Finalize UI truthfulness and bootstrap hardening

devops/compose/README.md

@@ -290,38 +290,26 @@ docker compose -f docker-compose.integrations.yml ps gitea
 
 Register the default local-ready integration catalog once the stack is up:
 
-```powershell
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod
+```bash
+stella auth login
+stella config integrations bootstrap local
 ```
 
-The helper creates and verifies the 13 turnkey local providers on a fresh
-machine. GitLab server/CI and the GitLab registry remain opt-in because they
-require Vault-backed PAT material. The scripted local path is:
+The CLI creates and verifies the 13 turnkey local providers on a fresh
+machine. GitLab server/CI and the GitLab registry remain opt-in but stay inside
+the same first-party product flow:
 
-```powershell
-powershell -ExecutionPolicy Bypass -File scripts/bootstrap-local-gitlab-secrets.ps1 `
-  -VerifyRegistry
-
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab
-
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab `
-  -IncludeGitLabRegistry
+```bash
+stella config integrations bootstrap local --include-gitlab
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry
 ```
 
-Or run the GitLab-backed registration in one step:
-
-```powershell
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab `
-  -IncludeGitLabRegistry `
-  -BootstrapGitLabSecrets
-```
+The local bootstrap command mints the owned local GitLab PAT against the
+compose fixture, stages the resulting `access-token` and `registry-basic`
+entries into the writable Vault target, binds the returned `authref://...`
+values to the GitLab integrations, and verifies health. The older PowerShell
+scripts remain available as compatibility helpers, but they are no longer the
+preferred product path for the Stella-owned local fixture lane.
 
 For a repeatable browser-driven proof of the Integrations Hub path itself, run:
 
@@ -387,15 +375,21 @@ Gitea is now bootstrapped by the compose service itself: a fresh `stellaops-gite
 For UI/CLI-first onboarding, the Integrations Secret Authority API can now
 stage GitLab-class credentials and return the generated `authref://...`
 bindings without a manual Vault write. The browser flow uses this inline, and
-the CLI exposes the same path through:
+the CLI exposes the owned local fixture path through:
+
+```bash
+stella config integrations bootstrap local --include-gitlab
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry
+```
+
+For production or customer-managed third-party systems, use the lower-level
+Secret Authority commands directly:
 
 ```bash
 stella config integrations secrets targets
 stella config integrations secrets upsert-bundle --bundle gitlab-server --target <vault-integration-id> --path gitlab/server --entry access-token=glpat-...
 ```
 
-For GitLab, `scripts/bootstrap-local-gitlab-secrets.ps1` is the preferred local bootstrap path. It reuses a valid `secret/gitlab` secret when possible and otherwise rotates the local `stella-local-integration` PAT, then writes `authref://vault/gitlab#access-token` plus `authref://vault/gitlab#registry-basic` into the dev Vault. When you enable the optional GitLab registry surface (`GITLAB_ENABLE_REGISTRY=true`), register it through the `GitLabContainerRegistry` provider with `authref://vault/gitlab#registry-basic`. The local Docker registry connector now follows the registry's Bearer challenge and exchanges that `username:personal-access-token` secret against `jwt/auth` before retrying catalog and tag probes.
-
 `docker-compose.testing.yml` is a separate infrastructure-test lane. It starts `postgres-test`, `valkey-test`, mocks, and an isolated Gitea profile on different ports; it does not start Consul or GitLab. Use `docker-compose.integrations.yml` only when you need real third-party providers for connector validation.
 
 **Backend connector plugins** (8 total, loaded in Integrations service):

devops/compose/docker-compose.stella-ops.legacy.yml

@@ -418,10 +418,10 @@ services:
       Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
       Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
       Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
+      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local:8080"
       STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
       STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
-      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local"
+      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local:8080"
       STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
       STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
       STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
@@ -516,18 +516,6 @@ services:
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Type: "standard"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__AssemblyName: "StellaOps.Authority.Plugin.Standard"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__ClientId: "stella-ops-ui"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__DisplayName: "Stella Ops Console"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedGrantTypes: "authorization_code refresh_token"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedScopes: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RedirectUris: "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh https://127.1.0.1/auth/callback https://127.1.0.1/auth/silent-refresh"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__PostLogoutRedirectUris: "https://stella-ops.local/ https://127.1.0.1/"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RequirePkce: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowPlainTextPkce: "false"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
@@ -1415,8 +1403,9 @@ services:
       Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
       Authority__ResourceServer__RequireHttpsMetadata: "false"
       Authority__ResourceServer__Audiences__0: ""
-      Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
-      Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
+      Authority__ResourceServer__BypassNetworks__0: "172.16.0.0/12"
+      Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
+      Authority__ResourceServer__BypassNetworks__2: "::1/128"
       TIMELINE_Postgres__Timeline__ConnectionString: *postgres-connection
       Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "timeline"

devops/compose/docker-compose.stella-services.yml

@@ -254,10 +254,10 @@ services:
       Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
       Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
       Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
+      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local:8080"
       STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
       STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
-      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local"
+      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local:8080"
       STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
       STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
       STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
@@ -347,18 +347,6 @@ services:
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Type: "standard"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__AssemblyName: "StellaOps.Authority.Plugin.Standard"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__ClientId: "stella-ops-ui"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__DisplayName: "Stella Ops Console"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedGrantTypes: "authorization_code refresh_token"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedScopes: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RedirectUris: "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh https://127.1.0.1/auth/callback https://127.1.0.1/auth/silent-refresh"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__PostLogoutRedirectUris: "https://stella-ops.local/ https://127.1.0.1/"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RequirePkce: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowPlainTextPkce: "false"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
@@ -1201,8 +1189,9 @@ services:
       Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
       Authority__ResourceServer__RequireHttpsMetadata: "false"
       Authority__ResourceServer__Audiences__0: ""
-      Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
-      Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
+      Authority__ResourceServer__BypassNetworks__0: "172.16.0.0/12"
+      Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
+      Authority__ResourceServer__BypassNetworks__2: "::1/128"
       TIMELINE_Postgres__Timeline__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
       Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
       Router__Messaging__ConsumerGroup: "timeline"

devops/compose/setup.bootstrap.local.yaml

@@ -0,0 +1,21 @@
+version: "1"
+
+database:
+  host: db.stella-ops.local
+  port: 5432
+  database: stellaops_platform
+  user: stellaops
+  password: stellaops
+
+cache:
+  host: cache.stella-ops.local
+  port: 6379
+  database: 0
+
+custom:
+  users.superuser.username: admin
+  users.superuser.email: admin@stella-ops.local
+  users.superuser.password: Admin@Stella2026!
+  users.superuser.displayName: Stella Admin
+  authority.provider: standard
+  crypto.provider: default