Finalize UI truthfulness and bootstrap hardening

docs/integrations/LOCAL_SERVICES.md

@@ -110,11 +110,14 @@ node src/Web/StellaOps.Web/scripts/live-integrations-ui-bootstrap.mjs
   `STELLAOPS_BOOTSTRAP_KEY` that Authority exposes through
   `AUTHORITY_BOOTSTRAP_APIKEY`.
 
-Scripted convergence path:
+CLI convergence path:
 
-```powershell
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod
+```bash
+# Authenticate into the target tenant first if needed
+stella auth login
+
+# Bootstrap the default 13-entry local fixture catalog
+stella config integrations bootstrap local
 ```
 
 This converges the default local-ready lane to 13 healthy entries:
@@ -132,33 +135,24 @@ This converges the default local-ready lane to 13 healthy entries:
 - NVD mirror
 - OSV mirror
 
-Optional GitLab providers require Vault-backed credentials. The recommended
-local flow is:
+Optional GitLab providers are part of the same product-owned local bootstrap flow:
 
-```powershell
-# Reuse or rotate the local GitLab bootstrap PAT and write it to Vault.
-powershell -ExecutionPolicy Bypass -File scripts/bootstrap-local-gitlab-secrets.ps1 `
-  -VerifyRegistry
+```bash
+# Add the owned local GitLab SCM and CI fixtures
+stella config integrations bootstrap local --include-gitlab
 
-# Register SCM + CI using the bootstrapped authref://vault/gitlab#access-token
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab
-
-# Also requires GitLab registry enabled; uses authref://vault/gitlab#registry-basic
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab `
-  -IncludeGitLabRegistry
-
-# Or do the GitLab-backed registration in one step
-powershell -ExecutionPolicy Bypass -File scripts/register-local-integrations.ps1 `
-  -Tenant demo-prod `
-  -IncludeGitLab `
-  -IncludeGitLabRegistry `
-  -BootstrapGitLabSecrets
+# Also add the optional local GitLab registry surface
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry
 ```
 
+The CLI owns the local GitLab bootstrap contract:
+- it mints the owned local `stella-local-integration` PAT against the compose fixture
+- it stages the resulting `access-token` and `registry-basic` entries into the writable Vault secret-authority target
+- it binds the returned `authref://vault/gitlab#...` values to the GitLab integrations and verifies health
+
+Legacy compatibility note:
+- `scripts/register-local-integrations.ps1` and `scripts/bootstrap-local-gitlab-secrets.ps1` remain available for compatibility and debugging, but they are no longer the preferred product path for the local compose fixture lane
+
 For a repeatable browser-driven proof of the same Integrations Hub path, run:
 
 ```powershell
@@ -295,7 +289,15 @@ vault kv put secret/gitlab access-token="glpat-your-token" registry-basic="root:
 ```
 
 Inline secret staging no longer requires a manual Vault write for GitLab-class
-providers:
+providers. For the Stella-owned local compose fixture lane, use:
+
+```bash
+stella config integrations bootstrap local --include-gitlab
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry
+```
+
+For production or customer-managed third-party systems, use the lower-level
+Secret Authority commands directly:
 
 ```bash
 stella config integrations secrets targets
@@ -418,14 +420,14 @@ GITLAB_ENABLE_REGISTRY=true GITLAB_ENABLE_PACKAGES=true \
 **Stella Ops integration config (SCM / CI):**
 - Endpoint: `http://gitlab.stella-ops.local:8929`
 - AuthRef: `authref://vault/gitlab#access-token`
-- Bootstrap helper: `powershell -ExecutionPolicy Bypass -File scripts/bootstrap-local-gitlab-secrets.ps1`
+- Local fixture bootstrap: `stella config integrations bootstrap local --include-gitlab`
 
 **Stella Ops integration config (Registry):**
 - Endpoint: `http://gitlab.stella-ops.local:5050`
 - AuthRef: `authref://vault/gitlab#registry-basic`
 - Secret format: `username:personal-access-token` (local default: `root:<token>`)
 - The Docker registry connector follows GitLab's `WWW-Authenticate: Bearer` challenge and exchanges this basic secret against `/jwt/auth` before retrying catalog and tag probes.
-- `scripts/bootstrap-local-gitlab-secrets.ps1 -VerifyRegistry` reuses a valid local Vault secret when possible and otherwise rotates the local `stella-local-integration` PAT before writing both authrefs.
+- Add registry coverage through `stella config integrations bootstrap local --include-gitlab --include-gitlab-registry` after enabling the heavy GitLab compose profile with registry support.
 
 ---