chore(devops): dotnet release image + compose/bootstrap stabilization

Sprint SPRINT_20260417_024_DevOps_dotnet_release_image_stabilization.

- Dockerfile.platform + Dockerfile.dotnet-service adjustments for
  deterministic layer ordering and cache-friendly publish.
- devops/release/components.json updates.
- devops/compose: .env, README, legacy + stella-services docker-compose,
  stellaops env example, postgres-init 04/04b/15/16 authority + release
  schemas, setup.bootstrap.local.yaml.
- Gitea build_release.py script.
- scripts/register-local-integrations.ps1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

devops/compose/postgres-init/04-authority-schema.sql

@@ -466,11 +466,11 @@ CREATE INDEX IF NOT EXISTS idx_verdict_digest
 COMMENT ON TABLE authority.verdict_manifests IS 'VEX verdict manifests for deterministic replay verification';
 
 -- ============================================================================
--- SECTION 4b: Seed Default Tenant
+-- SECTION 4b: Bootstrap Default Tenant
 -- ============================================================================
 
 INSERT INTO authority.tenants (tenant_id, name, display_name, status)
-VALUES ('demo-prod', 'Production', 'Demo Production', 'active')
+VALUES ('default', 'Default', 'Default Tenant', 'active')
 ON CONFLICT (tenant_id) DO NOTHING;
 
 -- ============================================================================
@@ -618,51 +618,8 @@ END
 $$;
 
 -- ============================================================================
--- SECTION 8: Demo Seed Data
+-- SECTION 8: Bootstrap Notes
 -- ============================================================================
 
--- Roles for demo-prod tenant
-INSERT INTO authority.roles (id, tenant_id, name, display_name, description, is_system)
-VALUES
-    ('a0000002-0000-0000-0000-000000000001', 'demo-prod', 'admin', 'Administrator', 'Full platform access', true),
-    ('a0000002-0000-0000-0000-000000000002', 'demo-prod', 'operator', 'Operator', 'Release and deployment operations', true),
-    ('a0000002-0000-0000-0000-000000000003', 'demo-prod', 'viewer', 'Viewer', 'Read-only access', true)
-ON CONFLICT (tenant_id, name) DO NOTHING;
-
--- OAuth Clients
-INSERT INTO authority.clients (id, client_id, display_name, description, enabled, redirect_uris, post_logout_redirect_uris, allowed_scopes, allowed_grant_types, require_client_secret, require_pkce, properties)
-VALUES
-    ('demo-client-ui', 'stella-ops-ui', 'Stella Ops Console', 'Web UI application', true,
-     ARRAY['https://stella-ops.local/auth/callback', 'https://stella-ops.local/auth/silent-refresh', 'https://127.1.0.1/auth/callback', 'https://127.1.0.1/auth/silent-refresh'],
-     ARRAY['https://stella-ops.local/', 'https://127.1.0.1/'],
-     ARRAY['openid', 'profile', 'email', 'offline_access',
-            'ui.read', 'ui.admin', 'ui.preferences.read', 'ui.preferences.write',
-            'authority:tenants.read', 'authority:tenants.write',
-            'authority:users.read', 'authority:users.write',
-            'authority:roles.read', 'authority:roles.write',
-            'authority:clients.read', 'authority:clients.write',
-            'authority:tokens.read', 'authority:tokens.revoke',
-            'authority:branding.read', 'authority:branding.write',
-            'authority.audit.read',
-            'graph:read', 'sbom:read', 'scanner:read',
-            'policy:read', 'policy:simulate', 'policy:author', 'policy:review', 'policy:approve',
-            'policy:run', 'policy:activate', 'policy:audit', 'policy:edit', 'policy:operate', 'policy:publish',
-            'airgap:seal', 'airgap:status:read',
-            'orch:read', 'analytics.read', 'advisory:read', 'advisory-ai:view', 'advisory-ai:operate',
-            'vex:read', 'vexhub:read',
-            'exceptions:read', 'exceptions:approve', 'aoc:verify', 'findings:read',
-            'release:read', 'release:write', 'release:publish', 'scheduler:read', 'scheduler:operate',
-            'notify.viewer', 'notify.operator', 'notify.admin', 'notify.escalate',
-            'evidence:read',
-            'export.viewer', 'export.operator', 'export.admin',
-            'vuln:view', 'vuln:investigate', 'vuln:operate', 'vuln:audit',
-            'platform.context.read', 'platform.context.write',
-            'platform.idp.read', 'platform.idp.admin',
-            'doctor:run', 'doctor:admin', 'ops.health',
-            'integration:read', 'integration:write', 'integration:operate', 'registry.admin',
-            'timeline:read', 'timeline:write',
-            'signer:read', 'signer:sign', 'signer:rotate', 'signer:admin',
-            'trust:read', 'trust:write', 'trust:admin'],
-     ARRAY['authorization_code', 'refresh_token'],
-     false, true, '{"tenant": "demo-prod"}'::jsonb)
-ON CONFLICT (client_id) DO NOTHING;
+-- First-party clients are seeded by the Authority standard plugin at runtime.
+-- The first administrator is created through the setup wizard, not compose SQL.

devops/compose/postgres-init/04b-authority-dedicated-schema.sql

@@ -349,11 +349,11 @@ CREATE UNIQUE INDEX IF NOT EXISTS idx_verdict_replay ON authority.verdict_manife
 CREATE INDEX IF NOT EXISTS idx_verdict_digest ON authority.verdict_manifests(manifest_digest);
 
 -- ============================================================================
--- SECTION 5: Seed Data
+-- SECTION 5: Bootstrap Default Tenant
 -- ============================================================================
 
 INSERT INTO authority.tenants (tenant_id, name, display_name, status)
-VALUES ('demo-prod', 'Production', 'Demo Production', 'active')
+VALUES ('default', 'Default', 'Default Tenant', 'active')
 ON CONFLICT (tenant_id) DO NOTHING;
 
 -- ============================================================================
@@ -448,49 +448,8 @@ DO $$ BEGIN
 END $$;
 
 -- ============================================================================
--- SECTION 9: Demo Seed Data
+-- SECTION 9: Bootstrap Notes
 -- ============================================================================
 
-INSERT INTO authority.roles (id, tenant_id, name, display_name, description, is_system)
-VALUES
-    ('a0000002-0000-0000-0000-000000000001', 'demo-prod', 'admin', 'Administrator', 'Full platform access', true),
-    ('a0000002-0000-0000-0000-000000000002', 'demo-prod', 'operator', 'Operator', 'Release and deployment operations', true),
-    ('a0000002-0000-0000-0000-000000000003', 'demo-prod', 'viewer', 'Viewer', 'Read-only access', true)
-ON CONFLICT (tenant_id, name) DO NOTHING;
-
-INSERT INTO authority.clients (id, client_id, display_name, description, enabled, redirect_uris, post_logout_redirect_uris, allowed_scopes, allowed_grant_types, require_client_secret, require_pkce, properties)
-VALUES
-    ('demo-client-ui', 'stella-ops-ui', 'Stella Ops Console', 'Web UI application', true,
-     ARRAY['https://stella-ops.local/auth/callback', 'https://stella-ops.local/auth/silent-refresh', 'https://127.1.0.1/auth/callback', 'https://127.1.0.1/auth/silent-refresh'],
-     ARRAY['https://stella-ops.local/', 'https://127.1.0.1/'],
-     ARRAY['openid', 'profile', 'email', 'offline_access',
-            'ui.read', 'ui.admin', 'ui.preferences.read', 'ui.preferences.write',
-            'authority:tenants.read', 'authority:tenants.write',
-            'authority:users.read', 'authority:users.write',
-            'authority:roles.read', 'authority:roles.write',
-            'authority:clients.read', 'authority:clients.write',
-            'authority:tokens.read', 'authority:tokens.revoke',
-            'authority:branding.read', 'authority:branding.write',
-            'authority.audit.read',
-            'graph:read', 'sbom:read', 'scanner:read',
-            'policy:read', 'policy:simulate', 'policy:author', 'policy:review', 'policy:approve',
-            'policy:run', 'policy:activate', 'policy:audit', 'policy:edit', 'policy:operate', 'policy:publish',
-            'airgap:seal', 'airgap:status:read',
-            'orch:read', 'analytics.read', 'advisory:read', 'advisory-ai:view', 'advisory-ai:operate',
-            'vex:read', 'vexhub:read',
-            'exceptions:read', 'exceptions:approve', 'aoc:verify', 'findings:read',
-            'release:read', 'release:write', 'release:publish', 'scheduler:read', 'scheduler:operate',
-            'notify.viewer', 'notify.operator', 'notify.admin', 'notify.escalate',
-            'evidence:read',
-            'export.viewer', 'export.operator', 'export.admin',
-            'vuln:view', 'vuln:investigate', 'vuln:operate', 'vuln:audit',
-            'platform.context.read', 'platform.context.write',
-            'platform.idp.read', 'platform.idp.admin',
-            'doctor:run', 'doctor:admin', 'ops.health',
-            'integration:read', 'integration:write', 'integration:operate', 'registry.admin',
-            'timeline:read', 'timeline:write',
-            'signer:read', 'signer:sign', 'signer:rotate', 'signer:admin',
-            'trust:read', 'trust:write', 'trust:admin'],
-     ARRAY['authorization_code', 'refresh_token'],
-     false, true, '{"tenant": "demo-prod"}'::jsonb)
-ON CONFLICT (client_id) DO NOTHING;
+-- First-party clients are seeded by the Authority standard plugin at runtime.
+-- The first administrator is created through the setup wizard, not compose SQL.

devops/compose/postgres-init/15-platform-context-and-releases.sql

@@ -70,19 +70,5 @@ CREATE INDEX IF NOT EXISTS idx_control_bundles_tenant_name
 CREATE INDEX IF NOT EXISTS idx_control_bundles_tenant_updated
     ON release.control_bundles (tenant_id, updated_at DESC, id);
 
--- Seed demo context data for local development
-INSERT INTO platform.context_regions (region_id, display_name, sort_order, enabled)
-VALUES
-    ('us-east', 'US East', 1, true),
-    ('us-west', 'US West', 2, true),
-    ('eu-west', 'EU West', 3, true)
-ON CONFLICT (region_id) DO NOTHING;
-
-INSERT INTO platform.context_environments (environment_id, region_id, environment_type, display_name, sort_order, enabled)
-VALUES
-    ('dev', 'us-east', 'development', 'Development', 1, true),
-    ('stage', 'us-east', 'staging', 'Staging', 2, true),
-    ('prod-us-east', 'us-east', 'production', 'Production US East', 3, true),
-    ('prod-us-west', 'us-west', 'production', 'Production US West', 4, true),
-    ('prod-eu-west', 'eu-west', 'production', 'Production EU West', 5, true)
-ON CONFLICT (environment_id) DO NOTHING;
+-- Context regions/environments are intentionally left empty on fresh installs.
+-- The setup and admin surfaces create truthful operator-owned state as needed.

devops/compose/postgres-init/16-release-full-schema.sql

@@ -22,10 +22,14 @@ CREATE UNIQUE INDEX IF NOT EXISTS uq_shared_tenants_single_default
     ON shared.tenants (is_default)
     WHERE is_default;
 
--- Seed shared tenant for local dev
-INSERT INTO shared.tenants (tenant_id, name, display_name, status)
-VALUES ('demo-prod', 'Production', 'Demo Production', 'active')
-ON CONFLICT (tenant_id) DO NOTHING;
+-- Seed the generic default tenant required by release/shared foreign keys.
+INSERT INTO shared.tenants (tenant_id, name, display_name, is_default, status)
+VALUES ('default', 'Default', 'Default Tenant', true, 'active')
+ON CONFLICT (tenant_id) DO UPDATE
+SET name = EXCLUDED.name,
+    display_name = EXCLUDED.display_name,
+    is_default = EXCLUDED.is_default,
+    status = EXCLUDED.status;
 
 -- Release schemas
 CREATE SCHEMA IF NOT EXISTS release;