docs: module dossier + install/quickstart sync for truthful cutover sprints
- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring. - docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026. - docs/features/checked/web/**: update feature notes where UI changed. - docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts. - docs/setup/**, docs/technical/**: align with setup wizard contracts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
@@ -28,17 +28,34 @@ design material later in this document.
|
||||
|
||||
- The implemented UI bootstrap flow persists authoritative installation-scoped
|
||||
state in `platform.setup_sessions`.
|
||||
- On a completed installation, anonymous entry to `/setup-wizard/*` no longer
|
||||
pretends bootstrap is still open. The first setup-session create/read returns
|
||||
`401`, then the same route can continue as an authenticated reconfiguration
|
||||
session once the operator signs in.
|
||||
- Fresh compose bootstrap no longer pre-seeds `SetupComplete=true`; a clean
|
||||
local database now lands in the setup wizard until the control-plane steps
|
||||
are actually finalized. Legacy local volumes are auto-converged by Platform
|
||||
release migration `064_EnvironmentSettingsInstallationScopeConvergence.sql`.
|
||||
- The current live step inventory is limited to the five control-plane steps
|
||||
the running platform can truthfully validate and converge:
|
||||
`database`, `cache`, `migrations`, `admin`, and `crypto`.
|
||||
- The `admin` step now seeds the same local standard-provider and superuser
|
||||
defaults into wizard draft state that it renders in the visible form, so an
|
||||
operator can accept the prefilled values without retyping them and still get
|
||||
a truthful backend apply.
|
||||
- The current live step inventory includes the five required control-plane
|
||||
steps the running platform can truthfully validate and converge plus one
|
||||
optional data-onboarding step:
|
||||
`database`, `valkey`, `migrations`, `admin`, `crypto`, and `sources`.
|
||||
- The `sources` step defaults to StellaOps Mirror only. Operators can switch
|
||||
to manual advisory/VEX feed selection or skip the step explicitly.
|
||||
- Skipping `sources` leaves advisories and VEX off. The Advisory & VEX Sources
|
||||
integrations page then surfaces that disabled state and offers a one-click
|
||||
StellaOps Mirror enable path without rerunning bootstrap.
|
||||
- Using `sources` now performs a live reachability check of the selected
|
||||
mirror/source configuration before the step can complete. Operators must
|
||||
fix the mirror URL or skip the step if the endpoint is unreachable.
|
||||
- Local browser automation may ignore local dev certificates, but product
|
||||
advisory aggregation still requires a hostname-valid certificate and will
|
||||
report TLS/certificate failures directly in the setup step and integrations
|
||||
UI.
|
||||
- The `admin` step now seeds only non-secret local standard-provider and
|
||||
superuser defaults into wizard draft state. Username and email can stay
|
||||
prefilled, but the operator must deliberately enter the initial admin
|
||||
password instead of inheriting a baked-in demo value.
|
||||
- Session reads now separate sanitized `draftValues` from `secretDrafts`
|
||||
metadata. Secret-bearing inputs such as admin or database passwords are
|
||||
retained only in protected server-side companion storage, can survive resume,
|
||||
@@ -50,8 +67,11 @@ design material later in this document.
|
||||
installation-scoped setup session APIs rather than a separate local state
|
||||
machine.
|
||||
- Repeatable tenant onboarding work such as integrations, notifications,
|
||||
advisory sources, environments, agents, and branding lives on `/setup/*`
|
||||
and other authenticated module surfaces, not inside the bootstrap wizard.
|
||||
environments, agents, and branding lives on `/setup/*` and other
|
||||
authenticated module surfaces, not inside the bootstrap wizard.
|
||||
- Advisory/VEX onboarding is the one intentional exception: the wizard can
|
||||
seed initial source configuration because it directly governs whether
|
||||
aggregation starts at all on a fresh install.
|
||||
- Secret material is no longer an out-of-band prerequisite for GitLab-class UI
|
||||
onboarding. The Integrations Hub can stage credentials through the Secret
|
||||
Authority API and then bind the returned `authref://...` URI to the created
|
||||
@@ -678,6 +698,7 @@ When the system detects first-run (no database connection or admin user):
|
||||
| `migrations` | Database Migrations | Apply schema updates |
|
||||
| `admin` | Admin Bootstrap | Create administrator account |
|
||||
| `crypto` | Crypto Profile | Configure signing keys |
|
||||
| `sources` | Advisory & VEX Sources | Enable StellaOps Mirror or manual feeds |
|
||||
| `vault` | Vault Integration | Configure secrets management |
|
||||
| `scm` | SCM Integration | Connect source control |
|
||||
| `notifications` | Notification Channels | Configure alerts and notifications |
|
||||
|
||||
Reference in New Issue
Block a user