docs: module dossier + install/quickstart sync for truthful cutover sprints

- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring.
- docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026.
- docs/features/checked/web/**: update feature notes where UI changed.
- docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts.
- docs/setup/**, docs/technical/**: align with setup wizard contracts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/modules/platform/platform-service.md

@@ -30,7 +30,7 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows
 - GET `/api/v1/platform/health/incidents`
 - GET `/api/v1/platform/health/metrics`
 - `GET /api/v1/platform/health/readiness` is the canonical readiness contract for both setup gating and post-boot diagnostics.
-- Required setup-blocking dependencies currently include the five converged setup steps (`database`, `cache`, `migrations`, `admin-bootstrap`, `crypto-profile`) plus live `frontdoor` and `authority` probes.
+- Required setup-blocking dependencies currently include the five converged required setup steps (`database`, `valkey`, `migrations`, `admin-bootstrap`, `crypto-profile`) plus live `frontdoor` and `authority` probes.
 - Optional post-boot dependencies are discovered from configured `STELLAOPS_*_URL` endpoints and currently include `release-orchestrator`, `policy-engine`, `scanner`, `signals`, `notify`, `scheduler`, `registry-token`, `sbomservice`, `packsregistry`, and `advisoryai`.
 
 ### Quota aggregation
@@ -286,9 +286,20 @@ Current runtime behavior:
 - Setup secret protection key precedence is
   `Platform:Setup:SecretProtectionKey`,
   `STELLAOPS_SECRETS_ENCRYPTION_KEY`, then `STELLAOPS_BOOTSTRAP_KEY`.
-- The live wizard now owns only the five control-plane steps the running
-  control plane can truthfully validate and converge: `database`, `cache`,
-  `migrations`, `admin`, and `crypto`.
+- The live wizard now owns the five required control-plane steps the running
+  control plane can truthfully validate and converge plus one optional
+  advisory bootstrap step: `database`, `valkey`, `migrations`, `admin`,
+  `crypto`, and `sources`.
+- The optional `sources` step defaults to StellaOps Mirror, supports manual
+  advisory/VEX source selection, and preserves truthful skip semantics so a
+  fresh install can clearly show advisories as off until the operator enables
+  them.
+- The `sources` step now performs a real reachability check before it can
+  pass. Mirror/source connectivity failures stay on the setup step instead of
+  being downgraded to a background warning.
+- Certificate or hostname validation failures are surfaced directly. Local
+  browser automation may ignore local certs, but product advisory aggregation
+  still requires a hostname-valid certificate.
 - Tenant onboarding remains outside the bootstrap wizard. Integrations, feeds,
   notifications, environments, agents, branding, and related repeatable
   operations continue on `/setup/*` and module-owned authenticated APIs.
@@ -331,18 +342,18 @@ Session payloads distinguish:
 | Step ID | Title | Required | Depends On | Notes |
 |---------|-------|----------|------------|-------|
 | `database` | PostgreSQL Database | Yes | - | Probe verifies reachability. Apply records convergence against the current runtime connection. |
-| `cache` | Cache / Valkey | Yes | - | Probe verifies cache reachability. Apply records convergence against the current runtime connection. |
+| `valkey` | Valkey / Redis Setup | Yes | - | Probe verifies cache reachability. Apply records convergence against the current runtime connection. |
 | `migrations` | Database Migrations | Yes | `database` | Probe reports pending migration state. Apply runs the migration-admin path against the canonical `Platform` and `ReleaseOrchestrator` registry modules and re-validates convergence. |
 | `admin` | Admin Bootstrap | Yes | `migrations` | Probe validates bootstrap prerequisites. Apply ensures the bootstrap admin exists. |
 | `crypto` | Crypto Profile | Yes | `admin` | Probe validates the requested crypto profile. Apply records the converged profile selection. |
+| `sources` | Advisory & VEX Sources | No | `admin` | Probe validates mirror or manual source selections. Apply persists source enablement through Concelier and schedules initial aggregation for newly enabled sources. |
 
 Legacy aliases accepted during the compatibility window:
-- `valkey -> cache`
 - `authority -> admin`
 - `users -> admin`
 
-Former tenant-onboarding steps such as `vault`, `scm`, `registry`, `sources`,
-`notify`, `environments`, `agents`, `telemetry`, `llm`, and `settingsstore`
+Former tenant-onboarding steps such as `vault`, `scm`, `registry`, `notify`,
+`environments`, `agents`, `telemetry`, `llm`, and `settingsstore`
 are no longer valid setup targets. Platform returns explicit handoff guidance
 to the authenticated onboarding surfaces instead.
 
@@ -373,6 +384,10 @@ to the authenticated onboarding surfaces instead.
   to the installation scope without an authenticated caller.
 - After setup is marked complete, anonymous setup session reads and mutations
   return `401` and the normal authenticated `platform.setup.*` policies apply.
+- After setup is marked complete, an authenticated operator may still create a
+  new installation-scoped setup session for reconfiguration on the same
+  `/api/v1/setup/sessions` contract; the expected browser flow is anonymous
+  `401` followed by authenticated session creation after sign-in.
 - `Finalize` succeeds only after every required control-plane step has
   converged and the required readiness dependencies are not blocked.