STORAGE__DRIVER: "postgres"
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
@@ -133,9 +133,11 @@ services:
    restart: unless-stopped
    depends_on:
      - signer
      - postgres
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
-      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      ATTESTOR__STORAGE__DRIVER: "postgres"
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
@@ -146,13 +148,14 @@ services:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/etc/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
-      ISSUERDIRECTORY__MONGO__CONNECTIONSTRING: "${ISSUER_DIRECTORY_MONGO_CONNECTION_STRING}"
+      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory.yaml:/etc/issuer-directory.yaml:ro
@@ -166,13 +169,12 @@ services:
    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - minio
+      - valkey
    environment:
-      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__DRIVER: "postgres"
-      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://rustfs:8080"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
@@ -188,22 +190,30 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - concelier
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
-      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-valkey}"
      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
      # Surface.Env configuration (see docs/modules/scanner/design/surface-env.md)
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
@@ -220,6 +230,8 @@ services:
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
@@ -230,16 +242,19 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - scanner-web
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
      # Surface.Env configuration (see docs/modules/scanner/design/surface-env.md)
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
@@ -264,17 +279,17 @@ services:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - nats
+      - valkey
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
-      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Nats}"
+      SCHEDULER__STORAGE__DRIVER: "postgres"
-      SCHEDULER__QUEUE__NATS__URL: "${SCHEDULER_QUEUE_NATS_URL:-nats://nats:4222}"
+      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      SCHEDULER__STORAGE__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Valkey}"
-      SCHEDULER__STORAGE__DATABASE: "${SCHEDULER_STORAGE_DATABASE:-stellaops_scheduler}"
+      SCHEDULER__QUEUE__VALKEY__URL: "${SCHEDULER_QUEUE_VALKEY_URL:-valkey:6379}"
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
@@ -300,10 +315,12 @@ services:
    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
-      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.china.yml
+++ b/deploy/compose/docker-compose.china.yml
@@ -0,0 +1,301 @@
 # StellaOps Docker Compose - International Profile
 # Cryptography: SM2, SM3, SM4 (ShangMi / Commercial Cipher - temporarily using NIST)
 # Provider: offline-verification
 # Jurisdiction: china, world
 x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0-edge"
  com.stellaops.release.channel: "edge"
  com.stellaops.profile: "china"
  com.stellaops.crypto.profile: "china"
  com.stellaops.crypto.provider: "offline-verification"
 x-crypto-env: &crypto-env
  # Crypto configuration
  STELLAOPS_CRYPTO_PROFILE: "china"
  STELLAOPS_CRYPTO_CONFIG_PATH: "/app/etc/appsettings.crypto.yaml"
  STELLAOPS_CRYPTO_MANIFEST_PATH: "/app/etc/crypto-plugins-manifest.json"
 networks:
  stellaops:
    driver: bridge
 volumes:
  rustfs-data:
  concelier-jobs:
  nats-data:
  valkey-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
  postgres:
    image: docker.io/library/postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ../postgres-partitioning:/docker-entrypoint-initdb.d:ro
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    labels: *release-labels
  valkey:
    image: docker.io/valkey/valkey:8.0
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
  nats:
    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
    command:
      - "-js"
      - "-sd"
      - /data
    restart: unless-stopped
    ports:
      - "${NATS_CLIENT_PORT:-4222}:4222"
    volumes:
      - nats-data:/data
    networks:
      - stellaops
    labels: *release-labels
  authority:
    image: registry.stella-ops.org/stellaops/authority:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
      - ../../etc/authority.yaml:/etc/authority.yaml:ro
      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
    labels: *release-labels
  signer:
    image: registry.stella-ops.org/stellaops/signer:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SIGNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
    labels: *release-labels
  attestor:
    image: registry.stella-ops.org/stellaops/attestor:china
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      <<: *crypto-env
      STELLAOPS_ATTESTOR__SIGNER__BASEURL: "http://signer:8441"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
    labels: *release-labels
  concelier:
    image: registry.stella-ops.org/stellaops/concelier:china
    restart: unless-stopped
    depends_on:
      - postgres
      - rustfs
    environment:
      <<: *crypto-env
      STELLAOPS_CONCELIER__STORAGE__DRIVER: "postgres"
      STELLAOPS_CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_CONCELIER__STORAGE__RUSTFS__BASEURL: "http://rustfs:8080"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
      - concelier-jobs:/app/jobs
    ports:
      - "${CONCELIER_PORT:-8443}:8443"
    networks:
      - stellaops
    labels: *release-labels
  scanner:
    image: registry.stella-ops.org/stellaops/scanner:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SCANNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCANNER_PORT:-8444}:8444"
    networks:
      - stellaops
    labels: *release-labels
  excititor:
    image: registry.stella-ops.org/stellaops/excititor:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_EXCITITOR__STORAGE__DRIVER: "postgres"
      STELLAOPS_EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${EXCITITOR_PORT:-8445}:8445"
    networks:
      - stellaops
    labels: *release-labels
  policy:
    image: registry.stella-ops.org/stellaops/policy:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_POLICY__STORAGE__DRIVER: "postgres"
      STELLAOPS_POLICY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${POLICY_PORT:-8446}:8446"
    networks:
      - stellaops
    labels: *release-labels
  scheduler:
    image: registry.stella-ops.org/stellaops/scheduler:china
    restart: unless-stopped
    depends_on:
      - postgres
      - nats
    environment:
      <<: *crypto-env
      STELLAOPS_SCHEDULER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_SCHEDULER__MESSAGING__NATS__URL: "nats://nats:4222"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCHEDULER_PORT:-8447}:8447"
    networks:
      - stellaops
    labels: *release-labels
  notify:
    image: registry.stella-ops.org/stellaops/notify:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_NOTIFY__STORAGE__DRIVER: "postgres"
      STELLAOPS_NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${NOTIFY_PORT:-8448}:8448"
    networks:
      - stellaops
    labels: *release-labels
  zastava:
    image: registry.stella-ops.org/stellaops/zastava:china
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_ZASTAVA__STORAGE__DRIVER: "postgres"
      STELLAOPS_ZASTAVA__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ZASTAVA_PORT:-8449}:8449"
    networks:
      - stellaops
    labels: *release-labels
  gateway:
    image: registry.stella-ops.org/stellaops/gateway:china
    restart: unless-stopped
    depends_on:
      - authority
      - concelier
      - scanner
    environment:
      <<: *crypto-env
      STELLAOPS_GATEWAY__AUTHORITY__BASEURL: "http://authority:8440"
      STELLAOPS_GATEWAY__CONCELIER__BASEURL: "http://concelier:8443"
      STELLAOPS_GATEWAY__SCANNER__BASEURL: "http://scanner:8444"
    volumes:
      - ../../etc/appsettings.crypto.china.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.dev.yaml
+++ b/deploy/compose/docker-compose.dev.yaml
@@ -8,45 +8,16 @@ networks:
    driver: bridge
 volumes:
  mongo-data:
  minio-data:
  rustfs-data:
  concelier-jobs:
  nats-data:
  valkey-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
  mongo:
    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
    command: ["mongod", "--bind_ip_all"]
    restart: unless-stopped
    environment:
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
    volumes:
      - mongo-data:/data/db
    networks:
      - stellaops
    labels: *release-labels
  minio:
    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
    command: ["server", "/data", "--console-address", ":9001"]
    restart: unless-stopped
    environment:
      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
    volumes:
      - minio-data:/data
    ports:
      - "${MINIO_CONSOLE_PORT:-9001}:9001"
    networks:
      - stellaops
    labels: *release-labels
  postgres:
    image: docker.io/library/postgres:16
    restart: unless-stopped
@@ -63,6 +34,18 @@ services:
      - stellaops
    labels: *release-labels
  valkey:
    image: docker.io/valkey/valkey:8.0
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
@@ -97,10 +80,11 @@ services:
    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
    environment:
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
-      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
@@ -117,10 +101,11 @@ services:
    restart: unless-stopped
    depends_on:
      - authority
      - valkey
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
-      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SIGNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
@@ -132,9 +117,10 @@ services:
    restart: unless-stopped
    depends_on:
      - signer
      - valkey
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
-      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
@@ -145,13 +131,14 @@ services:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/etc/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
-      ISSUERDIRECTORY__MONGO__CONNECTIONSTRING: "${ISSUER_DIRECTORY_MONGO_CONNECTION_STRING}"
+      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory.yaml:/etc/issuer-directory.yaml:ro
@@ -165,13 +152,10 @@ services:
    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - minio
    environment:
-      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__DRIVER: "postgres"
-      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
@@ -185,22 +169,34 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
      - rustfs
      - nats
      - valkey
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "nats://nats:4222"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
-      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-valkey}"
-      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
+      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-valkey:6379}"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
    volumes:
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
@@ -215,12 +211,13 @@ services:
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "nats://nats:4222"
    networks:
      - stellaops
    labels: *release-labels
@@ -229,17 +226,17 @@ services:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - nats
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
-      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Nats}"
+      SCHEDULER__QUEUE__KIND: "Nats"
-      SCHEDULER__QUEUE__NATS__URL: "${SCHEDULER_QUEUE_NATS_URL:-nats://nats:4222}"
+      SCHEDULER__QUEUE__NATS__URL: "nats://nats:4222"
-      SCHEDULER__STORAGE__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCHEDULER__STORAGE__DRIVER: "postgres"
-      SCHEDULER__STORAGE__DATABASE: "${SCHEDULER_STORAGE_DATABASE:-stellaops_scheduler}"
+      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
@@ -251,8 +248,13 @@ services:
    depends_on:
      - postgres
      - authority
      - valkey
    environment:
      DOTNET_ENVIRONMENT: Development
      NOTIFY__STORAGE__DRIVER: "postgres"
      NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      NOTIFY__QUEUE__DRIVER: "nats"
      NOTIFY__QUEUE__NATS__URL: "nats://nats:4222"
    volumes:
      - ../../etc/notify.dev.yaml:/app/etc/notify.yaml:ro
    ports:
@@ -265,10 +267,12 @@ services:
    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
-      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.eu.yml
+++ b/deploy/compose/docker-compose.eu.yml
@@ -0,0 +1,301 @@
 # StellaOps Docker Compose - International Profile
 # Cryptography: eIDAS-compliant qualified trust services (temporarily using NIST)
 # Provider: offline-verification
 # Jurisdiction: eu, world
 x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0-edge"
  com.stellaops.release.channel: "edge"
  com.stellaops.profile: "eu"
  com.stellaops.crypto.profile: "eu"
  com.stellaops.crypto.provider: "offline-verification"
 x-crypto-env: &crypto-env
  # Crypto configuration
  STELLAOPS_CRYPTO_PROFILE: "eu"
  STELLAOPS_CRYPTO_CONFIG_PATH: "/app/etc/appsettings.crypto.yaml"
  STELLAOPS_CRYPTO_MANIFEST_PATH: "/app/etc/crypto-plugins-manifest.json"
 networks:
  stellaops:
    driver: bridge
 volumes:
  rustfs-data:
  concelier-jobs:
  nats-data:
  valkey-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
  postgres:
    image: docker.io/library/postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ../postgres-partitioning:/docker-entrypoint-initdb.d:ro
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    labels: *release-labels
  valkey:
    image: docker.io/valkey/valkey:8.0
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
  nats:
    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
    command:
      - "-js"
      - "-sd"
      - /data
    restart: unless-stopped
    ports:
      - "${NATS_CLIENT_PORT:-4222}:4222"
    volumes:
      - nats-data:/data
    networks:
      - stellaops
    labels: *release-labels
  authority:
    image: registry.stella-ops.org/stellaops/authority:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
      - ../../etc/authority.yaml:/etc/authority.yaml:ro
      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
    labels: *release-labels
  signer:
    image: registry.stella-ops.org/stellaops/signer:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SIGNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
    labels: *release-labels
  attestor:
    image: registry.stella-ops.org/stellaops/attestor:eu
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      <<: *crypto-env
      STELLAOPS_ATTESTOR__SIGNER__BASEURL: "http://signer:8441"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
    labels: *release-labels
  concelier:
    image: registry.stella-ops.org/stellaops/concelier:eu
    restart: unless-stopped
    depends_on:
      - postgres
      - rustfs
    environment:
      <<: *crypto-env
      STELLAOPS_CONCELIER__STORAGE__DRIVER: "postgres"
      STELLAOPS_CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_CONCELIER__STORAGE__RUSTFS__BASEURL: "http://rustfs:8080"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
      - concelier-jobs:/app/jobs
    ports:
      - "${CONCELIER_PORT:-8443}:8443"
    networks:
      - stellaops
    labels: *release-labels
  scanner:
    image: registry.stella-ops.org/stellaops/scanner:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SCANNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCANNER_PORT:-8444}:8444"
    networks:
      - stellaops
    labels: *release-labels
  excititor:
    image: registry.stella-ops.org/stellaops/excititor:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_EXCITITOR__STORAGE__DRIVER: "postgres"
      STELLAOPS_EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${EXCITITOR_PORT:-8445}:8445"
    networks:
      - stellaops
    labels: *release-labels
  policy:
    image: registry.stella-ops.org/stellaops/policy:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_POLICY__STORAGE__DRIVER: "postgres"
      STELLAOPS_POLICY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${POLICY_PORT:-8446}:8446"
    networks:
      - stellaops
    labels: *release-labels
  scheduler:
    image: registry.stella-ops.org/stellaops/scheduler:eu
    restart: unless-stopped
    depends_on:
      - postgres
      - nats
    environment:
      <<: *crypto-env
      STELLAOPS_SCHEDULER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_SCHEDULER__MESSAGING__NATS__URL: "nats://nats:4222"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCHEDULER_PORT:-8447}:8447"
    networks:
      - stellaops
    labels: *release-labels
  notify:
    image: registry.stella-ops.org/stellaops/notify:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_NOTIFY__STORAGE__DRIVER: "postgres"
      STELLAOPS_NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${NOTIFY_PORT:-8448}:8448"
    networks:
      - stellaops
    labels: *release-labels
  zastava:
    image: registry.stella-ops.org/stellaops/zastava:eu
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_ZASTAVA__STORAGE__DRIVER: "postgres"
      STELLAOPS_ZASTAVA__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ZASTAVA_PORT:-8449}:8449"
    networks:
      - stellaops
    labels: *release-labels
  gateway:
    image: registry.stella-ops.org/stellaops/gateway:eu
    restart: unless-stopped
    depends_on:
      - authority
      - concelier
      - scanner
    environment:
      <<: *crypto-env
      STELLAOPS_GATEWAY__AUTHORITY__BASEURL: "http://authority:8440"
      STELLAOPS_GATEWAY__CONCELIER__BASEURL: "http://concelier:8443"
      STELLAOPS_GATEWAY__SCANNER__BASEURL: "http://scanner:8444"
    volumes:
      - ../../etc/appsettings.crypto.eu.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.international.yml
+++ b/deploy/compose/docker-compose.international.yml
@@ -0,0 +1,301 @@
 # StellaOps Docker Compose - International Profile
 # Cryptography: Standard NIST algorithms (ECDSA, RSA, SHA-2)
 # Provider: offline-verification
 # Jurisdiction: world
 x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0-edge"
  com.stellaops.release.channel: "edge"
  com.stellaops.profile: "international"
  com.stellaops.crypto.profile: "international"
  com.stellaops.crypto.provider: "offline-verification"
 x-crypto-env: &crypto-env
  # Crypto configuration
  STELLAOPS_CRYPTO_PROFILE: "international"
  STELLAOPS_CRYPTO_CONFIG_PATH: "/app/etc/appsettings.crypto.yaml"
  STELLAOPS_CRYPTO_MANIFEST_PATH: "/app/etc/crypto-plugins-manifest.json"
 networks:
  stellaops:
    driver: bridge
 volumes:
  rustfs-data:
  concelier-jobs:
  nats-data:
  valkey-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
  postgres:
    image: docker.io/library/postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ../postgres-partitioning:/docker-entrypoint-initdb.d:ro
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    labels: *release-labels
  valkey:
    image: docker.io/valkey/valkey:8.0
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
  nats:
    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
    command:
      - "-js"
      - "-sd"
      - /data
    restart: unless-stopped
    ports:
      - "${NATS_CLIENT_PORT:-4222}:4222"
    volumes:
      - nats-data:/data
    networks:
      - stellaops
    labels: *release-labels
  authority:
    image: registry.stella-ops.org/stellaops/authority:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
      - ../../etc/authority.yaml:/etc/authority.yaml:ro
      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
    labels: *release-labels
  signer:
    image: registry.stella-ops.org/stellaops/signer:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SIGNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
    labels: *release-labels
  attestor:
    image: registry.stella-ops.org/stellaops/attestor:international
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      <<: *crypto-env
      STELLAOPS_ATTESTOR__SIGNER__BASEURL: "http://signer:8441"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
    labels: *release-labels
  concelier:
    image: registry.stella-ops.org/stellaops/concelier:international
    restart: unless-stopped
    depends_on:
      - postgres
      - rustfs
    environment:
      <<: *crypto-env
      STELLAOPS_CONCELIER__STORAGE__DRIVER: "postgres"
      STELLAOPS_CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_CONCELIER__STORAGE__RUSTFS__BASEURL: "http://rustfs:8080"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
      - concelier-jobs:/app/jobs
    ports:
      - "${CONCELIER_PORT:-8443}:8443"
    networks:
      - stellaops
    labels: *release-labels
  scanner:
    image: registry.stella-ops.org/stellaops/scanner:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SCANNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCANNER_PORT:-8444}:8444"
    networks:
      - stellaops
    labels: *release-labels
  excititor:
    image: registry.stella-ops.org/stellaops/excititor:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_EXCITITOR__STORAGE__DRIVER: "postgres"
      STELLAOPS_EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${EXCITITOR_PORT:-8445}:8445"
    networks:
      - stellaops
    labels: *release-labels
  policy:
    image: registry.stella-ops.org/stellaops/policy:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_POLICY__STORAGE__DRIVER: "postgres"
      STELLAOPS_POLICY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${POLICY_PORT:-8446}:8446"
    networks:
      - stellaops
    labels: *release-labels
  scheduler:
    image: registry.stella-ops.org/stellaops/scheduler:international
    restart: unless-stopped
    depends_on:
      - postgres
      - nats
    environment:
      <<: *crypto-env
      STELLAOPS_SCHEDULER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_SCHEDULER__MESSAGING__NATS__URL: "nats://nats:4222"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCHEDULER_PORT:-8447}:8447"
    networks:
      - stellaops
    labels: *release-labels
  notify:
    image: registry.stella-ops.org/stellaops/notify:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_NOTIFY__STORAGE__DRIVER: "postgres"
      STELLAOPS_NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${NOTIFY_PORT:-8448}:8448"
    networks:
      - stellaops
    labels: *release-labels
  zastava:
    image: registry.stella-ops.org/stellaops/zastava:international
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_ZASTAVA__STORAGE__DRIVER: "postgres"
      STELLAOPS_ZASTAVA__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ZASTAVA_PORT:-8449}:8449"
    networks:
      - stellaops
    labels: *release-labels
  gateway:
    image: registry.stella-ops.org/stellaops/gateway:international
    restart: unless-stopped
    depends_on:
      - authority
      - concelier
      - scanner
    environment:
      <<: *crypto-env
      STELLAOPS_GATEWAY__AUTHORITY__BASEURL: "http://authority:8440"
      STELLAOPS_GATEWAY__CONCELIER__BASEURL: "http://concelier:8443"
      STELLAOPS_GATEWAY__SCANNER__BASEURL: "http://scanner:8444"
    volumes:
      - ../../etc/appsettings.crypto.international.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.prod.yaml
+++ b/deploy/compose/docker-compose.prod.yaml
@@ -11,41 +11,25 @@ networks:
    name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}
 volumes:
-  mongo-data:
+  valkey-data:
  minio-data:
  rustfs-data:
  concelier-jobs:
  nats-data:
  scanner-surface-cache:
  postgres-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
-  mongo:
+  valkey:
-    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    image: docker.io/valkey/valkey:8.0
    command: ["mongod", "--bind_ip_all"]
    restart: unless-stopped
-    environment:
+    command: ["valkey-server", "--appendonly", "yes"]
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
    volumes:
-      - mongo-data:/data/db
+      - valkey-data:/data
    networks:
      - stellaops
    labels: *release-labels
  minio:
    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
    command: ["server", "/data", "--console-address", ":9001"]
    restart: unless-stopped
    environment:
      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
    volumes:
      - minio-data:/data
    ports:
-      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
@@ -84,10 +68,13 @@ services:
    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - valkey
    environment:
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
-      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
@@ -104,11 +91,13 @@ services:
    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
-      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SIGNER__STORAGE__DRIVER: "postgres"
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
@@ -121,9 +110,11 @@ services:
    restart: unless-stopped
    depends_on:
      - signer
      - postgres
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
-      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      ATTESTOR__STORAGE__DRIVER: "postgres"
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
@@ -151,13 +142,14 @@ services:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/etc/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
-      ISSUERDIRECTORY__MONGO__CONNECTIONSTRING: "${ISSUER_DIRECTORY_MONGO_CONNECTION_STRING}"
+      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory.yaml:/etc/issuer-directory.yaml:ro
@@ -171,14 +163,15 @@ services:
    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - minio
+      - valkey
    environment:
-      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__DRIVER: "postgres"
-      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://rustfs:8080"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
    ports:
@@ -192,22 +185,47 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - concelier
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
-      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-true}"
+      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
-      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-valkey}"
      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
@@ -219,16 +237,34 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - scanner-web
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
    networks:
      - stellaops
    labels: *release-labels
@@ -237,17 +273,17 @@ services:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - nats
+      - valkey
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
-      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Nats}"
+      SCHEDULER__STORAGE__DRIVER: "postgres"
-      SCHEDULER__QUEUE__NATS__URL: "${SCHEDULER_QUEUE_NATS_URL:-nats://nats:4222}"
+      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      SCHEDULER__STORAGE__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Valkey}"
-      SCHEDULER__STORAGE__DATABASE: "${SCHEDULER_STORAGE_DATABASE:-stellaops_scheduler}"
+      SCHEDULER__QUEUE__VALKEY__URL: "${SCHEDULER_QUEUE_VALKEY_URL:-valkey:6379}"
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
@@ -274,10 +310,12 @@ services:
    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
-      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.russia.yml
+++ b/deploy/compose/docker-compose.russia.yml
@@ -0,0 +1,301 @@
 # StellaOps Docker Compose - International Profile
 # Cryptography: GOST R 34.10-2012, GOST R 34.11-2012 (Streebog)
 # Provider: openssl.gost, pkcs11.gost, cryptopro.gost
 # Jurisdiction: world
 x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0-edge"
  com.stellaops.release.channel: "edge"
  com.stellaops.profile: "russia"
  com.stellaops.crypto.profile: "russia"
  com.stellaops.crypto.provider: "openssl.gost, pkcs11.gost, cryptopro.gost"
 x-crypto-env: &crypto-env
  # Crypto configuration
  STELLAOPS_CRYPTO_PROFILE: "russia"
  STELLAOPS_CRYPTO_CONFIG_PATH: "/app/etc/appsettings.crypto.yaml"
  STELLAOPS_CRYPTO_MANIFEST_PATH: "/app/etc/crypto-plugins-manifest.json"
 networks:
  stellaops:
    driver: bridge
 volumes:
  rustfs-data:
  concelier-jobs:
  nats-data:
  valkey-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
  postgres:
    image: docker.io/library/postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ../postgres-partitioning:/docker-entrypoint-initdb.d:ro
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    labels: *release-labels
  valkey:
    image: docker.io/valkey/valkey:8.0
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
  nats:
    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
    command:
      - "-js"
      - "-sd"
      - /data
    restart: unless-stopped
    ports:
      - "${NATS_CLIENT_PORT:-4222}:4222"
    volumes:
      - nats-data:/data
    networks:
      - stellaops
    labels: *release-labels
  authority:
    image: registry.stella-ops.org/stellaops/authority:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
      - ../../etc/authority.yaml:/etc/authority.yaml:ro
      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
    labels: *release-labels
  signer:
    image: registry.stella-ops.org/stellaops/signer:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SIGNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
    labels: *release-labels
  attestor:
    image: registry.stella-ops.org/stellaops/attestor:russia
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      <<: *crypto-env
      STELLAOPS_ATTESTOR__SIGNER__BASEURL: "http://signer:8441"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
    labels: *release-labels
  concelier:
    image: registry.stella-ops.org/stellaops/concelier:russia
    restart: unless-stopped
    depends_on:
      - postgres
      - rustfs
    environment:
      <<: *crypto-env
      STELLAOPS_CONCELIER__STORAGE__DRIVER: "postgres"
      STELLAOPS_CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_CONCELIER__STORAGE__RUSTFS__BASEURL: "http://rustfs:8080"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
      - concelier-jobs:/app/jobs
    ports:
      - "${CONCELIER_PORT:-8443}:8443"
    networks:
      - stellaops
    labels: *release-labels
  scanner:
    image: registry.stella-ops.org/stellaops/scanner:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_SCANNER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCANNER_PORT:-8444}:8444"
    networks:
      - stellaops
    labels: *release-labels
  excititor:
    image: registry.stella-ops.org/stellaops/excititor:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_EXCITITOR__STORAGE__DRIVER: "postgres"
      STELLAOPS_EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${EXCITITOR_PORT:-8445}:8445"
    networks:
      - stellaops
    labels: *release-labels
  policy:
    image: registry.stella-ops.org/stellaops/policy:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_POLICY__STORAGE__DRIVER: "postgres"
      STELLAOPS_POLICY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${POLICY_PORT:-8446}:8446"
    networks:
      - stellaops
    labels: *release-labels
  scheduler:
    image: registry.stella-ops.org/stellaops/scheduler:russia
    restart: unless-stopped
    depends_on:
      - postgres
      - nats
    environment:
      <<: *crypto-env
      STELLAOPS_SCHEDULER__STORAGE__DRIVER: "postgres"
      STELLAOPS_SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_SCHEDULER__MESSAGING__NATS__URL: "nats://nats:4222"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${SCHEDULER_PORT:-8447}:8447"
    networks:
      - stellaops
    labels: *release-labels
  notify:
    image: registry.stella-ops.org/stellaops/notify:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_NOTIFY__STORAGE__DRIVER: "postgres"
      STELLAOPS_NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${NOTIFY_PORT:-8448}:8448"
    networks:
      - stellaops
    labels: *release-labels
  zastava:
    image: registry.stella-ops.org/stellaops/zastava:russia
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      <<: *crypto-env
      STELLAOPS_ZASTAVA__STORAGE__DRIVER: "postgres"
      STELLAOPS_ZASTAVA__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${ZASTAVA_PORT:-8449}:8449"
    networks:
      - stellaops
    labels: *release-labels
  gateway:
    image: registry.stella-ops.org/stellaops/gateway:russia
    restart: unless-stopped
    depends_on:
      - authority
      - concelier
      - scanner
    environment:
      <<: *crypto-env
      STELLAOPS_GATEWAY__AUTHORITY__BASEURL: "http://authority:8440"
      STELLAOPS_GATEWAY__CONCELIER__BASEURL: "http://concelier:8443"
      STELLAOPS_GATEWAY__SCANNER__BASEURL: "http://scanner:8444"
    volumes:
      - ../../etc/appsettings.crypto.russia.yaml:/app/etc/appsettings.crypto.yaml:ro
      - ../../etc/crypto-plugins-manifest.json:/app/etc/crypto-plugins-manifest.json:ro
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/docker-compose.stage.yaml
+++ b/deploy/compose/docker-compose.stage.yaml
@@ -8,41 +8,25 @@ networks:
    driver: bridge
 volumes:
-  mongo-data:
+  valkey-data:
  minio-data:
  rustfs-data:
  concelier-jobs:
  nats-data:
  scanner-surface-cache:
  postgres-data:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  postgres-data:
 services:
-  mongo:
+  valkey:
-    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    image: docker.io/valkey/valkey:8.0
    command: ["mongod", "--bind_ip_all"]
    restart: unless-stopped
-    environment:
+    command: ["valkey-server", "--appendonly", "yes"]
      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
    volumes:
-      - mongo-data:/data/db
+      - valkey-data:/data
    networks:
      - stellaops
    labels: *release-labels
  minio:
    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
    command: ["server", "/data", "--console-address", ":9001"]
    restart: unless-stopped
    environment:
      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
    volumes:
      - minio-data:/data
    ports:
-      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    labels: *release-labels
@@ -97,10 +81,13 @@ services:
    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - valkey
    environment:
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
-      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
    volumes:
@@ -116,11 +103,13 @@ services:
    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
-      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SIGNER__STORAGE__DRIVER: "postgres"
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
@@ -130,11 +119,13 @@ services:
  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
    restart: unless-stopped
-   depends_on:
+    depends_on:
-     - signer
+      - signer
      - postgres
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
-      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      ATTESTOR__STORAGE__DRIVER: "postgres"
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
@@ -145,13 +136,14 @@ services:
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/etc/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
-      ISSUERDIRECTORY__MONGO__CONNECTIONSTRING: "${ISSUER_DIRECTORY_MONGO_CONNECTION_STRING}"
+      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory.yaml:/etc/issuer-directory.yaml:ro
@@ -165,14 +157,15 @@ services:
    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - minio
+      - valkey
    environment:
-      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__DRIVER: "postgres"
-      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://rustfs:8080"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
    ports:
@@ -185,22 +178,47 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - concelier
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
-      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-valkey}"
      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
@@ -211,16 +229,34 @@ services:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - scanner-web
      - rustfs
      - nats
    environment:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER:-valkey://valkey:6379}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
    networks:
      - stellaops
    labels: *release-labels
@@ -229,17 +265,17 @@ services:
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0-edge
    restart: unless-stopped
    depends_on:
-      - mongo
+      - postgres
-      - nats
+      - valkey
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
-      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Nats}"
+      SCHEDULER__STORAGE__DRIVER: "postgres"
-      SCHEDULER__QUEUE__NATS__URL: "${SCHEDULER_QUEUE_NATS_URL:-nats://nats:4222}"
+      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
-      SCHEDULER__STORAGE__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCHEDULER__QUEUE__KIND: "${SCHEDULER_QUEUE_KIND:-Valkey}"
-      SCHEDULER__STORAGE__DATABASE: "${SCHEDULER_STORAGE_DATABASE:-stellaops_scheduler}"
+      SCHEDULER__QUEUE__VALKEY__URL: "${SCHEDULER_QUEUE_VALKEY_URL:-valkey:6379}"
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
@@ -265,10 +301,12 @@ services:
    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
-      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"
    networks:
      - stellaops
    labels: *release-labels
--- a/deploy/compose/env/airgap.env.example
+++ b/deploy/compose/env/airgap.env.example
@@ -1,48 +1,91 @@
 # Substitutions for docker-compose.airgap.yaml
-MONGO_INITDB_ROOT_USERNAME=stellaops
+
-MONGO_INITDB_ROOT_PASSWORD=airgap-password
+# PostgreSQL Database
-MINIO_ROOT_USER=stellaops-offline
+POSTGRES_USER=stellaops
-MINIO_ROOT_PASSWORD=airgap-minio-secret
+POSTGRES_PASSWORD=airgap-postgres-password
-MINIO_CONSOLE_PORT=29001
+POSTGRES_DB=stellaops_platform
 POSTGRES_PORT=25432
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=26379
 # RustFS Object Storage
 RUSTFS_HTTP_PORT=8080
 # Authority (OAuth2/OIDC)
 AUTHORITY_ISSUER=https://authority.airgap.local
 AUTHORITY_PORT=8440
 AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
 # Signer
 SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
 SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
-# Secrets for Issuer Directory are provided via issuer-directory.mongo.env (see etc/secrets/issuer-directory.mongo.secret.example).
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017
 ISSUER_DIRECTORY_SEED_CSAF=true
 # Concelier
 CONCELIER_PORT=8445
 # Scanner
 SCANNER_WEB_PORT=8444
-UI_PORT=9443
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
 NATS_CLIENT_PORT=24222
 SCANNER_QUEUE_BROKER=nats://nats:4222
 AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
 SCANNER_EVENTS_ENABLED=false
-SCANNER_EVENTS_DRIVER=redis
+SCANNER_EVENTS_DRIVER=valkey
 # Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
 SCANNER_EVENTS_DSN=
 SCANNER_EVENTS_STREAM=stella.events
 SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
-SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
+
 # Surface.Env configuration
 SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
 SCANNER_SURFACE_FS_BUCKET=surface-cache
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
-# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
-ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+SCANNER_SURFACE_PREFETCH_ENABLED=false
-ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+SCANNER_SURFACE_TENANT=default
 SCANNER_SURFACE_FEATURES=
 SCANNER_SURFACE_SECRETS_PROVIDER=file
 SCANNER_SURFACE_SECRETS_NAMESPACE=
 SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
 SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
 SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
 SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
-SCHEDULER_QUEUE_KIND=Nats
+
-SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
+# Offline Kit configuration
-SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
+SCANNER_OFFLINEKIT_ENABLED=false
 SCANNER_OFFLINEKIT_REQUIREDSSE=true
 SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
 SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
 SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
 SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
 SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
 # Zastava inherits Scanner defaults; override if Observer/Webhook diverge
 ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
 ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
 # Scheduler
 SCHEDULER_QUEUE_KIND=Valkey
 SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
 # Notify
 NOTIFY_WEB_PORT=9446
 # Advisory AI
 ADVISORY_AI_WEB_PORT=8448
 ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
 ADVISORY_AI_INFERENCE_MODE=Local
 ADVISORY_AI_REMOTE_BASEADDRESS=
 ADVISORY_AI_REMOTE_APIKEY=
 # Web UI
 UI_PORT=9443
 # NATS
 NATS_CLIENT_PORT=24222
--- a/deploy/compose/env/dev.env.example
+++ b/deploy/compose/env/dev.env.example
@@ -1,47 +1,78 @@
 # Substitutions for docker-compose.dev.yaml
-MONGO_INITDB_ROOT_USERNAME=stellaops
+
-MONGO_INITDB_ROOT_PASSWORD=dev-password
+# PostgreSQL Database
-MINIO_ROOT_USER=stellaops
+POSTGRES_USER=stellaops
-MINIO_ROOT_PASSWORD=dev-minio-secret
+POSTGRES_PASSWORD=dev-postgres-password
-MINIO_CONSOLE_PORT=9001
+POSTGRES_DB=stellaops_platform
 POSTGRES_PORT=5432
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=6379
 # RustFS Object Storage
 RUSTFS_HTTP_PORT=8080
 # Authority (OAuth2/OIDC)
 AUTHORITY_ISSUER=https://authority.localtest.me
 AUTHORITY_PORT=8440
 # Signer
 SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
 SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
-# Secrets for Issuer Directory are provided via issuer-directory.mongo.env (see etc/secrets/issuer-directory.mongo.secret.example).
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017
 ISSUER_DIRECTORY_SEED_CSAF=true
 # Concelier
 CONCELIER_PORT=8445
 # Scanner
 SCANNER_WEB_PORT=8444
 UI_PORT=8443
 NATS_CLIENT_PORT=4222
 SCANNER_QUEUE_BROKER=nats://nats:4222
 SCANNER_EVENTS_ENABLED=false
-SCANNER_EVENTS_DRIVER=redis
+SCANNER_EVENTS_DRIVER=valkey
-# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
+SCANNER_EVENTS_DSN=valkey:6379
 SCANNER_EVENTS_DSN=
 SCANNER_EVENTS_STREAM=stella.events
 SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
-# Surface.Env defaults keep worker/web service aligned with local RustFS and inline secrets.
+
 # Surface.Env defaults keep worker/web service aligned with local RustFS and inline secrets
 SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
 SCANNER_SURFACE_SECRETS_PROVIDER=inline
 SCANNER_SURFACE_SECRETS_ROOT=
 # Zastava inherits Scanner defaults; override if Observer/Webhook diverge
 ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
 ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
 ZASTAVA_SURFACE_SECRETS_PROVIDER=${SCANNER_SURFACE_SECRETS_PROVIDER}
 ZASTAVA_SURFACE_SECRETS_ROOT=${SCANNER_SURFACE_SECRETS_ROOT}
 # Scheduler
 SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
 # Notify
 NOTIFY_WEB_PORT=8446
 # Advisory AI
 ADVISORY_AI_WEB_PORT=8448
 ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
 ADVISORY_AI_INFERENCE_MODE=Local
 ADVISORY_AI_REMOTE_BASEADDRESS=
 ADVISORY_AI_REMOTE_APIKEY=
 # Web UI
 UI_PORT=8443
 # NATS
 NATS_CLIENT_PORT=4222
 # CryptoPro (optional)
 CRYPTOPRO_PORT=18080
 CRYPTOPRO_ACCEPT_EULA=0
--- a/deploy/compose/env/prod.env.example
+++ b/deploy/compose/env/prod.env.example
@@ -1,49 +1,96 @@
 # Substitutions for docker-compose.prod.yaml
-# ⚠️ Replace all placeholder secrets with values sourced from your secret manager.
+# WARNING: Replace all placeholder secrets with values sourced from your secret manager.
-MONGO_INITDB_ROOT_USERNAME=stellaops-prod
+
-MONGO_INITDB_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+# PostgreSQL Database
-MINIO_ROOT_USER=stellaops-prod
+POSTGRES_USER=stellaops-prod
-MINIO_ROOT_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
-# Expose the MinIO console only to trusted operator networks.
+POSTGRES_DB=stellaops_platform
-MINIO_CONSOLE_PORT=39001
+POSTGRES_PORT=5432
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=6379
 # RustFS Object Storage
 RUSTFS_HTTP_PORT=8080
 # Authority (OAuth2/OIDC)
 AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
 AUTHORITY_PORT=8440
 AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
 # Signer
 SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
 SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
-# Secrets for Issuer Directory are provided via issuer-directory.mongo.env (see etc/secrets/issuer-directory.mongo.secret.example).
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017
 ISSUER_DIRECTORY_SEED_CSAF=true
 # Concelier
 CONCELIER_PORT=8445
 # Scanner
 SCANNER_WEB_PORT=8444
-UI_PORT=8443
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
 NATS_CLIENT_PORT=4222
 SCANNER_QUEUE_BROKER=nats://nats:4222
 # `true` enables signed scanner events for Notify ingestion.
 SCANNER_EVENTS_ENABLED=true
-SCANNER_EVENTS_DRIVER=redis
+SCANNER_EVENTS_DRIVER=valkey
 # Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
 SCANNER_EVENTS_DSN=
 SCANNER_EVENTS_STREAM=stella.events
 SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
 # Surface.Env configuration
 SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
 SCANNER_SURFACE_FS_BUCKET=surface-cache
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
 SCANNER_SURFACE_CACHE_QUOTA_MB=4096
 SCANNER_SURFACE_PREFETCH_ENABLED=false
 SCANNER_SURFACE_TENANT=default
 SCANNER_SURFACE_FEATURES=
 SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
 SCANNER_SURFACE_SECRETS_NAMESPACE=
 SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
 SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
 SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
 SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
 # Offline Kit configuration
 SCANNER_OFFLINEKIT_ENABLED=false
 SCANNER_OFFLINEKIT_REQUIREDSSE=true
 SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
 SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
 SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
 SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
 SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
 # Zastava inherits Scanner defaults; override if Observer/Webhook diverge
 ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
 ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
-SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
+
-SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
+# Scheduler
-SCHEDULER_QUEUE_KIND=Nats
+SCHEDULER_QUEUE_KIND=Valkey
-SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
+SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
 # Notify
 NOTIFY_WEB_PORT=8446
 # Advisory AI
 ADVISORY_AI_WEB_PORT=8448
 ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
 ADVISORY_AI_INFERENCE_MODE=Local
 ADVISORY_AI_REMOTE_BASEADDRESS=
 ADVISORY_AI_REMOTE_APIKEY=
 # Web UI
 UI_PORT=8443
 # NATS
 NATS_CLIENT_PORT=4222
 # External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
 FRONTDOOR_NETWORK=stellaops_frontdoor
--- a/deploy/compose/env/stage.env.example
+++ b/deploy/compose/env/stage.env.example
@@ -1,44 +1,91 @@
 # Substitutions for docker-compose.stage.yaml
-MONGO_INITDB_ROOT_USERNAME=stellaops
+
-MONGO_INITDB_ROOT_PASSWORD=stage-password
+# PostgreSQL Database
-MINIO_ROOT_USER=stellaops-stage
+POSTGRES_USER=stellaops
-MINIO_ROOT_PASSWORD=stage-minio-secret
+POSTGRES_PASSWORD=stage-postgres-password
-MINIO_CONSOLE_PORT=19001
+POSTGRES_DB=stellaops_platform
 POSTGRES_PORT=5432
 # Valkey (Redis-compatible cache and messaging)
 VALKEY_PORT=6379
 # RustFS Object Storage
 RUSTFS_HTTP_PORT=8080
 # Authority (OAuth2/OIDC)
 AUTHORITY_ISSUER=https://authority.stage.stella-ops.internal
 AUTHORITY_PORT=8440
 AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
 # Signer
 SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
 SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
-# Secrets for Issuer Directory are provided via issuer-directory.mongo.env (see etc/secrets/issuer-directory.mongo.secret.example).
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017
 ISSUER_DIRECTORY_SEED_CSAF=true
 # Concelier
 CONCELIER_PORT=8445
 # Scanner
 SCANNER_WEB_PORT=8444
-UI_PORT=8443
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
 NATS_CLIENT_PORT=4222
 SCANNER_QUEUE_BROKER=nats://nats:4222
 SCANNER_EVENTS_ENABLED=false
-SCANNER_EVENTS_DRIVER=redis
+SCANNER_EVENTS_DRIVER=valkey
 # Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
 SCANNER_EVENTS_DSN=
 SCANNER_EVENTS_STREAM=stella.events
 SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
 SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
-SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
+
 # Surface.Env configuration
 SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
 SCANNER_SURFACE_FS_BUCKET=surface-cache
 SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
 SCANNER_SURFACE_CACHE_QUOTA_MB=4096
 SCANNER_SURFACE_PREFETCH_ENABLED=false
 SCANNER_SURFACE_TENANT=default
 SCANNER_SURFACE_FEATURES=
 SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
 SCANNER_SURFACE_SECRETS_NAMESPACE=
 SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
 SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
 SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
 SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
 # Offline Kit configuration
 SCANNER_OFFLINEKIT_ENABLED=false
 SCANNER_OFFLINEKIT_REQUIREDSSE=true
 SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
 SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
 SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
 SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
 SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
 # Zastava inherits Scanner defaults; override if Observer/Webhook diverge
 ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
 ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
-SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
+
-SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
+# Scheduler
-SCHEDULER_QUEUE_KIND=Nats
+SCHEDULER_QUEUE_KIND=Valkey
-SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
+SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
 # Notify
 NOTIFY_WEB_PORT=8446
 # Advisory AI
 ADVISORY_AI_WEB_PORT=8448
 ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
 ADVISORY_AI_INFERENCE_MODE=Local
 ADVISORY_AI_REMOTE_BASEADDRESS=
 ADVISORY_AI_REMOTE_APIKEY=
 # Web UI
 UI_PORT=8443
 # NATS
 NATS_CLIENT_PORT=4222
--- a/deploy/compose/postgres-init/01-extensions.sql
+++ b/deploy/compose/postgres-init/01-extensions.sql
@@ -0,0 +1,33 @@
 -- PostgreSQL initialization for StellaOps air-gap deployment
 -- This script runs automatically on first container start
 -- Enable pg_stat_statements extension for query performance analysis
 CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
 -- Enable other useful extensions
 CREATE EXTENSION IF NOT EXISTS pg_trgm;      -- Fuzzy text search
 CREATE EXTENSION IF NOT EXISTS btree_gin;    -- GIN indexes for scalar types
 CREATE EXTENSION IF NOT EXISTS pgcrypto;     -- Cryptographic functions
 -- Create schemas for all modules
 -- Migrations will create tables within these schemas
 CREATE SCHEMA IF NOT EXISTS authority;
 CREATE SCHEMA IF NOT EXISTS vuln;
 CREATE SCHEMA IF NOT EXISTS vex;
 CREATE SCHEMA IF NOT EXISTS scheduler;
 CREATE SCHEMA IF NOT EXISTS notify;
 CREATE SCHEMA IF NOT EXISTS policy;
 CREATE SCHEMA IF NOT EXISTS concelier;
 CREATE SCHEMA IF NOT EXISTS audit;
 CREATE SCHEMA IF NOT EXISTS unknowns;
 -- Grant usage to application user (assumes POSTGRES_USER is the app user)
 GRANT USAGE ON SCHEMA authority TO PUBLIC;
 GRANT USAGE ON SCHEMA vuln TO PUBLIC;
 GRANT USAGE ON SCHEMA vex TO PUBLIC;
 GRANT USAGE ON SCHEMA scheduler TO PUBLIC;
 GRANT USAGE ON SCHEMA notify TO PUBLIC;
 GRANT USAGE ON SCHEMA policy TO PUBLIC;
 GRANT USAGE ON SCHEMA concelier TO PUBLIC;
 GRANT USAGE ON SCHEMA audit TO PUBLIC;
 GRANT USAGE ON SCHEMA unknowns TO PUBLIC;
--- a/deploy/docker/Dockerfile.crypto-profile
+++ b/deploy/docker/Dockerfile.crypto-profile
@@ -0,0 +1,172 @@
 # syntax=docker/dockerfile:1.4
 # StellaOps Regional Crypto Profile
 # Selects regional cryptographic configuration at build time
 # ============================================================================
 # Build Arguments
 # ============================================================================
 ARG CRYPTO_PROFILE=international
 ARG BASE_IMAGE=stellaops/platform:latest
 ARG SERVICE_NAME=authority
 # ============================================================================
 # Regional Crypto Profile Layer
 # ============================================================================
 FROM ${BASE_IMAGE} AS regional-profile
 # Copy regional cryptographic configuration
 ARG CRYPTO_PROFILE
 COPY etc/appsettings.crypto.${CRYPTO_PROFILE}.yaml /app/etc/appsettings.crypto.yaml
 COPY etc/crypto-plugins-manifest.json /app/etc/crypto-plugins-manifest.json
 # Set environment variable for runtime verification
 ENV STELLAOPS_CRYPTO_PROFILE=${CRYPTO_PROFILE}
 ENV STELLAOPS_CRYPTO_CONFIG_PATH=/app/etc/appsettings.crypto.yaml
 ENV STELLAOPS_CRYPTO_MANIFEST_PATH=/app/etc/crypto-plugins-manifest.json
 # Add labels for metadata
 LABEL com.stellaops.crypto.profile="${CRYPTO_PROFILE}"
 LABEL com.stellaops.crypto.config="/app/etc/appsettings.crypto.${CRYPTO_PROFILE}.yaml"
 LABEL com.stellaops.crypto.runtime-selection="true"
 # ============================================================================
 # Service-Specific Regional Images
 # ============================================================================
 # Authority with Regional Crypto
 FROM regional-profile AS authority
 WORKDIR /app/authority
 ENTRYPOINT ["dotnet", "StellaOps.Authority.WebService.dll"]
 # Signer with Regional Crypto
 FROM regional-profile AS signer
 WORKDIR /app/signer
 ENTRYPOINT ["dotnet", "StellaOps.Signer.WebService.dll"]
 # Attestor with Regional Crypto
 FROM regional-profile AS attestor
 WORKDIR /app/attestor
 ENTRYPOINT ["dotnet", "StellaOps.Attestor.WebService.dll"]
 # Concelier with Regional Crypto
 FROM regional-profile AS concelier
 WORKDIR /app/concelier
 ENTRYPOINT ["dotnet", "StellaOps.Concelier.WebService.dll"]
 # Scanner with Regional Crypto
 FROM regional-profile AS scanner
 WORKDIR /app/scanner
 ENTRYPOINT ["dotnet", "StellaOps.Scanner.WebService.dll"]
 # Excititor with Regional Crypto
 FROM regional-profile AS excititor
 WORKDIR /app/excititor
 ENTRYPOINT ["dotnet", "StellaOps.Excititor.WebService.dll"]
 # Policy with Regional Crypto
 FROM regional-profile AS policy
 WORKDIR /app/policy
 ENTRYPOINT ["dotnet", "StellaOps.Policy.WebService.dll"]
 # Scheduler with Regional Crypto
 FROM regional-profile AS scheduler
 WORKDIR /app/scheduler
 ENTRYPOINT ["dotnet", "StellaOps.Scheduler.WebService.dll"]
 # Notify with Regional Crypto
 FROM regional-profile AS notify
 WORKDIR /app/notify
 ENTRYPOINT ["dotnet", "StellaOps.Notify.WebService.dll"]
 # Zastava with Regional Crypto
 FROM regional-profile AS zastava
 WORKDIR /app/zastava
 ENTRYPOINT ["dotnet", "StellaOps.Zastava.WebService.dll"]
 # Gateway with Regional Crypto
 FROM regional-profile AS gateway
 WORKDIR /app/gateway
 ENTRYPOINT ["dotnet", "StellaOps.Gateway.WebService.dll"]
 # AirGap Importer with Regional Crypto
 FROM regional-profile AS airgap-importer
 WORKDIR /app/airgap-importer
 ENTRYPOINT ["dotnet", "StellaOps.AirGap.Importer.dll"]
 # AirGap Exporter with Regional Crypto
 FROM regional-profile AS airgap-exporter
 WORKDIR /app/airgap-exporter
 ENTRYPOINT ["dotnet", "StellaOps.AirGap.Exporter.dll"]
 # CLI with Regional Crypto
 FROM regional-profile AS cli
 WORKDIR /app/cli
 ENTRYPOINT ["dotnet", "StellaOps.Cli.dll"]
 # ============================================================================
 # Build Instructions
 # ============================================================================
 # Build international profile (default):
 #   docker build -f deploy/docker/Dockerfile.crypto-profile \
 #     --build-arg CRYPTO_PROFILE=international \
 #     --target authority \
 #     -t stellaops/authority:international .
 #
 # Build Russia (GOST) profile:
 #   docker build -f deploy/docker/Dockerfile.crypto-profile \
 #     --build-arg CRYPTO_PROFILE=russia \
 #     --target scanner \
 #     -t stellaops/scanner:russia .
 #
 # Build EU (eIDAS) profile:
 #   docker build -f deploy/docker/Dockerfile.crypto-profile \
 #     --build-arg CRYPTO_PROFILE=eu \
 #     --target signer \
 #     -t stellaops/signer:eu .
 #
 # Build China (SM) profile:
 #   docker build -f deploy/docker/Dockerfile.crypto-profile \
 #     --build-arg CRYPTO_PROFILE=china \
 #     --target attestor \
 #     -t stellaops/attestor:china .
 #
 # ============================================================================
 # Regional Profile Descriptions
 # ============================================================================
 # international: Default NIST algorithms (ES256, RS256, SHA-256)
 #                Uses offline-verification plugin
 #                Jurisdiction: world
 #
 # russia:        GOST R 34.10-2012, GOST R 34.11-2012
 #                Uses CryptoPro CSP plugin
 #                Jurisdiction: russia
 #                Requires: CryptoPro CSP SDK
 #
 # eu:            eIDAS-compliant qualified trust services
 #                Uses eIDAS plugin with qualified certificates
 #                Jurisdiction: eu
 #                Requires: eIDAS trust service provider integration
 #
 # china:         SM2, SM3, SM4 algorithms
 #                Uses SM crypto plugin
 #                Jurisdiction: china
 #                Requires: GmSSL or BouncyCastle SM extensions
 #
 # ============================================================================
 # Runtime Configuration
 # ============================================================================
 # The crypto provider is selected at runtime based on:
 #   1. STELLAOPS_CRYPTO_PROFILE environment variable
 #   2. /app/etc/appsettings.crypto.yaml configuration file
 #   3. /app/etc/crypto-plugins-manifest.json plugin metadata
 #
 # Plugin loading sequence:
 #   1. Application starts
 #   2. CryptoPluginLoader reads /app/etc/appsettings.crypto.yaml
 #   3. Loads enabled plugins from manifest
 #   4. Validates platform compatibility
 #   5. Validates jurisdiction compliance
 #   6. Registers providers with DI container
 #   7. Application uses ICryptoProvider abstraction
 #
 # No cryptographic code is executed until runtime plugin selection completes.
--- a/deploy/docker/Dockerfile.platform
+++ b/deploy/docker/Dockerfile.platform
@@ -0,0 +1,212 @@
 # syntax=docker/dockerfile:1.4
 # StellaOps Platform Image - Build Once, Deploy Everywhere
 # Builds ALL crypto plugins unconditionally for runtime selection
 # ============================================================================
 # Stage 1: SDK Build - Build ALL Projects and Crypto Plugins
 # ============================================================================
 FROM mcr.microsoft.com/dotnet/sdk:10.0-preview AS build
 WORKDIR /src
 # Copy solution and project files for dependency restore
 COPY Directory.Build.props Directory.Build.targets nuget.config ./
 COPY src/StellaOps.sln ./src/
 # Copy all crypto plugin projects
 COPY src/__Libraries/StellaOps.Cryptography/ ./src/__Libraries/StellaOps.Cryptography/
 COPY src/__Libraries/StellaOps.Cryptography.DependencyInjection/ ./src/__Libraries/StellaOps.Cryptography.DependencyInjection/
 COPY src/__Libraries/StellaOps.Cryptography.PluginLoader/ ./src/__Libraries/StellaOps.Cryptography.PluginLoader/
 # Crypto plugins - ALL built unconditionally
 COPY src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ ./src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/
 # Note: Additional crypto plugins can be added here when available:
 # COPY src/__Libraries/StellaOps.Cryptography.Plugin.eIDAS/ ./src/__Libraries/StellaOps.Cryptography.Plugin.eIDAS/
 # COPY src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/ ./src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/
 # COPY src/__Libraries/StellaOps.Cryptography.Plugin.SM/ ./src/__Libraries/StellaOps.Cryptography.Plugin.SM/
 # Copy all module projects
 COPY src/Authority/ ./src/Authority/
 COPY src/Signer/ ./src/Signer/
 COPY src/Attestor/ ./src/Attestor/
 COPY src/Concelier/ ./src/Concelier/
 COPY src/Scanner/ ./src/Scanner/
 COPY src/AirGap/ ./src/AirGap/
 COPY src/Excititor/ ./src/Excititor/
 COPY src/Policy/ ./src/Policy/
 COPY src/Scheduler/ ./src/Scheduler/
 COPY src/Notify/ ./src/Notify/
 COPY src/Zastava/ ./src/Zastava/
 COPY src/Gateway/ ./src/Gateway/
 COPY src/Cli/ ./src/Cli/
 # Copy shared libraries
 COPY src/__Libraries/ ./src/__Libraries/
 # Restore dependencies
 RUN dotnet restore src/StellaOps.sln
 # Build entire solution (Release configuration)
 RUN dotnet build src/StellaOps.sln --configuration Release --no-restore
 # Publish all web services and libraries
 # This creates /app/publish with all assemblies including crypto plugins
 RUN dotnet publish src/Authority/StellaOps.Authority.WebService/StellaOps.Authority.WebService.csproj \
    --configuration Release --no-build --output /app/publish/authority
 RUN dotnet publish src/Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj \
    --configuration Release --no-build --output /app/publish/signer
 RUN dotnet publish src/Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj \
    --configuration Release --no-build --output /app/publish/attestor
 RUN dotnet publish src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj \
    --configuration Release --no-build --output /app/publish/concelier
 RUN dotnet publish src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj \
    --configuration Release --no-build --output /app/publish/scanner
 RUN dotnet publish src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj \
    --configuration Release --no-build --output /app/publish/excititor
 RUN dotnet publish src/Policy/StellaOps.Policy.WebService/StellaOps.Policy.WebService.csproj \
    --configuration Release --no-build --output /app/publish/policy
 RUN dotnet publish src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj \
    --configuration Release --no-build --output /app/publish/scheduler
 RUN dotnet publish src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj \
    --configuration Release --no-build --output /app/publish/notify
 RUN dotnet publish src/Zastava/StellaOps.Zastava.WebService/StellaOps.Zastava.WebService.csproj \
    --configuration Release --no-build --output /app/publish/zastava
 RUN dotnet publish src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj \
    --configuration Release --no-build --output /app/publish/gateway
 RUN dotnet publish src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj \
    --configuration Release --no-build --output /app/publish/airgap-importer
 RUN dotnet publish src/AirGap/StellaOps.AirGap.Exporter/StellaOps.AirGap.Exporter.csproj \
    --configuration Release --no-build --output /app/publish/airgap-exporter
 RUN dotnet publish src/Cli/StellaOps.Cli/StellaOps.Cli.csproj \
    --configuration Release --no-build --output /app/publish/cli
 # Copy crypto plugin manifest
 COPY etc/crypto-plugins-manifest.json /app/publish/etc/
 # ============================================================================
 # Stage 2: Runtime Base - Contains ALL Crypto Plugins
 # ============================================================================
 FROM mcr.microsoft.com/dotnet/aspnet:10.0-preview AS runtime-base
 WORKDIR /app
 # Install dependencies for crypto providers
 # PostgreSQL client for Authority/Concelier/etc
 RUN apt-get update && apt-get install -y \
    postgresql-client \
    && rm -rf /var/lib/apt/lists/*
 # Copy all published assemblies (includes all crypto plugins)
 COPY --from=build /app/publish /app/
 # Expose common ports (these can be overridden by docker-compose)
 EXPOSE 8080 8443
 # Labels
 LABEL com.stellaops.image.type="platform"
 LABEL com.stellaops.image.variant="all-plugins"
 LABEL com.stellaops.crypto.plugins="offline-verification"
 # Additional plugins will be added as they become available:
 # LABEL com.stellaops.crypto.plugins="offline-verification,eidas,cryptopro,sm"
 # Health check placeholder (can be overridden per service)
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1
 # ============================================================================
 # Service-Specific Final Stages
 # ============================================================================
 # Authority Service
 FROM runtime-base AS authority
 WORKDIR /app/authority
 ENTRYPOINT ["dotnet", "StellaOps.Authority.WebService.dll"]
 # Signer Service
 FROM runtime-base AS signer
 WORKDIR /app/signer
 ENTRYPOINT ["dotnet", "StellaOps.Signer.WebService.dll"]
 # Attestor Service
 FROM runtime-base AS attestor
 WORKDIR /app/attestor
 ENTRYPOINT ["dotnet", "StellaOps.Attestor.WebService.dll"]
 # Concelier Service
 FROM runtime-base AS concelier
 WORKDIR /app/concelier
 ENTRYPOINT ["dotnet", "StellaOps.Concelier.WebService.dll"]
 # Scanner Service
 FROM runtime-base AS scanner
 WORKDIR /app/scanner
 ENTRYPOINT ["dotnet", "StellaOps.Scanner.WebService.dll"]
 # Excititor Service
 FROM runtime-base AS excititor
 WORKDIR /app/excititor
 ENTRYPOINT ["dotnet", "StellaOps.Excititor.WebService.dll"]
 # Policy Service
 FROM runtime-base AS policy
 WORKDIR /app/policy
 ENTRYPOINT ["dotnet", "StellaOps.Policy.WebService.dll"]
 # Scheduler Service
 FROM runtime-base AS scheduler
 WORKDIR /app/scheduler
 ENTRYPOINT ["dotnet", "StellaOps.Scheduler.WebService.dll"]
 # Notify Service
 FROM runtime-base AS notify
 WORKDIR /app/notify
 ENTRYPOINT ["dotnet", "StellaOps.Notify.WebService.dll"]
 # Zastava Service
 FROM runtime-base AS zastava
 WORKDIR /app/zastava
 ENTRYPOINT ["dotnet", "StellaOps.Zastava.WebService.dll"]
 # Gateway Service
 FROM runtime-base AS gateway
 WORKDIR /app/gateway
 ENTRYPOINT ["dotnet", "StellaOps.Gateway.WebService.dll"]
 # AirGap Importer (CLI tool)
 FROM runtime-base AS airgap-importer
 WORKDIR /app/airgap-importer
 ENTRYPOINT ["dotnet", "StellaOps.AirGap.Importer.dll"]
 # AirGap Exporter (CLI tool)
 FROM runtime-base AS airgap-exporter
 WORKDIR /app/airgap-exporter
 ENTRYPOINT ["dotnet", "StellaOps.AirGap.Exporter.dll"]
 # CLI Tool
 FROM runtime-base AS cli
 WORKDIR /app/cli
 ENTRYPOINT ["dotnet", "StellaOps.Cli.dll"]
 # ============================================================================
 # Build Instructions
 # ============================================================================
 # Build platform image:
 #   docker build -f deploy/docker/Dockerfile.platform --target runtime-base -t stellaops/platform:latest .
 #
 # Build specific service:
 #   docker build -f deploy/docker/Dockerfile.platform --target authority -t stellaops/authority:latest .
 #   docker build -f deploy/docker/Dockerfile.platform --target scanner -t stellaops/scanner:latest .
 #
 # The platform image contains ALL crypto plugins.
 # Regional selection happens at runtime via configuration (see Dockerfile.crypto-profile).
--- a/deploy/grafana/dashboards/attestation-metrics.json
+++ b/deploy/grafana/dashboards/attestation-metrics.json
@@ -0,0 +1,555 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": null,
  "links": [],
  "liveNow": false,
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "thresholds"
          },
          "mappings": [],
          "max": 1,
          "min": 0,
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "red",
                "value": null
              },
              {
                "color": "yellow",
                "value": 0.9
              },
              {
                "color": "green",
                "value": 0.95
              }
            ]
          },
          "unit": "percentunit"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "",
          "values": false
        },
        "showThresholdLabels": true,
        "showThresholdMarkers": true
      },
      "pluginVersion": "10.0.0",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "sum(stella_attestations_created_total) / (sum(stella_attestations_created_total) + sum(stella_attestations_failed_total))",
          "refId": "A"
        }
      ],
      "title": "Attestation Completeness (Target: ≥95%)",
      "type": "gauge"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "drawStyle": "bars",
            "fillOpacity": 80,
            "gradientMode": "none",
            "hideFrom": {
              "tooltip": false,
              "viz": false,
              "legend": false
            },
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "line"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              },
              {
                "color": "red",
                "value": 30
              }
            ]
          },
          "unit": "s"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 9,
        "x": 6,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "calcs": ["mean", "max"],
          "displayMode": "table",
          "placement": "right",
          "showLegend": true
        },
        "tooltip": {
          "mode": "single",
          "sort": "none"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "histogram_quantile(0.95, rate(stella_ttfe_seconds_bucket[5m]))",
          "legendFormat": "p95",
          "refId": "A"
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "histogram_quantile(0.50, rate(stella_ttfe_seconds_bucket[5m]))",
          "legendFormat": "p50",
          "refId": "B"
        }
      ],
      "title": "TTFE Distribution (Target: ≤30s)",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "drawStyle": "line",
            "fillOpacity": 20,
            "gradientMode": "none",
            "hideFrom": {
              "tooltip": false,
              "viz": false,
              "legend": false
            },
            "lineInterpolation": "smooth",
            "lineWidth": 2,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "max": 1,
          "min": 0,
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          },
          "unit": "percentunit"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 9,
        "x": 15,
        "y": 0
      },
      "id": 3,
      "options": {
        "legend": {
          "calcs": ["mean", "last"],
          "displayMode": "table",
          "placement": "right",
          "showLegend": true
        },
        "tooltip": {
          "mode": "single",
          "sort": "none"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "sum(rate(stella_attestations_verified_total[5m])) / (sum(rate(stella_attestations_verified_total[5m])) + sum(rate(stella_attestations_failed_total[5m])))",
          "legendFormat": "Success Rate",
          "refId": "A"
        }
      ],
      "title": "Verification Success Rate",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "drawStyle": "line",
            "fillOpacity": 20,
            "gradientMode": "none",
            "hideFrom": {
              "tooltip": false,
              "viz": false,
              "legend": false
            },
            "lineInterpolation": "smooth",
            "lineWidth": 2,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "normal"
            },
            "thresholdsStyle": {
              "mode": "line"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              },
              {
                "color": "red",
                "value": 1
              }
            ]
          },
          "unit": "short"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 12,
        "x": 0,
        "y": 8
      },
      "id": 4,
      "options": {
        "legend": {
          "calcs": ["sum"],
          "displayMode": "table",
          "placement": "right",
          "showLegend": true
        },
        "tooltip": {
          "mode": "multi",
          "sort": "none"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "sum by (environment, reason) (rate(stella_post_deploy_reversions_total[5m]))",
          "legendFormat": "{{environment}}: {{reason}}",
          "refId": "A"
        }
      ],
      "title": "Post-Deploy Reversions (Trend to Zero)",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "hideFrom": {
              "tooltip": false,
              "viz": false,
              "legend": false
            }
          },
          "mappings": []
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 12,
        "y": 8
      },
      "id": 5,
      "options": {
        "legend": {
          "displayMode": "table",
          "placement": "right",
          "showLegend": true,
          "values": ["value"]
        },
        "pieType": "pie",
        "tooltip": {
          "mode": "single",
          "sort": "none"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "sum by (predicate_type) (stella_attestations_created_total)",
          "legendFormat": "{{predicate_type}}",
          "refId": "A"
        }
      ],
      "title": "Attestations by Type",
      "type": "piechart"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "${DS_PROMETHEUS}"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "drawStyle": "line",
            "fillOpacity": 20,
            "gradientMode": "none",
            "hideFrom": {
              "tooltip": false,
              "viz": false,
              "legend": false
            },
            "lineInterpolation": "smooth",
            "lineWidth": 2,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              },
              {
                "color": "red",
                "value": 80
              }
            ]
          },
          "unit": "short"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 8,
        "w": 6,
        "x": 18,
        "y": 8
      },
      "id": 6,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "mode": "single",
          "sort": "none"
        }
      },
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "expr": "sum(stella_attestations_failed_total{reason=\"stale_evidence\"})",
          "legendFormat": "Stale Evidence Alerts",
          "refId": "A"
        }
      ],
      "title": "Stale Evidence Alerts",
      "type": "timeseries"
    }
  ],
  "refresh": "30s",
  "schemaVersion": 38,
  "style": "dark",
  "tags": ["stellaops", "attestations", "security"],
  "templating": {
    "list": [
      {
        "current": {
          "selected": false,
          "text": "Prometheus",
          "value": "Prometheus"
        },
        "hide": 0,
        "includeAll": false,
        "label": "Data Source",
        "multi": false,
        "name": "DS_PROMETHEUS",
        "options": [],
        "query": "prometheus",
        "refresh": 1,
        "regex": "",
        "skipUrlSync": false,
        "type": "datasource"
      }
    ]
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "StellaOps - Attestation Metrics",
  "uid": "stellaops-attestations",
  "version": 1,
  "weekStart": ""
 }
--- a/deploy/grafana/dashboards/provcache-overview.json
+++ b/deploy/grafana/dashboards/provcache-overview.json
--- a/deploy/helm/stellaops/templates/console.yaml
+++ b/deploy/helm/stellaops/templates/console.yaml
@@ -0,0 +1,108 @@
 {{- if .Values.console.enabled }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "stellaops.fullname" . }}-console
  labels:
    app.kubernetes.io/component: console
    {{- include "stellaops.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.console.replicas | default 1 }}
  selector:
    matchLabels:
      app.kubernetes.io/component: console
      {{- include "stellaops.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        app.kubernetes.io/component: console
        {{- include "stellaops.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.console.securityContext | nindent 8 }}
      containers:
        - name: console
          image: {{ .Values.console.image }}
          imagePullPolicy: {{ .Values.global.image.pullPolicy | default "IfNotPresent" }}
          ports:
            - name: http
              containerPort: {{ .Values.console.port | default 8080 }}
              protocol: TCP
          securityContext:
            {{- toYaml .Values.console.containerSecurityContext | nindent 12 }}
          livenessProbe:
            {{- toYaml .Values.console.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.console.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.console.resources | nindent 12 }}
          volumeMounts:
            {{- toYaml .Values.console.volumeMounts | nindent 12 }}
          env:
            - name: APP_PORT
              value: "{{ .Values.console.port | default 8080 }}"
      volumes:
        {{- toYaml .Values.console.volumes | nindent 8 }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "stellaops.fullname" . }}-console
  labels:
    app.kubernetes.io/component: console
    {{- include "stellaops.labels" . | nindent 4 }}
 spec:
  type: {{ .Values.console.service.type | default "ClusterIP" }}
  ports:
    - port: {{ .Values.console.service.port | default 80 }}
      targetPort: {{ .Values.console.service.targetPort | default 8080 }}
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/component: console
    {{- include "stellaops.selectorLabels" . | nindent 4 }}
 {{- if .Values.console.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "stellaops.fullname" . }}-console
  labels:
    app.kubernetes.io/component: console
    {{- include "stellaops.labels" . | nindent 4 }}
  {{- with .Values.console.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- if .Values.console.ingress.className }}
  ingressClassName: {{ .Values.console.ingress.className }}
  {{- end }}
  {{- if .Values.console.ingress.tls }}
  tls:
    {{- range .Values.console.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.console.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            pathType: {{ .pathType | default "Prefix" }}
            backend:
              service:
                name: {{ include "stellaops.fullname" $ }}-console
                port:
                  name: http
          {{- end }}
    {{- end }}
 {{- end }}
 {{- end }}
--- a/deploy/helm/stellaops/values-airgap.yaml
+++ b/deploy/helm/stellaops/values-airgap.yaml
@@ -156,6 +156,11 @@ services:
      SCANNER__EVENTS__STREAM: "stella.events"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
      SCANNER__OFFLINEKIT__ENABLED: "false"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_SECRETS_PROVIDER: "file"
--- a/deploy/helm/stellaops/values-console.yaml
+++ b/deploy/helm/stellaops/values-console.yaml
@@ -0,0 +1,84 @@
 # Console (Angular SPA) values overlay
 # Use: helm install stellaops . -f values-console.yaml
 console:
  enabled: true
  image: registry.stella-ops.org/stellaops/console:2025.10.0-edge
  replicas: 1
  port: 8080
  # Backend API URL injected via config.json at startup
  apiBaseUrl: ""
  # Authority URL for OAuth/OIDC
  authorityUrl: ""
  # Tenant header name
  tenantHeader: "X-StellaOps-Tenant"
  # Resource limits (nginx is lightweight)
  resources:
    limits:
      cpu: "200m"
      memory: "128Mi"
    requests:
      cpu: "50m"
      memory: "64Mi"
  # Service configuration
  service:
    type: ClusterIP
    port: 80
    targetPort: 8080
  # Ingress configuration (enable for external access)
  ingress:
    enabled: false
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    hosts:
      - host: console.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  # Health probes
  livenessProbe:
    httpGet:
      path: /
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 30
  readinessProbe:
    httpGet:
      path: /
      port: 8080
    initialDelaySeconds: 5
    periodSeconds: 10
  # Pod security context (non-root per DOCKER-44-001)
  securityContext:
    runAsNonRoot: true
    runAsUser: 101
    runAsGroup: 101
    fsGroup: 101
  # Container security context
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
  # Volume mounts for nginx temp directories (RO rootfs)
  volumeMounts:
    - name: nginx-cache
      mountPath: /var/cache/nginx
    - name: nginx-run
      mountPath: /var/run
  volumes:
    - name: nginx-cache
      emptyDir: {}
    - name: nginx-run
      emptyDir: {}
--- a/deploy/helm/stellaops/values-dev.yaml
+++ b/deploy/helm/stellaops/values-dev.yaml
@@ -121,6 +121,11 @@ services:
      SCANNER__EVENTS__STREAM: "stella.events"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
      SCANNER__OFFLINEKIT__ENABLED: "false"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_SECRETS_PROVIDER: "inline"
--- a/deploy/helm/stellaops/values-exporter.yaml
+++ b/deploy/helm/stellaops/values-exporter.yaml
@@ -0,0 +1,58 @@
 # Exporter (Export Center) values overlay
 # Use: helm install stellaops . -f values-exporter.yaml
 exporter:
  enabled: true
  image: registry.stella-ops.org/stellaops/exporter:2025.10.0-edge
  replicas: 1
  port: 8080
  # Export configuration
  storage:
    # Object store for export artifacts
    endpoint: ""
    bucket: "stellaops-exports"
    region: ""
  # Retention policy
  retention:
    defaultDays: 30
    maxDays: 365
  resources:
    limits:
      cpu: "500m"
      memory: "512Mi"
    requests:
      cpu: "100m"
      memory: "256Mi"
  service:
    type: ClusterIP
    port: 8080
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 30
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 8080
    initialDelaySeconds: 5
    periodSeconds: 10
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
--- a/deploy/helm/stellaops/values-ledger.yaml
+++ b/deploy/helm/stellaops/values-ledger.yaml
@@ -0,0 +1,59 @@
 # Ledger (Findings Ledger) values overlay
 # Use: helm install stellaops . -f values-ledger.yaml
 ledger:
  enabled: true
  image: registry.stella-ops.org/stellaops/findings-ledger:2025.10.0-edge
  replicas: 1
  port: 8080
  # Database configuration
  postgres:
    host: ""
    port: 5432
    database: "stellaops_ledger"
    schema: "findings"
    # Connection string override (takes precedence)
    connectionString: ""
  # Tenant isolation
  multiTenant: true
  defaultTenant: "default"
  resources:
    limits:
      cpu: "1000m"
      memory: "1Gi"
    requests:
      cpu: "200m"
      memory: "512Mi"
  service:
    type: ClusterIP
    port: 8080
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 8080
    initialDelaySeconds: 15
    periodSeconds: 30
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
--- a/deploy/helm/stellaops/values-prod.yaml
+++ b/deploy/helm/stellaops/values-prod.yaml
@@ -180,6 +180,11 @@ services:
      SCANNER__EVENTS__STREAM: "stella.events"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
      SCANNER__OFFLINEKIT__ENABLED: "false"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"
--- a/deploy/helm/stellaops/values-stage.yaml
+++ b/deploy/helm/stellaops/values-stage.yaml
@@ -121,6 +121,11 @@ services:
      SCANNER__EVENTS__STREAM: "stella.events"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
      SCANNER__OFFLINEKIT__ENABLED: "false"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
      SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
      SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"
--- a/deploy/postgres-partitioning/001_partition_infrastructure.sql
+++ b/deploy/postgres-partitioning/001_partition_infrastructure.sql
@@ -0,0 +1,561 @@
 -- Partitioning Infrastructure Migration 001: Foundation
 -- Sprint: SPRINT_3422_0001_0001 - Time-Based Partitioning
 -- Category: C (infrastructure setup, requires planned maintenance)
 --
 -- Purpose: Create partition management infrastructure including:
 -- - Helper functions for partition creation and maintenance
 -- - Utility functions for BRIN index optimization
 -- - Partition maintenance scheduling support
 --
 -- This migration creates the foundation; table conversion is done in separate migrations.
 BEGIN;
 -- ============================================================================
 -- Step 1: Create partition management schema
 -- ============================================================================
 CREATE SCHEMA IF NOT EXISTS partition_mgmt;
 COMMENT ON SCHEMA partition_mgmt IS
    'Partition management utilities for time-series tables';
 -- ============================================================================
 -- Step 2: Managed table registration
 -- ============================================================================
 CREATE TABLE IF NOT EXISTS partition_mgmt.managed_tables (
    schema_name TEXT NOT NULL,
    table_name TEXT NOT NULL,
    partition_key TEXT NOT NULL,
    partition_type TEXT NOT NULL,
    retention_months INT NOT NULL DEFAULT 0,
    months_ahead INT NOT NULL DEFAULT 3,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    PRIMARY KEY (schema_name, table_name)
 );
 COMMENT ON TABLE partition_mgmt.managed_tables IS
    'Tracks partitioned tables with retention and creation settings';
 -- ============================================================================
 -- Step 3: Partition creation function
 -- ============================================================================
 -- Creates a new partition for a given table and date range
 CREATE OR REPLACE FUNCTION partition_mgmt.create_partition(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_partition_column TEXT,
    p_start_date DATE,
    p_end_date DATE,
    p_partition_suffix TEXT DEFAULT NULL
 )
 RETURNS TEXT
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_partition_name TEXT;
    v_parent_table TEXT;
    v_sql TEXT;
 BEGIN
    v_parent_table := format('%I.%I', p_schema_name, p_table_name);
    -- Generate partition name: tablename_YYYY_MM or tablename_YYYY_Q#
    IF p_partition_suffix IS NOT NULL THEN
        v_partition_name := format('%s_%s', p_table_name, p_partition_suffix);
    ELSE
        v_partition_name := format('%s_%s', p_table_name, to_char(p_start_date, 'YYYY_MM'));
    END IF;
    -- Check if partition already exists
    IF EXISTS (
        SELECT 1 FROM pg_class c
        JOIN pg_namespace n ON c.relnamespace = n.oid
        WHERE n.nspname = p_schema_name AND c.relname = v_partition_name
    ) THEN
        RAISE NOTICE 'Partition % already exists, skipping', v_partition_name;
        RETURN v_partition_name;
    END IF;
    -- Create partition
    v_sql := format(
        'CREATE TABLE %I.%I PARTITION OF %s FOR VALUES FROM (%L) TO (%L)',
        p_schema_name,
        v_partition_name,
        v_parent_table,
        p_start_date,
        p_end_date
    );
    EXECUTE v_sql;
    RAISE NOTICE 'Created partition %.%', p_schema_name, v_partition_name;
    RETURN v_partition_name;
 END;
 $$;
 -- ============================================================================
 -- Step 4: Monthly partition creation helper
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.create_monthly_partitions(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_partition_column TEXT,
    p_start_month DATE,
    p_months_ahead INT DEFAULT 3
 )
 RETURNS SETOF TEXT
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_current_month DATE;
    v_end_month DATE;
    v_partition_name TEXT;
 BEGIN
    v_current_month := date_trunc('month', p_start_month)::DATE;
    v_end_month := date_trunc('month', NOW() + (p_months_ahead || ' months')::INTERVAL)::DATE;
    WHILE v_current_month <= v_end_month LOOP
        v_partition_name := partition_mgmt.create_partition(
            p_schema_name,
            p_table_name,
            p_partition_column,
            v_current_month,
            (v_current_month + INTERVAL '1 month')::DATE
        );
        RETURN NEXT v_partition_name;
        v_current_month := (v_current_month + INTERVAL '1 month')::DATE;
    END LOOP;
 END;
 $$;
 -- ============================================================================
 -- Step 5: Quarterly partition creation helper
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.create_quarterly_partitions(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_partition_column TEXT,
    p_start_quarter DATE,
    p_quarters_ahead INT DEFAULT 2
 )
 RETURNS SETOF TEXT
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_current_quarter DATE;
    v_end_quarter DATE;
    v_partition_name TEXT;
    v_suffix TEXT;
 BEGIN
    v_current_quarter := date_trunc('quarter', p_start_quarter)::DATE;
    v_end_quarter := date_trunc('quarter', NOW() + (p_quarters_ahead * 3 || ' months')::INTERVAL)::DATE;
    WHILE v_current_quarter <= v_end_quarter LOOP
        -- Generate suffix like 2025_Q1, 2025_Q2, etc.
        v_suffix := to_char(v_current_quarter, 'YYYY') || '_Q' ||
                    EXTRACT(QUARTER FROM v_current_quarter)::TEXT;
        v_partition_name := partition_mgmt.create_partition(
            p_schema_name,
            p_table_name,
            p_partition_column,
            v_current_quarter,
            (v_current_quarter + INTERVAL '3 months')::DATE,
            v_suffix
        );
        RETURN NEXT v_partition_name;
        v_current_quarter := (v_current_quarter + INTERVAL '3 months')::DATE;
    END LOOP;
 END;
 $$;
 -- ============================================================================
 -- Step 6: Ensure future partitions exist
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.ensure_future_partitions(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_months_ahead INT
 )
 RETURNS INT
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_partition_key TEXT;
    v_partition_type TEXT;
    v_months_ahead INT;
    v_created INT := 0;
    v_current DATE;
    v_end DATE;
    v_suffix TEXT;
    v_partition_name TEXT;
 BEGIN
    SELECT partition_key, partition_type, months_ahead
      INTO v_partition_key, v_partition_type, v_months_ahead
      FROM partition_mgmt.managed_tables
     WHERE schema_name = p_schema_name
       AND table_name = p_table_name;
    IF v_partition_key IS NULL THEN
        RETURN 0;
    END IF;
    IF p_months_ahead IS NOT NULL AND p_months_ahead > 0 THEN
        v_months_ahead := p_months_ahead;
    END IF;
    IF v_months_ahead IS NULL OR v_months_ahead <= 0 THEN
        RETURN 0;
    END IF;
    v_partition_type := lower(coalesce(v_partition_type, 'monthly'));
    IF v_partition_type = 'monthly' THEN
        v_current := date_trunc('month', NOW())::DATE;
        v_end := date_trunc('month', NOW() + (v_months_ahead || ' months')::INTERVAL)::DATE;
        WHILE v_current <= v_end LOOP
            v_partition_name := format('%s_%s', p_table_name, to_char(v_current, 'YYYY_MM'));
            IF NOT EXISTS (
                SELECT 1 FROM pg_class c
                JOIN pg_namespace n ON c.relnamespace = n.oid
                WHERE n.nspname = p_schema_name AND c.relname = v_partition_name
            ) THEN
                PERFORM partition_mgmt.create_partition(
                    p_schema_name,
                    p_table_name,
                    v_partition_key,
                    v_current,
                    (v_current + INTERVAL '1 month')::DATE
                );
                v_created := v_created + 1;
            END IF;
            v_current := (v_current + INTERVAL '1 month')::DATE;
        END LOOP;
    ELSIF v_partition_type = 'quarterly' THEN
        v_current := date_trunc('quarter', NOW())::DATE;
        v_end := date_trunc('quarter', NOW() + (v_months_ahead || ' months')::INTERVAL)::DATE;
        WHILE v_current <= v_end LOOP
            v_suffix := to_char(v_current, 'YYYY') || '_Q' ||
                        EXTRACT(QUARTER FROM v_current)::TEXT;
            v_partition_name := format('%s_%s', p_table_name, v_suffix);
            IF NOT EXISTS (
                SELECT 1 FROM pg_class c
                JOIN pg_namespace n ON c.relnamespace = n.oid
                WHERE n.nspname = p_schema_name AND c.relname = v_partition_name
            ) THEN
                PERFORM partition_mgmt.create_partition(
                    p_schema_name,
                    p_table_name,
                    v_partition_key,
                    v_current,
                    (v_current + INTERVAL '3 months')::DATE,
                    v_suffix
                );
                v_created := v_created + 1;
            END IF;
            v_current := (v_current + INTERVAL '3 months')::DATE;
        END LOOP;
    END IF;
    RETURN v_created;
 END;
 $$;
 -- ============================================================================
 -- Step 7: Retention enforcement function
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.enforce_retention(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_retention_months INT
 )
 RETURNS INT
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_retention_months INT;
    v_cutoff_date DATE;
    v_partition RECORD;
    v_dropped INT := 0;
 BEGIN
    SELECT retention_months
      INTO v_retention_months
      FROM partition_mgmt.managed_tables
     WHERE schema_name = p_schema_name
       AND table_name = p_table_name;
    IF p_retention_months IS NOT NULL AND p_retention_months > 0 THEN
        v_retention_months := p_retention_months;
    END IF;
    IF v_retention_months IS NULL OR v_retention_months <= 0 THEN
        RETURN 0;
    END IF;
    v_cutoff_date := (NOW() - (v_retention_months || ' months')::INTERVAL)::DATE;
    FOR v_partition IN
        SELECT partition_name, partition_end
          FROM partition_mgmt.partition_stats
         WHERE schema_name = p_schema_name
           AND table_name = p_table_name
    LOOP
        IF v_partition.partition_end IS NOT NULL AND v_partition.partition_end < v_cutoff_date THEN
            EXECUTE format('DROP TABLE IF EXISTS %I.%I', p_schema_name, v_partition.partition_name);
            v_dropped := v_dropped + 1;
        END IF;
    END LOOP;
    RETURN v_dropped;
 END;
 $$;
 -- ============================================================================
 -- Step 8: Partition detach and archive function
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.detach_partition(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_partition_name TEXT,
    p_archive_schema TEXT DEFAULT 'archive'
 )
 RETURNS BOOLEAN
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_parent_table TEXT;
    v_partition_full TEXT;
    v_archive_table TEXT;
 BEGIN
    v_parent_table := format('%I.%I', p_schema_name, p_table_name);
    v_partition_full := format('%I.%I', p_schema_name, p_partition_name);
    v_archive_table := format('%I.%I', p_archive_schema, p_partition_name);
    -- Create archive schema if not exists
    EXECUTE format('CREATE SCHEMA IF NOT EXISTS %I', p_archive_schema);
    -- Detach partition
    EXECUTE format(
        'ALTER TABLE %s DETACH PARTITION %s',
        v_parent_table,
        v_partition_full
    );
    -- Move to archive schema
    EXECUTE format(
        'ALTER TABLE %s SET SCHEMA %I',
        v_partition_full,
        p_archive_schema
    );
    RAISE NOTICE 'Detached and archived partition % to %', p_partition_name, v_archive_table;
    RETURN TRUE;
 EXCEPTION
    WHEN OTHERS THEN
        RAISE WARNING 'Failed to detach partition %: %', p_partition_name, SQLERRM;
        RETURN FALSE;
 END;
 $$;
 -- ============================================================================
 -- Step 9: Partition retention cleanup function
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.cleanup_old_partitions(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_retention_months INT,
    p_archive_schema TEXT DEFAULT 'archive',
    p_dry_run BOOLEAN DEFAULT TRUE
 )
 RETURNS TABLE(partition_name TEXT, action TEXT)
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_cutoff_date DATE;
    v_partition RECORD;
    v_partition_end DATE;
 BEGIN
    v_cutoff_date := (NOW() - (p_retention_months || ' months')::INTERVAL)::DATE;
    FOR v_partition IN
        SELECT c.relname as name,
               pg_get_expr(c.relpartbound, c.oid) as bound_expr
        FROM pg_class c
        JOIN pg_namespace n ON c.relnamespace = n.oid
        JOIN pg_inherits i ON c.oid = i.inhrelid
        JOIN pg_class parent ON i.inhparent = parent.oid
        WHERE n.nspname = p_schema_name
          AND parent.relname = p_table_name
          AND c.relkind = 'r'
    LOOP
        -- Parse the partition bound to get end date
        -- Format: FOR VALUES FROM ('2024-01-01') TO ('2024-02-01')
        v_partition_end := (regexp_match(v_partition.bound_expr,
            'TO \(''([^'']+)''\)'))[1]::DATE;
        IF v_partition_end IS NOT NULL AND v_partition_end < v_cutoff_date THEN
            partition_name := v_partition.name;
            IF p_dry_run THEN
                action := 'WOULD_ARCHIVE';
            ELSE
                IF partition_mgmt.detach_partition(
                    p_schema_name, p_table_name, v_partition.name, p_archive_schema
                ) THEN
                    action := 'ARCHIVED';
                ELSE
                    action := 'FAILED';
                END IF;
            END IF;
            RETURN NEXT;
        END IF;
    END LOOP;
 END;
 $$;
 -- ============================================================================
 -- Step 10: Partition statistics view
 -- ============================================================================
 CREATE OR REPLACE VIEW partition_mgmt.partition_stats AS
 SELECT
    n.nspname AS schema_name,
    parent.relname AS table_name,
    c.relname AS partition_name,
    pg_get_expr(c.relpartbound, c.oid) AS partition_range,
    (regexp_match(pg_get_expr(c.relpartbound, c.oid), 'FROM \(''([^'']+)''\)'))[1]::DATE AS partition_start,
    (regexp_match(pg_get_expr(c.relpartbound, c.oid), 'TO \(''([^'']+)''\)'))[1]::DATE AS partition_end,
    pg_size_pretty(pg_relation_size(c.oid)) AS size,
    pg_relation_size(c.oid) AS size_bytes,
    COALESCE(s.n_live_tup, 0) AS estimated_rows,
    s.last_vacuum,
    s.last_autovacuum,
    s.last_analyze,
    s.last_autoanalyze
 FROM pg_class c
 JOIN pg_namespace n ON c.relnamespace = n.oid
 JOIN pg_inherits i ON c.oid = i.inhrelid
 JOIN pg_class parent ON i.inhparent = parent.oid
 LEFT JOIN pg_stat_user_tables s ON c.oid = s.relid
 WHERE c.relkind = 'r'
  AND parent.relkind = 'p'
 ORDER BY n.nspname, parent.relname, c.relname;
 COMMENT ON VIEW partition_mgmt.partition_stats IS
    'Statistics for all partitioned tables in the database';
 -- ============================================================================
 -- Step 11: BRIN index optimization helper
 -- ============================================================================
 CREATE OR REPLACE FUNCTION partition_mgmt.create_brin_index_if_not_exists(
    p_schema_name TEXT,
    p_table_name TEXT,
    p_column_name TEXT,
    p_pages_per_range INT DEFAULT 128
 )
 RETURNS BOOLEAN
 LANGUAGE plpgsql
 AS $$
 DECLARE
    v_index_name TEXT;
    v_sql TEXT;
 BEGIN
    v_index_name := format('brin_%s_%s', p_table_name, p_column_name);
    -- Check if index exists
    IF EXISTS (
        SELECT 1 FROM pg_indexes
        WHERE schemaname = p_schema_name AND indexname = v_index_name
    ) THEN
        RAISE NOTICE 'BRIN index % already exists', v_index_name;
        RETURN FALSE;
    END IF;
    v_sql := format(
        'CREATE INDEX %I ON %I.%I USING brin (%I) WITH (pages_per_range = %s)',
        v_index_name,
        p_schema_name,
        p_table_name,
        p_column_name,
        p_pages_per_range
    );
    EXECUTE v_sql;
    RAISE NOTICE 'Created BRIN index % on %.%(%)',
        v_index_name, p_schema_name, p_table_name, p_column_name;
    RETURN TRUE;
 END;
 $$;
 -- ============================================================================
 -- Step 12: Maintenance job tracking table
 -- ============================================================================
 CREATE TABLE IF NOT EXISTS partition_mgmt.maintenance_log (
    id BIGSERIAL PRIMARY KEY,
    operation TEXT NOT NULL,
    schema_name TEXT NOT NULL,
    table_name TEXT NOT NULL,
    partition_name TEXT,
    status TEXT NOT NULL DEFAULT 'started',
    details JSONB NOT NULL DEFAULT '{}',
    started_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    completed_at TIMESTAMPTZ,
    error_message TEXT
 );
 CREATE INDEX idx_maintenance_log_table ON partition_mgmt.maintenance_log(schema_name, table_name);
 CREATE INDEX idx_maintenance_log_status ON partition_mgmt.maintenance_log(status, started_at);
 -- ============================================================================
 -- Step 13: Archive schema for detached partitions
 -- ============================================================================
 CREATE SCHEMA IF NOT EXISTS archive;
 COMMENT ON SCHEMA archive IS
    'Storage for detached/archived partitions awaiting deletion or offload';
 COMMIT;
 -- ============================================================================
 -- Usage Examples (commented out)
 -- ============================================================================
 /*
 -- Create monthly partitions for audit table, 3 months ahead
 SELECT partition_mgmt.create_monthly_partitions(
    'scheduler', 'audit', 'created_at', '2024-01-01'::DATE, 3
 );
 -- Preview old partitions that would be archived (dry run)
 SELECT * FROM partition_mgmt.cleanup_old_partitions(
    'scheduler', 'audit', 12, 'archive', TRUE
 );
 -- Actually archive old partitions
 SELECT * FROM partition_mgmt.cleanup_old_partitions(
    'scheduler', 'audit', 12, 'archive', FALSE
 );
 -- View partition statistics
 SELECT * FROM partition_mgmt.partition_stats
 WHERE schema_name = 'scheduler'
 ORDER BY table_name, partition_name;
 */
--- a/deploy/postgres-partitioning/002_calibration_schema.sql
+++ b/deploy/postgres-partitioning/002_calibration_schema.sql
@@ -0,0 +1,143 @@
 -- Migration: Trust Vector Calibration Schema
 -- Sprint: 7100.0002.0002
 -- Description: Creates schema and tables for trust vector calibration system
 -- Create calibration schema
 CREATE SCHEMA IF NOT EXISTS excititor_calibration;
 -- Calibration manifests table
 -- Stores signed manifests for each calibration epoch
 CREATE TABLE IF NOT EXISTS excititor_calibration.calibration_manifests (
    manifest_id TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    epoch_number INTEGER NOT NULL,
    epoch_start_utc TIMESTAMP NOT NULL,
    epoch_end_utc TIMESTAMP NOT NULL,
    sample_count INTEGER NOT NULL,
    learning_rate DOUBLE PRECISION NOT NULL,
    policy_hash TEXT,
    lattice_version TEXT NOT NULL,
    manifest_json JSONB NOT NULL,
    signature_envelope JSONB,
    created_at_utc TIMESTAMP NOT NULL DEFAULT (NOW() AT TIME ZONE 'UTC'),
    created_by TEXT NOT NULL,
    CONSTRAINT uq_calibration_manifest_tenant_epoch UNIQUE (tenant_id, epoch_number)
 );
 CREATE INDEX idx_calibration_manifests_tenant
    ON excititor_calibration.calibration_manifests(tenant_id);
 CREATE INDEX idx_calibration_manifests_created
    ON excititor_calibration.calibration_manifests(created_at_utc DESC);
 -- Trust vector adjustments table
 -- Records each provider's trust vector changes per epoch
 CREATE TABLE IF NOT EXISTS excititor_calibration.trust_vector_adjustments (
    adjustment_id BIGSERIAL PRIMARY KEY,
    manifest_id TEXT NOT NULL REFERENCES excititor_calibration.calibration_manifests(manifest_id),
    source_id TEXT NOT NULL,
    old_provenance DOUBLE PRECISION NOT NULL,
    old_coverage DOUBLE PRECISION NOT NULL,
    old_replayability DOUBLE PRECISION NOT NULL,
    new_provenance DOUBLE PRECISION NOT NULL,
    new_coverage DOUBLE PRECISION NOT NULL,
    new_replayability DOUBLE PRECISION NOT NULL,
    adjustment_magnitude DOUBLE PRECISION NOT NULL,
    confidence_in_adjustment DOUBLE PRECISION NOT NULL,
    sample_count_for_source INTEGER NOT NULL,
    created_at_utc TIMESTAMP NOT NULL DEFAULT (NOW() AT TIME ZONE 'UTC'),
    CONSTRAINT chk_old_provenance_range CHECK (old_provenance >= 0 AND old_provenance <= 1),
    CONSTRAINT chk_old_coverage_range CHECK (old_coverage >= 0 AND old_coverage <= 1),
    CONSTRAINT chk_old_replayability_range CHECK (old_replayability >= 0 AND old_replayability <= 1),
    CONSTRAINT chk_new_provenance_range CHECK (new_provenance >= 0 AND new_provenance <= 1),
    CONSTRAINT chk_new_coverage_range CHECK (new_coverage >= 0 AND new_coverage <= 1),
    CONSTRAINT chk_new_replayability_range CHECK (new_replayability >= 0 AND new_replayability <= 1),
    CONSTRAINT chk_confidence_range CHECK (confidence_in_adjustment >= 0 AND confidence_in_adjustment <= 1)
 );
 CREATE INDEX idx_trust_adjustments_manifest
    ON excititor_calibration.trust_vector_adjustments(manifest_id);
 CREATE INDEX idx_trust_adjustments_source
    ON excititor_calibration.trust_vector_adjustments(source_id);
 -- Calibration feedback samples table
 -- Stores empirical evidence used for calibration
 CREATE TABLE IF NOT EXISTS excititor_calibration.calibration_samples (
    sample_id BIGSERIAL PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    source_id TEXT NOT NULL,
    cve_id TEXT NOT NULL,
    purl TEXT NOT NULL,
    expected_status TEXT NOT NULL,
    actual_status TEXT NOT NULL,
    verdict_confidence DOUBLE PRECISION NOT NULL,
    is_match BOOLEAN NOT NULL,
    feedback_source TEXT NOT NULL, -- 'reachability', 'customer_feedback', 'integration_tests'
    feedback_weight DOUBLE PRECISION NOT NULL DEFAULT 1.0,
    scan_id TEXT,
    collected_at_utc TIMESTAMP NOT NULL DEFAULT (NOW() AT TIME ZONE 'UTC'),
    processed BOOLEAN NOT NULL DEFAULT FALSE,
    processed_in_manifest_id TEXT REFERENCES excititor_calibration.calibration_manifests(manifest_id),
    CONSTRAINT chk_verdict_confidence_range CHECK (verdict_confidence >= 0 AND verdict_confidence <= 1),
    CONSTRAINT chk_feedback_weight_range CHECK (feedback_weight >= 0 AND feedback_weight <= 1)
 );
 CREATE INDEX idx_calibration_samples_tenant
    ON excititor_calibration.calibration_samples(tenant_id);
 CREATE INDEX idx_calibration_samples_source
    ON excititor_calibration.calibration_samples(source_id);
 CREATE INDEX idx_calibration_samples_collected
    ON excititor_calibration.calibration_samples(collected_at_utc DESC);
 CREATE INDEX idx_calibration_samples_processed
    ON excititor_calibration.calibration_samples(processed) WHERE NOT processed;
 -- Calibration metrics table
 -- Tracks performance metrics per source/severity/status
 CREATE TABLE IF NOT EXISTS excititor_calibration.calibration_metrics (
    metric_id BIGSERIAL PRIMARY KEY,
    manifest_id TEXT NOT NULL REFERENCES excititor_calibration.calibration_manifests(manifest_id),
    source_id TEXT,
    severity TEXT,
    status TEXT,
    precision DOUBLE PRECISION NOT NULL,
    recall DOUBLE PRECISION NOT NULL,
    f1_score DOUBLE PRECISION NOT NULL,
    false_positive_rate DOUBLE PRECISION NOT NULL,
    false_negative_rate DOUBLE PRECISION NOT NULL,
    sample_count INTEGER NOT NULL,
    created_at_utc TIMESTAMP NOT NULL DEFAULT (NOW() AT TIME ZONE 'UTC'),
    CONSTRAINT chk_precision_range CHECK (precision >= 0 AND precision <= 1),
    CONSTRAINT chk_recall_range CHECK (recall >= 0 AND recall <= 1),
    CONSTRAINT chk_f1_range CHECK (f1_score >= 0 AND f1_score <= 1),
    CONSTRAINT chk_fpr_range CHECK (false_positive_rate >= 0 AND false_positive_rate <= 1),
    CONSTRAINT chk_fnr_range CHECK (false_negative_rate >= 0 AND false_negative_rate <= 1)
 );
 CREATE INDEX idx_calibration_metrics_manifest
    ON excititor_calibration.calibration_metrics(manifest_id);
 CREATE INDEX idx_calibration_metrics_source
    ON excititor_calibration.calibration_metrics(source_id) WHERE source_id IS NOT NULL;
 -- Grant permissions to excititor service role
 DO $$
 BEGIN
    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'excititor_service') THEN
        GRANT USAGE ON SCHEMA excititor_calibration TO excititor_service;
        GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA excititor_calibration TO excititor_service;
        GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA excititor_calibration TO excititor_service;
        ALTER DEFAULT PRIVILEGES IN SCHEMA excititor_calibration
            GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO excititor_service;
        ALTER DEFAULT PRIVILEGES IN SCHEMA excititor_calibration
            GRANT USAGE, SELECT ON SEQUENCES TO excititor_service;
    END IF;
 END $$;
 -- Comments for documentation
 COMMENT ON SCHEMA excititor_calibration IS 'Trust vector calibration data for VEX source scoring';
 COMMENT ON TABLE excititor_calibration.calibration_manifests IS 'Signed calibration epoch results';
 COMMENT ON TABLE excititor_calibration.trust_vector_adjustments IS 'Per-source trust vector changes per epoch';
 COMMENT ON TABLE excititor_calibration.calibration_samples IS 'Empirical feedback samples for calibration';
 COMMENT ON TABLE excititor_calibration.calibration_metrics IS 'Performance metrics per calibration epoch';
--- a/deploy/postgres-partitioning/provcache/create_provcache_schema.sql
+++ b/deploy/postgres-partitioning/provcache/create_provcache_schema.sql
@@ -0,0 +1,97 @@
 -- Provcache schema migration
 -- Run as: psql -d stellaops -f create_provcache_schema.sql
 -- Create schema
 CREATE SCHEMA IF NOT EXISTS provcache;
 -- Main cache items table
 CREATE TABLE IF NOT EXISTS provcache.provcache_items (
    verikey             TEXT PRIMARY KEY,
    digest_version      TEXT NOT NULL DEFAULT 'v1',
    verdict_hash        TEXT NOT NULL,
    proof_root          TEXT NOT NULL,
    replay_seed         JSONB NOT NULL,
    policy_hash         TEXT NOT NULL,
    signer_set_hash     TEXT NOT NULL,
    feed_epoch          TEXT NOT NULL,
    trust_score         INTEGER NOT NULL CHECK (trust_score >= 0 AND trust_score <= 100),
    hit_count           BIGINT NOT NULL DEFAULT 0,
    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    expires_at          TIMESTAMPTZ NOT NULL,
    updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    last_accessed_at    TIMESTAMPTZ,
    -- Constraint: expires_at must be after created_at
    CONSTRAINT provcache_items_expires_check CHECK (expires_at > created_at)
 );
 -- Indexes for invalidation queries
 CREATE INDEX IF NOT EXISTS idx_provcache_policy_hash 
    ON provcache.provcache_items(policy_hash);
 CREATE INDEX IF NOT EXISTS idx_provcache_signer_set_hash 
    ON provcache.provcache_items(signer_set_hash);
 CREATE INDEX IF NOT EXISTS idx_provcache_feed_epoch 
    ON provcache.provcache_items(feed_epoch);
 CREATE INDEX IF NOT EXISTS idx_provcache_expires_at 
    ON provcache.provcache_items(expires_at);
 CREATE INDEX IF NOT EXISTS idx_provcache_created_at 
    ON provcache.provcache_items(created_at);
 -- Evidence chunks table for large evidence storage
 CREATE TABLE IF NOT EXISTS provcache.prov_evidence_chunks (
    chunk_id     UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    proof_root   TEXT NOT NULL,
    chunk_index  INTEGER NOT NULL,
    chunk_hash   TEXT NOT NULL,
    blob         BYTEA NOT NULL,
    blob_size    INTEGER NOT NULL,
    content_type TEXT NOT NULL,
    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT prov_evidence_chunks_unique_index 
        UNIQUE (proof_root, chunk_index)
 );
 CREATE INDEX IF NOT EXISTS idx_prov_chunks_proof_root 
    ON provcache.prov_evidence_chunks(proof_root);
 -- Revocation audit log
 CREATE TABLE IF NOT EXISTS provcache.prov_revocations (
    revocation_id    UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    revocation_type  TEXT NOT NULL,
    target_hash      TEXT NOT NULL,
    reason           TEXT,
    actor            TEXT,
    entries_affected BIGINT NOT NULL,
    created_at       TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 CREATE INDEX IF NOT EXISTS idx_prov_revocations_created_at 
    ON provcache.prov_revocations(created_at);
 CREATE INDEX IF NOT EXISTS idx_prov_revocations_target_hash 
    ON provcache.prov_revocations(target_hash);
 -- Function to update updated_at timestamp
 CREATE OR REPLACE FUNCTION provcache.update_updated_at_column()
 RETURNS TRIGGER AS $$
 BEGIN
    NEW.updated_at = NOW();
    RETURN NEW;
 END;
 $$ language 'plpgsql';
 -- Trigger for auto-updating updated_at
 DROP TRIGGER IF EXISTS update_provcache_items_updated_at ON provcache.provcache_items;
 CREATE TRIGGER update_provcache_items_updated_at
    BEFORE UPDATE ON provcache.provcache_items
    FOR EACH ROW
    EXECUTE FUNCTION provcache.update_updated_at_column();
 -- Grant permissions (adjust role as needed)
 -- GRANT USAGE ON SCHEMA provcache TO stellaops_app;
 -- GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA provcache TO stellaops_app;
 -- GRANT USAGE ON ALL SEQUENCES IN SCHEMA provcache TO stellaops_app;
 COMMENT ON TABLE provcache.provcache_items IS 'Provenance cache entries for cached security decisions';
 COMMENT ON TABLE provcache.prov_evidence_chunks IS 'Chunked evidence storage for large SBOMs and attestations';
 COMMENT ON TABLE provcache.prov_revocations IS 'Audit log of cache invalidation events';
--- a/deploy/postgres-validation/001_validate_rls.sql
+++ b/deploy/postgres-validation/001_validate_rls.sql
@@ -0,0 +1,159 @@
 -- RLS Validation Script
 -- Sprint: SPRINT_3421_0001_0001 - RLS Expansion
 --
 -- Purpose: Verify that RLS is properly configured on all tenant-scoped tables
 -- Run this script after deploying RLS migrations to validate configuration
 -- ============================================================================
 -- Part 1: List all tables with RLS status
 -- ============================================================================
 \echo '=== RLS Status for All Schemas ==='
 SELECT
    schemaname AS schema,
    tablename AS table_name,
    rowsecurity AS rls_enabled,
    forcerowsecurity AS rls_forced,
    CASE
        WHEN rowsecurity AND forcerowsecurity THEN 'OK'
        WHEN rowsecurity AND NOT forcerowsecurity THEN 'WARN: Not forced'
        ELSE 'MISSING'
    END AS status
 FROM pg_tables
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
 ORDER BY schemaname, tablename;
 -- ============================================================================
 -- Part 2: List all RLS policies
 -- ============================================================================
 \echo ''
 \echo '=== RLS Policies ==='
 SELECT
    schemaname AS schema,
    tablename AS table_name,
    policyname AS policy_name,
    permissive,
    roles,
    cmd AS applies_to,
    qual IS NOT NULL AS has_using,
    with_check IS NOT NULL AS has_check
 FROM pg_policies
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
 ORDER BY schemaname, tablename, policyname;
 -- ============================================================================
 -- Part 3: Tables missing RLS that should have it (have tenant_id column)
 -- ============================================================================
 \echo ''
 \echo '=== Tables with tenant_id but NO RLS ==='
 SELECT
    c.table_schema AS schema,
    c.table_name AS table_name,
    'MISSING RLS' AS issue
 FROM information_schema.columns c
 JOIN pg_tables t ON c.table_schema = t.schemaname AND c.table_name = t.tablename
 WHERE c.column_name IN ('tenant_id', 'tenant')
  AND c.table_schema IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
  AND NOT t.rowsecurity
 ORDER BY c.table_schema, c.table_name;
 -- ============================================================================
 -- Part 4: Verify helper functions exist
 -- ============================================================================
 \echo ''
 \echo '=== RLS Helper Functions ==='
 SELECT
    n.nspname AS schema,
    p.proname AS function_name,
    CASE
        WHEN p.prosecdef THEN 'SECURITY DEFINER'
        ELSE 'SECURITY INVOKER'
    END AS security,
    CASE
        WHEN p.provolatile = 's' THEN 'STABLE'
        WHEN p.provolatile = 'i' THEN 'IMMUTABLE'
        ELSE 'VOLATILE'
    END AS volatility
 FROM pg_proc p
 JOIN pg_namespace n ON p.pronamespace = n.oid
 WHERE p.proname = 'require_current_tenant'
  AND n.nspname LIKE '%_app'
 ORDER BY n.nspname;
 -- ============================================================================
 -- Part 5: Test RLS enforcement (expect failure without tenant context)
 -- ============================================================================
 \echo ''
 \echo '=== RLS Enforcement Test ==='
 \echo 'Testing RLS on scheduler.runs (should fail without tenant context)...'
 -- Reset tenant context
 SELECT set_config('app.tenant_id', '', false);
 DO $$
 BEGIN
    -- This should raise an exception if RLS is working
    PERFORM * FROM scheduler.runs LIMIT 1;
    RAISE NOTICE 'WARNING: Query succeeded without tenant context - RLS may not be working!';
 EXCEPTION
    WHEN OTHERS THEN
        RAISE NOTICE 'OK: RLS blocked query without tenant context: %', SQLERRM;
 END
 $$;
 -- ============================================================================
 -- Part 6: Admin bypass role verification
 -- ============================================================================
 \echo ''
 \echo '=== Admin Bypass Roles ==='
 SELECT
    rolname AS role_name,
    rolbypassrls AS can_bypass_rls,
    rolcanlogin AS can_login
 FROM pg_roles
 WHERE rolname LIKE '%_admin'
  AND rolbypassrls = TRUE
 ORDER BY rolname;
 -- ============================================================================
 -- Summary
 -- ============================================================================
 \echo ''
 \echo '=== Summary ==='
 SELECT
    'Total Tables' AS metric,
    COUNT(*)::TEXT AS value
 FROM pg_tables
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
 UNION ALL
 SELECT
    'Tables with RLS Enabled',
    COUNT(*)::TEXT
 FROM pg_tables
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
  AND rowsecurity = TRUE
 UNION ALL
 SELECT
    'Tables with RLS Forced',
    COUNT(*)::TEXT
 FROM pg_tables
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
  AND forcerowsecurity = TRUE
 UNION ALL
 SELECT
    'Active Policies',
    COUNT(*)::TEXT
 FROM pg_policies
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns');
--- a/deploy/postgres-validation/002_validate_partitions.sql
+++ b/deploy/postgres-validation/002_validate_partitions.sql
@@ -0,0 +1,238 @@
 -- Partition Validation Script
 -- Sprint: SPRINT_3422_0001_0001 - Time-Based Partitioning
 --
 -- Purpose: Verify that partitioned tables are properly configured and healthy
 -- ============================================================================
 -- Part 1: List all partitioned tables
 -- ============================================================================
 \echo '=== Partitioned Tables ==='
 SELECT
    n.nspname AS schema,
    c.relname AS table_name,
    CASE pt.partstrat
        WHEN 'r' THEN 'RANGE'
        WHEN 'l' THEN 'LIST'
        WHEN 'h' THEN 'HASH'
    END AS partition_strategy,
    array_to_string(array_agg(a.attname ORDER BY k.col), ', ') AS partition_key
 FROM pg_class c
 JOIN pg_namespace n ON c.relnamespace = n.oid
 JOIN pg_partitioned_table pt ON c.oid = pt.partrelid
 JOIN LATERAL unnest(pt.partattrs) WITH ORDINALITY AS k(col, idx) ON true
 LEFT JOIN pg_attribute a ON a.attrelid = c.oid AND a.attnum = k.col
 WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
 GROUP BY n.nspname, c.relname, pt.partstrat
 ORDER BY n.nspname, c.relname;
 -- ============================================================================
 -- Part 2: Partition inventory with sizes
 -- ============================================================================
 \echo ''
 \echo '=== Partition Inventory ==='
 SELECT
    n.nspname AS schema,
    parent.relname AS parent_table,
    c.relname AS partition_name,
    pg_get_expr(c.relpartbound, c.oid) AS bounds,
    pg_size_pretty(pg_relation_size(c.oid)) AS size,
    s.n_live_tup AS estimated_rows
 FROM pg_class c
 JOIN pg_namespace n ON c.relnamespace = n.oid
 JOIN pg_inherits i ON c.oid = i.inhrelid
 JOIN pg_class parent ON i.inhparent = parent.oid
 LEFT JOIN pg_stat_user_tables s ON c.oid = s.relid
 WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
  AND c.relkind = 'r'
  AND parent.relkind = 'p'
 ORDER BY n.nspname, parent.relname, c.relname;
 -- ============================================================================
 -- Part 3: Check for missing future partitions
 -- ============================================================================
 \echo ''
 \echo '=== Future Partition Coverage ==='
 WITH partition_bounds AS (
    SELECT
        n.nspname AS schema_name,
        parent.relname AS table_name,
        c.relname AS partition_name,
        -- Extract the TO date from partition bound
        (regexp_match(pg_get_expr(c.relpartbound, c.oid), 'TO \(''([^'']+)''\)'))[1]::DATE AS end_date
    FROM pg_class c
    JOIN pg_namespace n ON c.relnamespace = n.oid
    JOIN pg_inherits i ON c.oid = i.inhrelid
    JOIN pg_class parent ON i.inhparent = parent.oid
    WHERE c.relkind = 'r'
      AND parent.relkind = 'p'
      AND c.relname NOT LIKE '%_default'
 ),
 max_bounds AS (
    SELECT
        schema_name,
        table_name,
        MAX(end_date) AS max_partition_date
    FROM partition_bounds
    WHERE end_date IS NOT NULL
    GROUP BY schema_name, table_name
 )
 SELECT
    schema_name,
    table_name,
    max_partition_date,
    (max_partition_date - CURRENT_DATE) AS days_ahead,
    CASE
        WHEN (max_partition_date - CURRENT_DATE) < 30 THEN 'CRITICAL: Create partitions!'
        WHEN (max_partition_date - CURRENT_DATE) < 60 THEN 'WARNING: Running low'
        ELSE 'OK'
    END AS status
 FROM max_bounds
 ORDER BY days_ahead;
 -- ============================================================================
 -- Part 4: Check for orphaned data in default partitions
 -- ============================================================================
 \echo ''
 \echo '=== Default Partition Data (should be empty) ==='
 DO $$
 DECLARE
    v_schema TEXT;
    v_table TEXT;
    v_count BIGINT;
    v_sql TEXT;
 BEGIN
    FOR v_schema, v_table IN
        SELECT n.nspname, c.relname
        FROM pg_class c
        JOIN pg_namespace n ON c.relnamespace = n.oid
        WHERE c.relname LIKE '%_default'
          AND n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
    LOOP
        v_sql := format('SELECT COUNT(*) FROM %I.%I', v_schema, v_table);
        EXECUTE v_sql INTO v_count;
        IF v_count > 0 THEN
            RAISE NOTICE 'WARNING: %.% has % rows in default partition!',
                v_schema, v_table, v_count;
        ELSE
            RAISE NOTICE 'OK: %.% is empty', v_schema, v_table;
        END IF;
    END LOOP;
 END
 $$;
 -- ============================================================================
 -- Part 5: Index health on partitions
 -- ============================================================================
 \echo ''
 \echo '=== Partition Index Coverage ==='
 SELECT
    schemaname AS schema,
    tablename AS table_name,
    indexname AS index_name,
    indexdef
 FROM pg_indexes
 WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
  AND tablename LIKE '%_partitioned' OR tablename LIKE '%_202%'
 ORDER BY schemaname, tablename, indexname;
 -- ============================================================================
 -- Part 6: BRIN index effectiveness check
 -- ============================================================================
 \echo ''
 \echo '=== BRIN Index Statistics ==='
 SELECT
    schemaname AS schema,
    tablename AS table_name,
    indexrelname AS index_name,
    idx_scan AS scans,
    idx_tup_read AS tuples_read,
    idx_tup_fetch AS tuples_fetched,
    pg_size_pretty(pg_relation_size(indexrelid)) AS index_size
 FROM pg_stat_user_indexes
 WHERE indexrelname LIKE 'brin_%'
 ORDER BY schemaname, tablename;
 -- ============================================================================
 -- Part 7: Partition maintenance recommendations
 -- ============================================================================
 \echo ''
 \echo '=== Maintenance Recommendations ==='
 WITH partition_ages AS (
    SELECT
        n.nspname AS schema_name,
        parent.relname AS table_name,
        c.relname AS partition_name,
        (regexp_match(pg_get_expr(c.relpartbound, c.oid), 'FROM \(''([^'']+)''\)'))[1]::DATE AS start_date,
        (regexp_match(pg_get_expr(c.relpartbound, c.oid), 'TO \(''([^'']+)''\)'))[1]::DATE AS end_date
    FROM pg_class c
    JOIN pg_namespace n ON c.relnamespace = n.oid
    JOIN pg_inherits i ON c.oid = i.inhrelid
    JOIN pg_class parent ON i.inhparent = parent.oid
    WHERE c.relkind = 'r'
      AND parent.relkind = 'p'
      AND c.relname NOT LIKE '%_default'
 )
 SELECT
    schema_name,
    table_name,
    partition_name,
    start_date,
    end_date,
    (CURRENT_DATE - end_date) AS days_old,
    CASE
        WHEN (CURRENT_DATE - end_date) > 365 THEN 'Consider archiving (>1 year old)'
        WHEN (CURRENT_DATE - end_date) > 180 THEN 'Review retention policy (>6 months old)'
        ELSE 'Current'
    END AS recommendation
 FROM partition_ages
 WHERE start_date IS NOT NULL
 ORDER BY schema_name, table_name, start_date;
 -- ============================================================================
 -- Summary
 -- ============================================================================
 \echo ''
 \echo '=== Summary ==='
 SELECT
    'Partitioned Tables' AS metric,
    COUNT(DISTINCT parent.relname)::TEXT AS value
 FROM pg_class c
 JOIN pg_namespace n ON c.relnamespace = n.oid
 JOIN pg_inherits i ON c.oid = i.inhrelid
 JOIN pg_class parent ON i.inhparent = parent.oid
 WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
  AND parent.relkind = 'p'
 UNION ALL
 SELECT
    'Total Partitions',
    COUNT(*)::TEXT
 FROM pg_class c
 JOIN pg_namespace n ON c.relnamespace = n.oid
 JOIN pg_inherits i ON c.oid = i.inhrelid
 JOIN pg_class parent ON i.inhparent = parent.oid
 WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
  AND parent.relkind = 'p'
 UNION ALL
 SELECT
    'BRIN Indexes',
    COUNT(*)::TEXT
 FROM pg_indexes
 WHERE indexname LIKE 'brin_%'
  AND schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln');
--- a/deploy/signals/values-signals.yaml
+++ b/deploy/signals/values-signals.yaml
@@ -11,7 +11,7 @@ env:
  ASPNETCORE_URLS: "http://+:5088"
  Signals__Mongo__ConnectionString: "mongodb://signals-mongo:27017/signals"
  Signals__Mongo__Database: "signals"
-  Signals__Cache__ConnectionString: "signals-redis:6379"
+  Signals__Cache__ConnectionString: "signals-valkey:6379"
  Signals__Storage__RootPath: "/data/artifacts"
  Signals__Authority__Enabled: "false"
  Signals__OpenApi__Enabled: "true"
@@ -22,9 +22,9 @@ persistence:
  size: 5Gi
  storageClass: ""
-redis:
+valkey:
  enabled: true
-  host: signals-redis
+  host: signals-valkey
  port: 6379
 mongo:
--- a/deploy/systemd/zastava-agent.env.sample
+++ b/deploy/systemd/zastava-agent.env.sample
@@ -0,0 +1,26 @@
 # StellaOps Zastava Agent Configuration
 # Copy this file to /etc/stellaops/zastava-agent.env
 # Required: Tenant identifier for multi-tenancy
 ZASTAVA_TENANT=default
 # Required: Scanner backend URL
 ZASTAVA_AGENT__Backend__BaseAddress=https://scanner.internal
 # Optional: Node name (defaults to hostname)
 # ZASTAVA_NODE_NAME=
 # Optional: Docker socket endpoint (defaults to unix:///var/run/docker.sock)
 # ZASTAVA_AGENT__DockerEndpoint=unix:///var/run/docker.sock
 # Optional: Event buffer path (defaults to /var/lib/zastava-agent/runtime-events)
 # ZASTAVA_AGENT__EventBufferPath=/var/lib/zastava-agent/runtime-events
 # Optional: Health check port (defaults to 8080)
 # ZASTAVA_AGENT__HealthCheck__Port=8080
 # Optional: Allow insecure HTTP backend (NOT recommended for production)
 # ZASTAVA_AGENT__Backend__AllowInsecureHttp=false
 # Optional: Logging level
 # Serilog__MinimumLevel__Default=Information
--- a/deploy/systemd/zastava-agent.service
+++ b/deploy/systemd/zastava-agent.service
@@ -0,0 +1,58 @@
 [Unit]
 Description=StellaOps Zastava Agent - Container Runtime Monitor
 Documentation=https://docs.stellaops.org/zastava/agent/
 After=network-online.target docker.service containerd.service
 Wants=network-online.target
 Requires=docker.service
 [Service]
 Type=notify
 ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
 WorkingDirectory=/opt/stellaops/zastava-agent
 Restart=always
 RestartSec=5
 # Environment configuration
 EnvironmentFile=-/etc/stellaops/zastava-agent.env
 Environment=DOTNET_ENVIRONMENT=Production
 Environment=ASPNETCORE_ENVIRONMENT=Production
 # User and permissions
 User=zastava-agent
 Group=docker
 # Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
 PrivateTmp=true
 PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 # Allow read access to Docker socket
 ReadWritePaths=/var/run/docker.sock
 ReadWritePaths=/var/lib/zastava-agent
 # Capabilities
 CapabilityBoundingSet=
 AmbientCapabilities=
 # Resource limits
 LimitNOFILE=65536
 LimitNPROC=4096
 MemoryMax=512M
 # Logging
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=zastava-agent
 # Watchdog (5 minute timeout)
 WatchdogSec=300
 [Install]
 WantedBy=multi-user.target
--- a/Show More
+++ b/Show More