qa iteration 3

Fresh-DB bootstrap fixes enabling 25/25 pages zero HTTP errors:
- Fix shared.tenants schema mismatch (missing is_default column in init script 16)
- Align migration 000 column set with init script (superset for all modules)
- Seed Authority tenant + stella-ops-ui OAuth client in init script 04
- Widen Platform auth bypass to cover Docker (172.0.0.0/8) and localhost (127.0.0.0/8)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/postgres-init/04-authority-schema.sql

@@ -465,6 +465,14 @@ CREATE INDEX IF NOT EXISTS idx_verdict_digest
 
 COMMENT ON TABLE authority.verdict_manifests IS 'VEX verdict manifests for deterministic replay verification';
 
+-- ============================================================================
+-- SECTION 4b: Seed Default Tenant
+-- ============================================================================
+
+INSERT INTO authority.tenants (tenant_id, name, display_name, status)
+VALUES ('demo-prod', 'Production', 'Demo Production', 'active')
+ON CONFLICT (tenant_id) DO NOTHING;
+
 -- ============================================================================
 -- SECTION 5: Triggers
 -- ============================================================================
@@ -609,3 +617,46 @@ BEGIN
 END
 $$;
 
+-- ============================================================================
+-- SECTION 8: Demo Seed Data
+-- ============================================================================
+
+-- Roles for demo-prod tenant
+INSERT INTO authority.roles (id, tenant_id, name, display_name, description, is_system)
+VALUES
+    ('a0000002-0000-0000-0000-000000000001', 'demo-prod', 'admin', 'Administrator', 'Full platform access', true),
+    ('a0000002-0000-0000-0000-000000000002', 'demo-prod', 'operator', 'Operator', 'Release and deployment operations', true),
+    ('a0000002-0000-0000-0000-000000000003', 'demo-prod', 'viewer', 'Viewer', 'Read-only access', true)
+ON CONFLICT (tenant_id, name) DO NOTHING;
+
+-- OAuth Clients
+INSERT INTO authority.clients (id, client_id, display_name, description, enabled, redirect_uris, post_logout_redirect_uris, allowed_scopes, allowed_grant_types, require_client_secret, require_pkce, properties)
+VALUES
+    ('demo-client-ui', 'stella-ops-ui', 'Stella Ops Console', 'Web UI application', true,
+     ARRAY['https://stella-ops.local/auth/callback', 'https://stella-ops.local/auth/silent-refresh', 'https://127.1.0.1/auth/callback', 'https://127.1.0.1/auth/silent-refresh'],
+     ARRAY['https://stella-ops.local/', 'https://127.1.0.1/'],
+     ARRAY['openid', 'profile', 'email', 'offline_access',
+            'ui.read', 'ui.admin', 'ui.preferences.read', 'ui.preferences.write',
+            'authority:tenants.read', 'authority:users.read', 'authority:roles.read',
+            'authority:clients.read', 'authority:tokens.read', 'authority:branding.read',
+            'authority.audit.read',
+            'graph:read', 'sbom:read', 'scanner:read',
+            'policy:read', 'policy:simulate', 'policy:author', 'policy:review', 'policy:approve',
+            'policy:run', 'policy:activate', 'policy:audit', 'policy:edit', 'policy:operate', 'policy:publish',
+            'airgap:seal', 'airgap:status:read',
+            'orch:read', 'analytics.read', 'advisory:read', 'advisory-ai:view', 'advisory-ai:operate',
+            'vex:read', 'vexhub:read',
+            'exceptions:read', 'exceptions:approve', 'aoc:verify', 'findings:read',
+            'release:read', 'scheduler:read', 'scheduler:operate',
+            'notify.viewer', 'notify.operator', 'notify.admin', 'notify.escalate',
+            'evidence:read',
+            'export.viewer', 'export.operator', 'export.admin',
+            'vuln:view', 'vuln:investigate', 'vuln:operate', 'vuln:audit',
+            'platform.context.read', 'platform.context.write',
+            'doctor:run', 'doctor:admin', 'ops.health',
+            'integration:read', 'integration:write', 'integration:operate',
+            'timeline:read', 'timeline:write'],
+     ARRAY['authorization_code', 'refresh_token'],
+     false, true, '{"tenant": "demo-prod"}'::jsonb)
+ON CONFLICT (client_id) DO NOTHING;
+