Make local UI setup truthful and rerunnable

devops/compose/README.md

@@ -115,6 +115,13 @@ This sequence is the canonical migration gate for on-prem upgradeable deployment
 Current behavior details:
 
 - `./postgres-init` scripts execute only during first PostgreSQL initialization (`/docker-entrypoint-initdb.d` mount).
+- `postgres-init/14-platform-environment-settings.sql` now creates the
+  canonical installation-scoped `platform.environment_settings` table without
+  pre-seeding `SetupComplete=true`; fresh local databases therefore enter the
+  setup wizard until the Platform setup session is finalized. Existing local
+  volumes that still carry the legacy `(tenant_id, key)` table shape are
+  auto-converged by Platform release migration
+  `064_EnvironmentSettingsInstallationScopeConvergence.sql`.
 - Some services run startup migrations via hosted services; others are currently CLI-only or not wired yet.
 - Use `docs/db/MIGRATION_INVENTORY.md` as the authoritative current-state matrix before production upgrades.
 - Consolidation target policy and module cutover waves are defined in `docs/db/MIGRATION_CONSOLIDATION_PLAN.md`.
@@ -331,7 +338,10 @@ The harness now supports inline GitLab secret staging through the browser when
 `STELLAOPS_UI_BOOTSTRAP_GITLAB_REGISTRY_BASIC` are supplied. The separate
 first-run setup wizard now reaches the Platform setup API through the
 frontdoor and uses persisted installation-scoped setup sessions for the five
-truthful control-plane steps.
+truthful control-plane steps. The local compose lane also forwards
+`AUTHORITY_BOOTSTRAP_APIKEY` into Platform as `STELLAOPS_BOOTSTRAP_KEY` so the
+wizard can call Authority's `/internal/users` bootstrap endpoint during the
+Admin step.
 
 **Hosts file entries** (add to `C:\Windows\System32\drivers\etc\hosts`):
 ```

devops/compose/docker-compose.stella-ops.legacy.yml

@@ -464,6 +464,7 @@ services:
       STELLAOPS_SIGNALS_URL: "http://signals.stella-ops.local"
       STELLAOPS_ADVISORYAI_URL: "http://advisoryai.stella-ops.local"
       STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
+      STELLAOPS_BOOTSTRAP_KEY: "${AUTHORITY_BOOTSTRAP_APIKEY:-stellaops-dev-bootstrap-key}"
       Router__Enabled: "${PLATFORM_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "platform"
     volumes:
@@ -965,6 +966,9 @@ services:
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
       Postgres__ConnectionString: *postgres-connection
       Postgres__SchemaName: "vexhub"
+      Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
+      Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
+      Authority__ResourceServer__RequireHttpsMetadata: "false"
       Router__Enabled: "${VEXHUB_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "vexhub"
     volumes:
@@ -988,13 +992,22 @@ services:
     container_name: stellaops-vexlens-web
     restart: unless-stopped
     depends_on: *depends-infra
-    environment:
-      ASPNETCORE_URLS: "http://+:8080"
-      <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
-      ConnectionStrings__Default: *postgres-connection
-      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
-      Router__Enabled: "${VEXLENS_ROUTER_ENABLED:-true}"
-      Router__Messaging__ConsumerGroup: "vexlens"
+      environment:
+        ASPNETCORE_URLS: "http://+:8080"
+        <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
+        ConnectionStrings__Default: *postgres-connection
+        ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+        Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
+        Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
+        Authority__ResourceServer__RequireHttpsMetadata: "false"
+        Authority__ResourceServer__Audiences__0: ""
+        Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
+        Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
+        Authority__ResourceServer__BypassNetworks__2: "::1/128"
+        Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
+        Authority__ResourceServer__BypassNetworks__4: "::/0"
+        Router__Enabled: "${VEXLENS_ROUTER_ENABLED:-true}"
+        Router__Messaging__ConsumerGroup: "vexlens"
     volumes:
       - *cert-volume
     ports:

devops/compose/docker-compose.stella-services.yml

@@ -300,6 +300,7 @@ services:
       STELLAOPS_SIGNALS_URL: "http://signals.stella-ops.local"
       STELLAOPS_ADVISORYAI_URL: "http://advisoryai.stella-ops.local"
       STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
+      STELLAOPS_BOOTSTRAP_KEY: "${AUTHORITY_BOOTSTRAP_APIKEY:-stellaops-dev-bootstrap-key}"
       Router__Enabled: "${PLATFORM_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "platform"
     volumes:
@@ -768,6 +769,9 @@ services:
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
       Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       Postgres__SchemaName: "vexhub"
+      Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
+      Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
+      Authority__ResourceServer__RequireHttpsMetadata: "false"
       Router__Enabled: "${VEXHUB_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "vexhub"
     volumes:
@@ -795,6 +799,15 @@ services:
       <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
       ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
       ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+      Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
+      Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
+      Authority__ResourceServer__RequireHttpsMetadata: "false"
+      Authority__ResourceServer__Audiences__0: ""
+      Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
+      Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
+      Authority__ResourceServer__BypassNetworks__2: "::1/128"
+      Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
+      Authority__ResourceServer__BypassNetworks__4: "::/0"
       Router__Enabled: "${VEXLENS_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "vexlens"
     volumes:

devops/compose/postgres-init/14-platform-environment-settings.sql

@@ -1,20 +1,13 @@
--- Platform environment_settings table for setup state and runtime config overrides.
--- Used by SetupStateDetector to determine if setup wizard has been completed.
+-- Platform environment_settings table for installation-scoped runtime config overrides.
+-- Fresh compose databases should start without a SetupComplete marker so the
+-- truthful bootstrap wizard can own first-run convergence.
 -- This is idempotent and safe to run on new compose databases.
 
 CREATE SCHEMA IF NOT EXISTS platform;
 
 CREATE TABLE IF NOT EXISTS platform.environment_settings (
-    key         VARCHAR(256) NOT NULL,
-    value       TEXT         NOT NULL,
-    tenant_id   VARCHAR(128) NOT NULL DEFAULT '_system',
-    updated_by  VARCHAR(256) NOT NULL DEFAULT 'system',
-    updated_at  TIMESTAMPTZ  NOT NULL DEFAULT now(),
-    PRIMARY KEY (tenant_id, key)
+    key         TEXT        PRIMARY KEY,
+    value       TEXT        NOT NULL,
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_by  TEXT        NOT NULL DEFAULT 'system'
 );
-
--- Mark setup as complete for fresh installs (docker-compose local dev).
--- The setup wizard can re-run and overwrite this if needed.
-INSERT INTO platform.environment_settings (key, value, tenant_id, updated_by)
-VALUES ('SetupComplete', 'true', '_system', 'postgres-init')
-ON CONFLICT (tenant_id, key) DO NOTHING;