OPC # 0009: Gitea and OPC Build Webhooks

Co-authored-by: Copilot <copilot@github.com>

ControlPlane.Api/Endpoints/GitEndpoints.cs

@@ -19,13 +19,19 @@ public static class GitEndpoints
     // All responses include a repoKey field so the caller knows which repo each commit came from.
     // GET /api/git/log?grep=...&limit=25&page=1&repo=all
     // page is 1-based. Each repo contributes up to limit*page commits before merge-sort+skip/take.
+    // branch filters to commits reachable from the named local branch; requires a specific repo (not "all").
+    // Each result includes a branches[] array listing local branches that contain that commit.
     private static IResult GetLog(
         IConfiguration config,
         string? grep   = null,
         int     limit  = 25,
         int     page   = 1,
-        string  repo  = "all")
+        string  repo   = "all",
+        string? branch = null)
     {
+        if (!string.IsNullOrWhiteSpace(branch) && repo == "all")
+            return Results.BadRequest("'branch' filter requires a specific 'repo' parameter.");
+
         var repos = repo == "all"
             ? ResolveAllRepos(config)
             : ResolveNamedRepo(config, repo) is { } p
@@ -43,16 +49,30 @@ public static class GitEndpoints
 
             using var r = new Repository(repoPath);
 
+            CommitFilter filter;
+            if (!string.IsNullOrWhiteSpace(branch))
+            {
+                var branchRef = r.Branches[branch];
+                if (branchRef?.Tip is null)
+                    return Results.BadRequest($"Branch '{branch}' not found in repo '{repoKey}'.");
+                filter = new CommitFilter
+                {
+                    SortBy               = CommitSortStrategies.Topological | CommitSortStrategies.Time,
+                    IncludeReachableFrom = branchRef.Tip,
+                };
+            }
+            else
+            {
                 var tips = r.Branches
                     .Where(b => b.Tip != null)
                     .Select(b => (GitObject)b.Tip)
                     .ToList();
-
-            var filter = new CommitFilter
+                filter = new CommitFilter
                 {
                     SortBy               = CommitSortStrategies.Topological | CommitSortStrategies.Time,
                     IncludeReachableFrom = tips.Count > 0 ? tips : (object)r.Head,
                 };
+            }
 
             IEnumerable<Commit> query = r.Commits.QueryBy(filter);
 
@@ -63,11 +83,31 @@ public static class GitEndpoints
                 bucket.Add((c.Author.When, repoKey, ToGitCommit(r, c)));
         }
 
-        var commits = bucket
+        var pageEntries = bucket
             .OrderByDescending(x => x.When)
             .Skip((page - 1) * limit)
             .Take(limit)
-            .Select(x => new
+            .ToList();
+
+        // Annotate each commit with the local branches whose tip is a descendant of that commit.
+        var branchMap = new Dictionary<string, List<string>>(StringComparer.Ordinal);
+        foreach (var grp in pageEntries.GroupBy(x => x.RepoKey))
+        {
+            if (!repos.TryGetValue(grp.Key, out var rPath) || !Directory.Exists(rPath)) continue;
+            using var annotRepo = new Repository(rPath);
+            var localBranches = annotRepo.Branches.Where(b => !b.IsRemote && b.Tip != null).ToList();
+            foreach (var (_, _, c) in grp)
+            {
+                var target = annotRepo.Lookup<Commit>(c.Hash);
+                if (target is null) { branchMap[c.Hash] = []; continue; }
+                branchMap[c.Hash] = localBranches
+                    .Where(b => annotRepo.ObjectDatabase.FindMergeBase(b.Tip, target)?.Sha == target.Sha)
+                    .Select(b => b.FriendlyName)
+                    .ToList();
+            }
+        }
+
+        var commits = pageEntries.Select(x => new
         {
             repoKey   = x.RepoKey,
             hash      = x.Commit.Hash,
@@ -76,8 +116,8 @@ public static class GitEndpoints
             date      = x.Commit.Date,
             subject   = x.Commit.Subject,
             files     = x.Commit.Files,
-            })
-            .ToList();
+            branches  = branchMap.TryGetValue(x.Commit.Hash, out var br) ? (IReadOnlyList<string>)br : Array.Empty<string>(),
+        }).ToList();
 
         return Results.Ok(commits);
     }
@@ -127,18 +167,55 @@ public static class GitEndpoints
         return Results.NotFound();
     }
 
-    // GET /api/git/branches
-    private static IResult GetBranches(IConfiguration config)
+    // GET /api/git/branches?repo=all
+    // repo defaults to "default" (single configured repo). Pass "all" to get branches from all
+    // registered repos. Each result includes repoKey so the caller can group branches by repo.
+    private static IResult GetBranches(IConfiguration config, string repo = "default")
     {
-        var repoPath = ResolveRepo(config);
+        if (repo == "all")
+        {
+            var allRepos = ResolveAllRepos(config);
+            if (allRepos.Count == 0)
+                return Results.Problem("Could not locate any git repositories.");
+
+            var allBranches = new List<object>();
+            foreach (var (repoKey, rPath) in allRepos)
+            {
+                if (!Directory.Exists(rPath)) continue;
+                using var gitRepo = new Repository(rPath);
+                allBranches.AddRange(gitRepo.Branches
+                    .Where(b => !b.IsRemote && b.Tip != null)
+                    .OrderBy(b => b.FriendlyName)
+                    .Select(b => (object)new
+                    {
+                        repoKey,
+                        name      = b.FriendlyName,
+                        hash      = b.Tip.Sha,
+                        shortHash = b.Tip.Sha[..7],
+                        subject   = b.Tip.MessageShort,
+                        author    = b.Tip.Author.Name,
+                        date      = b.Tip.Author.When.ToString("yyyy-MM-dd HH:mm:ss zzz"),
+                        isHead    = b.IsCurrentRepositoryHead,
+                    }));
+            }
+            return Results.Ok(allBranches);
+        }
+
+        var repoPath = repo == "default"
+            ? ResolveRepo(config)
+            : ResolveNamedRepo(config, repo) ?? ResolveRepo(config);
+
         if (repoPath is null)
             return Results.Problem("Could not locate a git repository.");
 
-        using var repo = new Repository(repoPath);
-        var branches = repo.Branches
+        var repoLabel = repo == "default" ? "default" : repo;
+        using var singleRepo = new Repository(repoPath);
+        var branches = singleRepo.Branches
             .Where(b => !b.IsRemote && b.Tip != null)
+            .OrderBy(b => b.FriendlyName)
             .Select(b => new
             {
+                repoKey   = repoLabel,
                 name      = b.FriendlyName,
                 hash      = b.Tip.Sha,
                 shortHash = b.Tip.Sha[..7],
@@ -147,7 +224,6 @@ public static class GitEndpoints
                 date      = b.Tip.Author.When.ToString("yyyy-MM-dd HH:mm:ss zzz"),
                 isHead    = b.IsCurrentRepositoryHead,
             })
-            .OrderBy(b => b.name)
             .ToList();
 
         return Results.Ok(branches);

ControlPlane.Api/Endpoints/GiteaWebhookEndpoints.cs

@@ -0,0 +1,159 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using ControlPlane.Core.Messages;
+using MassTransit;
+
+namespace ControlPlane.Api.Endpoints;
+
+public static class GiteaWebhookEndpoints
+{
+    // Map of Gitea repo name → solution file (relative to cloned repo root)
+    private static readonly Dictionary<string, string> RepoSolutions = new(StringComparer.OrdinalIgnoreCase)
+    {
+        ["OPC"]     = "ControlPlane.slnx",
+        ["Clarity"] = "Clarity.slnx",
+    };
+
+    public static IEndpointRouteBuilder MapGiteaWebhookEndpoints(this IEndpointRouteBuilder app)
+    {
+        app.MapPost("/api/hooks/gitea/push", HandlePushAsync)
+           .WithName("Gitea:PushWebhook")
+           .AllowAnonymous(); // validated via HMAC below
+
+        return app;
+    }
+
+    private static async Task<IResult> HandlePushAsync(
+        HttpRequest         request,
+        IPublishEndpoint    bus,
+        IConfiguration      config,
+        ILogger<GiteaWebhookEndpointsMarker> logger,
+        CancellationToken   ct)
+    {
+        // ── HMAC-SHA256 signature validation ─────────────────────────────────
+        var secret = config["Gitea:WebhookSecret"];
+        if (!string.IsNullOrWhiteSpace(secret))
+        {
+            if (!request.Headers.TryGetValue("X-Gitea-Signature", out var sigHeader))
+                return Results.Unauthorized();
+
+            var body = await ReadBodyAsync(request, ct);
+            var expectedSig = ComputeHmacSha256(body, secret);
+
+            if (!CryptographicOperations.FixedTimeEquals(
+                    Encoding.ASCII.GetBytes(sigHeader.ToString()),
+                    Encoding.ASCII.GetBytes(expectedSig)))
+            {
+                logger.LogWarning("Gitea push webhook: HMAC signature mismatch — ignoring.");
+                return Results.Unauthorized();
+            }
+
+            var payload = JsonSerializer.Deserialize<GiteaPushPayload>(body, JsonOpts);
+            return await ProcessPayloadAsync(payload, bus, logger, ct);
+        }
+        else
+        {
+            // No secret configured — accept without validation (dev only)
+            logger.LogWarning("Gitea:WebhookSecret is not configured — webhook signature validation is disabled.");
+            var payload = await JsonSerializer.DeserializeAsync<GiteaPushPayload>(
+                request.Body, JsonOpts, ct);
+            return await ProcessPayloadAsync(payload, bus, logger, ct);
+        }
+    }
+
+    private static async Task<IResult> ProcessPayloadAsync(
+        GiteaPushPayload?     payload,
+        IPublishEndpoint      bus,
+        ILogger<GiteaWebhookEndpointsMarker> logger,
+        CancellationToken     ct)
+    {
+        if (payload is null)
+            return Results.BadRequest("Could not parse push payload.");
+
+        // Only act on pushes to develop
+        if (payload.Ref != "refs/heads/develop")
+        {
+            logger.LogDebug("Gitea push webhook: ignoring push to {Ref}", payload.Ref);
+            return Results.Ok(new { skipped = true, reason = "not develop" });
+        }
+
+        var repoName = payload.Repository?.Name;
+        if (string.IsNullOrWhiteSpace(repoName) || !RepoSolutions.TryGetValue(repoName, out var solutionPath))
+        {
+            logger.LogWarning("Gitea push webhook: unknown or unsupported repo '{Repo}'", repoName);
+            return Results.Ok(new { skipped = true, reason = "unsupported repo" });
+        }
+
+        var headSha = payload.After;
+        if (string.IsNullOrWhiteSpace(headSha) || headSha == "0000000000000000000000000000000000000000")
+        {
+            logger.LogInformation("Gitea push webhook: branch deleted — nothing to build.");
+            return Results.Ok(new { skipped = true, reason = "branch deleted" });
+        }
+
+        logger.LogInformation(
+            "Gitea push webhook: queuing build for {Repo}@{Sha} ({Branch})",
+            repoName, headSha[..8], payload.Ref);
+
+        await bus.Publish(new BuildRequestedCommand
+        {
+            RepoName     = repoName,
+            HeadSha      = headSha,
+            Branch       = "develop",
+            SolutionPath = solutionPath,
+        }, ct);
+
+        return Results.Accepted(value: new { queued = true, repo = repoName, sha = headSha[..8] });
+    }
+
+    // ── Helpers ───────────────────────────────────────────────────────────────
+
+    private static async Task<byte[]> ReadBodyAsync(HttpRequest request, CancellationToken ct)
+    {
+        request.EnableBuffering();
+        using var ms = new MemoryStream();
+        await request.Body.CopyToAsync(ms, ct);
+        request.Body.Position = 0;
+        return ms.ToArray();
+    }
+
+    private static string ComputeHmacSha256(byte[] body, string secret)
+    {
+        var key  = Encoding.UTF8.GetBytes(secret);
+        var hash = HMACSHA256.HashData(key, body);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private static readonly JsonSerializerOptions JsonOpts = new(JsonSerializerDefaults.Web);
+
+    // Marker type for logger category
+    private sealed class GiteaWebhookEndpointsMarker;
+}
+
+// ── Payload DTOs ──────────────────────────────────────────────────────────────
+
+public sealed class GiteaPushPayload
+{
+    [JsonPropertyName("ref")]
+    public string Ref { get; init; } = string.Empty;
+
+    [JsonPropertyName("before")]
+    public string Before { get; init; } = string.Empty;
+
+    [JsonPropertyName("after")]
+    public string After { get; init; } = string.Empty;
+
+    [JsonPropertyName("repository")]
+    public GiteaPushRepo? Repository { get; init; }
+}
+
+public sealed class GiteaPushRepo
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("full_name")]
+    public string FullName { get; init; } = string.Empty;
+}

ControlPlane.Api/Endpoints/ProjectBuildEndpoints.cs

@@ -1,4 +1,5 @@
 using ControlPlane.Api.Services;
+using ControlPlane.Core.Models;
 using ControlPlane.Core.Services;
 using System.Text.Json;
 
@@ -16,6 +17,7 @@ public static class ProjectBuildEndpoints
         var group = app.MapGroup("/api/builds").WithTags("Builds");
         group.MapGet("/projects",       GetProjects);
         group.MapGet("/history",        GetHistory);
+        group.MapGet("/by-sha",         GetBySha);
         group.MapPost("/{projectName}", TriggerProjectBuild);
         return app;
     }
@@ -27,6 +29,31 @@ public static class ProjectBuildEndpoints
     private static async Task<IResult> GetHistory(BuildHistoryService history) =>
         Results.Ok(await history.GetBuildsAsync());
 
+    /// <summary>
+    /// Returns the latest SolutionBuild record for the given commit SHA, or null if none exists.
+    /// Used by the OPC CommitsTab to render per-commit CI status dots.
+    /// </summary>
+    private static async Task<IResult> GetBySha(string sha, BuildHistoryService history)
+    {
+        if (string.IsNullOrWhiteSpace(sha))
+            return Results.BadRequest("sha is required");
+
+        var builds = await history.GetBuildsByShaAsync(sha);
+        var latest = builds
+            .Where(b => b.Kind == BuildKind.SolutionBuild)
+            .MaxBy(b => b.StartedAt);
+
+        return Results.Ok(latest is null ? null : new
+        {
+            latest.Id,
+            latest.Status,
+            latest.StartedAt,
+            latest.FinishedAt,
+            latest.DurationMs,
+            latest.CommitSha,
+        });
+    }
+
     /// <summary>
     /// Triggers a build for a named project and streams SSE output.
     /// projectName must match one of the names returned by GET /api/builds/projects.

ControlPlane.Api/Program.cs

@@ -79,6 +79,7 @@ app.MapPromotionEndpoints();
 app.MapOpcEndpoints();
 app.MapGiteaEndpoints();
 app.MapInfraEndpoints();
+app.MapGiteaWebhookEndpoints();
 
 // Ensure OPC tables exist (idempotent — IF NOT EXISTS)
 var ds = app.Services.GetRequiredService<NpgsqlDataSource>();
@@ -166,6 +167,7 @@ await using (var cmd = ds.CreateCommand("""
 // Idempotent column additions for schema migrations
 await using (var migCmd = ds.CreateCommand("""
     ALTER TABLE release_record ADD COLUMN IF NOT EXISTS opc_numbers TEXT[] NOT NULL DEFAULT '{}';
+    ALTER TABLE release_record ADD COLUMN IF NOT EXISTS commit_sha  VARCHAR(40);
     """))
     await migCmd.ExecuteNonQueryAsync();
 

ControlPlane.Api/Services/GiteaService.cs

@@ -251,6 +251,40 @@ public class GiteaService
         return await res.Content.ReadFromJsonAsync<GiteaWebhook>(JsonOpts, ct);
     }
 
+    // ── Commit Status ─────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// Posts a commit status to Gitea (the CI "check" shown on a commit / PR).
+    /// State values: "pending" | "success" | "failure" | "error".
+    /// Context identifies which check — use "controlplane/build" for the build gate.
+    /// </summary>
+    public async Task PostCommitStatusAsync(
+        string repoKey, string sha, string state, string description,
+        string context = "controlplane/build", CancellationToken ct = default)
+    {
+        var (owner, repo) = ResolveOwnerRepo(repoKey);
+        var body = JsonSerializer.Serialize(new
+        {
+            state,
+            description,
+            context,
+        }, JsonOpts);
+
+        try
+        {
+            var res = await _http.PostAsync(
+                $"repos/{owner}/{repo}/statuses/{sha}",
+                new StringContent(body, Encoding.UTF8, "application/json"), ct);
+
+            if (!res.IsSuccessStatusCode)
+            {
+                var err = await res.Content.ReadAsStringAsync(ct);
+                _log.LogWarning("Gitea PostCommitStatus {State} failed for {Sha}: {Err}", state, sha[..8], err);
+            }
+        }
+        catch (Exception ex) { _log.LogWarning(ex, "Gitea PostCommitStatus threw"); }
+    }
+
     // ── Helpers ───────────────────────────────────────────────────────────────
 
     private static string SlugifyTitle(string title) =>

ControlPlane.Api/Services/PromotionService.cs

@@ -52,6 +52,38 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
     private static Signature MakeSig() =>
         new("OPC Control Plane", "opc@clarity.internal", DateTimeOffset.UtcNow);
 
+    // ── Remote URL (config-driven, never reads .git/config URL) ──────────────
+
+    /// <summary>
+    /// Builds the HTTPS remote URL for a named repo entirely from Gitea config.
+    /// The local clone's .git/config remote URL is irrelevant — this is the authority.
+    /// </summary>
+    private string GetRemoteUrl(string repoName)
+    {
+        var baseUrl  = (config["Gitea:BaseUrl"]
+            ?? throw new InvalidOperationException("Gitea:BaseUrl is not configured.")).TrimEnd('/');
+        var owner    = config[$"Gitea:Repos:{repoName}:Owner"] ?? config["Gitea:Owner"]
+            ?? throw new InvalidOperationException($"Gitea owner not configured for '{repoName}'.");
+        var repoSlug = config[$"Gitea:Repos:{repoName}:Repo"] ?? repoName;
+        return $"{baseUrl}/{owner}/{repoSlug}.git";
+    }
+
+    /// <summary>
+    /// Returns the 'origin' remote after normalising its URL to the config-driven HTTPS URL.
+    /// If the clone was checked out with SSH (e.g. on a dev machine), this corrects it silently
+    /// so that LibGit2Sharp — which has no SSH support — always uses HTTPS.
+    /// </summary>
+    private Remote EnsureRemote(Repository repo, string repoName)
+    {
+        var url    = GetRemoteUrl(repoName);
+        var remote = repo.Network.Remotes["origin"];
+        if (remote is null)
+            return repo.Network.Remotes.Add("origin", url);
+        if (remote.Url != url)
+            repo.Network.Remotes.Update("origin", r => r.Url = url);
+        return repo.Network.Remotes["origin"]!;
+    }
+
     // ── Branch status ────────────────────────────────────────────────────────
 
     /// <summary>
@@ -72,13 +104,10 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
         // Fetch to get up-to-date remote refs; swallow network errors so status still works offline.
         try
         {
-            var remote = repo.Network.Remotes["origin"];
-            if (remote is not null)
-            {
+            var remote   = EnsureRemote(repo, repoName);
             var refSpecs = remote.FetchRefSpecs.Select(r => r.Specification).ToList();
             repo.Network.Fetch(remote.Name, refSpecs, MakeFetchOptions());
         }
-        }
         catch (Exception ex)
         {
             logger.LogWarning(ex, "Fetch during ladder status failed — continuing with cached refs");
@@ -91,7 +120,9 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
             ct.ThrowIfCancellationRequested();
 
             var branchName  = Ladder[i];
-            var branch     = repo.Branches[branchName];
+            // Always read from the remote tracking ref so the status reflects what is on origin,
+            // not the server's potentially-stale local branch pointer.
+            var branch      = repo.Branches[$"origin/{branchName}"];
 
             if (branch?.Tip is null)
             {
@@ -110,7 +141,7 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
             if (i + 1 < Ladder.Length)
             {
-                var nextBranch = repo.Branches[Ladder[i + 1]];
+                var nextBranch = repo.Branches[$"origin/{Ladder[i + 1]}"];
                 if (nextBranch?.Tip is not null)
                 {
                     var div = repo.ObjectDatabase.CalculateHistoryDivergence(tip, nextBranch.Tip);
@@ -215,14 +246,16 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
         // 1. Fetch latest remote state for all branches
         Log("  Fetching origin...");
-        var remote = repo.Network.Remotes["origin"]
-            ?? throw new InvalidOperationException("No 'origin' remote configured.");
+        var remote   = EnsureRemote(repo, repoName);
         var refSpecs = remote.FetchRefSpecs.Select(r => r.Specification).ToList();
         repo.Network.Fetch(remote.Name, refSpecs, MakeFetchOptions());
 
-        // 2. Resolve local branches
-        var fromBranch = repo.Branches[from]
-            ?? throw new InvalidOperationException($"Branch '{from}' not found.");
+        // 2. Resolve branches — always read from origin/ so we reflect what is actually on the remote,
+        //    never the server's potentially-stale local branch pointers.
+        var fromBranch = repo.Branches[$"origin/{from}"]
+            ?? throw new InvalidOperationException($"Remote branch 'origin/{from}' not found.");
+        // `to` is read locally because we need to mutate its ref and push — it is immediately
+        // fast-forwarded to origin/{to} in the next step so it is never stale when used.
         var toBranch = repo.Branches[to]
             ?? throw new InvalidOperationException($"Branch '{to}' not found.");
 
@@ -327,8 +360,7 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
             try
             {
-                var remote = repo.Network.Remotes["origin"]
-                    ?? throw new InvalidOperationException("No 'origin' remote.");
+                var remote = EnsureRemote(repo, repoName);
                 // Force push — "+" prefix overrides remote reflog
                 repo.Network.Push(remote, $"+refs/heads/{branchName}:refs/heads/{branchName}", MakePushOptions());
             }
@@ -419,8 +451,7 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
         // 1. Fetch
         Log("  Fetching origin...");
-        var remote = repo.Network.Remotes["origin"]
-            ?? throw new InvalidOperationException("No 'origin' remote configured.");
+        var remote   = EnsureRemote(repo, repoName);
         var refSpecs = remote.FetchRefSpecs.Select(r => r.Specification).ToList();
         repo.Network.Fetch(remote.Name, refSpecs, MakeFetchOptions());
 
@@ -548,13 +579,10 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
         // Fetch latest remote refs — swallow network errors so status still works offline.
         try
         {
-            var remote = repo.Network.Remotes["origin"];
-            if (remote is not null)
-            {
+            var remote   = EnsureRemote(repo, repoName);
             var refSpecs = remote.FetchRefSpecs.Select(r => r.Specification).ToList();
             repo.Network.Fetch(remote.Name, refSpecs, MakeFetchOptions());
         }
-        }
         catch (Exception ex)
         {
             logger.LogWarning(ex, "Fetch during conformance check failed — continuing with cached refs");
@@ -566,12 +594,13 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
             var branchName = Ladder[i];
             var srcName    = i > 0 ? Ladder[i - 1] : null; // predecessor branch (e.g. develop for staging)
-            var branch     = repo.Branches[branchName];
+            // Always read from origin/ tracking refs — never local branch pointers.
+            var branch     = repo.Branches[$"origin/{branchName}"];
 
             // ── Branch missing ──────────────────────────────────────────────
             if (branch?.Tip is null)
             {
-                var srcTip = srcName is not null ? repo.Branches[srcName]?.Tip?.Sha : null;
+                var srcTip = srcName is not null ? repo.Branches[$"origin/{srcName}"]?.Tip?.Sha : null;
                 checks.Add(new BranchConformanceCheck(
                     branchName, srcName,
                     ConformanceViolation.Missing,
@@ -592,7 +621,7 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
                 continue;
             }
 
-            var srcBranch = repo.Branches[srcName];
+            var srcBranch = repo.Branches[$"origin/{srcName}"];
             if (srcBranch?.Tip is null)
             {
                 // Source branch is itself missing — skip, it will be reported separately.
@@ -666,8 +695,7 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
 
             repo.Refs.Add($"refs/heads/{branchName}", commit.Sha);
 
-            var remote = repo.Network.Remotes["origin"]
-                ?? throw new InvalidOperationException("No 'origin' remote configured.");
+            var remote = EnsureRemote(repo, repoName);
 
             repo.Network.Push(remote, $"refs/heads/{branchName}:refs/heads/{branchName}", MakePushOptions());
 
@@ -759,6 +787,64 @@ public class PromotionService(IConfiguration config, ILogger<PromotionService> l
             return [];
         }
     }
+
+    /// <summary>
+    /// Returns distinct, sorted OPC numbers for commits reachable from <paramref name="toSha"/>
+    /// that are NOT reachable from <paramref name="fromSha"/> — i.e. the exact delta for this release.
+    /// Falls back to <see cref="ExtractOpcNumbersAsync"/> (last 50 commits) when <paramref name="fromSha"/>
+    /// is null (first-ever release for this environment).
+    /// </summary>
+    public Task<List<string>> ExtractOpcNumbersDeltaAsync(
+        string  repoName,
+        string  toSha,
+        string? fromSha,
+        CancellationToken ct = default) =>
+        fromSha is null
+            ? ExtractOpcNumbersAsync(repoName, ct: ct)
+            : Task.Run(() => ExtractOpcNumbersDeltaCore(repoName, toSha, fromSha), ct);
+
+    private List<string> ExtractOpcNumbersDeltaCore(string repoName, string toSha, string fromSha)
+    {
+        var repoPath = GetRepoPath(repoName);
+        if (string.IsNullOrWhiteSpace(repoPath) || !Directory.Exists(repoPath))
+            return [];
+        try
+        {
+            using var repo = new Repository(repoPath);
+            var toCommit   = repo.Lookup<Commit>(toSha);
+            var fromCommit = repo.Lookup<Commit>(fromSha);
+            if (toCommit is null) return [];
+
+            var filter = fromCommit is null
+                ? new CommitFilter { IncludeReachableFrom = toCommit }
+                : new CommitFilter { IncludeReachableFrom = toCommit, ExcludeReachableFrom = fromCommit };
+
+            var set = new HashSet<string>(StringComparer.Ordinal);
+            foreach (var commit in repo.Commits.QueryBy(filter))
+                foreach (System.Text.RegularExpressions.Match m in OpcTagPattern.Matches(commit.Message))
+                    set.Add($"OPC # {m.Groups[1].Value.PadLeft(4, '0')}");
+
+            return [.. set.OrderBy(x => x)];
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "ExtractOpcNumbersDelta failed for {Repo} {From}..{To}", repoName, fromSha[..7], toSha[..7]);
+            return [];
+        }
+    }
+
+    /// <summary>Returns the full HEAD SHA of <paramref name="branch"/> in <paramref name="repoName"/>, or null.</summary>
+    public string? GetBranchTipSha(string repoName, string branch)
+    {
+        var repoPath = GetRepoPath(repoName);
+        if (string.IsNullOrWhiteSpace(repoPath) || !Directory.Exists(repoPath)) return null;
+        try
+        {
+            using var repo = new Repository(repoPath);
+            return (repo.Branches[$"origin/{branch}"] ?? repo.Branches[branch])?.Tip?.Sha;
+        }
+        catch { return null; }
+    }
 }
 
 /// <summary>A single unreleased commit — carries full SHA for cherry-pick operations.</summary>

ControlPlane.Api/Services/ReleaseService.cs

@@ -51,7 +51,12 @@ public class ReleaseService(
             return blocked;
         }
 
-        var record = await history.CreateReleaseAsync(targetEnv, ImageName);
+        // Resolve the Clarity branch for this environment and stamp the HEAD SHA
+        // before creating the record so we capture "what was deployed" accurately.
+        var branch    = targetEnv switch { "fdev" => "develop", "staging" => "staging", "uat" => "uat", _ => "main" };
+        var currentSha = promotions.GetBranchTipSha("Clarity", branch);
+
+        var record = await history.CreateReleaseAsync(targetEnv, ImageName, currentSha);
 
         try
         {
@@ -183,9 +188,16 @@ public class ReleaseService(
         }
         finally
         {
-            // Stamp OPC ticket numbers from recent commits on the target branch.
-            var branch = targetEnv switch { "fdev" => "develop", "staging" => "staging", "uat" => "uat", _ => "main" };
-            try   { record.OpcNumbers = await promotions.ExtractOpcNumbersAsync("Clarity", branch, 50, ct); }
+            // Stamp the exact OPC ticket numbers introduced by this release:
+            // diff from previous release's SHA to this release's SHA on the Clarity branch.
+            try
+            {
+                var prev = await history.GetLastSuccessfulReleaseForEnvAsync(targetEnv);
+                // Exclude the current (in-flight) record — it's not succeeded yet
+                var prevSha = prev?.Id == record.Id ? null : prev?.CommitSha;
+                if (currentSha is not null)
+                    record.OpcNumbers = await promotions.ExtractOpcNumbersDeltaAsync("Clarity", currentSha, prevSha, ct);
+            }
             catch { /* git not configured — continue without OPC stamp */ }
 
             await history.UpdateReleaseAsync(record);

ControlPlane.Api/appsettings.json

@@ -22,10 +22,14 @@
     "Owner":         "ClarityStack",
     "Repo":          "OPC",
     "Token":         "fcf9f66415754fb639a8343e3904e06b1d78c646",
+    "WebhookSecret": "",
     "Repos": {
       "Clarity": { "Owner": "ClarityStack", "Repo": "Clarity"  },
       "OPC":     { "Owner": "ClarityStack", "Repo": "OPC"      },
       "Gateway": { "Owner": "ClarityStack", "Repo": "Gateway"  }
     }
+  },
+  "Build": {
+    "WorkDir": "C:\\Users\\amadzarak\\source\\clarity-builds"
   }
 }

ControlPlane.AppHost/AppHost.cs

@@ -20,6 +20,9 @@ var clientAssetsPath = Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "
 var nginxConfDPath   = Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "..", "infra", "nginx", "conf.d"));
 var vaultKeysFile    = Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "..", "infra", "vault", "data", "init.json"));
 
+// Build working directory for BuildConsumer (clone/pull repos here when running builds)
+var buildWorkDir     = Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "..", "..", "..", "clarity-builds"));
+
 #region CONTROLPLANE POSTGRES
 // ControlPlane owns this — isolated from platform infra postgres.
 // Override via: dotnet user-secrets set "Parameters:cp-postgres-password" "yourpassword"
@@ -48,6 +51,7 @@ var api = builder.AddProject<Projects.ControlPlane_Api>("controlplane-api")
     .WaitFor(controlPlaneDb)
     .WithEnvironment("ClientAssets__Folder",  clientAssetsPath)
     .WithEnvironment("Docker__RepoRoot",      Path.GetFullPath(Path.Combine(builder.AppHostDirectory, "..", "..")))  // ClarityStack/ root — needed for Directory.*.props
+    .WithEnvironment("Build__WorkDir",        buildWorkDir)
     .WithExternalHttpEndpoints();
 #endregion
 
@@ -82,6 +86,10 @@ builder.AddProject<Projects.ControlPlane_Worker>("controlplane-worker")
     // Platform Postgres connection string for tenant database provisioning (infra/docker-compose.yml)
     .WithEnvironment("ConnectionStrings__platformdb",
         "Host=localhost;Port=5432;Username=postgres;Password=postgres")
+    .WithEnvironment("Build__WorkDir", buildWorkDir)
+    .WithEnvironment("Gitea__BaseUrl", "https://opc.clarity.test")
+    .WithEnvironment("Gitea__Owner",   "ClarityStack")
+    .WithEnvironment("Gitea__Token",   "fcf9f66415754fb639a8343e3904e06b1d78c646")
     .WithReference(controlPlaneDb)
     .WaitFor(controlPlaneDb);
 #endregion

ControlPlane.Core/Interfaces/SagaContext.cs

@@ -24,6 +24,11 @@ public class SagaContext
     // Written by LaunchStep — primary app container name
     public string? ContainerName { get; set; }
 
+    // Written by VaultStep — scoped periodic token for the tenant (not the root token)
+    // and its accessor used for compensation/revocation
+    public string? VaultToken { get; set; }
+    public string? VaultTokenAccessor { get; set; }
+
     // Written by PulumiStep (DedicatedVM/Enterprise tier) — target host details for subsequent steps
     public string? VmIpAddress { get; set; }
     public string? VmSshKeyPath { get; set; }

ControlPlane.Core/Messages/BuildMessages.cs

@@ -0,0 +1,23 @@
+namespace ControlPlane.Core.Messages;
+
+/// <summary>
+/// API -> Worker: run dotnet build for the given repo at the given commit SHA.
+/// Published when Gitea fires a push webhook for refs/heads/develop.
+/// </summary>
+public record BuildRequestedCommand
+{
+    /// <summary>Gitea repo name (e.g. "OPC" or "Clarity").</summary>
+    public string RepoName    { get; init; } = string.Empty;
+
+    /// <summary>HEAD commit SHA of the push that triggered this build.</summary>
+    public string HeadSha     { get; init; } = string.Empty;
+
+    /// <summary>Branch that was pushed to (e.g. "develop").</summary>
+    public string Branch      { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Relative path to the solution file to build, e.g. "ControlPlane.slnx".
+    /// Relative to the cloned repo root.
+    /// </summary>
+    public string SolutionPath { get; init; } = string.Empty;
+}

ControlPlane.Core/Models/ReleaseRecord.cs

@@ -17,6 +17,7 @@ public class ReleaseRecord
     public DateTimeOffset? FinishedAt  { get; set; }
     public List<TenantReleaseResult> Tenants    { get; set; } = [];
     public List<string>              OpcNumbers { get; set; } = [];
+    public string?                   CommitSha  { get; set; }  // Clarity branch HEAD SHA at release time
 }
 
 public class TenantReleaseResult

ControlPlane.Core/Services/BuildHistoryService.cs

@@ -142,13 +142,13 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
 
     // ── Releases ────────────────────────────────────────────────────────────
 
-    public async Task<ReleaseRecord> CreateReleaseAsync(string environment, string imageName)
+    public async Task<ReleaseRecord> CreateReleaseAsync(string environment, string imageName, string? commitSha = null)
     {
-        var record = new ReleaseRecord { Environment = environment, ImageName = imageName };
+        var record = new ReleaseRecord { Environment = environment, ImageName = imageName, CommitSha = commitSha };
 
         await using var cmd = db.CreateCommand("""
-            INSERT INTO release_record (id, environment, image_name, status, started_at, opc_numbers)
-            VALUES ($1, $2, $3, $4, $5, $6)
+            INSERT INTO release_record (id, environment, image_name, status, started_at, opc_numbers, commit_sha)
+            VALUES ($1, $2, $3, $4, $5, $6, $7)
             """);
         cmd.Parameters.AddWithValue(record.Id);
         cmd.Parameters.AddWithValue(record.Environment);
@@ -156,6 +156,7 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
         cmd.Parameters.AddWithValue(record.Status.ToString());
         cmd.Parameters.AddWithValue(record.StartedAt);
         cmd.Parameters.Add(new NpgsqlParameter<string[]> { TypedValue = [.. record.OpcNumbers] });
+        cmd.Parameters.AddWithValue((object?)record.CommitSha ?? DBNull.Value);
         await cmd.ExecuteNonQueryAsync();
 
         return record;
@@ -169,12 +170,13 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
         await using var tx   = await conn.BeginTransactionAsync();
 
         await using var upd = new NpgsqlCommand("""
-            UPDATE release_record SET status = $2, finished_at = $3, opc_numbers = $4 WHERE id = $1
+            UPDATE release_record SET status = $2, finished_at = $3, opc_numbers = $4, commit_sha = $5 WHERE id = $1
             """, conn, tx);
         upd.Parameters.AddWithValue(record.Id);
         upd.Parameters.AddWithValue(record.Status.ToString());
         upd.Parameters.AddWithValue(record.FinishedAt!.Value);
         upd.Parameters.Add(new NpgsqlParameter<string[]> { TypedValue = [.. record.OpcNumbers] });
+        upd.Parameters.AddWithValue((object?)record.CommitSha ?? DBNull.Value);
         await upd.ExecuteNonQueryAsync();
 
         // Replace tenant results wholesale on each update
@@ -206,7 +208,7 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
         var lookup  = new Dictionary<string, ReleaseRecord>();
 
         await using var cmd = db.CreateCommand("""
-            SELECT id, environment, image_name, status, started_at, finished_at, opc_numbers
+            SELECT id, environment, image_name, status, started_at, finished_at, opc_numbers, commit_sha
             FROM release_record
             ORDER BY started_at DESC
             LIMIT 50
@@ -224,6 +226,7 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
                     StartedAt   = reader.GetFieldValue<DateTimeOffset>(4),
                     FinishedAt  = reader.IsDBNull(5) ? null : reader.GetFieldValue<DateTimeOffset>(5),
                     OpcNumbers  = reader.IsDBNull(6) ? [] : [.. reader.GetFieldValue<string[]>(6)],
+                    CommitSha   = reader.IsDBNull(7) ? null : reader.GetString(7),
                 };
                 ordered.Add(r);
                 lookup[r.Id] = r;
@@ -254,5 +257,34 @@ public class BuildHistoryService(NpgsqlDataSource db, ILogger<BuildHistoryServic
 
         return ordered;
     }
+
+    /// <summary>
+    /// Returns the most recent succeeded release for <paramref name="environment"/>, or null if none exists.
+    /// Used to calculate the OPC ticket delta between releases (previousSha..currentSha).
+    /// </summary>
+    public async Task<ReleaseRecord?> GetLastSuccessfulReleaseForEnvAsync(string environment)
+    {
+        await using var cmd = db.CreateCommand("""
+            SELECT id, environment, image_name, status, started_at, finished_at, opc_numbers, commit_sha
+            FROM release_record
+            WHERE environment = $1 AND status = 'Succeeded'
+            ORDER BY started_at DESC
+            LIMIT 1
+            """);
+        cmd.Parameters.AddWithValue(environment);
+        await using var reader = await cmd.ExecuteReaderAsync();
+        if (!await reader.ReadAsync()) return null;
+        return new ReleaseRecord
+        {
+            Id          = reader.GetString(0),
+            Environment = reader.GetString(1),
+            ImageName   = reader.GetString(2),
+            Status      = Enum.Parse<ReleaseStatus>(reader.GetString(3)),
+            StartedAt   = reader.GetFieldValue<DateTimeOffset>(4),
+            FinishedAt  = reader.IsDBNull(5) ? null : reader.GetFieldValue<DateTimeOffset>(5),
+            OpcNumbers  = reader.IsDBNull(6) ? [] : [.. reader.GetFieldValue<string[]>(6)],
+            CommitSha   = reader.IsDBNull(7) ? null : reader.GetString(7),
+        };
+    }
 }
 

ControlPlane.Worker/BuildConsumer.cs

@@ -0,0 +1,253 @@
+using System.Diagnostics;
+using System.Net.Http.Json;
+using System.Text;
+using System.Text.Json;
+using ControlPlane.Core.Messages;
+using ControlPlane.Core.Models;
+using ControlPlane.Core.Services;
+using LibGit2Sharp;
+using MassTransit;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+
+namespace ControlPlane.Worker;
+
+/// <summary>
+/// MassTransit consumer. Triggered by BuildRequestedCommand (published by the Gitea push webhook).
+/// Clones or updates the repo, runs dotnet build, and reports status back to Gitea.
+/// Runs inside the SDK-based Worker container — dotnet CLI is always available.
+/// </summary>
+public sealed class BuildConsumer(
+    BuildHistoryService  history,
+    IConfiguration       config,
+    IHttpClientFactory   httpFactory,
+    ILogger<BuildConsumer> logger) : IConsumer<BuildRequestedCommand>
+{
+    private static readonly JsonSerializerOptions JsonOpts = new(JsonSerializerDefaults.Web);
+
+    public async Task Consume(ConsumeContext<BuildRequestedCommand> context)
+    {
+        var cmd = context.Message;
+        var ct  = context.CancellationToken;
+
+        logger.LogInformation(
+            "BuildConsumer: starting build for {Repo}@{Sha}",
+            cmd.RepoName, cmd.HeadSha[..Math.Min(8, cmd.HeadSha.Length)]);
+
+        // 1. Create a build record — CommitSha written on Complete
+        var record = await history.CreateBuildAsync(BuildKind.SolutionBuild, cmd.SolutionPath);
+        record.CommitSha = cmd.HeadSha;
+
+        // 2. Signal pending to Gitea immediately so the commit shows ⏳
+        await PostCommitStatusAsync(cmd.RepoName, cmd.HeadSha, "pending", "Build running…", ct);
+
+        try
+        {
+            // 3. Ensure repo is cloned / up-to-date
+            var workDir = await Task.Run(() => EnsureRepo(cmd.RepoName, cmd.HeadSha, record), ct);
+            if (workDir is null)
+            {
+                await FailAsync(record, cmd, "Failed to prepare repository clone.", ct);
+                return;
+            }
+
+            // 4. Run dotnet build
+            var solutionPath = Path.Combine(workDir, cmd.SolutionPath
+                .Replace('/', Path.DirectorySeparatorChar));
+
+            var exitCode = await RunBuildAsync(solutionPath, record, ct);
+            var status   = exitCode == 0 ? BuildStatus.Succeeded : BuildStatus.Failed;
+            var summary  = exitCode == 0
+                ? "✔ Build succeeded."
+                : $"✖ Build failed (exit {exitCode}).";
+
+            record.Log.Add(summary);
+            logger.LogInformation("BuildConsumer: {Repo} build {Status}", cmd.RepoName, status);
+
+            // 5. Persist final record + post status to Gitea
+            await history.CompleteBuildAsync(record, status);
+            await PostCommitStatusAsync(
+                cmd.RepoName, cmd.HeadSha,
+                exitCode == 0 ? "success" : "failure",
+                summary, ct);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "BuildConsumer: unhandled exception for {Repo}@{Sha}", cmd.RepoName, cmd.HeadSha);
+            await FailAsync(record, cmd, $"Unhandled exception: {ex.Message}", ct);
+        }
+    }
+
+    // ── Repository management ─────────────────────────────────────────────────
+
+    private string? EnsureRepo(string repoName, string headSha, BuildRecord record)
+    {
+        var baseDir  = config["Build:WorkDir"] ?? "/opt/clarity-builds";
+        var repoDir  = Path.Combine(baseDir, repoName);
+        var remoteUrl = BuildRemoteUrl(repoName);
+
+        void Log(string msg)
+        {
+            record.Log.Add(msg);
+            logger.LogInformation("[{Repo}] {Msg}", repoName, msg);
+        }
+
+        try
+        {
+            if (!Repository.IsValid(repoDir))
+            {
+                Log($"Cloning {remoteUrl} → {repoDir}");
+                Directory.CreateDirectory(repoDir);
+                Repository.Clone(remoteUrl, repoDir, new CloneOptions
+                {
+                    FetchOptions =
+                    {
+                        CredentialsProvider = MakeCredentials(),
+                        CertificateCheck    = (_, _, _) => true,
+                    },
+                });
+            }
+            else
+            {
+                Log($"Pulling latest for {repoName}");
+                using var repo   = new Repository(repoDir);
+                var remote = EnsureRemote(repo, repoName);
+                Commands.Fetch(repo, remote.Name, remote.FetchRefSpecs.Select(r => r.Specification), new FetchOptions
+                {
+                    CredentialsProvider = MakeCredentials(),
+                    CertificateCheck    = (_, _, _) => true,
+                }, null);
+
+                // Reset to the exact SHA we want to build
+                var commit = repo.Lookup<Commit>(headSha);
+                if (commit is null)
+                {
+                    Log($"Warning: SHA {headSha[..8]} not found after fetch — building HEAD instead.");
+                }
+                else
+                {
+                    repo.Reset(ResetMode.Hard, commit);
+                    Log($"Reset to {headSha[..8]}");
+                }
+            }
+
+            return repoDir;
+        }
+        catch (Exception ex)
+        {
+            Log($"✖ Git error: {ex.Message}");
+            logger.LogError(ex, "Failed to prepare repo {Repo}", repoName);
+            return null;
+        }
+    }
+
+    private Remote EnsureRemote(Repository repo, string repoName)
+    {
+        var url    = BuildRemoteUrl(repoName);
+        var remote = repo.Network.Remotes["origin"];
+        if (remote is null)
+            return repo.Network.Remotes.Add("origin", url);
+        if (remote.Url != url)
+            repo.Network.Remotes.Update("origin", r => r.Url = url);
+        return repo.Network.Remotes["origin"]!;
+    }
+
+    private string BuildRemoteUrl(string repoName)
+    {
+        var baseUrl = (config["Gitea:BaseUrl"] ?? "https://opc.clarity.test").TrimEnd('/');
+        var owner   = config["Gitea:Owner"] ?? "ClarityStack";
+        return $"{baseUrl}/{owner}/{repoName}.git";
+    }
+
+    private LibGit2Sharp.Handlers.CredentialsHandler MakeCredentials()
+    {
+        var user  = config["Gitea:Owner"] ?? "git";
+        var token = config["Gitea:Token"] ?? string.Empty;
+        return (_, _, _) => new UsernamePasswordCredentials { Username = user, Password = token };
+    }
+
+    // ── Build execution ───────────────────────────────────────────────────────
+
+    private async Task<int> RunBuildAsync(string solutionPath, BuildRecord record, CancellationToken ct)
+    {
+        var psi = new ProcessStartInfo("dotnet",
+            $"build \"{solutionPath}\" -c Release --no-incremental --nologo")
+        {
+            RedirectStandardOutput = true,
+            RedirectStandardError  = true,
+            UseShellExecute        = false,
+            CreateNoWindow         = true,
+        };
+
+        record.Log.Add($"▶ dotnet build {Path.GetFileName(solutionPath)} -c Release");
+        record.Log.Add("──────────────────────────────────────────────────");
+
+        using var proc = new Process { StartInfo = psi, EnableRaisingEvents = true };
+
+        void HandleLine(string? line)
+        {
+            if (line is null) return;
+            // Non-blocking fire-and-forget flush every 20 lines
+            _ = history.AppendBuildLogAsync(record, line);
+        }
+
+        proc.OutputDataReceived += (_, e) => HandleLine(e.Data);
+        proc.ErrorDataReceived  += (_, e) => HandleLine(e.Data);
+
+        proc.Start();
+        proc.BeginOutputReadLine();
+        proc.BeginErrorReadLine();
+
+        await proc.WaitForExitAsync(ct);
+        return proc.ExitCode;
+    }
+
+    // ── Gitea commit status ───────────────────────────────────────────────────
+
+    private async Task PostCommitStatusAsync(
+        string repoName, string sha, string state, string description, CancellationToken ct)
+    {
+        try
+        {
+            var owner = config["Gitea:Owner"] ?? "ClarityStack";
+
+            using var http = httpFactory.CreateClient("gitea");
+
+            var url  = $"api/v1/repos/{owner}/{repoName}/statuses/{sha}";
+            var body = JsonSerializer.Serialize(new
+            {
+                state,
+                description,
+                context = "controlplane/build",
+            }, JsonOpts);
+
+            var resp = await http.PostAsync(
+                url,
+                new StringContent(body, Encoding.UTF8, "application/json"),
+                ct);
+
+            if (!resp.IsSuccessStatusCode)
+            {
+                var err = await resp.Content.ReadAsStringAsync(ct);
+                logger.LogWarning(
+                    "PostCommitStatus failed for {Repo}@{Sha}: {Status} {Err}",
+                    repoName, sha[..Math.Min(8, sha.Length)], resp.StatusCode, err);
+            }
+        }
+        catch (Exception ex)
+        {
+            // Never let a failed status post break the build flow
+            logger.LogWarning(ex, "PostCommitStatus threw for {Repo}", repoName);
+        }
+    }
+
+    // ── Helpers ───────────────────────────────────────────────────────────────
+
+    private async Task FailAsync(
+        BuildRecord record, BuildRequestedCommand cmd, string reason, CancellationToken ct)
+    {
+        record.Log.Add($"✖ {reason}");
+        await history.CompleteBuildAsync(record, BuildStatus.Failed);
+        await PostCommitStatusAsync(cmd.RepoName, cmd.HeadSha, "failure", reason, ct);
+    }
+}

ControlPlane.Worker/ControlPlane.Worker.csproj

@@ -6,6 +6,7 @@
 
   <ItemGroup>
     <PackageReference Include="Docker.DotNet" />
+    <PackageReference Include="LibGit2Sharp" />
     <PackageReference Include="Microsoft.Extensions.Hosting" />
     <PackageReference Include="Npgsql" />
     <PackageReference Include="Keycloak.AuthServices.Sdk" />

ControlPlane.Worker/Dockerfile

@@ -14,17 +14,10 @@ RUN dotnet publish "ControlPlane.Worker/ControlPlane.Worker.csproj" \
     -c Release -o /app/publish --no-restore
 
 # ── Runtime stage ─────────────────────────────────────────────────────────────
-FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime
+# SDK image — required so BuildConsumer can invoke `dotnet build` on cloned repos.
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS runtime
 WORKDIR /app
 
-# Install Pulumi CLI so the Automation API can shell out to it
-RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates \
-    && curl -fsSL https://get.pulumi.com | sh \
-    && apt-get purge -y curl \
-    && rm -rf /var/lib/apt/lists/*
-
-ENV PATH="/root/.pulumi/bin:${PATH}"
-
 COPY --from=build /app/publish .
 
 ENTRYPOINT ["dotnet", "ControlPlane.Worker.dll"]

ControlPlane.Worker/Program.cs

@@ -6,6 +6,7 @@ using ControlPlane.Worker.Services;
 using ControlPlane.Worker.Steps;
 using Keycloak.AuthServices.Sdk;
 using MassTransit;
+using Npgsql;
 
 var builder = Host.CreateApplicationBuilder(args);
 
@@ -26,6 +27,22 @@ builder.Services.AddKeycloakAdminHttpClient(o =>
 // Custom admin client - handles realm creation, roles, role assignment (not in SDK)
 builder.Services.AddSingleton<KeycloakAdminClient>();
 
+// Named HttpClient for Gitea commit status API (self-signed cert + token auth)
+builder.Services.AddHttpClient("gitea", (sp, client) =>
+{
+    var cfg = sp.GetRequiredService<IConfiguration>();
+    client.BaseAddress = new Uri(cfg["Gitea:BaseUrl"] ?? "https://opc.clarity.test");
+    client.DefaultRequestHeaders.Authorization =
+        new System.Net.Http.Headers.AuthenticationHeaderValue("token", cfg["Gitea:Token"]);
+}).ConfigurePrimaryHttpMessageHandler(() =>
+    new HttpClientHandler { ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator });
+
+// opcdb for build/release history tracking
+var opcConnStr = builder.Configuration.GetConnectionString("opcdb");
+builder.Services.AddSingleton(NpgsqlDataSource.Create(
+    !string.IsNullOrWhiteSpace(opcConnStr) ? opcConnStr : "Host=127.0.0.1;Port=5433;Database=opcdb;Username=postgres;Password=controlplane-dev"));
+builder.Services.AddSingleton<BuildHistoryService>();
+
 // Docker container manager for per-tenant Clarity.Server instances
 builder.Services.AddSingleton<ClarityContainerService>();
 
@@ -44,6 +61,7 @@ builder.Services.AddMassTransit(x =>
     x.SetKebabCaseEndpointNameFormatter();
 
     x.AddConsumer<ProvisioningConsumer>();
+    x.AddConsumer<BuildConsumer>();
 
     x.UsingRabbitMq((ctx, cfg) =>
     {

ControlPlane.Worker/Services/ClarityContainerService.cs

@@ -105,6 +105,9 @@ public class ClarityContainerService(
                 ["clarity.subdomain"]              = subdomain,
                 ["clarity.siteCode"]               = siteCode,
                 ["clarity.env"]                    = environment,
+                // Groups containers in Docker Desktop by environment tier (fdev / uat / prod).
+                ["com.docker.compose.project"]     = $"clarity-{environment.ToLowerInvariant()}",
+                ["com.docker.compose.service"]     = name,
             },
         }, cancellationToken);
 

ControlPlane.Worker/Steps/KeycloakStep.cs

@@ -41,6 +41,17 @@ public class KeycloakStep(
         }, cancellationToken);
 
         // clarity-web-app: public OIDC client used by the React frontend.
+        // fdev is a developer dogfood environment — allow localhost redirect URIs so that a
+        // local Aspire dev loop (any port) can complete the OIDC flow against the shared
+        // OPC infra Keycloak without any post-provisioning patching.
+        var isFdev = string.Equals(context.Job.Environment, "fdev", StringComparison.OrdinalIgnoreCase);
+        var redirectUris = isFdev
+            ? new[] { $"{tenantOrigin}/*", "http://localhost:*/*", "http://*.dev.localhost:*/*" }
+            : new[] { $"{tenantOrigin}/*" };
+        var webOrigins = isFdev
+            ? "+"          // match all valid redirect URI origins
+            : tenantOrigin;
+
         await adminClient.CreateClientAsync(realmId, new
         {
             clientId                  = "clarity-web-app",
@@ -51,8 +62,8 @@ public class KeycloakStep(
             directAccessGrantsEnabled = false,
             rootUrl                   = tenantOrigin,
             baseUrl                   = "/",
-            redirectUris              = new[] { $"{tenantOrigin}/*" },
-            webOrigins                = new[] { tenantOrigin },
+            redirectUris,
+            webOrigins                = new[] { webOrigins },
         }, cancellationToken);
 
         // Ensure tokens issued by clarity-web-app include "clarity-rest-api" in the `aud` claim

ControlPlane.Worker/Steps/LaunchStep.cs

@@ -32,7 +32,7 @@ public class LaunchStep(
             subdomain:                job.Subdomain,
             keycloakRealm:            $"clarity-{job.Subdomain.ToLowerInvariant()}",
             postgresConnectionString: context.TenantConnectionString,
-            vaultToken:               ReadVaultToken(config),
+            vaultToken:               context.VaultToken ?? ReadVaultToken(config),
             jobId:                    job.Id,
             cancellationToken:        cancellationToken);
 

ControlPlane.Worker/Steps/VaultStep.cs

@@ -1,6 +1,9 @@
 using ControlPlane.Core.Interfaces;
 using ControlPlane.Core.Models;
+using System.Net.Http.Headers;
+using System.Text;
 using System.Text.Json;
+using System.Text.Json.Nodes;
 
 namespace ControlPlane.Worker.Steps;
 
@@ -8,38 +11,117 @@ public class VaultStep(ILogger<VaultStep> logger, IConfiguration config) : ISaga
 {
     public string StepName => "Cryptographic Pre-Flight (Vault)";
 
-    public Task ExecuteAsync(SagaContext context, CancellationToken cancellationToken)
+    // Policy grants the tenant token exactly the three Transit operations Clarity.Server needs:
+    //   GenerateTenantKEKAsync  → datakey/plaintext  (first boot only)
+    //   DecryptTenantKEKAsync   → decrypt            (every restart)
+    //   RewrapTenantKEKAsync    → rewrap             (key rotation)
+    private const string PolicyTemplate = """
+        path "clarity-transit/datakey/plaintext/master-key" {
+          capabilities = ["update"]
+        }
+        path "clarity-transit/decrypt/master-key" {
+          capabilities = ["update"]
+        }
+        path "clarity-transit/rewrap/master-key" {
+          capabilities = ["update"]
+        }
+        """;
+
+    public async Task ExecuteAsync(SagaContext context, CancellationToken cancellationToken)
     {
-        // TODO: VaultSharp
-        // 1. Assert Transit engine is active and healthy
-        // 2. Derive/validate TenantContextId (e.g. FL_COM_001)
-        // 3. Register TenantContextId in a KV entry or TenantRegistry table
-        //    so Clarity.Server can resolve the derivation path later
-        //
-        // Root token is read at runtime from the persisted init.json on the Vault volume:
-        //   var token = ReadRootToken();
-        logger.LogInformation("[{JobId}] Vault step is a stub - VaultSharp not yet wired.", context.Job.Id);
+        var rootToken = ReadRootToken();
+        var vaultAddr = (config["Vault:Address"] ?? "http://localhost:8200").TrimEnd('/');
+        var subdomain = context.Job.Subdomain.ToLowerInvariant();
+        var policyName = $"clarity-tenant-{subdomain}";
+
+        using var http = new HttpClient { BaseAddress = new Uri(vaultAddr) };
+        http.DefaultRequestHeaders.Add("X-Vault-Token", rootToken);
+
+        // ── 1. Assert Transit engine + master-key are healthy ─────────────────
+        logger.LogInformation("[{JobId}] Verifying Vault Transit engine and master-key.", context.Job.Id);
+        var healthRes = await http.GetAsync("v1/clarity-transit/keys/master-key", cancellationToken);
+        if (!healthRes.IsSuccessStatusCode)
+            throw new InvalidOperationException(
+                $"Vault Transit master-key not found at {vaultAddr}. " +
+                "Ensure OPC infra is running and the entrypoint has bootstrapped Vault.");
+
+        // ── 2. Upsert per-tenant policy (idempotent PUT) ──────────────────────
+        logger.LogInformation("[{JobId}] Writing Vault policy '{Policy}'.", context.Job.Id, policyName);
+        var policyBody = JsonSerializer.Serialize(new { policy = PolicyTemplate });
+        var policyRes = await http.PutAsync(
+            $"v1/sys/policies/acl/{policyName}",
+            new StringContent(policyBody, Encoding.UTF8, "application/json"),
+            cancellationToken);
+        policyRes.EnsureSuccessStatusCode();
+
+        // ── 3. Create scoped periodic token bound to tenant policy ────────────
+        logger.LogInformation("[{JobId}] Creating scoped Vault token for policy '{Policy}'.", context.Job.Id, policyName);
+        var tokenBody = JsonSerializer.Serialize(new
+        {
+            policies  = new[] { policyName },
+            period    = "72h",
+            renewable = true,
+            metadata  = new Dictionary<string, string>
+            {
+                ["tenant"]    = subdomain,
+                ["createdBy"] = "ControlPlane.Worker",
+            },
+        });
+        var tokenRes = await http.PostAsync(
+            "v1/auth/token/create",
+            new StringContent(tokenBody, Encoding.UTF8, "application/json"),
+            cancellationToken);
+        tokenRes.EnsureSuccessStatusCode();
+
+        var tokenJson = JsonNode.Parse(await tokenRes.Content.ReadAsStringAsync(cancellationToken))!;
+        context.VaultToken         = tokenJson["auth"]!["client_token"]!.GetValue<string>();
+        context.VaultTokenAccessor = tokenJson["auth"]!["accessor"]!.GetValue<string>();
+
+        logger.LogInformation("[{JobId}] Vault step complete. Token accessor: {Accessor}",
+            context.Job.Id, context.VaultTokenAccessor);
+
         context.Job.CompletedSteps |= CompletedSteps.VaultVerified;
-        return Task.CompletedTask;
     }
 
-    public Task CompensateAsync(SagaContext context, CancellationToken cancellationToken)
+    public async Task CompensateAsync(SagaContext context, CancellationToken cancellationToken)
     {
-        logger.LogInformation("[{JobId}] Vault step: no compensation needed.", context.Job.Id);
-        return Task.CompletedTask;
+        if (string.IsNullOrWhiteSpace(context.VaultTokenAccessor)) return;
+
+        logger.LogWarning("[{JobId}] Compensating Vault — revoking token accessor {Accessor}.",
+            context.Job.Id, context.VaultTokenAccessor);
+
+        try
+        {
+            var rootToken = ReadRootToken();
+            var vaultAddr = (config["Vault:Address"] ?? "http://localhost:8200").TrimEnd('/');
+            using var http = new HttpClient { BaseAddress = new Uri(vaultAddr) };
+            http.DefaultRequestHeaders.Add("X-Vault-Token", rootToken);
+
+            var body = JsonSerializer.Serialize(new { accessor = context.VaultTokenAccessor });
+            await http.PostAsync(
+                "v1/auth/token/revoke-accessor",
+                new StringContent(body, Encoding.UTF8, "application/json"),
+                cancellationToken);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "[{JobId}] Failed to revoke Vault token accessor {Accessor} during compensation.",
+                context.Job.Id, context.VaultTokenAccessor);
+        }
     }
 
-    /// <summary>
-    /// Reads the root token from the init.json written by the Vault entrypoint on first boot.
-    /// Path is injected via Vault__KeysFile config.
-    /// </summary>
     internal string ReadRootToken()
     {
-        var path = config["Vault__KeysFile"]
-            ?? throw new InvalidOperationException("Vault__KeysFile is not configured.");
-
+        var path = config["Vault:KeysFile"] ?? config["Vault__KeysFile"];
+        if (!string.IsNullOrWhiteSpace(path) && File.Exists(path))
+        {
             using var doc = JsonDocument.Parse(File.ReadAllText(path));
-        return doc.RootElement.GetProperty("root_token").GetString()
-            ?? throw new InvalidOperationException("root_token not found in Vault init.json.");
+            if (doc.RootElement.TryGetProperty("root_token", out var tok))
+                return tok.GetString()!;
+        }
+
+        return config["Vault:Token"]
+            ?? throw new InvalidOperationException(
+                "Cannot resolve Vault root token: neither Vault:KeysFile nor Vault:Token is configured.");
     }
 }

ControlPlane.Worker/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Vault": {
+    "KeysFile": "C:\\Users\\amadzarak\\source\\repos\\ClarityStack\\OPC\\infra\\vault\\data\\init.json"
+  },
+  "Build": {
+    "WorkDir": "C:\\Users\\amadzarak\\source\\clarity-builds"
+  }
+}

ControlPlane.Worker/appsettings.json

@@ -20,12 +20,20 @@
 
   // ── Vault ─────────────────────────────────────────────────────────────────────
   // Worker uses localhost:8200 for admin calls.
-  // Vault__KeysFile is machine-specific → still injected by Aspire AppHost.
+  // Vault:KeysFile is machine-specific → set in appsettings.Development.json.
   "Vault": {
     "Address": "http://localhost:8200",
     "ContainerAddress": "http://vault:8200"
   },
 
+  // ── Gitea ─────────────────────────────────────────────────────────────────────
+  // Used by BuildConsumer to post commit statuses and clone repos.
+  "Gitea": {
+    "BaseUrl": "https://opc.clarity.test",
+    "Owner":   "ClarityStack",
+    "Token":   "fcf9f66415754fb639a8343e3904e06b1d78c646"
+  },
+
   // ── ClarityInfraOptions (Clarity section) ─────────────────────────────────────
   // These values describe what gets injected INTO tenant containers at docker run time.
   // Containers live on clarity-net → use Docker DNS names (keycloak, vault, postgres).

Directory.Build.props

@@ -0,0 +1,8 @@
+<Project>
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+  </PropertyGroup>
+</Project>

Directory.Packages.props

@@ -0,0 +1,52 @@
+<Project>
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+  </PropertyGroup>
+  <!-- Aspire Packages -->
+  <ItemGroup>
+    <PackageVersion Include="Aspire.Hosting.PostgreSQL" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Keycloak.Authentication" Version="13.2.2-preview.1.26207.2" />
+    <PackageVersion Include="Aspire.Npgsql.EntityFrameworkCore.PostgreSQL" Version="13.2.2" />
+    <PackageVersion Include="Aspire.StackExchange.Redis.OutputCaching" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.JavaScript" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.Keycloak" Version="13.2.2-preview.1.26207.2" />
+    <PackageVersion Include="Aspire.Hosting.Redis" Version="13.2.2" />
+    <PackageVersion Include="CommunityToolkit.Aspire.Hosting.Minio" Version="13.2.1-beta.532" />
+    <PackageVersion Include="CommunityToolkit.Aspire.Minio.Client" Version="13.2.1-beta.532" />
+    <PackageVersion Include="Docker.DotNet" Version="3.125.15" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.7" />
+    <PackageVersion Include="Npgsql" Version="10.0.2" />
+    <PackageVersion Include="LibGit2Sharp" Version="0.31.0" />
+    <PackageVersion Include="Scalar.Aspire" Version="0.9.24" />
+    <PackageVersion Include="VaultSharp" Version="1.17.5.1" />
+    <PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" />
+  </ItemGroup>
+  <!-- Clarity.MigrationService -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="10.0.6" />
+  </ItemGroup>
+  <!-- ControlPlane -->
+  <ItemGroup>
+    <PackageVersion Include="Aspire.Hosting.Sdk" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.RabbitMQ" Version="13.2.2" />
+    <PackageVersion Include="Aspire.RabbitMQ.Client" Version="13.2.2" />
+    <PackageVersion Include="Keycloak.AuthServices.Sdk" Version="2.9.0" />
+    <PackageVersion Include="MassTransit" Version="8.4.1" />
+    <PackageVersion Include="MassTransit.RabbitMQ" Version="8.4.1" />
+  </ItemGroup>
+  <!-- Clarity.Server -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.5.0" />
+    <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery" Version="10.5.0" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.2" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.2" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.1" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.0" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.15.0" />
+  </ItemGroup>
+</Project>

clarity.controlplane/src/api/buildApi.ts

@@ -30,6 +30,29 @@ export async function getBuildHistory(): Promise<BuildRecord[]> {
   return res.json();
 }
 
+export interface ShaBuildResult {
+  id:          string;
+  status:      'Running' | 'Succeeded' | 'Failed';
+  startedAt:   string;
+  finishedAt?: string;
+  durationMs?: number;
+  commitSha?:  string;
+}
+
+/** Returns the latest SolutionBuild for a given SHA, or null if none exists. */
+export async function getBuildBySha(sha: string): Promise<ShaBuildResult | null> {
+  const res = await fetch(`${BASE_URL}/api/builds/by-sha?sha=${encodeURIComponent(sha)}`);
+  if (!res.ok) throw new Error(`getBuildBySha failed: ${res.statusText}`);
+  return res.json();
+}
+
+/** Batch-fetches SolutionBuild status for multiple SHAs. Returns a map of sha -> result|null. */
+export async function getBuildsByShas(shas: string[]): Promise<Map<string, ShaBuildResult | null>> {
+  const unique  = [...new Set(shas.filter(Boolean))];
+  const entries = await Promise.all(unique.map(async (sha) => [sha, await getBuildBySha(sha)] as const));
+  return new Map(entries);
+}
+
 export function triggerProjectBuild(
   projectName: string,
   onLine:      (line: string) => void,

clarity.controlplane/src/api/opcApi.ts

@@ -121,6 +121,7 @@ export interface LinkedCommit {
   date:      string;
   subject:   string;
   files:     string[];
+  branches:  string[];
 }
 
 export async function getLinkedCommits(opcNumber: string): Promise<LinkedCommit[]> {
@@ -212,14 +213,31 @@ export async function getChangesets(
   limit  = 25,
   repo   = 'all',
   grep?: string,
+  branch?: string,
 ): Promise<LinkedCommit[]> {
   const params = new URLSearchParams({ page: String(page), limit: String(limit), repo });
   if (grep)   params.set('grep',   grep);
+  if (branch) params.set('branch', branch);
   const res = await fetch(`${BASE_URL}/api/git/log?${params}`);
   if (!res.ok) throw new Error(`Failed to load changesets: ${res.statusText}`);
   return res.json();
 }
 
+// ── Local git branches (from LibGit2 repos) ───────────────────────────────────
+
+export interface RepoBranchInfo {
+  repoKey:  string;
+  name:     string;
+  hash:     string;
+  isHead:   boolean;
+}
+
+export async function getBranches(repo = 'all'): Promise<RepoBranchInfo[]> {
+  const res = await fetch(`${BASE_URL}/api/git/branches?repo=${encodeURIComponent(repo)}`);
+  if (!res.ok) throw new Error(`Failed to load branches: ${res.statusText}`);
+  return res.json();
+}
+
 // ── Commit detail (full diff) ─────────────────────────────────────────────────
 
 export interface CommitFile {

clarity.controlplane/src/index.css

@@ -804,30 +804,116 @@ body {
 
 .opc-sdlc-pipeline {
   display: flex;
-  align-items: center;
-  flex-wrap: wrap;
-  gap: 0.2rem;
-  margin-bottom: 0.35rem;
-}
-
-.opc-sdlc-stage-item {
-  display: flex;
-  align-items: center;
-  gap: 0.2rem;
+  align-items: flex-start;
+  flex-wrap: nowrap;
+  gap: 0;
+  overflow-x: auto;
+  padding-bottom: 0.25rem;
 }
 
 .opc-sdlc-arrow {
   color: #8f99a8;
-  font-size: 0.8rem;
+  font-size: 1rem;
   font-weight: 600;
-  margin: 0 0.1rem;
+  flex-shrink: 0;
+  align-self: center;
+  margin: 0 0.4rem;
   user-select: none;
 }
 
-.opc-sdlc-furthest {
-  font-size: 0.75rem;
+/* Individual branch box */
+.opc-sdlc-box {
+  flex: 1 1 140px;
+  min-width: 130px;
+  max-width: 200px;
+  display: flex;
+  flex-direction: column;
+  border: 1px solid #dce0e6;
+  border-radius: 6px;
+  background: #fff;
+  overflow: hidden;
+  flex-shrink: 0;
+}
+
+.opc-sdlc-box--reached {
+  border-width: 2px;
+}
+
+.opc-sdlc-box-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0.3rem 0.5rem;
+  background: #f6f7f9;
+  border-bottom: 1px solid #e5e8eb;
+  flex-shrink: 0;
+}
+
+.opc-sdlc-box-count {
+  font-size: 0.68rem;
   color: #738091;
-  margin-top: 0.3rem;
+  background: #e5e8eb;
+  border-radius: 10px;
+  padding: 0 6px;
+  line-height: 1.5;
+}
+
+/* Scrollable body */
+.opc-sdlc-box-body {
+  flex: 1;
+  overflow-y: auto;
+  max-height: 140px;
+  min-height: 60px;
+  padding: 0.3rem 0.4rem;
+  display: flex;
+  flex-direction: column;
+  gap: 0.15rem;
+}
+
+.opc-sdlc-sha-row {
+  display: flex;
+  align-items: baseline;
+  gap: 0.35rem;
+  padding: 0.1rem 0.2rem;
+  border-radius: 3px;
+  opacity: 0.35;
+}
+
+.opc-sdlc-sha-row--reached {
+  opacity: 1;
+}
+
+.opc-sdlc-sha {
+  font-family: 'Consolas', 'Courier New', monospace;
+  font-size: 0.7rem;
+  color: #2d72d2;
+  flex-shrink: 0;
+}
+
+.opc-sdlc-sha-msg {
+  font-size: 0.68rem;
+  color: #4a5568;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  flex: 1;
+  min-width: 0;
+}
+
+.opc-sdlc-box-empty {
+  font-size: 0.7rem;
+  color: #a3acb6;
+  font-style: italic;
+  padding: 0.2rem 0;
+}
+
+.opc-sdlc-box-pending {
+  font-size: 0.68rem;
+  color: #a3acb6;
+  font-style: italic;
+  margin-top: auto;
+  padding-top: 0.25rem;
+  border-top: 1px dashed #e5e8eb;
 }
 
 /* Commits section labels */
@@ -1206,3 +1292,50 @@ body {
   min-width: 60px;
   text-align: center;
 }
+
+.cs-page-with-tree {
+  display: flex;
+  gap: 1.5rem;
+  align-items: flex-start;
+}
+
+.cs-branch-tree {
+  width: 200px;
+  flex-shrink: 0;
+  position: sticky;
+  top: 1rem;
+  border: 1px solid #dce0e6;
+  border-radius: 8px;
+  overflow: hidden;
+  padding: 0.25rem 0;
+  max-height: calc(100vh - 8rem);
+  overflow-y: auto;
+}
+
+.cs-branch-tree .bp6-tree-node-content {
+  font-size: 0.82rem;
+  height: 28px;
+}
+
+.cs-branch-tree .bp6-tree-node-content:hover {
+  background: #f6f7f9;
+}
+
+.cs-branch-tree .bp6-tree-node.bp6-tree-node-selected > .bp6-tree-node-content {
+  background: #e8f0fb;
+  color: #215db0;
+}
+
+.cs-content-area {
+  flex: 1;
+  min-width: 0;
+}
+
+.cs-branch-badge {
+  font-size: 0.67rem;
+  letter-spacing: 0.01em;
+  white-space: nowrap;
+  margin-left: 0.5rem;
+  opacity: 0.85;
+  vertical-align: middle;
+}

clarity.controlplane/src/opc/OpcPage.tsx

@@ -1,4 +1,4 @@
-import { useState, useMemo, useEffect, useCallback } from 'react';
+import { useState, useMemo, useEffect, useCallback, Fragment } from 'react';
 import { GitCommitDrawer } from '../components/GitCommitDrawer';
 import {
   Button, Callout, Divider, Drawer, FormGroup,
@@ -79,15 +79,6 @@ const SDLC_STAGES: { branch: string; label: string; intent: Intent }[] = [
   { branch: 'main',    label: 'Production', intent: Intent.SUCCESS  },
 ];
 
-function deriveSdlcSummary(coverage: BranchCoverage[]): { label: string; intent: Intent } | null {
-  for (let i = SDLC_STAGES.length - 1; i >= 0; i--) {
-    const stage = SDLC_STAGES[i];
-    const hit = coverage.find(c => c.branch === stage.branch);
-    if (hit?.contains) return { label: stage.label, intent: stage.intent };
-  }
-  return null;
-}
-
 // Aggregate per-repo branch coverage into a single view.
 // A stage is "reached" only when every repo that recognised at least one hash
 // reports contains=true for that branch. Repos that recognised no hashes are
@@ -487,42 +478,48 @@ function CommitsTab({ opc, isActive }: { opc: Opc; isActive: boolean }) {
 
       {/* SDLC Delivery Chain */}
       {coverage.length > 0 && (() => {
-        const summary = deriveSdlcSummary(coverage);
+        const allCommits = [
+          ...autoCommits,
+          ...pinned.map(p => ({ repoKey: 'pinned', hash: p.hash, shortHash: p.shortHash, author: p.pinnedBy, date: p.pinnedAt, subject: p.subject, files: [] })),
+        ].filter((c, i, a) => a.findIndex(x => x.hash === c.hash) === i);
+
         return (
           <div className="opc-delivery-chain">
-            <div className="opc-field-label" style={{ marginBottom: '0.6rem' }}>Delivery Chain</div>
+            <div className="opc-field-label" style={{ marginBottom: '0.75rem' }}>Delivery Chain</div>
             <div className="opc-sdlc-pipeline">
               {SDLC_STAGES.map((stage, i) => {
                 const hit     = coverage.find(c => c.branch === stage.branch);
                 const reached = hit?.contains ?? false;
                 return (
-                  <div key={stage.branch} className="opc-sdlc-stage-item">
+                  <Fragment key={stage.branch}>
                     {i > 0 && <span className="opc-sdlc-arrow">→</span>}
-                    <Tooltip content={
-                      reached
-                        ? `All linked commits have reached ${stage.label}`
-                        : hit
-                          ? `Not all linked commits have reached ${stage.label} yet`
-                          : `${stage.label} branch not found locally`
-                    }>
-                      <Tag
-                        intent={reached ? stage.intent : Intent.NONE}
-                        icon={reached ? 'tick-circle' : 'circle'}
-                        minimal={!reached}
-                        round
-                      >
+                    <div className={`opc-sdlc-box${reached ? ' opc-sdlc-box--reached' : ''}`} style={{ borderColor: reached ? SDLC_STAGES[i].intent === 'primary' ? '#2d72d2' : SDLC_STAGES[i].intent === 'warning' ? '#c87619' : SDLC_STAGES[i].intent === 'danger' ? '#ac2f33' : '#1c6e42' : '#dce0e6' }}>
+                      {/* Box header */}
+                      <div className="opc-sdlc-box-header">
+                        <Tag intent={reached ? stage.intent : Intent.NONE} minimal={!reached} round style={{ fontWeight: 600, fontSize: '0.72rem' }}>
                           {stage.label}
                         </Tag>
-                    </Tooltip>
+                        {reached && <span className="opc-sdlc-box-count">{allCommits.length}</span>}
                       </div>
+                      {/* Scrollable SHA list */}
+                      <div className="opc-sdlc-box-body">
+                        {allCommits.length === 0 ? (
+                          <span className="opc-sdlc-box-empty">No linked commits</span>
+                        ) : allCommits.map(c => (
+                          <div key={c.hash} className={`opc-sdlc-sha-row${reached ? ' opc-sdlc-sha-row--reached' : ''}`} title={c.subject}>
+                            <code className="opc-sdlc-sha">{c.shortHash}</code>
+                            <span className="opc-sdlc-sha-msg">{c.subject}</span>
+                          </div>
+                        ))}
+                        {!reached && allCommits.length > 0 && (
+                          <div className="opc-sdlc-box-pending">Not yet promoted</div>
+                        )}
+                      </div>
+                    </div>
+                  </Fragment>
                 );
               })}
             </div>
-            {summary && (
-              <div className="opc-sdlc-furthest">
-                Furthest: <strong>{summary.label}</strong>
-              </div>
-            )}
           </div>
         );
       })()}

clarity.controlplane/src/pages/BuildMonitorPage.css

@@ -0,0 +1,229 @@
+/* ── Section headings ───────────────────────────────────────────────────────── */
+.bm-section-title {
+  font-size: 0.75rem;
+  font-weight: 600;
+  color: #5f6b7c;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  margin-bottom: 0.75rem;
+}
+
+/* ── Pipeline card grid ─────────────────────────────────────────────────────── */
+.bm-pipeline-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(230px, 1fr));
+  gap: 1rem;
+  margin-bottom: 2rem;
+}
+
+.bm-pipeline-card {
+  background: #fff;
+  border: 1px solid #e5e8eb;
+  border-radius: 10px;
+  padding: 0.9rem 1rem;
+  box-shadow: 0 1px 3px rgba(0, 0, 0, 0.04);
+  display: flex;
+  flex-direction: column;
+  gap: 0.7rem;
+  transition: box-shadow 0.15s, border-color 0.15s;
+}
+
+.bm-pipeline-card:hover {
+  box-shadow: 0 4px 14px rgba(0, 0, 0, 0.08);
+  border-color: #c5cbd3;
+}
+
+.bm-pipeline-card-top {
+  display: flex;
+  align-items: flex-start;
+  gap: 0.55rem;
+}
+
+.bm-pipeline-dot {
+  width: 9px;
+  height: 9px;
+  border-radius: 50%;
+  flex-shrink: 0;
+  margin-top: 4px;
+}
+
+.bm-pipeline-info {
+  flex: 1;
+  min-width: 0;
+}
+
+.bm-pipeline-name {
+  font-weight: 600;
+  font-size: 0.875rem;
+  color: #1c2127;
+  display: block;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.bm-pipeline-sub {
+  font-family: 'Cascadia Code', 'Consolas', monospace;
+  font-size: 0.62rem;
+  color: #8f99a8;
+  display: block;
+  margin-top: 2px;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.bm-pipeline-card-actions {
+  display: flex;
+  align-items: center;
+  gap: 4px;
+  flex-shrink: 0;
+}
+
+/* ── Spark bar ──────────────────────────────────────────────────────────────── */
+.bm-pipeline-card-bottom {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.5rem;
+  min-height: 30px;
+}
+
+.bm-spark { display: block; flex-shrink: 0; }
+
+.bm-spark-empty {
+  font-size: 0.7rem;
+  color: #c5cbd3;
+  font-style: italic;
+}
+
+.bm-pipeline-status-text {
+  font-size: 0.7rem;
+  color: #8f99a8;
+  text-align: right;
+  white-space: nowrap;
+}
+
+/* ── Card log area ──────────────────────────────────────────────────────────── */
+.bm-pipeline-log-toggle {
+  border-top: 1px solid #f0f2f5;
+  padding-top: 0.4rem;
+  margin-top: -0.1rem;
+}
+
+/* ── Log viewer ─────────────────────────────────────────────────────────────── */
+.bm-log-viewer {
+  font-family: 'Cascadia Code', 'Consolas', monospace;
+  font-size: 0.68rem;
+  background: #0d1117;
+  color: #c9d1d9;
+  padding: 0.5rem 0.75rem;
+  max-height: 220px;
+  overflow-y: auto;
+  white-space: pre-wrap;
+  word-break: break-all;
+  border-radius: 6px;
+  line-height: 1.55;
+}
+
+/* ── Runs list ──────────────────────────────────────────────────────────────── */
+.bm-runs-list {
+  background: #fff;
+  border: 1px solid #e5e8eb;
+  border-radius: 10px;
+  overflow: hidden;
+}
+
+.bm-run-row {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  padding: 0.55rem 1rem;
+  border-bottom: 1px solid #f0f2f5;
+  font-size: 0.825rem;
+  cursor: default;
+}
+
+.bm-run-row:last-of-type {
+  border-bottom: none;
+}
+
+.bm-run-row:hover {
+  background: #f8f9fb;
+}
+
+.bm-run-dot {
+  width: 8px;
+  height: 8px;
+  border-radius: 50%;
+  flex-shrink: 0;
+}
+
+.bm-run-main {
+  flex: 1;
+  min-width: 0;
+  display: flex;
+  align-items: center;
+  gap: 0.45rem;
+}
+
+.bm-run-name {
+  font-weight: 600;
+  color: #1c2127;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  max-width: 220px;
+}
+
+.bm-run-sha {
+  font-family: 'Cascadia Code', 'Consolas', monospace;
+  font-size: 0.7rem;
+  color: #215db0;
+  background: #e8f0fc;
+  padding: 1px 6px;
+  border-radius: 4px;
+  text-decoration: none;
+  white-space: nowrap;
+  flex-shrink: 0;
+}
+
+.bm-run-sha:hover { text-decoration: underline; }
+
+.bm-run-trigger {
+  font-size: 0.7rem;
+  color: #8f99a8;
+  background: #f0f2f5;
+  padding: 1px 6px;
+  border-radius: 4px;
+  white-space: nowrap;
+  flex-shrink: 0;
+}
+
+.bm-run-time {
+  color: #8f99a8;
+  font-size: 0.78rem;
+  white-space: nowrap;
+  min-width: 68px;
+  text-align: right;
+  flex-shrink: 0;
+}
+
+.bm-run-dur {
+  color: #8f99a8;
+  font-size: 0.78rem;
+  white-space: nowrap;
+  min-width: 46px;
+  text-align: right;
+  flex-shrink: 0;
+}
+
+.bm-run-log-panel {
+  padding: 0 0 0;
+  background: #0d1117;
+}
+
+.bm-run-log-panel .bm-log-viewer {
+  border-radius: 0;
+  max-height: 260px;
+}

clarity.controlplane/src/pages/BuildMonitorPage.tsx

@@ -1,13 +1,19 @@
-import { useEffect, useRef, useState } from 'react';
+import { useEffect, useRef, useState } from 'react';
 import {
-  Button, Callout, Intent, Tag, Spinner, NonIdealState,
-  Collapse, HTMLTable,
+  Button, Callout, Collapse, Intent, NonIdealState, Spinner, Tag,
 } from '@blueprintjs/core';
 import { getProjects, getBuildHistory, type ProjectDefinition, type BuildRecord } from '../api/buildApi';
-import { getGitLog, type GitCommit } from '../api/gitApi';
+import './BuildMonitorPage.css';
 
 const BASE_URL = import.meta.env.VITE_API_URL ?? '';
 
+const KIND_LABEL: Record<string, string> = {
+  DotnetProject: '.NET',
+  NpmProject:    'npm',
+  DockerImage:   'Docker',
+  SolutionBuild: 'CI',
+};
+
 const KIND_INTENT: Record<string, Intent> = {
   DotnetProject:  Intent.PRIMARY,
   NpmProject:     Intent.WARNING,
@@ -15,223 +21,184 @@ const KIND_INTENT: Record<string, Intent> = {
   SolutionBuild:  Intent.SUCCESS,
 };
 
-const STATUS_INTENT: Record<string, Intent> = {
-  Succeeded: Intent.SUCCESS,
-  Failed:    Intent.DANGER,
-  Running:   Intent.PRIMARY,
+const STATUS_COLOR: Record<string, string> = {
+  Succeeded: '#2d9e2d',
+  Failed:    '#c23030',
+  Running:   '#3d8bd4',
 };
 
-// ── Git history panel ─────────────────────────────────────────────────────────
-
-function GitHistoryPanel({ relativePath }: { relativePath: string }) {
-  const [commits,  setCommits]  = useState<GitCommit[]>([]);
-  const [loading,  setLoading]  = useState(false);
-  const [open,     setOpen]     = useState(false);
-  const [fetched,  setFetched]  = useState(false);
-  const [error,    setError]    = useState<string | null>(null);
-
-  const toggle = async () => {
-    if (!open && !fetched) {
-      setLoading(true);
-      setError(null);
-      try {
-        const data = await getGitLog(relativePath, 10);
-        setCommits(data);
-        setFetched(true);
-      } catch (e) {
-        setError(e instanceof Error ? e.message : 'Failed to load git history');
-      } finally {
-        setLoading(false);
+function timeAgo(dateStr: string): string {
+  const s = Math.floor((Date.now() - new Date(dateStr).getTime()) / 1000);
+  if (s < 60)  return `${s}s ago`;
+  const m = Math.floor(s / 60);
+  if (m < 60)  return `${m}m ago`;
+  const h = Math.floor(m / 60);
+  if (h < 24)  return `${h}h ago`;
+  return `${Math.floor(h / 24)}d ago`;
 }
-    }
-    setOpen((o) => !o);
-  };
 
+// SparkBar ------------------------------------------------------------------
+
+function SparkBar({ builds }: { builds: BuildRecord[] }) {
+  const bars = [...builds]
+    .sort((a, b) => new Date(a.startedAt).getTime() - new Date(b.startedAt).getTime())
+    .slice(-20);
+
+  if (bars.length === 0) return <span className="bm-spark-empty">no history</span>;
+
+  const W = 5, GAP = 2, H = 28;
   return (
-    <div style={{ marginTop: '0.5rem' }}>
-      <Button
-        minimal small
-        icon="git-branch"
-        text={open ? 'Hide history' : 'Git history'}
-        onClick={toggle}
-        loading={loading}
-      />
-
-      <Collapse isOpen={open && !loading}>
-        {error && <Callout intent={Intent.DANGER} compact style={{ marginTop: '0.25rem' }}>{error}</Callout>}
-        {commits.length === 0 && !error && (
-          <p style={{ fontSize: '0.75rem', color: '#8f99a8', marginTop: '0.5rem' }}>No commits found for this path.</p>
-        )}
-        {commits.length > 0 && (
-          <HTMLTable className="bp6-html-table-condensed bp6-html-table-striped" style={{ width: '100%', marginTop: '0.5rem', fontSize: '0.72rem' }}>
-            <thead>
-              <tr>
-                <th style={{ width: 60 }}>Commit</th>
-                <th>Message</th>
-                <th>Author</th>
-                <th style={{ width: 140 }}>Date</th>
-                <th style={{ width: 40, textAlign: 'right' }}>Files</th>
-              </tr>
-            </thead>
-            <tbody>
-              {commits.map((c) => (
-                <tr key={c.hash}>
-                  <td>
-                    <code style={{ fontSize: '0.7rem', color: '#4a90d9' }}>{c.shortHash}</code>
-                  </td>
-                  <td style={{ maxWidth: 320, overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' }}>
-                    {c.subject}
-                  </td>
-                  <td style={{ color: '#738091' }}>{c.author}</td>
-                  <td style={{ color: '#738091' }}>
-                    {new Date(c.date).toLocaleString(undefined, { dateStyle: 'short', timeStyle: 'short' })}
-                  </td>
-                  <td style={{ textAlign: 'right', color: '#8f99a8' }}>
-                    <span title={c.files.join('\n')}>{c.files.length}</span>
-                  </td>
-                </tr>
+    <svg width={bars.length * (W + GAP) - GAP} height={H} className="bm-spark">
+      {bars.map((b, i) => (
+        <rect key={b.id} x={i * (W + GAP)} y={0} width={W} height={H} rx={1}
+          fill={STATUS_COLOR[b.status] ?? '#c5cbd3'} />
       ))}
-            </tbody>
-          </HTMLTable>
-        )}
-      </Collapse>
+    </svg>
+  );
+}
+
+// LogViewer -----------------------------------------------------------------
+
+function LogViewer({ lines }: { lines: string[] }) {
+  const ref = useRef<HTMLDivElement>(null);
+  useEffect(() => { if (ref.current) ref.current.scrollTop = ref.current.scrollHeight; }, [lines]);
+  return (
+    <div ref={ref} className="bm-log-viewer">
+      {lines.map((l, i) => <div key={i}>{l}</div>)}
     </div>
   );
 }
 
-// ── Per-project card ──────────────────────────────────────────────────────────
+// PipelineCard --------------------------------------------------------------
 
-function ProjectCard({
-  project,
-  lastBuild,
-  onBuilt,
-}: {
-  project:   ProjectDefinition;
-  lastBuild: BuildRecord | undefined;
-  onBuilt:   () => void;
-}) {
-  const [building, setBuilding] = useState(false);
-  const [logs,     setLogs]     = useState<string[]>([]);
-  const [open,     setOpen]     = useState(false);
-  const [error,    setError]    = useState<string | null>(null);
-  const logRef                  = useRef<HTMLDivElement>(null);
-
-  useEffect(() => {
-    if (logRef.current) logRef.current.scrollTop = logRef.current.scrollHeight;
-  }, [logs]);
-
-  const handleBuild = async () => {
-    setBuilding(true);
-    setOpen(true);
-    setLogs([]);
-    setError(null);
-
-    try {
-      const res = await fetch(
-        `${BASE_URL}/api/builds/${encodeURIComponent(project.name)}`,
-        { method: 'POST' }
-      );
-      if (!res.ok || !res.body) throw new Error(res.statusText);
-
-      const reader  = res.body.getReader();
-      const decoder = new TextDecoder();
-      let   buffer  = '';
-
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const parts = buffer.split('\n\n');
-        buffer = parts.pop() ?? '';
-        for (const chunk of parts) {
-          const dataLine = chunk.replace(/^data:\s*/m, '').trim();
-          if (!dataLine) continue;
-          try {
-            const msg = JSON.parse(dataLine);
-            if (msg.done) onBuilt();
-            else if (typeof msg.line === 'string')
-              setLogs((p) => [...p.slice(-1000), msg.line]);
-          } catch { /* ignore */ }
+interface PipelineCardProps {
+  name:        string;
+  kind:        string;
+  subtitle?:   string;
+  builds:      BuildRecord[];
+  onBuild?:    () => void;
+  building?:   boolean;
+  buildLogs?:  string[];
+  buildError?: string | null;
 }
-      }
-    } catch (e) {
-      setError(e instanceof Error ? e.message : 'Unknown error');
-    } finally {
-      setBuilding(false);
-    }
-  };
 
-  const statusIntent = lastBuild ? STATUS_INTENT[lastBuild.status] : Intent.NONE;
-  const statusLabel  = lastBuild?.status ?? 'Never built';
-  const lastRun      = lastBuild ? new Date(lastBuild.startedAt).toLocaleString() : '—';
-  const duration     = lastBuild?.durationMs != null
-    ? `${(lastBuild.durationMs / 1000).toFixed(1)}s` : null;
+function PipelineCard({ name, kind, subtitle, builds, onBuild, building, buildLogs, buildError }: PipelineCardProps) {
+  const [logsOpen, setLogsOpen] = useState(false);
+
+  const latest   = [...builds].sort((a, b) => new Date(b.startedAt).getTime() - new Date(a.startedAt).getTime())[0];
+  const dotColor = building
+    ? STATUS_COLOR.Running
+    : latest ? (STATUS_COLOR[latest.status] ?? '#c5cbd3') : '#c5cbd3';
+
+  useEffect(() => { if (building) setLogsOpen(true); }, [building]);
+
+  const statusText = building
+    ? 'Building...'
+    : latest ? `${latest.status} · ${timeAgo(latest.startedAt)}`
+    : 'Never built';
 
   return (
-    <div className="job-card">
-      <div className="job-card-header">
-        <div>
-          <strong>{project.name}</strong>
-          <span className="job-card-subdomain" style={{ fontFamily: 'monospace', fontSize: '0.72rem' }}>
-            {project.relativePath}
-          </span>
+    <div className="bm-pipeline-card">
+      <div className="bm-pipeline-card-top">
+        <div className="bm-pipeline-dot" style={{ background: dotColor }} />
+        <div className="bm-pipeline-info">
+          <span className="bm-pipeline-name">{name}</span>
+          {subtitle && <code className="bm-pipeline-sub">{subtitle}</code>}
         </div>
-        <div style={{ display: 'flex', gap: '0.4rem', alignItems: 'center' }}>
-          <Tag intent={KIND_INTENT[project.kind] ?? Intent.NONE} minimal round>{project.kind}</Tag>
-          <Tag intent={statusIntent} round>{statusLabel}</Tag>
-          {duration && <Tag minimal round>{duration}</Tag>}
+        <div className="bm-pipeline-card-actions">
+          <Tag minimal round intent={KIND_INTENT[kind] ?? Intent.NONE} style={{ fontSize: '0.65rem' }}>
+            {KIND_LABEL[kind] ?? kind}
+          </Tag>
+          {onBuild && (
+            <Button icon="play" small minimal intent={Intent.PRIMARY} loading={building} onClick={onBuild} />
+          )}
         </div>
       </div>
 
-      <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center', padding: '0.5rem 0 0.25rem' }}>
-        <Button
-          icon="play"
-          small
-          intent={Intent.PRIMARY}
-          loading={building}
-          onClick={handleBuild}
-          text="Build"
-        />
-        <span style={{ fontSize: '0.75rem', color: '#999' }}>Last run: {lastRun}</span>
-        {logs.length > 0 && (
+      <div className="bm-pipeline-card-bottom">
+        <SparkBar builds={builds} />
+        <span className="bm-pipeline-status-text">{statusText}</span>
+      </div>
+
+      {buildLogs && buildLogs.length > 0 && (
+        <>
+          <div className="bm-pipeline-log-toggle">
             <Button minimal small
-            icon={open ? 'chevron-up' : 'chevron-down'}
-            onClick={() => setOpen((o) => !o)}
-            text={open ? 'Hide log' : 'Show log'}
-          />
-        )}
-      </div>
-
-      {error && <Callout intent={Intent.DANGER} compact style={{ marginTop: '0.25rem' }}>{error}</Callout>}
-
-      {open && logs.length > 0 && (
-        <div
-          ref={logRef}
-          style={{
-            fontFamily: 'monospace', fontSize: '0.7rem',
-            background: '#111', color: '#d4d4d4',
-            padding: '0.5rem 0.75rem', borderRadius: 4,
-            height: 200, overflowY: 'auto',
-            whiteSpace: 'pre-wrap', wordBreak: 'break-all',
-            marginTop: '0.5rem',
-          }}
-        >
-          {logs.map((l, i) => <div key={i}>{l}</div>)}
+              icon={logsOpen ? 'chevron-up' : 'chevron-down'}
+              text={logsOpen ? 'Hide log' : 'Show log'}
+              onClick={() => setLogsOpen((o) => !o)} />
           </div>
+          <Collapse isOpen={logsOpen} keepChildrenMounted>
+            <LogViewer lines={buildLogs} />
+          </Collapse>
+        </>
       )}
 
-      <GitHistoryPanel relativePath={project.relativePath} />
+      {buildError && (
+        <Callout intent={Intent.DANGER} compact style={{ marginTop: '0.4rem' }}>{buildError}</Callout>
+      )}
     </div>
   );
 }
 
-// ── Page ──────────────────────────────────────────────────────────────────────
+// RunRow --------------------------------------------------------------------
+
+function RunRow({ build, giteaBase }: { build: BuildRecord; giteaBase: string }) {
+  const [open, setOpen] = useState(false);
+
+  const repo      = build.target.replace(/\.slnx?$/, '');
+  const shortSha  = build.commitSha?.slice(0, 7);
+  const shaUrl    = build.commitSha && build.kind === 'SolutionBuild'
+    ? `${giteaBase}/ClarityStack/${repo === 'ControlPlane' ? 'OPC' : repo}/commit/${build.commitSha}`
+    : null;
+  const duration  = build.durationMs != null ? `${(build.durationMs / 1000).toFixed(1)}s` : '-';
+  const dotColor  = STATUS_COLOR[build.status] ?? '#c5cbd3';
+  const dispName  = build.kind === 'SolutionBuild' ? repo : (build.target.split('/').pop() ?? build.target);
+
+  return (
+    <>
+      <div className="bm-run-row">
+        <span className="bm-run-dot" style={{ background: dotColor }} />
+        <div className="bm-run-main">
+          <span className="bm-run-name">{dispName}</span>
+          {shortSha && shaUrl
+            ? <a href={shaUrl} target="_blank" rel="noopener noreferrer" className="bm-run-sha">{shortSha}</a>
+            : <span className="bm-run-trigger">manual</span>}
+        </div>
+        <Tag minimal round intent={KIND_INTENT[build.kind] ?? Intent.NONE} style={{ fontSize: '0.65rem' }}>
+          {KIND_LABEL[build.kind] ?? build.kind}
+        </Tag>
+        <span className="bm-run-time">{timeAgo(build.startedAt)}</span>
+        <span className="bm-run-dur">{duration}</span>
+        {build.log.length > 0
+          ? <Button minimal small icon={open ? 'chevron-up' : 'chevron-down'} onClick={() => setOpen((o) => !o)} />
+          : <span style={{ width: 24, flexShrink: 0 }} />}
+      </div>
+      <Collapse isOpen={open} keepChildrenMounted>
+        <div className="bm-run-log-panel">
+          <LogViewer lines={build.log} />
+        </div>
+      </Collapse>
+    </>
+  );
+}
+
+// Page ----------------------------------------------------------------------
+
+interface ProjectBuildState {
+  building: boolean;
+  logs:     string[];
+  error:    string | null;
+}
 
 export default function BuildMonitorPage() {
   const [projects,    setProjects]    = useState<ProjectDefinition[]>([]);
   const [history,     setHistory]     = useState<BuildRecord[]>([]);
   const [loading,     setLoading]     = useState(true);
   const [error,       setError]       = useState<string | null>(null);
+  const [buildStates, setBuildStates] = useState<Record<string, ProjectBuildState>>({});
+
+  const giteaBase = (import.meta.env.VITE_GITEA_URL as string | undefined) ?? 'https://opc.clarity.test';
 
   const load = async () => {
     setLoading(true);
@@ -247,55 +214,109 @@ export default function BuildMonitorPage() {
     }
   };
 
-  useEffect(() => { (async () => { await load(); })(); }, []);
+  useEffect(() => { load(); }, []);
 
-  // Find latest build per project — match exactly by relativePath (= build target)
-  const lastBuildFor = (project: ProjectDefinition): BuildRecord | undefined =>
-    history.find((b) => b.target === project.relativePath);
+  const makeBuildHandler = (project: ProjectDefinition) => async () => {
+    setBuildStates((s) => ({ ...s, [project.name]: { building: true, logs: [], error: null } }));
+    try {
+      const res = await fetch(`${BASE_URL}/api/builds/${encodeURIComponent(project.name)}`, { method: 'POST' });
+      if (!res.ok || !res.body) throw new Error(res.statusText);
+      const reader  = res.body.getReader();
+      const decoder = new TextDecoder();
+      let   buffer  = '';
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        buffer += decoder.decode(value, { stream: true });
+        const parts = buffer.split('\n\n');
+        buffer = parts.pop() ?? '';
+        for (const chunk of parts) {
+          const dataLine = chunk.replace(/^data:\s*/m, '').trim();
+          if (!dataLine) continue;
+          try {
+            const msg = JSON.parse(dataLine);
+            if (msg.done) load();
+            else if (typeof msg.line === 'string')
+              setBuildStates((s) => ({
+                ...s,
+                [project.name]: { ...s[project.name], logs: [...(s[project.name]?.logs ?? []).slice(-1000), msg.line] },
+              }));
+          } catch { /* ignore */ }
+        }
+      }
+    } catch (e) {
+      const err = e instanceof Error ? e.message : 'Unknown error';
+      setBuildStates((s) => ({ ...s, [project.name]: { ...s[project.name], error: err } }));
+    } finally {
+      setBuildStates((s) => ({ ...s, [project.name]: { ...s[project.name], building: false } }));
+    }
+  };
+
+  const ciTargets  = [...new Set(history.filter((b) => b.kind === 'SolutionBuild').map((b) => b.target))];
+  const recentRuns = [...history]
+    .sort((a, b) => new Date(b.startedAt).getTime() - new Date(a.startedAt).getTime())
+    .slice(0, 50);
 
   return (
     <>
       <div className="page-header">
         <div>
           <h1>Build Monitor</h1>
-          <p>Trigger and track builds for every project in the solution.</p>
+          <p>CI gate builds and manual per-project builds</p>
         </div>
-        <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center' }}>
         <Button icon="refresh" minimal onClick={load} loading={loading} title="Refresh" />
-          <Button
-            icon="play"
-            text="Build All"
-            intent={Intent.WARNING}
-            disabled={loading || projects.length === 0}
-            onClick={async () => {
-              for (const p of projects) {
-                await fetch(`${BASE_URL}/api/builds/${encodeURIComponent(p.name)}`, { method: 'POST' });
-              }
-              load();
-            }}
-          />
-        </div>
       </div>
 
       {error && (
-        <Callout intent={Intent.DANGER} title="Failed to load projects" style={{ marginBottom: '1rem' }}>
-          {error}
-        </Callout>
+        <Callout intent={Intent.DANGER} title="Failed to load" style={{ marginBottom: '1rem' }}>{error}</Callout>
       )}
 
-      {loading && <NonIdealState icon={<Spinner />} title="Loading projects..." />}
+      {loading && <NonIdealState icon={<Spinner />} title="Loading..." />}
 
       {!loading && !error && (
-        <div className="job-list">
-          {projects.map((p) => (
-            <ProjectCard
-              key={p.name}
-              project={p}
-              lastBuild={lastBuildFor(p)}
-              onBuilt={load}
-            />
+        <>
+          <p className="bm-section-title">Pipelines</p>
+          <div className="bm-pipeline-grid">
+            {ciTargets.map((target) => {
+              const repo = target.replace(/\.slnx?$/, '');
+              return (
+                <PipelineCard key={target}
+                  name={repo}
+                  kind="SolutionBuild"
+                  subtitle={target}
+                  builds={history.filter((b) => b.target === target)} />
+              );
+            })}
+            {projects.map((p) => {
+              const bs = buildStates[p.name];
+              return (
+                <PipelineCard key={p.name}
+                  name={p.name}
+                  kind={p.kind}
+                  subtitle={p.relativePath}
+                  builds={history.filter((b) => b.target === p.relativePath)}
+                  onBuild={makeBuildHandler(p)}
+                  building={bs?.building}
+                  buildLogs={bs?.logs}
+                  buildError={bs?.error} />
+              );
+            })}
+            {ciTargets.length === 0 && projects.length === 0 && (
+              <span style={{ color: '#8f99a8', fontSize: '0.875rem' }}>No pipelines configured.</span>
+            )}
+          </div>
+
+          {recentRuns.length > 0 && (
+            <>
+              <p className="bm-section-title" style={{ marginTop: '2rem' }}>Recent Runs</p>
+              <div className="bm-runs-list">
+                {recentRuns.map((b) => (
+                  <RunRow key={b.id} build={b} giteaBase={giteaBase} />
                 ))}
               </div>
+            </>
+          )}
+        </>
       )}
     </>
   );

clarity.controlplane/src/pages/ChangesetsPage.tsx

@@ -1,7 +1,8 @@
-import { useState, useEffect, useCallback } from 'react';
-import { Button, HTMLSelect, InputGroup, Intent, NonIdealState, Spinner, Tag, Tooltip } from '@blueprintjs/core';
+import { useState, useEffect, useCallback, useMemo } from 'react';
+import { Button, HTMLSelect, InputGroup, Intent, NonIdealState, Spinner, Tag, Tooltip, Tree } from '@blueprintjs/core';
+import type { TreeNodeInfo } from '@blueprintjs/core';
 import { GitCommitDrawer } from '../components/GitCommitDrawer';
-import { getChangesets } from '../api/opcApi';
+import { getChangesets, getBranches } from '../api/opcApi';
 import type { LinkedCommit } from '../api/opcApi';
 
 const PAGE_SIZE = 25;
@@ -19,6 +20,29 @@ const REPO_INTENT: Record<string, Intent> = {
   Gateway: Intent.SUCCESS,
 };
 
+const REPO_COLOR: Record<string, string> = {
+  Clarity: '#215db0',
+  OPC:     '#935610',
+  Gateway: '#1c6e42',
+};
+
+const SDLC_ORDER = ['develop', 'staging', 'uat', 'main'] as const;
+
+function getBranchLabel(branches: string[]): string | null {
+  if (branches.length === 0) return null;
+  const sdlc = branches.filter(b => (SDLC_ORDER as readonly string[]).includes(b));
+  if (sdlc.length === 0) return branches[0];
+  const highest = sdlc.reduce((a, b) =>
+    SDLC_ORDER.indexOf(b as typeof SDLC_ORDER[number]) > SDLC_ORDER.indexOf(a as typeof SDLC_ORDER[number]) ? b : a,
+  );
+  const idx = SDLC_ORDER.indexOf(highest as typeof SDLC_ORDER[number]);
+  if (idx > 0) {
+    const prev = SDLC_ORDER[idx - 1];
+    if (branches.includes(prev)) return `${prev} → ${highest}`;
+  }
+  return highest;
+}
+
 export default function ChangesetsPage() {
   const [commits,        setCommits]        = useState<LinkedCommit[]>([]);
   const [loading,        setLoading]        = useState(true);
@@ -29,13 +53,29 @@ export default function ChangesetsPage() {
   const [grepFilter,     setGrepFilter]     = useState('');
   const [grepInput,      setGrepInput]      = useState('');
   const [viewingHash,    setViewingHash]    = useState<string | null>(null);
+  const [branchMap,      setBranchMap]      = useState<Record<string, string[]>>({});
+  const [selectedBranch, setSelectedBranch] = useState<{ repoKey: string; branch: string } | null>(null);
+  const [expandedRepos,  setExpandedRepos]  = useState<Set<string>>(new Set());
 
-  const load = useCallback(async (p: number, repo: string, grep: string) => {
+  // Load branches for the tree once on mount
+  useEffect(() => {
+    getBranches('all')
+      .then(data => {
+        const map: Record<string, string[]> = {};
+        for (const b of data) {
+          if (!map[b.repoKey]) map[b.repoKey] = [];
+          map[b.repoKey].push(b.name);
+        }
+        setBranchMap(map);
+      })
+      .catch(() => { /* branch tree is non-critical */ });
+  }, []);
+
+  const load = useCallback(async (p: number, repo: string, grep: string, branch?: string) => {
     setLoading(true);
     setError(null);
     try {
-      // Fetch one extra to detect whether there's a next page
-      const rows = await getChangesets(p, PAGE_SIZE + 1, repo, grep || undefined);
+      const rows = await getChangesets(p, PAGE_SIZE + 1, repo, grep || undefined, branch);
       setHasMore(rows.length > PAGE_SIZE);
       setCommits(rows.slice(0, PAGE_SIZE));
     } catch (e) {
@@ -47,25 +87,77 @@ export default function ChangesetsPage() {
   }, []);
 
   useEffect(() => {
-    load(page, repoFilter, grepFilter);
-  }, [load, page, repoFilter, grepFilter]);
+    const effectiveRepo   = selectedBranch ? selectedBranch.repoKey : repoFilter;
+    const effectiveBranch = selectedBranch?.branch;
+    load(page, effectiveRepo, grepFilter, effectiveBranch);
+  }, [load, page, repoFilter, grepFilter, selectedBranch]);
 
-  const applySearch = () => {
-    setPage(1);
-    setGrepFilter(grepInput);
-  };
-
-  const clearSearch = () => {
-    setGrepInput('');
-    setGrepFilter('');
-    setPage(1);
-  };
+  const applySearch = () => { setPage(1); setGrepFilter(grepInput); };
+  const clearSearch = () => { setGrepInput(''); setGrepFilter(''); setPage(1); };
 
   const handleRepoChange = (repo: string) => {
     setPage(1);
+    setSelectedBranch(null);
     setRepoFilter(repo);
   };
 
+  const treeNodes = useMemo((): TreeNodeInfo[] => [
+    {
+      id:         'all',
+      label:      'All Branches',
+      icon:       'git-branch',
+      isSelected: selectedBranch === null,
+    },
+    ...Object.keys(branchMap).map(repoKey => ({
+      id:         `repo|${repoKey}`,
+      label:      <span style={{ color: REPO_COLOR[repoKey] ?? 'inherit', fontWeight: 500 }}>{repoKey}</span>,
+      icon:       (expandedRepos.has(repoKey) ? 'folder-open' : 'folder-close') as TreeNodeInfo['icon'],
+      isExpanded: expandedRepos.has(repoKey),
+      isSelected: false,
+      childNodes: branchMap[repoKey].map(name => ({
+        id:         `branch|${repoKey}|${name}`,
+        label:      name,
+        icon:       'git-commit' as TreeNodeInfo['icon'],
+        isSelected: selectedBranch?.repoKey === repoKey && selectedBranch?.branch === name,
+      })),
+    })),
+  ], [branchMap, expandedRepos, selectedBranch]);
+
+  const handleNodeClick = (node: TreeNodeInfo) => {
+    const id = String(node.id);
+    if (id === 'all') {
+      setPage(1);
+      setSelectedBranch(null);
+    } else if (id.startsWith('branch|')) {
+      const [, repoKey, ...rest] = id.split('|');
+      setPage(1);
+      setSelectedBranch({ repoKey, branch: rest.join('|') });
+    } else if (id.startsWith('repo|')) {
+      const repoKey = id.slice(5);
+      setExpandedRepos(s => {
+        const next = new Set(s);
+        next.has(repoKey) ? next.delete(repoKey) : next.add(repoKey);
+        return next;
+      });
+    }
+  };
+
+  const handleNodeExpand = (node: TreeNodeInfo) => {
+    const id = String(node.id);
+    if (id.startsWith('repo|')) setExpandedRepos(s => new Set([...s, id.slice(5)]));
+  };
+
+  const handleNodeCollapse = (node: TreeNodeInfo) => {
+    const id = String(node.id);
+    if (id.startsWith('repo|')) setExpandedRepos(s => { const n = new Set(s); n.delete(id.slice(5)); return n; });
+  };
+
+  const doRefresh = () => {
+    const effectiveRepo   = selectedBranch ? selectedBranch.repoKey : repoFilter;
+    const effectiveBranch = selectedBranch?.branch;
+    load(page, effectiveRepo, grepFilter, effectiveBranch);
+  };
+
   return (
     <div>
       <div className="page-header">
@@ -73,15 +165,29 @@ export default function ChangesetsPage() {
           <h1>Changesets</h1>
           <p>Chronological commit timeline across all three repos.</p>
         </div>
-        <Button icon="refresh" minimal onClick={() => load(page, repoFilter, grepFilter)} />
+        <Button icon="refresh" minimal onClick={doRefresh} />
       </div>
 
+      <div className="cs-page-with-tree">
+        {/* Branch tree */}
+        <div className="cs-branch-tree">
+          <Tree
+            contents={treeNodes}
+            onNodeClick={handleNodeClick}
+            onNodeExpand={handleNodeExpand}
+            onNodeCollapse={handleNodeCollapse}
+          />
+        </div>
+
+        {/* Main content */}
+        <div className="cs-content-area">
           {/* Filter bar */}
           <div className="opc-filter-bar">
             <HTMLSelect
               value={repoFilter}
               onChange={e => handleRepoChange(e.target.value)}
               options={REPO_OPTIONS}
+              disabled={!!selectedBranch}
             />
             <InputGroup
               leftIcon="search"
@@ -98,6 +204,16 @@ export default function ChangesetsPage() {
             {grepFilter && (
               <Button minimal small icon="cross" text="Clear" onClick={clearSearch} />
             )}
+            {selectedBranch && (
+              <Tag
+                minimal
+                intent={REPO_INTENT[selectedBranch.repoKey] ?? Intent.NONE}
+                icon="git-branch"
+                onRemove={() => { setPage(1); setSelectedBranch(null); }}
+              >
+                {selectedBranch.repoKey} / {selectedBranch.branch}
+              </Tag>
+            )}
             <span className="opc-count-badge">{loading ? '…' : `${commits.length} shown`}</span>
           </div>
 
@@ -106,13 +222,15 @@ export default function ChangesetsPage() {
             <NonIdealState icon={<Spinner />} title="Loading changesets…" />
           ) : error ? (
             <NonIdealState icon="warning-sign" title="Could not load commits"
-          description={error} intent={Intent.DANGER} />
+              description={error} />
           ) : commits.length === 0 ? (
             <NonIdealState icon="git-commit" title="No commits found"
               description="Try changing the repo filter or clearing the search." />
           ) : (
             <div className="cs-timeline">
-          {commits.map(c => (
+              {commits.map(c => {
+                const branchLabel = getBranchLabel(c.branches ?? []);
+                return (
                   <div
                     key={`${c.repoKey}-${c.hash}`}
                     className="cs-row"
@@ -140,10 +258,14 @@ export default function ChangesetsPage() {
                         {c.files.length > 0 && (
                           <span className="cs-file-count"> · {c.files.length} file{c.files.length !== 1 ? 's' : ''}</span>
                         )}
+                        {branchLabel && (
+                          <Tag minimal className="cs-branch-badge">{branchLabel}</Tag>
+                        )}
                       </div>
                     </div>
                   </div>
-          ))}
+                );
+              })}
             </div>
           )}
 
@@ -167,6 +289,8 @@ export default function ChangesetsPage() {
               />
             </div>
           )}
+        </div>
+      </div>
 
       <GitCommitDrawer hash={viewingHash} onClose={() => setViewingHash(null)} />
     </div>

clarity.controlplane/src/pages/DashboardPage.tsx

@@ -43,6 +43,15 @@ function TenantCard({ t }: { t: TenantRecord }) {
         <div style={{ display: 'flex', gap: '0.4rem', alignItems: 'center' }}>
           <Tag intent={ENV_INTENT[t.environment] ?? Intent.NONE} round minimal>{t.environment}</Tag>
           <Tag intent={t.status === 'Provisioned' ? Intent.SUCCESS : Intent.WARNING} round>{t.status}</Tag>
+          {t.containerImage && (() => {
+            const sha = t.containerImage.includes(':') ? t.containerImage.split(':').pop()! : t.containerImage;
+            return (
+              <Tag minimal round style={{ fontFamily: 'monospace', fontSize: '0.7rem', color: '#8f99a8' }}
+                title={t.containerImage}>
+                {sha.slice(0, 7)}
+              </Tag>
+            );
+          })()}
         </div>
       </div>
 

infra/docker-compose.yml

@@ -177,6 +177,7 @@ services:
       GITEA__server__SSH_DOMAIN: opc.clarity.test
       GITEA__server__SSH_PORT:   "2222"
       GITEA__service__DISABLE_REGISTRATION: "true"
+      GITEA__webhook__ALLOWED_HOST_LIST: "host.docker.internal,loopback,private"
     volumes:
       - clarity-gitea-data:/data
     depends_on:

scripts/create-external-volumes.ps1

@@ -0,0 +1,45 @@
+# OPC # 0004: One-time migration — make postgres-data and minio-data external volumes
+# Run this ONCE before doing `docker compose up -d` with the updated docker-compose.yml.
+# Safe to run while containers are stopped. Do NOT run while containers are running.
+#
+# Usage:
+#   cd OPC/scripts
+#   .\create-external-volumes.ps1
+
+$ErrorActionPreference = "Stop"
+
+function Migrate-Volume($composeName, $externalName) {
+    Write-Host "`nMigrating: $composeName -> $externalName" -ForegroundColor Cyan
+
+    $existing = docker volume ls --format "{{.Name}}" | Where-Object { $_ -eq $externalName }
+    if ($existing) {
+        Write-Host "  Volume '$externalName' already exists — skipping copy." -ForegroundColor Yellow
+        return
+    }
+
+    # Check source exists
+    $source = docker volume ls --format "{{.Name}}" | Where-Object { $_ -eq $composeName }
+    if (-not $source) {
+        Write-Host "  Source volume '$composeName' not found — creating empty external volume." -ForegroundColor Yellow
+        docker volume create $externalName | Out-Null
+        return
+    }
+
+    # Create external volume
+    docker volume create $externalName | Out-Null
+    Write-Host "  Created '$externalName'"
+
+    # Copy data using a temporary alpine container
+    docker run --rm `
+        -v "${composeName}:/from" `
+        -v "${externalName}:/to" `
+        alpine sh -c "cd /from && cp -a . /to"
+    Write-Host "  Data copied." -ForegroundColor Green
+}
+
+# The compose project name prefixes anonymous volumes as "clarity-platform_<name>"
+Migrate-Volume "clarity-platform_postgres-data" "postgres-data"
+Migrate-Volume "clarity-platform_minio-data"    "minio-data"
+
+Write-Host "`nDone. You can now run: docker compose up -d" -ForegroundColor Green
+Write-Host "The old 'clarity-platform_postgres-data' and 'clarity-platform_minio-data' volumes can be removed with 'docker volume rm' once you've verified everything is working."