Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-baseline.yml:
- Around line 224-226: The workflow step named "Sync Python dependencies"
currently skips macOS x86_64 by using the if-condition; revert that skip so the
uv sync --project services/analysis-engine --group dev --frozen runs on macOS
x86_64 (remove or adjust the if guard) and instead address the PyTorch wheel
issue by adding a CI-friendly workaround: either pin a compatible PyTorch wheel
in the analysis-engine dependency config (pyproject/requirements) or add
commands in the workflow to install/build a macOS x86_64-compatible PyTorch
(e.g., install a compatible wheel or build from source) before running uv sync;
do not document this as a policy exception — keep the sync step enforced per the
cross-platform build policy.

In `@services/analysis-engine/src/bandscope_analysis/cli.py`:
- Around line 94-106: The stem separation block must be executed only after
request validation and only when the explicit opt-in flag is set; move the
librosa.load / AudioStemSeparator logic so it runs after your validator returns
success and behind a check for the CLI/handler flag (e.g. --separate-stems or a
boolean parameter separate_stems), and keep the existing try/except around the
heavy work (librosa.load, AudioStemSeparator(), separator.separate_audio) so
malformed payloads can't trigger file access or model inference before
validation; specifically, gate the use of audio_path, librosa.load,
AudioStemSeparator, and separator.separate_audio on validation success and
separate_stems == True.
- Around line 102-106: The stem-separation step currently swallows all
exceptions and never uses the produced stems (stems is only logged), so
separation can fail silently or be wasted on success; update the flow so that
AudioStemSeparator().separate_audio(...) returns are passed into the downstream
call (e.g., include stems in the payload or call run_analysis_job(request,
stems=stems)) when successful, and do not convert all errors to warnings — catch
only expected exceptions or log the full error and propagate/fail the job (raise
or return an error status) instead of continuing as success; update the
try/except around separate_audio to call run_analysis_job with the stems
variable on success and to surface failures (or use a controlled mock fallback
with an explicit flag) rather than a silent logging.warning.

In
`@services/analysis-engine/src/bandscope_analysis/separation/audio_separator.py`:
- Around line 38-46: 현재 _load_model 호출은
demucs.pretrained.get_model(self.model_name)를 직접 사용해 런타임에 원격 다운로드와 무결성 검증을
우회하므로, 로컬에 사전 프로비저닝된 weight와 체크섬을 우선 검증한 후 없으면 명시적으로 실패하도록 수정하세요: update
_load_model to first resolve a project-local artifact path for self.model_name
(or a configured model directory), verify the file exists and validate its
checksum/signature, only then load the model (and call .eval()); remove or gate
any fallback to demucs.pretrained.get_model that would perform a network fetch
so that cold-cache runs fail fast with a clear error rather than downloading
remotely.

In `@services/analysis-engine/tests/test_audio_separator.py`:
- Around line 42-64: The test currently only verifies apply_model was called but
not that it received the OOM-mitigation parameters; update the test in
test_audio_separator.py to assert apply_model was called with the expected
kwargs by inspecting mock_apply_model.call_args.kwargs after calling
separator.separate_audio (use the existing mock_apply_model and
separator.separate_audio/segment_seconds), and assert kwargs["split"] is True,
kwargs["segment"] == 2.0 (or segment_seconds), kwargs["overlap"] == 0.25,
kwargs["shifts"] == 1, and kwargs["progress"] is False; keep the existing checks
for call counts and returned stems.

In `@services/analysis-engine/tests/test_cli.py`:
- Around line 377-443: The test
test_cli_main_temporal_analyzer_and_separator_mock_success currently only checks
jobId and can pass without calling librosa.load or
AudioStemSeparator.separate_audio; update the test to assert those functions are
actually invoked with expected args: replace or wrap the current monkeypatch for
librosa.load and
bandscope_analysis.separation.audio_separator.AudioStemSeparator with
spies/mocks that record call counts and parameters, then after cli.main() assert
librosa.load was called with the expected path/sr/mono/duration and that
AudioStemSeparator.separate_audio was called with the expected audio,
sample_rate and segment_seconds; also add a complementary test (or extend this
one) exercising the --separate-stems gate to confirm separation is skipped when
the flag is absent and that separate_audio is not called.

In `@supply-chain/supplemental-component-inventory.json`:
- Around line 14-23: The htdemucs modelArtifacts entry is missing checksum
verification data; add a checksum field (and algorithm if your schema supports
it, e.g., checksumAlgorithm or checksumType) to the htdemucs object so releases
can validate cached weights; locate the "modelArtifacts" array and the entry
with "name": "htdemucs" (and "version": "demucs-v4.0", "sourceUrl": "...") and
include the checksum value and algorithm consistent with other artifacts in this
inventory.