Introduce FogPlatformSpecs, FogPlatformStatuses, FogPlatformReconcileTasks,
ServicePlatformReconcileTasks, and HubRouterConfigLocks with Sequelize
models, managers, deduplicated enqueue, and stale task reclaim.

Extract router/NATS lifecycle into FogPlatformService with full recompute
of service-derived TCP bridges. Add ServicePlatformService for hub
connector/listener, K8s Service lifecycle, ConfigMap lock, and fog fan-out.

Run fog and service reconcile claims in one worker with backoff and max
attempts. Add periodic drift sweep and delay reconcile-heavy jobs on boot
to reduce SQLite lock contention on single-controller deployments.

…PIs.

Enqueue fog and service reconcile tasks on create, update, and delete.
Add spec fallback for router/nats modes, platformStatus on fog GET, manual
reconcile endpoints, and agent warning gating during non-Ready phases.

Add platformStatus, provisioningStatus hub semantics, reconcile routes,
and architecture overview for the three-layer reconcile model.

…c_b lifecycle.

Enforce connection limits and fresh DB transactions on close, add HA AMQP fail-fast,
30s SIGTERM drain, stale session reconcile job, batched log session queries, and OTEL metrics.

Replace callback-based db.run/db.close with sqliteRun/sqliteClose and reliable rollback on failure.

… tests.

Cover same-replica pairing, mock AMQP cross-replica relay, RBAC and rate limits,
session quotas and timeouts, graceful drain, and a 500-pair load probe script.

Add architecture HA section, ws-sessions operations guide, and changelog entry for session hardening.

Scrub phase labels from Dockerfile, PKI guide, RBAC reference, rbac-audit script, and OIDC test README.