feat(platform): live-wire AGB v2 + DSE v3 + Architektur-Tab (#29)

AGB v2 (decision_method routing, 71%FP->~0) + DSE v3 (4-layer, recovered from container) + Architektur-Tab into /sdk/agent live path. Incl CI robustness (detect-changes.sh + PR-head checkout) + security (hardcoded Qdrant key removed, gitleaks allowlist).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/cleanup-qdrant-duplicates.py

@@ -18,6 +18,7 @@ Run with --dry-run to preview deletions without executing.
 
 import argparse
 import json
+import os
 import sys
 import time
 import requests
@@ -33,7 +34,7 @@ TARGETS = {
     },
     "production": {
         "url": "https://qdrant-dev.breakpilot.ai",
-        "api_key": "z9cKbT74vl1aKPD1QGIlKWfET47VH93u",
+        "api_key": os.environ.get("QDRANT_API_KEY"),
     },
 }
 

scripts/detect-changes.sh

@@ -2,16 +2,23 @@
 # Emit per-service + aggregate change flags for the CI / build workflows.
 #
 # Reads:
-#   BASE_SHA — diff base. Empty / unreachable → emit everything as true.
+#   BASE_SHA — diff base. Empty / unreachable / diff-failure → emit everything as true.
 #   HEAD_SHA — diff target. Defaults to HEAD.
 #
 # Writes key=value lines to $GITHUB_OUTPUT (defaults to /dev/stdout for local runs).
 #
+# ROBUSTNESS CONTRACT: this script must ALWAYS emit a full set of outputs. A
+# missing/empty output makes the job's `outputs:` mapping evaluate to a Go format
+# error (`%!t(string=)`) which fails detect-changes AND every job that `needs` it
+# (cascade). So we do NOT use `set -e` (an aborting git/grep must not kill the
+# script before it emits), we treat any base/diff failure as "rebuild all", and an
+# EXIT trap emits rebuild-all + forces exit 0 if we ever exit early/unexpectedly.
+#
 # Keys emitted:
 #   admin, backend, sdk, portal, tts, crawler, dsms_gateway, dsms_node
 #   any_python, any_node, any
 
-set -euo pipefail
+set -uo pipefail
 
 BASE_SHA="${BASE_SHA:-}"
 HEAD_SHA="${HEAD_SHA:-HEAD}"
@@ -31,17 +38,27 @@ emit_all_true() {
   done
 }
 
+# Safety net: never let the job end with undefined outputs. If we exit before
+# DONE=1 (any error / early termination), emit rebuild-all and exit 0 so the
+# step still succeeds — rebuild-all is the safe over-approximation.
+DONE=0
+trap '[ "$DONE" = 1 ] || emit_all_true "safety-net (unexpected exit)"; exit 0' EXIT
+
 if [ -z "$BASE_SHA" ]; then
   emit_all_true "no BASE_SHA provided"
-  exit 0
+  DONE=1; exit 0
 fi
 
 if ! git rev-parse --verify "${BASE_SHA}^{commit}" >/dev/null 2>&1; then
   emit_all_true "BASE_SHA ${BASE_SHA} unreachable"
-  exit 0
+  DONE=1; exit 0
+fi
+
+if ! changed=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" 2>/dev/null); then
+  emit_all_true "git diff against ${BASE_SHA} failed"
+  DONE=1; exit 0
 fi
 
-changed=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" || true)
 echo "Changed files since ${BASE_SHA}:"
 echo "${changed:-(none)}"
 echo "---"
@@ -91,3 +108,5 @@ else
   emit any false
   echo "  any: false"
 fi
+
+DONE=1

scripts/migrate-qdrant.py

@@ -6,6 +6,7 @@ Uses persistent HTTP sessions and rate limiting for hosted Qdrant.
 """
 
 import json
+import os
 import sys
 import time
 import requests
@@ -13,7 +14,7 @@ from urllib.parse import urljoin
 
 SOURCE_URL = "http://macmini:6333"
 TARGET_URL = "https://qdrant-dev.breakpilot.ai"
-TARGET_API_KEY = "z9cKbT74vl1aKPD1QGIlKWfET47VH93u"
+TARGET_API_KEY = os.environ.get("QDRANT_API_KEY", "")
 BATCH_SIZE = 20
 RATE_LIMIT_DELAY = 0.3  # seconds between batches
 

scripts/qa/delete_gpsr_prod.py

@@ -1,8 +1,9 @@
 """Delete eu_2023_988 duplicate from production Qdrant."""
 import httpx
+import os
 
 PROD_URL = "https://qdrant-dev.breakpilot.ai"
-HEADERS = {"api-key": "z9cKbT74vl1aKPD1QGIlKWfET47VH93u"}
+HEADERS = {"api-key": os.environ.get("QDRANT_API_KEY", "")}
 
 # Delete
 resp = httpx.post(