Finalize UI truthfulness and bootstrap hardening

docs/modules/cli/guides/commands/auth.md

@@ -11,11 +11,17 @@ Acquire and cache an access token using the configured Authority credentials.
 ```bash
 stella auth login
 stella auth login --force
+STELLAOPS_AUTHORITY_CLIENT_ID=stellaops-cli-automation \
+STELLAOPS_AUTHORITY_CLIENT_SECRET=stellaops-local-cli-automation-secret \
+stella auth login --json
 ```
 
 Notes:
 - `--force` ignores cached tokens and forces re-authentication.
 - Credential sources are configuration-driven (profile/env). This command does not accept raw tokens on the command line.
+- When no Authority client ID is configured, the CLI defaults to the seeded human client `stellaops-cli`.
+- In a fresh interactive local/dev shell, `auth login` prompts for username/password and uses the current password-grant bootstrap path on that human client.
+- For non-interactive automation, configure a confidential client such as the seeded local/dev `stellaops-cli-automation`.
 
 ### auth status / whoami / logout
 
@@ -82,4 +88,3 @@ Flags:
 ## Offline notes
 - `auth login` and token mint/delegate require connectivity to Authority.
 - `auth revoke verify`, `status`, `whoami`, and `logout` can operate using local cached state.
-

docs/modules/cli/guides/commands/reference.md

@@ -59,6 +59,42 @@ stella config integrations <command> [options]
 - `health` - Query connector health
 - `impact` - Show workflow impact summary
 - `discover` - Discover provider resources such as repositories, projects, jobs, pipelines, or tags
+- `bootstrap local` - Bootstrap the Stella-owned local compose fixture catalog end to end
+- `secrets targets` / `secrets upsert-bundle` - Stage authref-backed secret bundles against writable secret-authority targets
+
+### stella config integrations bootstrap local
+
+Bootstrap the owned local compose fixture lane without dropping into fixture-native APIs.
+
+**Usage:**
+```bash
+stella config integrations bootstrap local [--include-gitlab] [--include-gitlab-registry] [--format table|json]
+```
+
+**Options:**
+| Option | Description |
+|--------|-------------|
+| `--include-gitlab` | Add the local GitLab Server and GitLab CI fixtures. The CLI mints the owned local PAT and stages it into Vault automatically. |
+| `--include-gitlab-registry` | Add the optional local GitLab container registry fixture. Requires the heavy GitLab compose profile with `GITLAB_ENABLE_REGISTRY=true`. |
+| `--format <table\|json>` | Output format. `json` is machine-readable and exits non-zero when any selected integration is unhealthy. |
+
+**Examples:**
+```bash
+# Bootstrap the default 13-entry local compose fixture catalog
+stella config integrations bootstrap local
+
+# Add the owned local GitLab SCM and CI fixtures
+stella config integrations bootstrap local --include-gitlab
+
+# Add the full 16-entry local fixture catalog including GitLab registry
+stella config integrations bootstrap local --include-gitlab --include-gitlab-registry --format json
+```
+
+**Contract:**
+- This command is only for Stella-owned local compose fixtures.
+- Default mode creates or updates 13 deterministic local integrations and runs test plus health verification for each.
+- `--include-gitlab` stages the managed local GitLab PAT through Secret Authority and binds the resulting `authref://...` values to GitLab Server and GitLab CI.
+- Production and customer-managed third-party systems still use `secrets targets`, `secrets upsert-bundle`, and explicit `create` or `update` operations with operator-provided credentials.
 
 **Examples:**
 ```bash
@@ -95,6 +131,7 @@ stella config integrations create \
 
 **Notes:**
 - `providers` returns `isTestOnly`, `supportsDiscovery`, and `supportedResourceTypes`.
+- `bootstrap local` returns exit code `0` only when every selected integration tests healthy and reports healthy runtime status.
 - Deprecated `stella integrations *` routes are preserved as aliases and forward to `stella config integrations *`.
 - Unsupported discovery requests return a client error instead of silently falling back to sample data.
 
@@ -605,25 +642,27 @@ Authenticate with platform (interactive).
 
 **Usage:**
 ```bash
-stella auth login [--authority <url>] [--verbose]
+stella auth login [--force] [--verbose]
 ```
 
 **Example:**
 ```bash
-# Interactive login (opens browser)
+# Interactive login on the seeded human client
 stella auth login
 
-# Specify Authority URL
-stella auth login --authority https://auth.stellaops.example.com
+# Re-authenticate even when a cached token exists
+stella auth login --force
 ```
 
 **Output:**
 ```
-Opening browser for authentication...
-✅ Logged in as alice@example.com
-Token saved to ~/.stellaops/tokens.json
+Authority username: admin
+Authority password for admin:
+Login successful. Access token expires at 2026-04-16 12:00:00Z.
 ```
 
+When no Authority client ID is configured, the CLI defaults to the seeded human client `stellaops-cli` and prompts for username/password in an interactive shell. For automation, configure a confidential client such as `stellaops-cli-automation`.
+
 ---
 
 ### stella auth logout