chore: clean repo for public release, remove internal audit docs and plan artifacts, update README

README.md

@@ -81,12 +81,14 @@ Both Red Lead and Blue Lead must independently vote:
 
 ## Tech Stack
 
-- **Backend**: FastAPI (Python 3.11)
-- **Database**: PostgreSQL 15 with UUID primary keys and JSONB columns
+- **Backend**: FastAPI (Python 3.11) — Clean Modular Monolith with domain entities, services, and repository pattern
+- **Database**: PostgreSQL 16 with UUID primary keys and JSONB columns
 - **Object Storage**: MinIO (S3-compatible)
-- **ORM**: SQLAlchemy with Alembic migrations (18 migration files)
+- **ORM**: SQLAlchemy 2.x with Alembic migrations
 - **Frontend**: React 19 + TypeScript + Vite 7 + Tailwind CSS v4 + TanStack Query + TanStack Virtual
+- **Cache / Token Store**: Redis (token blacklist, score caching)
 - **Scheduler**: APScheduler (MITRE sync, Intel scan, Notification cleanup, Snapshots, Recurring campaigns)
+- **Testing**: Pytest (367+ tests), Ruff (linting), GitHub Actions CI
 - **Charts**: Recharts
 
 ## Quick Start
@@ -312,7 +314,7 @@ All variables are configured automatically by `scripts/install.sh`. For manual s
 
 Aegis includes several security hardening measures:
 
-- **Authentication:** JWT tokens stored in HttpOnly/Secure/SameSite cookies (immune to XSS theft). Token revocation via in-memory blacklist on logout.
+- **Authentication:** JWT tokens stored in HttpOnly/Secure/SameSite cookies (immune to XSS theft). Token revocation via Redis-backed blacklist on logout.
 - **Rate limiting:** Login endpoint limited to 5 attempts per minute per IP (via slowapi).
 - **Password policy:** Minimum 12 characters with uppercase, lowercase, digit, and special character.
 - **CORS:** Configurable origins via `CORS_ORIGINS` environment variable. Restrictive method and header lists.
@@ -332,54 +334,50 @@ Aegis includes several security hardening measures:
 Aegis/
 ├── docker-compose.yml
 ├── docker-compose.prod.yml
+├── .github/workflows/ci.yml      # GitHub Actions: ruff + pytest on PostgreSQL + Redis
 ├── docs/
 │   ├── API.md                     # Full API endpoint reference
-│   ├── ARCHITECTURE.md            # System architecture and DB schema
+│   ├── ARCHITECTURE.md            # System architecture, DB schema, service map
+│   ├── ADR.md                     # Architecture Decision Records
 │   ├── DATA_SOURCES.md            # External data source documentation
-│   └── SCORING.md                 # Scoring system and metrics
+│   ├── SCORING.md                 # Scoring system and metrics
+│   ├── TECHNOLOGY_JUSTIFICATION.md
+│   ├── C4_CONTEXT_DIAGRAM.md      # System context (C4 Level 1)
+│   └── C4_CONTAINER_DIAGRAM.md    # Container architecture (C4 Level 2)
 ├── backend/
 │   ├── Dockerfile
 │   ├── requirements.txt
 │   ├── alembic.ini
-│   ├── alembic/versions/          # b001–b018 migration files
+│   ├── alembic/versions/          # Database migration files
 │   ├── pytest.ini
+│   ├── tests/                     # 367+ pytest tests (domain, service, API)
 │   └── app/
 │       ├── main.py                # FastAPI app with all routers + lifespan
-│       ├── config.py              # Settings from environment
+│       ├── config.py              # Pydantic Settings from environment
 │       ├── database.py            # SQLAlchemy engine + session (lazy init)
 │       ├── storage.py             # MinIO/S3 helpers
 │       ├── auth.py                # Password hashing + JWT tokens
-│       ├── models/                # 18 model files (SQLAlchemy ORM)
+│       ├── domain/                # Pure business logic (zero framework imports)
+│       │   ├── entities/          # Rich domain entities (Technique, Campaign, etc.)
+│       │   ├── ports/             # Protocol interfaces (repos, ImportService)
+│       │   ├── value_objects/     # Immutable types (MitreId, ScoringWeights)
+│       │   ├── errors.py          # Domain exception hierarchy
+│       │   └── unit_of_work.py    # Transaction management
+│       ├── infrastructure/        # SQLAlchemy repos, Redis, mappers
+│       ├── models/                # SQLAlchemy ORM models
 │       ├── schemas/               # Pydantic request/response schemas
-│       ├── routers/               # 21 API routers
-│       ├── services/              # 20 business logic services
-│       ├── dependencies/          # Auth dependencies (get_current_user, require_role)
-│       └── jobs/
-│           └── mitre_sync_job.py  # APScheduler: 5 background jobs
-├── frontend/src/
-│   ├── App.tsx                    # Routes with lazy loading + role protection
-│   ├── api/                       # 22 API client modules (Axios + TanStack Query)
-│   ├── components/
-│   │   ├── Layout.tsx             # Sidebar + header + NotificationBell
-│   │   ├── Sidebar.tsx            # Role-aware collapsible navigation
-│   │   ├── heatmap/               # ATT&CK heatmap (6 components)
-│   │   ├── compliance/            # Compliance UI (gauge, controls table)
-│   │   └── test-detail/           # Test detail sub-components
-│   ├── hooks/
-│   │   └── useDebounce.ts         # Debounce hook for search inputs
-│   ├── context/
-│   │   └── AuthContext.tsx         # Auth state management
-│   └── pages/                     # 21 page components
-└── backend/tests/
-    ├── conftest.py                # SQLite test DB with JSONB/UUID compatibility
-    ├── fixtures/                  # YAML/TOML/JSON test fixtures
-    ├── test_data_sources.py       # Data source parsing tests
-    ├── test_scoring_and_compliance.py # Scoring + metrics + compliance tests
-    ├── test_campaigns_and_snapshots.py # Campaign, snapshot, and retest tests
-    ├── test_workflow.py           # Red/Blue workflow tests
-    ├── test_templates_crud.py     # Template CRUD tests
-    ├── test_metrics_v2.py         # V2 metrics tests
-    └── test_integration_v2.py     # Full integration E2E tests
+│       ├── routers/               # 27 thin HTTP adapter routers
+│       ├── services/              # 46 framework-agnostic business services
+│       ├── middleware/            # Error handler (domain exceptions → HTTP)
+│       ├── dependencies/          # FastAPI dependency injection (auth, repos)
+│       └── jobs/                  # APScheduler background jobs
+└── frontend/src/
+    ├── App.tsx                    # Routes with lazy loading + role protection
+    ├── api/                       # API client modules (Axios + TanStack Query)
+    ├── components/                # Reusable UI components
+    ├── hooks/                     # Custom hooks (useDebounce, etc.)
+    ├── context/                   # Auth state management
+    └── pages/                     # Page components
 ```
 
 ## Development
@@ -422,10 +420,13 @@ GET /api/v1/compliance/{framework_id}/gaps
 
 ## Further Documentation
 
-- **[Architecture](docs/ARCHITECTURE.md)** — Database schema, service layer, state machine diagrams
-- **[Data Sources](docs/DATA_SOURCES.md)** — All external data sources with import instructions
-- **[Scoring](docs/SCORING.md)** — Scoring system explained with examples and configuration
+- **[Architecture](docs/ARCHITECTURE.md)** — Database schema, backend layers, domain entities, service map
 - **[API Reference](docs/API.md)** — Full endpoint documentation
+- **[Scoring](docs/SCORING.md)** — Scoring system explained with examples and configuration
+- **[Data Sources](docs/DATA_SOURCES.md)** — All external data sources with import instructions
+- **[ADRs](docs/ADR.md)** — Architecture Decision Records
+- **[Technology Justification](docs/TECHNOLOGY_JUSTIFICATION.md)** — Technology choices and rationale
+- **[C4 Diagrams](docs/C4_CONTEXT_DIAGRAM.md)** — System context and container architecture
 
 ## License