6 docs tagged with "credentials"

Automated connector pipeline — current-state audit + gap analysis

Current-state audit of sv0-platform's connector → ingest → chain-assemble → evaluate pipeline. Confirms Stream-1 Phases 1-3 already shipped (scheduler, atomic scope claim, execute_scan worker, connector-driver seam, sync→eval→evidence cascade). Identifies the single hard blocker (inert credential broker — `InProcessSubprocessDriver` constructed at `src/index.ts:98` with `env: undefined`) and ten secondary gaps. Drives the decision in ADR-027; lays out the seven-slice migration.

Connector Runtime Architecture

How connectors actually run inside the SecurityV0 platform — VM topology, credential delivery chain (1Password → Key Vault → Managed Identity → VM env → broker → subprocess), scheduler/driver path, tenant isolation invariants, and failure topology. Complements 05-connectors.md (interface contract) with the runtime/infra view.

Enterprise credential-exchange patterns for connectors

Survey of how enterprise security platforms (Wiz, Orca, Datadog) onboard customer cloud + SaaS environments without long-lived shared secrets, paired with foundational cloud-provider federation patterns (AWS cross-account + external-ID, AWS IAM Roles Anywhere, AWS OIDC, Azure multi-tenant app + admin consent, Azure WIF, GCP WIF, GitHub App). Drives a per-connector credential-strategy recommendation for SecurityV0.

Local Dev Credential Bootstrap

Inventory of every credential a Claude Code session in the SecurityV0 workspace touches in a day, with lifetimes, device-bound flags, a single daily morning-routine script, and an analysis of remote-from-iPhone options.

Recovery-credential patterns

Design patterns for recovery service principals — lessons from the 2026-05-13 cancelled sv0-azure-backup-owner SP. Reference for the NEXT time a recovery SP is genuinely warranted.