docs: module dossier + install/quickstart sync for truthful cutover sprints
- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring. - docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026. - docs/features/checked/web/**: update feature notes where UI changed. - docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts. - docs/setup/**, docs/technical/**: align with setup wizard contracts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -30,7 +30,7 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows
|
||||
- GET `/api/v1/platform/health/incidents`
|
||||
- GET `/api/v1/platform/health/metrics`
|
||||
- `GET /api/v1/platform/health/readiness` is the canonical readiness contract for both setup gating and post-boot diagnostics.
|
||||
- Required setup-blocking dependencies currently include the five converged setup steps (`database`, `cache`, `migrations`, `admin-bootstrap`, `crypto-profile`) plus live `frontdoor` and `authority` probes.
|
||||
- Required setup-blocking dependencies currently include the five converged required setup steps (`database`, `valkey`, `migrations`, `admin-bootstrap`, `crypto-profile`) plus live `frontdoor` and `authority` probes.
|
||||
- Optional post-boot dependencies are discovered from configured `STELLAOPS_*_URL` endpoints and currently include `release-orchestrator`, `policy-engine`, `scanner`, `signals`, `notify`, `scheduler`, `registry-token`, `sbomservice`, `packsregistry`, and `advisoryai`.
|
||||
|
||||
### Quota aggregation
|
||||
@@ -286,9 +286,20 @@ Current runtime behavior:
|
||||
- Setup secret protection key precedence is
|
||||
`Platform:Setup:SecretProtectionKey`,
|
||||
`STELLAOPS_SECRETS_ENCRYPTION_KEY`, then `STELLAOPS_BOOTSTRAP_KEY`.
|
||||
- The live wizard now owns only the five control-plane steps the running
|
||||
control plane can truthfully validate and converge: `database`, `cache`,
|
||||
`migrations`, `admin`, and `crypto`.
|
||||
- The live wizard now owns the five required control-plane steps the running
|
||||
control plane can truthfully validate and converge plus one optional
|
||||
advisory bootstrap step: `database`, `valkey`, `migrations`, `admin`,
|
||||
`crypto`, and `sources`.
|
||||
- The optional `sources` step defaults to StellaOps Mirror, supports manual
|
||||
advisory/VEX source selection, and preserves truthful skip semantics so a
|
||||
fresh install can clearly show advisories as off until the operator enables
|
||||
them.
|
||||
- The `sources` step now performs a real reachability check before it can
|
||||
pass. Mirror/source connectivity failures stay on the setup step instead of
|
||||
being downgraded to a background warning.
|
||||
- Certificate or hostname validation failures are surfaced directly. Local
|
||||
browser automation may ignore local certs, but product advisory aggregation
|
||||
still requires a hostname-valid certificate.
|
||||
- Tenant onboarding remains outside the bootstrap wizard. Integrations, feeds,
|
||||
notifications, environments, agents, branding, and related repeatable
|
||||
operations continue on `/setup/*` and module-owned authenticated APIs.
|
||||
@@ -331,18 +342,18 @@ Session payloads distinguish:
|
||||
| Step ID | Title | Required | Depends On | Notes |
|
||||
|---------|-------|----------|------------|-------|
|
||||
| `database` | PostgreSQL Database | Yes | - | Probe verifies reachability. Apply records convergence against the current runtime connection. |
|
||||
| `cache` | Cache / Valkey | Yes | - | Probe verifies cache reachability. Apply records convergence against the current runtime connection. |
|
||||
| `valkey` | Valkey / Redis Setup | Yes | - | Probe verifies cache reachability. Apply records convergence against the current runtime connection. |
|
||||
| `migrations` | Database Migrations | Yes | `database` | Probe reports pending migration state. Apply runs the migration-admin path against the canonical `Platform` and `ReleaseOrchestrator` registry modules and re-validates convergence. |
|
||||
| `admin` | Admin Bootstrap | Yes | `migrations` | Probe validates bootstrap prerequisites. Apply ensures the bootstrap admin exists. |
|
||||
| `crypto` | Crypto Profile | Yes | `admin` | Probe validates the requested crypto profile. Apply records the converged profile selection. |
|
||||
| `sources` | Advisory & VEX Sources | No | `admin` | Probe validates mirror or manual source selections. Apply persists source enablement through Concelier and schedules initial aggregation for newly enabled sources. |
|
||||
|
||||
Legacy aliases accepted during the compatibility window:
|
||||
- `valkey -> cache`
|
||||
- `authority -> admin`
|
||||
- `users -> admin`
|
||||
|
||||
Former tenant-onboarding steps such as `vault`, `scm`, `registry`, `sources`,
|
||||
`notify`, `environments`, `agents`, `telemetry`, `llm`, and `settingsstore`
|
||||
Former tenant-onboarding steps such as `vault`, `scm`, `registry`, `notify`,
|
||||
`environments`, `agents`, `telemetry`, `llm`, and `settingsstore`
|
||||
are no longer valid setup targets. Platform returns explicit handoff guidance
|
||||
to the authenticated onboarding surfaces instead.
|
||||
|
||||
@@ -373,6 +384,10 @@ to the authenticated onboarding surfaces instead.
|
||||
to the installation scope without an authenticated caller.
|
||||
- After setup is marked complete, anonymous setup session reads and mutations
|
||||
return `401` and the normal authenticated `platform.setup.*` policies apply.
|
||||
- After setup is marked complete, an authenticated operator may still create a
|
||||
new installation-scoped setup session for reconfiguration on the same
|
||||
`/api/v1/setup/sessions` contract; the expected browser flow is anonymous
|
||||
`401` followed by authenticated session creation after sign-in.
|
||||
- `Finalize` succeeds only after every required control-plane step has
|
||||
converged and the required readiness dependencies are not blocked.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user