feat(web): close sprint 006 onboarding ux

docs/UI_GUIDE.md

@@ -131,17 +131,63 @@ Some settings are controlled at the organization level:
 
 **Storage Key:** `stellaops.remediation-pr.preferences`
 
-### Review VEX Conflicts and Issuer Trust
-
-- Use **Advisories & VEX** to see which providers contributed statements, whether signatures verified, and where conflicts exist.
-- The Console should not silently hide conflicts; it should show what disagrees and why, and how policy resolved it.
-
-See `docs/VEX_CONSENSUS_GUIDE.md` for the underlying concepts.
-
-### Export and Verify Evidence Bundles
-
-- Exports are intended to be portable and verifiable (audits, incident response, air-gap review).
-- Expect deterministic ordering, UTC timestamps, and hash manifests.
+### Review VEX Conflicts and Issuer Trust
+
+- Use **Advisories & VEX** to see which providers contributed statements, whether signatures verified, and where conflicts exist.
+- The Console should not silently hide conflicts; it should show what disagrees and why, and how policy resolved it.
+
+See `docs/VEX_CONSENSUS_GUIDE.md` for the underlying concepts.
+
+### Bootstrap Integrations in the Recommended Order
+
+- Use **Setup > Integrations** as the first-stop onboarding page for new tenants.
+- The **Suggested Setup Order** card now shows the recommended sequence, a short "why this matters" explanation for each connector class, and a completion badge driven by the live connector counts.
+- The intended order is: **Registries -> Source Control -> CI/CD -> Advisory & VEX Sources -> Secrets**.
+- Treat the badges as an onboarding checklist: `Done` means Stella already has at least one connector in that category; `Not started` means the category still blocks part of the release-evidence flow.
+
+### Contextual Helper and Educational Empty States
+
+- The **Stella Helper** is no longer route-only on key onboarding surfaces. Dashboard, Approvals, Integrations, topology pages, Deployments, Supply-Chain Data, Unknowns, and Policy Audit now push live context such as `no-environments`, `approval-pending`, `critical-open`, `agents-none`, `no-sbom-components`, `no-audit-events`, `empty-table`, and `empty-list` so the helper can explain what the operator should do next.
+- Treat helper context wiring as a page-owned responsibility: each page should publish a scoped set of current states, and clear that scope automatically on destroy so stale tips do not leak across routes.
+- Empty states should teach, not just report absence. On queue, release, security, topology, and audit screens, prefer: what data is missing, why Stella needs it, and the next action to take.
+- The current baseline examples are the Releases catalog, the Audit & Compliance overview, and the shared topology inventory page. All three now explain what should eventually appear in the table, why the page matters, and where the operator should go next when it is empty.
+- Route pages should also render the shared **About this page** panel directly under the title area. The panel opens by default on a first visit, explains key concepts and common actions, and persists the user's collapsed state through `StellaPreferencesService`.
+
+### Sidebar Context
+
+- The sidebar now reuses the canonical navigation metadata as operator-facing context, instead of relying on unlabeled section names alone.
+- Section headers should include a short description of what belongs in that area of the product. Keep these explanations one sentence and action-oriented.
+- Top-level navigation items may render a short helper line under the label when the sidebar is expanded. Use the canonical item tooltip text first; only add local fallback copy when the route is not present in `navigation.config.ts`.
+- Badge chips should explain what they count. Current examples: Deployments combines failed runs and pending approvals, Releases counts blocked gates, and Vulnerabilities counts critical findings still awaiting triage.
+- On first-visit paths, highlight only the next recommended onboarding stop and auto-open its nav group. The current guided order is: **Diagnostics -> Integrations -> Scan Image -> Dashboard**.
+
+### Command Palette Help
+
+- The Ctrl+K palette now supports inline help commands without leaving the current flow.
+- Use `help: <term>` to search the current glossary terms. Example: `help: sbom` explains the term and routes to the most relevant page for deeper context.
+- Use `guide: first setup` to launch the setup wizard from the palette, with the setup workflow steps surfaced inline first.
+- Use `guide: scan image` to show the scan workflow as ordered inline steps: open the scan form, review supply-chain data, then triage the findings.
+- Plain searches can surface **Help & Guides** results alongside indexed docs/API/Doctor results, so glossary and workflow guidance stays visible even when the user does not type the explicit command prefix.
+
+### Glossary Tooltips
+
+- Stella now keeps a central domain glossary in the plain-language service and uses it for both command-palette help results and inline tooltip annotations.
+- Tooltip definitions are written for developers, not security specialists. Each definition should answer two questions quickly: what the term means, and why the operator should care.
+- Auto-detection wraps only the first occurrence of a term inside a given block of copy to avoid turning whole paragraphs into link soup.
+- Shared onboarding surfaces now annotate glossary terms by default: `ContextHeaderComponent`, both `app-empty-state` implementations, and the pages that already opted into `stellaopsGlossaryTooltip`.
+- Legacy routed pages that still render raw `header.page-header` or `div.page-header` blocks are covered centrally from `AppShellComponent`, so older screens inherit glossary help without per-page imports.
+- High-value terms now covered include: **SBOM**, **VEX**, **CVE**, **CVSS**, **EPSS**, **KEV**, **Reachability**, **DSSE**, **Attestation**, **Policy Gate**, **Policy Pack**, **Evidence Bundle**, **Promotion**, **Exception**, **Digest**, and **Provenance**.
+
+### Status Chip Guidance
+
+- The topbar status chips are part of onboarding, not just diagnostics chrome. Tooltips should explain what each signal means in plain language and what the operator should do when it goes red or stale.
+- Current warning states include actionable guidance, such as missing policy baselines or offline advisory feeds, so the tooltip can point the operator at the next setup or recovery step.
+- Keep the copy practical: what changed, why it matters to release decisions, and which page or workflow resolves it.
+
+### Export and Verify Evidence Bundles
+
+- Exports are intended to be portable and verifiable (audits, incident response, air-gap review).
+- Expect deterministic ordering, UTC timestamps, and hash manifests.
 
 See `docs/OFFLINE_KIT.md` for packaging and offline verification workflows.