refine stage-run identity and run lifecycle

WIP/README.md

@@ -0,0 +1,18 @@
+# Work-in-Progress Archive
+
+The `WIP/` directory quarantines legacy or experimental surfaces that are no longer part of the unified stage-run workflow but are retained for reference. The table below summarises what moved and the rationale.
+
+| New location | Previous path | Notes |
+| --- | --- | --- |
+| `WIP/code/backend_legacy/` | `backend/` | Historical Flask demo backend superseded by the canonical `core` + `apps` pipelines. |
+| `WIP/code/enterprise_legacy/` | `enterprise/` | Full enterprise stack (API, DB, UI) retained for documentation but replaced by the streamlined blended services. |
+| `WIP/code/fastapi_legacy/` | `fastapi/` | Early FastAPI experiments; keep isolated to avoid conflicting imports. |
+| `WIP/code/perf_experiments/` | `perf/` | Performance benchmarks and notes that are not part of supported runtime paths. |
+| `WIP/code/prototype_decision_api/` | `new_backend/` | Prototype decision API superseded by the new stage runner + ingest API flow. |
+| `WIP/code/prototypes/` | `prototypes/` | Miscellaneous proof-of-concept pipelines; archived until individually reviewed. |
+| `WIP/scripts/run_demo_steps_legacy.py` | `scripts/run_demo_steps.py` | Legacy multi-stage runner replaced by `python -m core.cli stage-run`. |
+| `WIP/ui/frontend_akido_public/` | `frontend-akido-public/` | Marketing UI build not aligned with the current CLI/API demo experience. |
+| `WIP/vendor/pydantic_stub/` | `pydantic/` | Local stub module for earlier experiments—kept out of import path. |
+| `WIP/vendor/torch_stub/` | `torch/` | Lightweight torch placeholder used only in archived notebooks. |
+
+By parking these assets under `WIP/`, we avoid accidental imports (enforced by `tests/test_no_wip_imports.py`) while keeping the material available for future reference or incremental migration work.

core/cli.py

@@ -7,6 +7,12 @@
 import os
 import sys
 from pathlib import Path
+
+ENTERPRISE_SRC = Path(__file__).resolve().parent.parent / "fixops-blended-enterprise"
+if ENTERPRISE_SRC.exists():
+    enterprise_path = str(ENTERPRISE_SRC)
+    if enterprise_path not in sys.path:
+        sys.path.insert(0, enterprise_path)
 from typing import Any, Dict, Iterable, Mapping, Optional, Sequence
 
 from apps.api.normalizers import InputNormalizer, NormalizedCVEFeed, NormalizedSARIF, NormalizedSBOM
@@ -17,6 +23,8 @@
 from core.storage import ArtefactArchive
 from core.probabilistic import ProbabilisticForecastEngine
 from core.stage_runner import StageRunner
+from src.services.run_registry import RunRegistry
+from src.services import id_allocator, signing
 
 
 def _apply_env_overrides(pairs: Iterable[str]) -> None:
@@ -167,32 +175,43 @@ def _handle_stage_run(args: argparse.Namespace) -> int:
         output_path = output_path.expanduser().resolve()
 
     if args.sign and not (os.environ.get("FIXOPS_SIGNING_KEY") and os.environ.get("FIXOPS_SIGNING_KID")):
-        print("Signing requested but FIXOPS_SIGNING_KEY/FIXOPS_SIGNING_KID not set; proceeding without signatures.")
+        print(
+            "Signing requested but FIXOPS_SIGNING_KEY/FIXOPS_SIGNING_KID not set; proceeding without signatures."
+        )
 
-    runner = StageRunner()
-    result = runner.run_stage(
+    registry = RunRegistry()
+    runner = StageRunner(registry, id_allocator, signing)
+    summary = runner.run_stage(
         args.stage,
         input_path,
         app_name=args.app,
-        app_id=args.app,
+        app_id=None,
         output_path=output_path,
         mode=args.mode,
         sign=args.sign,
         verify=args.verify,
         verbose=args.verbose,
     )
 
-    print(f"Stage '{result.stage}' materialised for app {result.app_id} run {result.run_id}.")
-    print(f"  Output file: {result.output_file}")
+    try:
+        output_relative = summary.output_file.relative_to(Path.cwd())
+    except ValueError:
+        output_relative = summary.output_file
+    print(f"✅ Stage {summary.stage} complete → wrote {output_relative}")
+    print(f"   app_id={summary.app_id} run_id={summary.run_id}")
     if output_path is not None:
-        print(f"  Copied output to: {output_path}")
-    print(f"  Run outputs directory: {result.outputs_dir}")
-    if result.signed:
-        print(f"  Signed manifests: {[path.name for path in result.signed]}")
-    if result.transparency_index:
-        print(f"  Transparency log: {result.transparency_index}")
-    if result.bundle:
-        print(f"  Evidence bundle: {result.bundle}")
+        print(f"   Copied output to: {output_path}")
+    if summary.signatures:
+        joined = ", ".join(path.name for path in summary.signatures)
+        print(f"   Signed manifests: {joined}")
+    if summary.transparency_index:
+        print(f"   Transparency index: {summary.transparency_index}")
+    if summary.verified is not None:
+        status = "passed" if summary.verified else "failed"
+        print(f"   Signature verification {status}")
+    if summary.bundle:
+        print(f"   Evidence bundle: {summary.bundle}")
+
     return 0