Adds provider management control plane for Excititor: contracts, service,
endpoint group, focused tests. Matching plan shipped as
SPRINT_20260422_004_Concelier_full_connector_control_plane.md.
- VexProviderManagementContracts: request/response shapes
- ProviderManagementEndpoints: REST surface under the Excititor WebService
- VexProviderManagementService: business logic + persistence hooks
- ProviderManagementEndpointsTests: focused coverage
- TestAuthentication + csproj wiring updates for the new test surface
Work picked up mid-session; code was already on disk when this commit
series started. Bundling under the new sprint's plan here so the history
shows a coherent feature rather than a stray dirty diff.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_007 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. 34 assertions, 0 fail,
0 deferred.
FE-QA-EVID-001 — Evidence: 7/7 PASS
/evidence/{overview, audit-log, verify-replay, exports, capsules, proofs,
bundles}. Alias chains to /ops/operations/audit confirmed intentional per
evidence.routes.ts.
FE-QA-OPS-002 — Ops: 8/8 PASS
/ops/operations/{jobengine, feeds-airgap, doctor, audit, notifications,
health-slo, watchlist} + /ops/scripts. Doctor full diagnostics grid
rendered with real data.
FE-QA-SETUP-003 — Setup + Admin: 12 + 7 PASS
Setup: /setup{, /integrations, /trust-signing (+ issuers/keys/certificates
/audit sub-tabs aliased correctly), /identity-providers, /tenant-branding,
/workflows, /ai-preferences, /topology}.
Admin: all /console-admin/{tenants, users, roles, clients, audit, branding,
assistant} preserved console origin under "Console Administration" heading.
FE-QA-EVIDOPS-004 — Retention coverage:
New e2e/routes/sprint-007-evidence-ops-setup-admin.e2e.spec.ts with 27
Playwright assertions covering origin, canonical-or-alias URL, and
identity-matching body text. Uses the existing auth.fixture.ts pattern.
Evidence: docs/qa/feature-checks/runs/web/sprint-007-evidence-ops-setup-admin/
run-001/ (EVIDENCE.md + tier2-ui-check.json + 36 screenshots + verify.mjs).
Authority default-tenant gap (same as FE-QA-REL-001 discovery):
stellaops_authority had zero tenants and zero users; setup wizard admin
bootstrap failed with users_tenant_id_fkey FK violation. Worked around
in-session by inserting `installation` + `default` tenants and calling
POST /api/v1/setup/sessions/{id}/steps/admin/execute. This is the same
bug two parallel agents independently hit — needs a real Authority sprint
to seed `default` through migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_006 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. Evidence directories
include per-route screenshots + tier2-ui-check JSON with PASS/FAIL/DEFERRED
assertions.
FE-QA-REL-001 — Release Control: 9/9 PASS
/environments/overview, /releases, /releases/deployments, /releases/bundles,
/releases/promotions, /releases/approvals, /releases/hotfixes,
/releases/investigation/timeline, /releases/workflows
FE-QA-REL-002 — Release Policy: 7/9 PASS, 2 DEFERRED
/ops/policy/{packs, governance, vex, simulation, governance/budget,
governance/profiles, vex/exceptions} — all PASS.
DEFERRED: /ops/policy/governance/audit (redirects to sprint-007-owned
/ops/operations/audit — scope lock), /ops/policy/governance/trust-weights
(tab URL doesn't persist — flagged as follow-up).
FE-QA-SEC-003 — Security: 10/10 effective PASS
Direct PASS: /security{,/images,/risk,/advisory-sources,/findings,
/vulnerabilities,/reachability}
Redirect PASS matching SEC-005/006/007 consolidation contracts:
/security/vex → /ops/policy/vex, /security/artifacts → /triage/artifacts,
/security/exceptions → /ops/policy/vex/exceptions.
FE-QA-RELSEC-004 — Retention coverage:
New e2e/routes/release-security-identity.e2e.spec.ts with 24 route-identity
assertions + 1 Release interaction guard. Uses auth.fixture.ts test-session
so CI does not require live Authority credentials.
Environmental gap surfaced (worked around in-session, NOT a code fix here):
stellaops_authority was missing the `default` tenant row, breaking setup-
wizard Admin bootstrap with FK users_tenant_id_fkey=(default) and causing
admin login to return invalid_grant. Manually seeded `default` into
authority.tenants and finalized the setup session via Platform Setup API.
Should be addressed in a follow-up Authority sprint — the default tenant
seed needs to land in startup migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the last open task in SPRINT_20260422_003. Persisted operator
enablement is now separated from runtime readiness so credential-gated
sources can show an explicit blocked state instead of collapsing into a
generic failed/disabled shape.
Readiness model:
- new SourceReadiness constants class: Disabled | Unsupported | Blocked | Ready
- ConfiguredAdvisorySourceStatus gains Readiness + BlockedReason alongside
existing SyncState (kept as backward-compatible alias)
- enabled = persisted operator intent (untouched)
- readiness = blocked when persisted-enabled and credentials/URIs missing
- blockedReason = free-form list of missing fields
- blockingReason.errorCode = SOURCE_CONFIG_REQUIRED for structured drill-down
Endpoint propagation:
- /status: persisted enabled=true kept; readiness=blocked; readyForSync=false
- /{id}/enable: 200 with readiness=blocked; sourceRegistry left disabled
until credentials land (pre-existing behaviour retained)
- /{id}/sync: 422 readiness=blocked + SOURCE_CONFIG_REQUIRED;
**connector never invoked**, no job run created
- /sync (batch): per-result outcome=blocked with readiness/errorCode/
blockedReason; excluded from totalTriggered; other sources proceed
- Transition: PUT /{id}/configuration with missing credential →
runtimeOptionsInvalidator.Invalidate → next /status flips to ready.
No disable/re-enable cycle needed.
Tests: 8 targeted xUnit methods via scripts/test-targeted-xunit.ps1,
8/8 pass. Includes: blocked status exposure, blocked-to-ready transition
on persisted credential, connector-not-invoked-when-blocked, plus 4
pre-existing SRC-CREDS-002 regression tests.
Docs:
- docs/modules/concelier/connectors.md — new "Blocked / sleeping
readiness state" section with field contract, per-endpoint behaviour
table, UI/CLI rendering guidance, resolution flow
- docs/modules/cli/guides/commands/db.md — short note under
`db connectors configure` cross-linking the connectors.md contract
Sprint SPRINT_20260422_003 archived — all 5 tasks DONE.
New fields are additive; existing UI types in
source-management.api.ts ignore unknown fields so no UI breakage. A
future FE pass can wire explicit readiness/blockedReason rendering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SPRINT_20260422_001 (Notify compat surface restoration) — closes
NOTIFY-COMPAT-003 final criterion. notify-web rebuilt, 7/7 gateway probes
green post-rebuild (8th returns contracted 501 notify_overrides_not_supported).
Browser replay via direct Node+Playwright driver (MCP bridge rejected the
self-signed cert) confirmed Dashboard/Channels/Quiet Hours/Overrides/
Escalation/Throttle tabs render without runtime-unavailable banners. All 3
tasks DONE.
SPRINT_20260421_003 (Concelier advisory connector runtime alignment) —
all 7 tasks were already DONE before this session; archival is purely
administrative.
Evidence bundle at docs/qa/notify-compat-20260422/ includes EVIDENCE.md,
verify.mjs + verify_with_token.mjs, verify-results.json, and screenshots
for each verified tab.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Execution log entry for the SbomService
backfill + Notifier wave E coverage extensions.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Every per-service audit LIST endpoint
now advertises the Timeline successor link and Sunset 2027-10-19.
Remaining AUDIT-005 criteria (Timeline as SoT, no-data-loss) stay
gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Audit dashboard now renders the retention
tile and the log table shows classification / hold / redaction pills
alongside each event. All three criteria checked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-006 flipped TODO → DOING with the
model + client layer complete for all three criteria (module filter,
classification visibility, retention display). Angular component
renders (badges, overview tile) are a component follow-up since they
live in separate component templates the background agent owns.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. First criterion of AUDIT-005 met: two
per-service audit list endpoints now advertise Sunset/Deprecation/Link
headers pointing at Timeline's unified endpoint. Remaining two criteria
are gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. 2 of 3 criteria DONE: Timeline event pull
and chain-verification certificate are now included in AuditBundles.
DSSE manifest signing deferred as a follow-up (cross-service signer
handshake scope).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 reaches DONE with migration 005,
AuditDataClassifier (16 tests), RedactActorPiiAsync + DELETE endpoint,
AuditRetentionPurgeService, docs/modules/timeline/audit-retention.md,
and the new TimelineAuditRetentionCheck Doctor plugin all shipped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 documentation criterion.
docs/modules/timeline/audit-retention.md covers:
- Four-rung classification ladder and the "narrowest wins" rule
- Retention table structure, platform defaults, per-tenant overrides,
and legal holds via compliance_hold
- AuditRetentionPurgeService config + operator recommendations
- Right-to-erasure endpoint contract, hash-chain integrity guarantees,
and the idempotency semantics via pii_redacted_at
- Sequence-chain gap behaviour after purge and how chain verification
should window its checks
- Compliance checklist for operators
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-004 flipped TODO → DOING with the
first three completion criteria checked. Migration 005, classifier,
retention purge host, and right-to-erasure endpoint all shipped across
commits 44c0e2b34..AUDIT-004 (migration + store + endpoint) and the
purge background host. Docs dossier + Doctor check deferred.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. After AUDIT-002 wired Emission in all 14+
priority services, the original AUDIT-003 scope of "add more polling
targets" is no longer load-bearing. The remaining candidate modules
(Scanner, Scheduler, Integrations, Attestor) do not expose HTTP audit
endpoints — they rely on Emission. SbomService's ledger audit endpoint
is artifact-specific and does not fit the unified polling contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 execution log entry for the 26+ new
.Audited() decorations across Graph, SbomService, Policy.Gateway,
Notifier, Concelier, Excititor (commits 4cbe58fc8 + 6c3ebff9d).
Combined with pre-existing decoration in Authority/Scanner/Policy.Engine/
Notify/JobEngine/Integrations/AdvisoryAI/EvidenceLocker/Attestor, the
codebase now has ~240 .Audited() call sites.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. First completion criterion of AUDIT-002
("AddAuditEmission() called in all 14+ service Program.cs files") is
now DONE after waves A (commit b2b0c905b) + B (commit 981f4459a).
Remaining: endpoint-level AuditActionAttribute decoration, runtime
verification at /api/v1/audit/events, startup-time regression check.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
test-targeted-xunit.ps1 verified end-to-end against
SchedulerStorageConfigurationTests (3/3 pass via direct DLL exec).
QA flow + testing-practices docs updated.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SchedulerStorageConfiguration ResolveConnectionString supports flat,
compose-nested, and legacy keys; web host fails fast with a clear
message listing all three. Targeted xUnit run of
SchedulerStorageConfigurationTests passes 3/3.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All three tasks are now DONE per the 2026-04-19 execution log:
- ADV-SETUP-006 setup source probe/apply reflects real connectivity
- ADV-SETUP-007 enabled-but-broken advisory warning + auth helper
- ADV-SETUP-008 targeted Platform + Concelier xUnit verification
passed via the direct xUnit runner workflow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to SPRINT_20260419_028 TEST-RUNNER-001.
- scripts/test-targeted-xunit.ps1: refinements to the helper.
- docs/code-of-conduct/TESTING_PRACTICES.md: default targeted xUnit v3
verification to the new helper.
- docs/qa/feature-checks/FLOW.md: call out Microsoft Testing Platform
filter-ignore behaviour and point to the helper.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260419_028_Tools_targeted_xunit_runner_workflow
(TEST-RUNNER-001 DOING — sprint remains active).
- scripts/test-targeted-xunit.ps1: rebuild-and-invoke xUnit v3 in-process
runner directly so targeted filters work under Microsoft Testing Platform
(dotnet test --filter is ignored there).
- Register sprint file in implplan.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260415_001 — track execution across the cutover
sub-sprints and record per-module evidence.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds SPRINT_20260415_001_DOCS_real_service_cutover_plan tracking the doc
work needed to finalize the no-mocks / real-service migration.
Archives SPRINT_20260415_002_FE_integration_hub_truthful_status_and_button_styling
— both tasks complete (truthful integration status + button styling fix
landed in the earlier Web UI commit).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge via Option B:
- Phase 1 (VXPM-001..005) marked OBSOLETE. The separate vulnexplorer
schema was superseded by commit 6b15d9827 (direct merger into Findings
Ledger); there is no separate Postgres schema to build.
- Phase 2 corrections: VXLM-003/004/005 flipped to DONE. The adapter
ConcurrentDictionary pattern is accepted as the VXLM-003 closure — these
are read-side projections over Ledger events; durability comes from the
append-only event log, not from the adapter. Two follow-ups logged in
Decisions & Risks (FOLLOW-A: write-through Ledger event emission;
FOLLOW-B: /api/v1/vulnerabilities gateway route alignment).
- Deletes stale VulnExplorer project trees:
- src/Findings/StellaOps.VulnExplorer.Api/ (entire service)
- src/Findings/StellaOps.VulnExplorer.WebService/ (shell + migrated contracts)
- src/Findings/__Tests/StellaOps.VulnExplorer.Api.Tests/ (tests targeted
SampleData IDs that no longer exist under Ledger)
- src/Findings/StellaOps.Findings.Ledger.WebService/Services/
VulnExplorerRepositories.cs (33-line placeholder with a misleading
header comment; the actual Postgres path was never wired)
- Updates StellaOps.sln and Findings.sln to drop the removed project GUIDs
and their 24 configuration entries. dotnet build
src/Findings/StellaOps.Findings.sln passes 0 warnings / 0 errors.
Also archives the 4 previously-closed sprints:
- SPRINT_20260408_002 Findings VulnExplorer merger (above)
- SPRINT_20260410_001 Web runtime no-mocks (21/21 tasks done via earlier
Postgres persistence commits)
- SPRINT_20260413_002 Integrations GitLab bootstrap automation
- SPRINT_20260413_003 Web UI-driven local setup rerun
- SPRINT_20260413_004 Platform UI-only setup bootstrap closure
Active sprints reduced to 2: SPRINT_20260408_004 Timeline unified audit
sink (15-25hr breadth work) and SPRINT_20260408_005 Audit endpoint filters
deprecation (mandatory 30/90-day verification windows).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
devops/compose: docker-compose.stella-ops.legacy.yml +
docker-compose.stella-services.yml receive small service wiring updates.
Playwright: refreshed auth-state/report fixtures from the latest
integrations + setup-wizard + policy-runtime live runs. Includes a new
playwright-report-integrations/ bundle.
Docs: SPRINT_20260410_001 (runtime no-mocks) significantly expanded with
additional NOMOCK tasks reflecting the Postgres-backed work shipped across
Policy, Graph, Excititor, VexLens, Scanner, VexHub. SPRINT_20260413_004
(UI-only setup bootstrap closure) log updates.
Gitignore: narrow the earlier `output/` rule to `/output/` so the tracked
src/Web/StellaOps.Web/output/playwright fixtures continue to be picked up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Authority: StellaOpsLocalHostnameExtensions gains additional local aliases
for the IssuerDirectory service; new StellaOpsLocalHostnameExtensionsTests
cover the alias table. IssuerDirectory.WebService Program.cs wires the
IssuerDirectory host against the shared auth integration.
Scanner: WebService swaps in-memory score replay tracking for
PersistedScoreReplayRepositories (Postgres-backed) in Program.cs.
Docs: scanner architecture page updated.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Excititor: new migration 003_vex_claim_store.sql and PostgresVexClaimStore
replace the in-memory claim tracking. ExcititorPersistenceExtensions wires
the store; ExcititorMigrationTests updated. Archives S001 demo seed.
VexLens: new migration 002_noise_gating_state.sql with
PostgresGatingStatisticsStore, PostgresSnapshotStore, and
PostgresNoiseGatingJson bring noise-gating state onto disk. New
VexLensRuntimeDatabaseOptions + AuthorityIssuerDirectoryAdapter +
VexHubStatementProvider provide the runtime wiring. WebService tests cover
the persistence, the issuer-directory adapter, and the statement provider.
VexHub: WebService Program, endpoints, middleware, models, and policies
tightened; VexExportCompatibilityTests exercise the Concelier↔VexHub export
contract.
Docs: excititor, vex-hub (architecture + integration guide), and vex-lens
architecture pages updated to match the new persistence and verification
paths.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces IGraphRuntimeRepository + PostgresGraphRuntimeRepository that back
runtime-path graph reads with real persistence. Graph.Api Program.cs wires
the new repository into the DI graph. InMemory* services get small cleanups
so they remain viable for tests and local dev.
CompatibilityEndpoints: extends the integration-test surface.
Tests: GraphPostgresRuntimeIntegrationTests,
GraphRuntimeRepositoryRegistrationTests, expanded
GraphCompatibilityEndpointsIntegrationTests.
Docs: graph architecture page updated.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs/modules/workflow/analyzer.md — user-facing reference for
WF001-WF006 + WF010: one section per rule with a "bad" example and
the canonical fix. Covers activation, scope (Spec property is the
entry point; helpers walked transitively), trusted-assembly prefix
rule, cross-project WF010 indirection, and non-goals (no source
generator, no severity config, no escape hatch).
The DiagnosticDescriptors' HelpLinkUri already points at sections in
this doc (e.g., #wf005), so users who hit a build error can click
through to the exact rule explanation.
Golden tests (GoldenWorkflowShapeTests) exercise three patterns
lifted from the Bulstrad corpus:
1. static readonly LegacyRabbitAddress fields + nested
WhenExpression(Gt, Len, ...) + .Call + OnComplete with
WhenExpression(Eq, ...) + ActivateTask/Complete
2. SetBusinessReference(new WorkflowBusinessReferenceDeclaration
{ KeyExpression, Parts = new WorkflowNamedExpressionDefinition[] { ... } })
3. WorkflowExpr.Func("bulstrad.normalizeCustomer", path)
— custom runtime function dispatch
Each asserts zero WF* diagnostics. A regression that rejects these
patterns would break the entire Serdica corpus.
30/30 tests pass.
Integration hub: extends integration.models with fields needed by the wizard
(capabilities, credentials, readiness), updates the shell and list components,
adds routing for the new hub flow, and broadens the integration-list spec.
Integration wizard: new integrations-hub.component, extended wizard with
capability/credential handling, updated template + type models, and broader
spec coverage.
Sprint docs: SPRINT_20260413_003 (UI-driven local setup rerun) updated with
wiring notes; SPRINT_20260410_001 (no-mocks) adjusted. ReleaseOrchestrator
architecture doc gets a minor clarification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
-008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
BLOCKED. Sprint cannot be archived until the verification windows pass.
- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
fix verifications, and audit bundles with ConcurrentDictionary; the
VulnExplorer.Api and VulnExplorer.WebService project directories were not
deleted; migration 010 is present but unused. Execution log records the
finding; commit 414049ef8 message was misleading.
- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
large for a single session. Sprint stays active.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TASK-013: SchedulerPersistenceExtensions now calls AddStartupMigrations so
the embedded SQL files (including 007 job_kind + 008 doctor_trends) run on
every cold start. Deletes duplicate migrations 007_add_job_kind_plugin_config
(kept 007_add_schedule_job_kind.sql with tenant-scoped index) and
008_doctor_trends_table (kept 008_add_doctor_trends.sql with RLS + BRIN
time-series index).
TASK-010: Doctor UI trend service now calls
/api/v1/scheduler/doctor/trends/categories/{category} (was
/api/v1/doctor/scheduler/...) so it routes through the scheduler plugin
endpoints rather than the deprecated standalone doctor-scheduler path.
TASK-009: New DoctorJobPluginTests exercises plugin lifecycle: identity,
config validation for full/quick/categories/plugins modes, plan creation,
JSON schema shape, and PluginConfig round-trip (including alerts). 10 tests
added, all pass (26/26 in Plugin.Tests project).
Archives the sprint — all 13 tasks now DONE — and archives the platform
retest sprint (SPRINT_20260409_002) whose RETEST-008 completed via the
earlier feed-mirror cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds PowerShell helpers to seed the local Stella Ops stack with a working
GitLab + integrations configuration:
- bootstrap-local-gitlab-secrets.ps1 provisions GitLab's JWT signing secret
and admin PAT into Vault/Authority.
- register-local-integrations.ps1 POSTs the canonical integration records
(GitLab, Jenkins, Harbor, Gitea, Nexus, etc.) against the Integrations
service for first-run local environments.
Docs: INSTALL_GUIDE.md + integrations/LOCAL_SERVICES.md document the new
helpers. devops/compose README and router-gateway-local.json get the
corresponding route wiring. Two new sprint files track the follow-on work
(SPRINT_20260413_002, SPRINT_20260413_003).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
