chore(devops): dotnet release image + compose/bootstrap stabilization

Sprint SPRINT_20260417_024_DevOps_dotnet_release_image_stabilization.

- Dockerfile.platform + Dockerfile.dotnet-service adjustments for
  deterministic layer ordering and cache-friendly publish.
- devops/release/components.json updates.
- devops/compose: .env, README, legacy + stella-services docker-compose,
  stellaops env example, postgres-init 04/04b/15/16 authority + release
  schemas, setup.bootstrap.local.yaml.
- Gitea build_release.py script.
- scripts/register-local-integrations.ps1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

devops/compose/postgres-init/04-authority-schema.sql

@@ -466,11 +466,11 @@ CREATE INDEX IF NOT EXISTS idx_verdict_digest
 COMMENT ON TABLE authority.verdict_manifests IS 'VEX verdict manifests for deterministic replay verification';
 
 -- ============================================================================
--- SECTION 4b: Seed Default Tenant
+-- SECTION 4b: Bootstrap Default Tenant
 -- ============================================================================
 
 INSERT INTO authority.tenants (tenant_id, name, display_name, status)
-VALUES ('demo-prod', 'Production', 'Demo Production', 'active')
+VALUES ('default', 'Default', 'Default Tenant', 'active')
 ON CONFLICT (tenant_id) DO NOTHING;
 
 -- ============================================================================
@@ -618,51 +618,8 @@ END
 $$;
 
 -- ============================================================================
--- SECTION 8: Demo Seed Data
+-- SECTION 8: Bootstrap Notes
 -- ============================================================================
 
--- Roles for demo-prod tenant
-INSERT INTO authority.roles (id, tenant_id, name, display_name, description, is_system)
-VALUES
-    ('a0000002-0000-0000-0000-000000000001', 'demo-prod', 'admin', 'Administrator', 'Full platform access', true),
-    ('a0000002-0000-0000-0000-000000000002', 'demo-prod', 'operator', 'Operator', 'Release and deployment operations', true),
-    ('a0000002-0000-0000-0000-000000000003', 'demo-prod', 'viewer', 'Viewer', 'Read-only access', true)
-ON CONFLICT (tenant_id, name) DO NOTHING;
-
--- OAuth Clients
-INSERT INTO authority.clients (id, client_id, display_name, description, enabled, redirect_uris, post_logout_redirect_uris, allowed_scopes, allowed_grant_types, require_client_secret, require_pkce, properties)
-VALUES
-    ('demo-client-ui', 'stella-ops-ui', 'Stella Ops Console', 'Web UI application', true,
-     ARRAY['https://stella-ops.local/auth/callback', 'https://stella-ops.local/auth/silent-refresh', 'https://127.1.0.1/auth/callback', 'https://127.1.0.1/auth/silent-refresh'],
-     ARRAY['https://stella-ops.local/', 'https://127.1.0.1/'],
-     ARRAY['openid', 'profile', 'email', 'offline_access',
-            'ui.read', 'ui.admin', 'ui.preferences.read', 'ui.preferences.write',
-            'authority:tenants.read', 'authority:tenants.write',
-            'authority:users.read', 'authority:users.write',
-            'authority:roles.read', 'authority:roles.write',
-            'authority:clients.read', 'authority:clients.write',
-            'authority:tokens.read', 'authority:tokens.revoke',
-            'authority:branding.read', 'authority:branding.write',
-            'authority.audit.read',
-            'graph:read', 'sbom:read', 'scanner:read',
-            'policy:read', 'policy:simulate', 'policy:author', 'policy:review', 'policy:approve',
-            'policy:run', 'policy:activate', 'policy:audit', 'policy:edit', 'policy:operate', 'policy:publish',
-            'airgap:seal', 'airgap:status:read',
-            'orch:read', 'analytics.read', 'advisory:read', 'advisory-ai:view', 'advisory-ai:operate',
-            'vex:read', 'vexhub:read',
-            'exceptions:read', 'exceptions:approve', 'aoc:verify', 'findings:read',
-            'release:read', 'release:write', 'release:publish', 'scheduler:read', 'scheduler:operate',
-            'notify.viewer', 'notify.operator', 'notify.admin', 'notify.escalate',
-            'evidence:read',
-            'export.viewer', 'export.operator', 'export.admin',
-            'vuln:view', 'vuln:investigate', 'vuln:operate', 'vuln:audit',
-            'platform.context.read', 'platform.context.write',
-            'platform.idp.read', 'platform.idp.admin',
-            'doctor:run', 'doctor:admin', 'ops.health',
-            'integration:read', 'integration:write', 'integration:operate', 'registry.admin',
-            'timeline:read', 'timeline:write',
-            'signer:read', 'signer:sign', 'signer:rotate', 'signer:admin',
-            'trust:read', 'trust:write', 'trust:admin'],
-     ARRAY['authorization_code', 'refresh_token'],
-     false, true, '{"tenant": "demo-prod"}'::jsonb)
-ON CONFLICT (client_id) DO NOTHING;
+-- First-party clients are seeded by the Authority standard plugin at runtime.
+-- The first administrator is created through the setup wizard, not compose SQL.