docs: module dossier + install/quickstart sync for truthful cutover sprints

- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring.
- docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026.
- docs/features/checked/web/**: update feature notes where UI changed.
- docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts.
- docs/setup/**, docs/technical/**: align with setup wizard contracts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-19 14:45:09 +03:00
parent ad62ba7f76
commit fdf95e0f46
67 changed files with 590 additions and 360 deletions


@@ -402,7 +402,7 @@ Authority now understands two flavours of sender-constrained OAuth clients:
- `security.senderConstraints.dpop.allowTemporaryBypass` toggles an emergency-only bypass for sealed drills. When set to `true`, Authority logs `authority.dpop.proof.bypass`, tags `authority.dpop_result=bypass`, and issues tokens without a DPoP `cnf` claim so downstream servers know sender constraints are disabled. **Reset to `false` immediately after the exercise.**
- `security.senderConstraints.dpop.nonce.enabled` enables nonce challenges for high-value audiences (`requiredAudiences`, normalised to case-insensitive strings). When a nonce is required but missing or expired, `/token` replies with `WWW-Authenticate: DPoP error="use_dpop_nonce"` (and, when available, a fresh `DPoP-Nonce` header). Clients must retry with the issued nonce embedded in the proof.
- Refresh-token requests honour the original sender constraint (DPoP or mTLS). `/token` revalidates the proof/certificate, enforces the recorded thumbprint/JKT, and reuses that metadata so the new access/refresh tokens remain bound to the same key.
- `security.senderConstraints.dpop.nonce.store` selects `memory` (default) or `redis` (Valkey-backed). When `redis` is configured, set `security.senderConstraints.dpop.nonce.redisConnectionString` so replicas share nonce issuance and high-value clients avoid replay gaps during failover.
- `security.senderConstraints.dpop.nonce.store` is `redis`/Valkey-backed for non-testing DPoP-enabled runtime. `memory` remains a testing-only mode so live Authority replicas never boot fake replay/nonce state. When `redis` is configured, set `security.senderConstraints.dpop.nonce.redisConnectionString` so replicas share nonce issuance and high-value clients avoid replay gaps during failover.
- Telemetry: every nonce challenge increments `authority_dpop_nonce_miss_total{reason=...}` while mTLS mismatches increment `authority_mtls_mismatch_total{reason=...}`.
- Example (enabling Valkey-backed nonces; adjust audiences per deployment):
```yaml
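Review bot: the rewritten `security.senderConstraints.dpop.nonce.store` bullet drops the default that the replaced line documented (`memory` (default)) and does not say what Authority does when `memory` is configured outside `Testing`. Since the intent is that non-testing replicas never boot with in-memory nonce state, state the enforcement explicitly (startup failure versus override) and name the current default, so an operator doing a cutover can tell whether an unchanged config will still start. The two clauses about `redisConnectionString` and failover replay gaps are carried over unchanged and read fine.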


@@ -1,8 +1,9 @@
# StellaOps Authority
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
## Latest updates (2025-12-04)
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
## Latest updates (2026-04-16)
- Authority no longer uses live in-memory DPoP replay or nonce state outside `Testing`; non-testing DPoP-enabled runtime now requires durable Valkey-backed state and restart-survival proof exists in `AuthorityDpopRuntimeTests`.
- Added gap remediation package for AU1AU10 and RR1RR10 (31-Nov-2025 FINDINGS) under `docs/modules/authority/gaps/`; includes deliverable map + evidence layout.
- Sprint tracker `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` and module `TASKS.md` mirror status.
- Monitoring/observability references consolidated; Grafana JSON remains offline import (`operations/grafana-dashboard.json`).
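Review bot: changing the heading from `## Latest updates (2025-12-04)` to `(2026-04-16)` while keeping the three earlier bullets (gap remediation package, sprint tracker, Grafana JSON) under it redates those older items as April 2026 updates; keep a dated subsection for the 2025-12-04 entries or move them to a changelog so only the DPoP state bullet sits under the new date. The new bullet also says Authority "no longer uses" in-memory replay/nonce state outside `Testing` while the same sentence says the runtime "now requires" Valkey-backed state; saying it refuses in-memory state would match the stricter wording in the architecture hunk of this commit. While the section is open, the unchanged `AU1AU10`/`RR1RR10` ranges and `31-Nov-2025` (November has 30 days) look like a lost dash and a typo.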
@@ -26,7 +27,7 @@ Authority is the platform OIDC/OAuth2 control plane that mints short-lived, send
## Operational notes
- PostgreSQL (schema `authority`) for tenant, client, and token state.
- Standard plugin bootstrap provisioning retries transient storage failures during startup so seeded local users/clients converge after PostgreSQL becomes reachable.
- Standard plugin bootstrap provisioning retries transient storage failures during startup so first-party local clients converge after PostgreSQL becomes reachable; the first human admin is created through setup, not pre-seeded.
- Key material in KMS/HSM with rotation runbooks (`operations/key-rotation.md`).
- Monitoring runbook (`operations/monitoring.md`) and offline-import Grafana JSON (`operations/grafana-dashboard.json`).
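Review bot: the updated bootstrap bullet says first-party local clients "converge after PostgreSQL becomes reachable" but gives no bound on the retries (attempt count or total wait) and no pointer to what is logged if bootstrap gives up; for an operational-notes list, add that bound or link the relevant runbook. The new clause "the first human admin is created through setup, not pre-seeded" would also benefit from a link to the setup wizard doc, since this README is where an operator doing a fresh install will look for it.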


@@ -33,8 +33,10 @@
* **Device Code** (CLI login on headless agents; optional when enabled by the deployment profile)
* **Authorization Code + PKCE** (browser login for UI and future human CLI flows; optional)
* **Password** (current local/dev bootstrap compatibility path for human CLI login; not the target long-term operator flow)
* **Current local/dev standard-plugin seed** (`etc/authority/plugins/standard.yaml`):
* **Current local/dev standard-plugin bootstrap** (`etc/authority/plugins/standard.yaml`):
* generic tenant anchor: `default`
* no pre-seeded human admin user; the first administrator is created through the setup wizard
* `stella-ops-ui`: `authorization_code refresh_token`
* `stellaops-cli`: public human client with `authorization_code password refresh_token`; localhost redirect URIs are PKCE-required, and the CLI currently uses this client for fresh-shell interactive username/password login
* `stellaops-cli-automation`: confidential automation client with `client_credentials`
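Review bot: the new bullet "no pre-seeded human admin user; the first administrator is created through the setup wizard" sits beside the unchanged `stellaops-cli` bullet, which still says the CLI uses this client for fresh-shell interactive username/password login; on a fresh deployment there is no local user for the `password` grant until the wizard has run. State the ordering (setup wizard first, then CLI password login) or note that the password path is unusable before an administrator exists, so the two bullets do not read as contradictory.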
@@ -153,7 +155,7 @@ plan? = <plan name> // optional hint for UIs; not used for e
* `POST /revoke` → revokes refresh tokens or opaque access tokens.
> Requests targeting the legacy `/oauth/{introspect|revoke}` paths receive deprecation headers and are scheduled for removal after 1 May 2026.
* **Replay prevention**: maintain **DPoP `jti` cache** (TTL ≤ 10 min) to reject duplicate proofs when services supply DPoP nonces (Signer requires nonce for highvalue operations).
* **Replay prevention**: maintain **DPoP `jti` cache** (TTL ≤ 10 min) to reject duplicate proofs when services supply DPoP nonces (Signer requires nonce for highvalue operations). In non-testing Authority runtime, this replay/nonce state must be durable and shared (Valkey-backed); in-memory state is reserved for `Testing` only.
### 3.4 UserInfo (optional for UI)
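Review bot: the appended sentence requires durable, shared (Valkey-backed) replay/nonce state outside `Testing` but does not name the setting that selects it; the configuration hunk in this same commit documents `security.senderConstraints.dpop.nonce.store` and `security.senderConstraints.dpop.nonce.redisConnectionString`, so reference them here so a reader of the architecture doc can find the knob. It would also help to say that the `jti` cache TTL (≤ 10 min) applies to the Valkey entries too, since the cross-replica replay guarantee depends on every replica seeing the same TTL.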
@@ -556,6 +558,8 @@ Manages trusted VEX/CSAF publisher metadata. Owns:
**Compiled models:** IssuerDirectoryDbContext also uses EF Core compiled models. The `<Compile Remove>` directive for `EfCore/CompiledModels/IssuerDirectoryDbContextAssemblyAttributes.cs` lives in `src/Authority/__Libraries/StellaOps.IssuerDirectory.Persistence/StellaOps.IssuerDirectory.Persistence.csproj` (relocated from `src/IssuerDirectory/` by Sprint 216).
Non-testing IssuerDirectory web runtime now requires PostgreSQL persistence; in-memory repositories remain a testing-only path.
### 21.3 No-merge security rationale
**Decision:** Schemas remain permanently separate. No cross-schema DB merge.
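Review bot: the added sentence about non-testing IssuerDirectory runtime requiring PostgreSQL persistence is placed inside the "Compiled models" paragraph, which is about EF Core compiled-model build directives, and directly before the "21.3 No-merge security rationale" heading; it is a runtime requirement, not a build note, so give it its own paragraph or bullet. It should also state what happens when in-memory repositories are configured outside testing (refuse to start versus warn) and which configuration selects the persistence mode, to match the Authority DPoP state statement elsewhere in this commit.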