Phase 3D: Complete dashboard verification, CI operationalization, and testnet validation

## Summary

Completed end-to-end verification of local Grafana testnet stack with full dashboard
data availability, expanded validation automation, and documentation governance.

## Changes

### Dashboard Verification
- Verified all 3 dashboards (Operations, Tokenomics, LLM) show live data for 100% of queried targets
- Fixed backend metrics scraping by enabling local HTTP mode on compose-managed backend
- Resolved Prometheus DNS resolution for backend service alias
- Seeded TPM attestation latency metric through exporter event endpoint
- Updated operations_overview.json metric contract with warmup requirements

### Documentation & Governance
- Added docs/DOCUMENTATION_MAINTENANCE.md for governance policy
- Updated all README files and index docs with latest claim verification
- Created tests/docs/TEST_ENV_SETUP.md for local environment setup
- Updated CI_STATUS_AND_CLAIMS.md with validation workflow details
- Documented attestation warmup requirement for dashboard panels 64 and 68

### CI/CD Operationalization
- Added .github/workflows/full-validation-pr-gate.yml for pre-merge checks
- Added .github/workflows/full-validation-scheduled-deep.yml for 24h deep validation
- Added .github/workflows/docs-quality.yml for docs link and markdown validation
- Created tests/scripts/ci/check_validation_trends.py for SLO trend analysis
- Created tests/scripts/ci/write_validation_diff_summary.py for artifact summaries

### Validation Suite Expansion
- Added run_full_validation_suite.py with fast/deep profile support
- Added test_backend_live_e2e.py for live backend E2E validation
- Added test_browser_runtime_e2e.py with Playwright E2E browser runtime tests
- Added test_performance_regression_thresholds.py for latency SLO checks
- Added test_security_controls.py for auth/rate-limit/HTTPS enforcement
- Added test_security_fuzz_controls.py for fuzz/Byzantine validation
- Added test_soak_chaos_guard.py for soak and chaos scenario detection

### Backend & Security
- Updated sovereignmap_production_backend_v2.py with local verification overrides
- Updated secure_communication.py with enhanced trust verification paths
- Updated packages/training/api.py with improved error handling

### Frontend Performance
- Applied EMA smoothing to BrowserFLDemo.jsx polling loops
- Added render throttle (500ms cadence) for chart update efficiency
- Updated App.jsx with smoothing configuration for jitter reduction

### Local Testnet Infrastructure
- Updated docker-compose.full.yml with environment flags for local verification
  - SECURITY_ENFORCE_HTTPS toggle
  - SECURITY_ALLOW_LOCAL_HTTP toggle
  - ALLOW_INSECURE_DEV_ADMIN_TOKEN toggle
- Verified warm-up behavior: attestation events, FL training, policy updates, consensus
- Confirmed 0 active alerts after soak period with healthy latency metrics

### Dashboard Readability
- Updated grafana provisioning dashboards with human-friendly titles/descriptions
- Added tags for audience targeting (dev, ops, user)
- Verified all Prometheus target queries return live data

## Metrics & Validation

Live stack health (post-soak):
- Backend HTTP p95: ~62 ms (SLO: 100 ms)
- FL round p95: ~61 ms (SLO: 1000 ms)
- FL round rate: ~1.6 rounds/s (steady)
- Active alerts: 0
- TPM verification failures: 0
- Dashboard target coverage: 68/68 (ops), 32/32 (tokenomics), 19/19 (llm)
- Full validation suite: 9/9 checks passed

## Testing Done

- Live dashboard E2E verification against running Prometheus/Grafana
- Backend security controls validation
- Frontend unit tests
- Marketplace contract validation
- SDK package tests
- Dependency security audit
- 15-minute soak with alert monitoring
- Clean rescan after exporter reset (confirms alert accuracy)

Author: rwilliamspbg-ops

.github/workflows/docs-quality.yml

@@ -0,0 +1,65 @@
+name: Docs Quality
+
+on:
+  pull_request:
+    paths:
+      - "README.md"
+      - "docs/README.md"
+      - "Documentation/README.md"
+      - "docs/DOCUMENTATION_MAINTENANCE.md"
+      - "scripts/check_markdown_links_subset.py"
+      - ".github/workflows/docs-quality.yml"
+  push:
+    branches: [main]
+    paths:
+      - "README.md"
+      - "docs/README.md"
+      - "Documentation/README.md"
+      - "docs/DOCUMENTATION_MAINTENANCE.md"
+      - "scripts/check_markdown_links_subset.py"
+      - ".github/workflows/docs-quality.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  markdown-lint-and-links:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+        with:
+          node-version: "20"
+
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.12"
+
+      - name: Markdown lint (targeted files)
+        run: |
+          cat > /tmp/markdownlint-docs-quality.json <<'EOF'
+          {
+            "default": true,
+            "MD013": false
+          }
+          EOF
+          npx --yes markdownlint-cli2 \
+            --config /tmp/markdownlint-docs-quality.json \
+            README.md \
+            docs/README.md \
+            Documentation/README.md \
+            docs/DOCUMENTATION_MAINTENANCE.md
+
+      - name: Local markdown link check (targeted files)
+        run: |
+          python scripts/check_markdown_links_subset.py \
+            README.md \
+            docs/README.md \
+            Documentation/README.md \
+            docs/DOCUMENTATION_MAINTENANCE.md

.github/workflows/full-validation-pr-gate.yml

@@ -0,0 +1,53 @@
+name: Full Validation PR Gate
+
+on:
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  validation-gate:
+    name: Fast Validation Gate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.11'
+
+      - name: Set up Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Prepare test environment
+        run: npm run test:setup
+
+      - name: Run fast validation profile
+        run: npm run test:full:fast
+
+      - name: Enforce trend SLOs
+        env:
+          VALIDATION_MAX_DURATION_REGRESSION_PCT: '40'
+          VALIDATION_ENFORCE_CATEGORY_ZERO_FAIL: '1'
+        run: npm run test:trends
+
+      - name: Write diff summary
+        run: npm run test:summary:diff
+
+      - name: Upload full validation artifacts
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: full-validation-pr-${{ github.run_id }}
+          path: test-results/full-validation
+          if-no-files-found: warn
+          retention-days: 14

.github/workflows/full-validation-scheduled-deep.yml

@@ -0,0 +1,65 @@
+name: Full Validation Scheduled Deep
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+    - cron: '0 3 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  deep-validation:
+    name: Deep Validation and Soak
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.11'
+
+      - name: Set up Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Decide soak mode
+        run: |
+          if [[ "${{ github.event_name }}" == "schedule" && "${{ github.event.schedule }}" == "0 3 * * 0" ]]; then
+            echo "SOAK_CHAOS_ENABLED=1" >> "$GITHUB_ENV"
+          else
+            echo "SOAK_CHAOS_ENABLED=0" >> "$GITHUB_ENV"
+          fi
+
+      - name: Prepare test environment
+        run: npm run test:setup
+
+      - name: Run deep validation profile
+        env:
+          PLAYWRIGHT_E2E_ENABLED: '1'
+          SOAK_CHAOS_STRICT: '0'
+        run: npm run test:full:deep
+
+      - name: Enforce trend SLOs
+        env:
+          VALIDATION_MAX_DURATION_REGRESSION_PCT: '60'
+          VALIDATION_ENFORCE_CATEGORY_ZERO_FAIL: '1'
+        run: npm run test:trends
+
+      - name: Write diff summary
+        run: npm run test:summary:diff
+
+      - name: Upload deep validation artifacts
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: full-validation-deep-${{ github.run_id }}
+          path: test-results/full-validation
+          if-no-files-found: warn
+          retention-days: 30

CONTRIBUTING.md

@@ -25,6 +25,7 @@ Use the repository PR template at `.github/pull_request_template.md` when openin
 - [ ] CI workflows pass on your branch
 - [ ] Security checks pass (including CodeQL)
 - [ ] Documentation is updated for any behavior/config changes
+- [ ] Documentation sync completed when workflows, tests, or security defaults changed
 - [ ] No secrets or credentials are committed
 
 ## Documentation Sync Requirements
@@ -59,8 +60,8 @@ The repository includes a Git-based reward scoring system to rank contributions.
 
 - Run `make contributors-rankings`
 - Outputs:
-	- `test-results/contributor-rankings/CONTRIBUTOR_RANKINGS.md`
-	- `test-results/contributor-rankings/contributor_rankings.json`
+  - `test-results/contributor-rankings/CONTRIBUTOR_RANKINGS.md`
+  - `test-results/contributor-rankings/contributor_rankings.json`
 
 Current points formula:
 

Documentation/MASTER_DOCUMENTATION_INDEX.md

@@ -2,8 +2,18 @@
 
 This index catalogs all documentation-like files in the repository and groups them by category and location.
 
+Current-branch canonical references:
+
+- [Root README](../README.md)
+- [docs index](../docs/README.md)
+- [Documentation hub](README.md)
+- [Documentation maintenance runbook](../docs/DOCUMENTATION_MAINTENANCE.md)
+- [Test environment and validation profiles](../tests/docs/TEST_ENV_SETUP.md)
+- [Full Validation PR gate workflow](../.github/workflows/full-validation-pr-gate.yml)
+- [Full Validation scheduled deep workflow](../.github/workflows/full-validation-scheduled-deep.yml)
+
 - Total indexed files: 269
-- Indexed on: 2026-03-13 23:39 UTC
+- Indexed on: 2026-04-04 00:00 UTC
 
 ## Category Index
 

Documentation/README.md

@@ -20,9 +20,17 @@ This folder centralizes repository documentation discovery.
 - [Project/TEST_FILE_RELOCATION_ADDENDUM_2026-03-15.md](Project/TEST_FILE_RELOCATION_ADDENDUM_2026-03-15.md)
 - [Performance/TPM_ATTESTATION_BOTTLENECK_ANALYSIS_2026-03-24.md](Performance/TPM_ATTESTATION_BOTTLENECK_ANALYSIS_2026-03-24.md)
 - [Security/API_AUTH_TOKEN_ROTATION_RUNBOOK.md](Security/API_AUTH_TOKEN_ROTATION_RUNBOOK.md)
+- [Security/CI_STATUS_AND_CLAIMS.md](Security/CI_STATUS_AND_CLAIMS.md)
 - [Deployment/PARTICIPANT_JOIN_LOCAL.md](Deployment/PARTICIPANT_JOIN_LOCAL.md)
 - [Deployment/WINDOWS_CLIENT_EXE.md](Deployment/WINDOWS_CLIENT_EXE.md)
 
+## Current Validation and Documentation Controls
+
+- [../docs/DOCUMENTATION_MAINTENANCE.md](../docs/DOCUMENTATION_MAINTENANCE.md)
+- [../tests/docs/TEST_ENV_SETUP.md](../tests/docs/TEST_ENV_SETUP.md)
+- [../.github/workflows/full-validation-pr-gate.yml](../.github/workflows/full-validation-pr-gate.yml)
+- [../.github/workflows/full-validation-scheduled-deep.yml](../.github/workflows/full-validation-scheduled-deep.yml)
+
 ## Topic Folders
 
 - [Security](Security)

Documentation/Security/CI_STATUS_AND_CLAIMS.md

@@ -7,11 +7,11 @@ This document defines what can be claimed from automation results and what still
 Latest local command results on this branch:
 
 - `make lint` surfaced `golangci-lint` typecheck failures caused by missing modules:
-	- `github.com/tetratelabs/wazero`
-	- `github.com/tetratelabs/wazero/api`
+  - `github.com/tetratelabs/wazero`
+  - `github.com/tetratelabs/wazero/api`
 - `go test ./...` failed due to:
-	- Missing modules (`wazero`, `wazero/api`, `github.com/stretchr/testify/assert`)
-	- Test/API drift in `internal/batch`, `internal/island`, `internal/p2p`, and `internal/tpm`
+  - Missing modules (`wazero`, `wazero/api`, `github.com/stretchr/testify/assert`)
+  - Test/API drift in `internal/batch`, `internal/island`, `internal/p2p`, and `internal/tpm`
 
 Claim constraint from this snapshot:
 
@@ -21,6 +21,7 @@ Claim constraint from this snapshot:
 ## Workflow Badges (main branch)
 
 [![Build and Test](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/build.yml)
+[![Full Validation PR Gate](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/full-validation-pr-gate.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/full-validation-pr-gate.yml)
 [![CodeQL Security Analysis](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/codeql-analysis.yml)
 [![Lint Code Base](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/lint.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/lint.yml)
 [![SGP-001 Audit Sync](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/audit-check.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/audit-check.yml)
@@ -38,6 +39,7 @@ Claim constraint from this snapshot:
 
 - Code builds and workflow jobs complete for the tracked branch/commit.
 - Unit/integration suites wired into CI pass.
+- Full validation gate checks capability, security, and performance profiles for pull requests.
 - Static analysis/lint/security gates configured in workflows pass.
 - TPM emulation tests pass in CI via `swtpm`/`tpm2-tools`.
 - NPU fallback logic tests pass (selection/fallback behavior, not accelerator throughput).

Documentation/TESTING_INDEX.md

@@ -1,5 +1,16 @@
 # TESTING Documentation Index
 
+## Current Validation Entry Points
+
+- [Root test setup and profiles](../tests/docs/TEST_ENV_SETUP.md)
+- [Validation runner](../tests/scripts/python/run_full_validation_suite.py)
+- [Trend SLO checker](../tests/scripts/ci/check_validation_trends.py)
+- [Validation diff summary writer](../tests/scripts/ci/write_validation_diff_summary.py)
+- [PR gate workflow](../.github/workflows/full-validation-pr-gate.yml)
+- [Scheduled deep workflow](../.github/workflows/full-validation-scheduled-deep.yml)
+
+Note: this file is a broad catalog and includes historical testing documents. Use the links above for current branch validation behavior.
+
 ## Files
 
 - [Documentation/Deployment/GENESIS_LAUNCH_CHECKLIST.md](/Documentation/Deployment/GENESIS_LAUNCH_CHECKLIST.md)

README.md

@@ -30,6 +30,7 @@ Production-grade federated learning platform that combines Byzantine-resilient a
 [![FedAvg Benchmark Compare](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/fedavg-benchmark-compare.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/fedavg-benchmark-compare.yml)
 [![API Spec Validation](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/api-spec-validation.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/api-spec-validation.yml)
 [![API Docs Pages](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/api-docs-pages.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/api-docs-pages.yml)
+[![Full Validation PR Gate](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/full-validation-pr-gate.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/full-validation-pr-gate.yml)
 [![CodeQL Security Analysis](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/codeql-analysis.yml)
 [![Security Supply Chain](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/security-supply-chain.yml/badge.svg?branch=main)](https://github.com/rwilliamspbg-ops/Sovereign_Map_Federated_Learning/actions/workflows/security-supply-chain.yml)
 [![License](https://img.shields.io/github/license/rwilliamspbg-ops/Sovereign_Map_Federated_Learning?style=flat-square)](LICENSE)
@@ -42,6 +43,8 @@ Production-grade federated learning platform that combines Byzantine-resilient a
 
 Documentation entrypoint: [docs/README.md](docs/README.md)
 
+> Canonical docs navigation: [docs/README.md](docs/README.md) for active operator guides and [Documentation/MASTER_DOCUMENTATION_INDEX.md](Documentation/MASTER_DOCUMENTATION_INDEX.md) for full repository documentation indexing.
+
 ## New Contributor Fast Path
 
 If you just cloned the repo and want to run tests quickly, use this sequence.
@@ -77,6 +80,41 @@ Where to get contribution guidance:
 - Runtime validation expectations: [README.md#contributor-first-steps](README.md#contributor-first-steps)
 - Operations dashboard metric contract: [docs/OPERATIONS_DASHBOARD_METRIC_CONTRACT.md](docs/OPERATIONS_DASHBOARD_METRIC_CONTRACT.md)
 
+## Validation and CI Upgrades April 2026
+
+The consolidated validation path now supports profile-based execution, trend SLO enforcement, artifact diff summaries, browser runtime cadence checks, and scheduled deep validation runs.
+
+What was added:
+
+- Required-style PR gate workflow: [.github/workflows/full-validation-pr-gate.yml](.github/workflows/full-validation-pr-gate.yml)
+- Scheduled deep workflow: [.github/workflows/full-validation-scheduled-deep.yml](.github/workflows/full-validation-scheduled-deep.yml)
+- Fast and deep suite profiles: [tests/scripts/python/run_full_validation_suite.py](tests/scripts/python/run_full_validation_suite.py)
+- Trend SLO checker: [tests/scripts/ci/check_validation_trends.py](tests/scripts/ci/check_validation_trends.py)
+- CI diff summary writer: [tests/scripts/ci/write_validation_diff_summary.py](tests/scripts/ci/write_validation_diff_summary.py)
+- Browser runtime E2E cadence check: [tests/scripts/python/test_browser_runtime_e2e.py](tests/scripts/python/test_browser_runtime_e2e.py)
+- Playwright runtime artifacts: [tests/e2e/runtime-cadence.spec.js](tests/e2e/runtime-cadence.spec.js), [tests/e2e/playwright.config.js](tests/e2e/playwright.config.js)
+
+Canonical commands:
+
+```bash
+npm run test:setup
+npm run test:full:fast
+npm run test:full:deep
+npm run test:trends
+npm run test:summary:diff
+```
+
+Validation artifacts:
+
+- `test-results/full-validation/full_validation_<timestamp>.json`
+- `test-results/full-validation/full_validation_<timestamp>.md`
+- `test-results/full-validation/history.jsonl`
+
+Documentation governance:
+
+- Documentation maintenance runbook: [docs/DOCUMENTATION_MAINTENANCE.md](docs/DOCUMENTATION_MAINTENANCE.md)
+- Test setup details and profile usage: [tests/docs/TEST_ENV_SETUP.md](tests/docs/TEST_ENV_SETUP.md)
+
 ## Mobile Shield Update March 2026
 
 The mobile hardening and store packaging track is now implemented in-repo.

docker-compose.full.yml

@@ -64,6 +64,9 @@ services:
       - PUBLIC_AGGREGATOR_PORT=${PUBLIC_AGGREGATOR_PORT:-8080}
       - OPS_PRIVACY_EPSILON_TARGET=${OPS_PRIVACY_EPSILON_TARGET:-1.0}
       - GEMINI_API_KEY=${GEMINI_API_KEY:-}
+      - SECURITY_ENFORCE_HTTPS=${SECURITY_ENFORCE_HTTPS:-true}
+      - SECURITY_ALLOW_LOCAL_HTTP=${SECURITY_ALLOW_LOCAL_HTTP:-true}
+      - ALLOW_INSECURE_DEV_ADMIN_TOKEN=${ALLOW_INSECURE_DEV_ADMIN_TOKEN:-false}
     ports:
       - "${BACKEND_API_HOST_PORT:-8000}:8000"  # Flask metrics API
       - "${BACKEND_GRPC_HOST_PORT:-8080}:8080"  # Flower aggregator