docs consolidation and others

docs/modules/concelier/operations/authority-audit-runbook.md

@@ -9,7 +9,7 @@ This runbook helps operators verify and monitor the StellaOps Concelier ⇆ Auth
 - Authority integration is enabled in `concelier.yaml` (or via `CONCELIER_AUTHORITY__*` environment variables) with a valid `clientId`, secret, audience, and required scopes.
 - OTLP metrics/log exporters are configured (`concelier.telemetry.*`) or container stdout is shipped to your SIEM.
 - Operators have access to the Concelier job trigger endpoints via CLI or REST for smoke tests.
-- The rollout table in `docs/10_CONCELIER_CLI_QUICKSTART.md` has been reviewed so stakeholders align on the staged → enforced toggle timeline.
+- The rollout table in `docs/CONCELIER_CLI_QUICKSTART.md` has been reviewed so stakeholders align on the staged → enforced toggle timeline.
 
 ### Configuration snippet
 
@@ -120,18 +120,18 @@ Correlate audit logs with the following global meter exported via `Concelier.Sou
 
 ## 4. Rollout & Verification Procedure
 
-1. **Pre-checks**
-   - Align with your rollout plan and record the target dates in your change request.
-   - Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
-   - Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
-
-2. **Smoke test with valid token**
-   - Authenticate (cached): `stella auth login`.
-   - Mint a scoped token for curl (example):
-     - `TOKEN="$(stella auth token mint --service-account concelier-jobs --scope concelier.jobs.trigger --scope advisory:ingest --scope advisory:read --tenant tenant-default --reason \"concelier auth smoke test\" --raw)"`
-   - Trigger a read-only endpoint:
-     - `curl -H "Authorization: Bearer $TOKEN" -H "X-Stella-Tenant: tenant-default" https://concelier.internal/jobs/definitions`
-   - Expect HTTP 200/202 and an audit log with `bypass=False`, `scopes=concelier.jobs.trigger advisory:ingest advisory:read`, and `tenant=tenant-default`.
+1. **Pre-checks**
+   - Align with your rollout plan and record the target dates in your change request.
+   - Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
+   - Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
+
+2. **Smoke test with valid token**
+   - Authenticate (cached): `stella auth login`.
+   - Mint a scoped token for curl (example):
+     - `TOKEN="$(stella auth token mint --service-account concelier-jobs --scope concelier.jobs.trigger --scope advisory:ingest --scope advisory:read --tenant tenant-default --reason \"concelier auth smoke test\" --raw)"`
+   - Trigger a read-only endpoint:
+     - `curl -H "Authorization: Bearer $TOKEN" -H "X-Stella-Tenant: tenant-default" https://concelier.internal/jobs/definitions`
+   - Expect HTTP 200/202 and an audit log with `bypass=False`, `scopes=concelier.jobs.trigger advisory:ingest advisory:read`, and `tenant=tenant-default`.
 
 3. **Negative test without token**
    - Call the same endpoint without a token. Expect HTTP 401, `bypass=False`.
@@ -156,7 +156,7 @@ Correlate audit logs with the following global meter exported via `Concelier.Sou
 
 ## 6. References
 
-- `docs/21_INSTALL_GUIDE.md` - Authority configuration quick start.
-- `docs/17_SECURITY_HARDENING_GUIDE.md` - Security guardrails and enforcement.
-- `docs/modules/authority/operations/monitoring.md` - Authority-side monitoring and alerting playbook.
-- `src/Concelier/StellaOps.Concelier.WebService/Filters/JobAuthorizationAuditFilter.cs` - Source of audit log fields.
+- `docs/INSTALL_GUIDE.md` - Authority configuration quick start.
+- `docs/SECURITY_HARDENING_GUIDE.md` - Security guardrails and enforcement.
+- `docs/modules/authority/operations/monitoring.md` - Authority-side monitoring and alerting playbook.
+- `src/Concelier/StellaOps.Concelier.WebService/Filters/JobAuthorizationAuditFilter.cs` - Source of audit log fields.