Finalize UI truthfulness and bootstrap hardening

docs/API_CLI_REFERENCE.md

@@ -301,7 +301,7 @@ stella setup validate --config <path>
 | `--dry-run` | `run` only. Probe without applying. |
 | `--force`, `-f` | `run` starts a fresh session; `reset --all` skips confirmation. |
 | `--session` | `resume`/`status` only. Use an explicit session id. |
-| `--json` | `status` only. Emit machine-readable session state. |
+| `--json` | `status` only. Emit machine-readable session state with sanitized `draftValues` and retained-secret `secretDrafts` metadata. |
 | `--verbose`, `-v` | Enable verbose output. |
 
 ### Available Steps
@@ -341,6 +341,11 @@ stella setup reset --all --force
 After `stella setup`, use the authenticated integration/onboarding surfaces instead of more setup steps:
 
 ```bash
+stella config integrations bootstrap local
+stella config integrations bootstrap local --include-gitlab
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry
+
+# Production or customer-managed systems still use BYO-secret onboarding
 stella config integrations secrets targets
 stella config integrations secrets upsert-bundle \
   --bundle gitlab-server \
@@ -349,6 +354,51 @@ stella config integrations secrets upsert-bundle \
   --entry access-token=glpat-...
 ```
 
+Setup-session secret handling:
+- Session reads never return plaintext secret values.
+- Retained setup secrets surface only as `secretDrafts` metadata and are reused server-side during resume/apply.
+
+## stella config integrations bootstrap local
+
+Bootstrap the Stella-owned local compose fixture catalog from the CLI.
+
+### Synopsis
+
+```bash
+stella config integrations bootstrap local [--include-gitlab] [--include-gitlab-registry] [--format table|json]
+```
+
+### Options
+
+| Option | Description |
+| --- | --- |
+| `--include-gitlab` | Include the owned local GitLab Server and GitLab CI fixtures. The CLI mints and stages the local PAT into Vault automatically. |
+| `--include-gitlab-registry` | Include the optional local GitLab container registry fixture. Requires the heavy GitLab compose profile with `GITLAB_ENABLE_REGISTRY=true`. |
+| `--format` | Output format: `table` or `json` (default: `table`). |
+| `--verbose`, `-v` | Enable verbose output. |
+
+### Examples
+
+```bash
+# Default 13-entry local fixture catalog
+stella config integrations bootstrap local
+
+# Add GitLab Server and GitLab CI
+stella config integrations bootstrap local --include-gitlab
+
+# Add the optional GitLab registry and emit machine-readable results
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry --format json
+```
+
+### Contract
+
+- This command is for Stella-owned local compose fixtures only.
+- Default mode creates or updates 13 deterministic local integrations and verifies both connector test and runtime health for each selected entry.
+- `--include-gitlab` stages the owned local GitLab PAT through Secret Authority and binds the returned `authref://vault/gitlab#access-token` value to GitLab Server and GitLab CI.
+- `--include-gitlab-registry` stages and binds `authref://vault/gitlab#registry-basic` for the optional local GitLab registry surface, which must be started with `GITLAB_ENABLE_REGISTRY=true`.
+- Exit code `0` means every selected integration tested healthy and reported healthy runtime status. Exit code `1` means bootstrap or verification failed.
+- For production or customer-managed systems, use `stella config integrations secrets targets`, `stella config integrations secrets upsert-bundle`, and explicit `create` or `update` operations with operator-provided credentials.
+
 ## stella advise ask
 
 Ask questions to the AdvisoryAI assistant.