Bootstrap

Phase	Script	What it does
00	`00-preflight.ts`	Check Docker, just, bun, port availability; abort if missing.
01	`01-clone.ts`	If `target_env` is set + dir doesn't exist, clone `/opt/asd-pma/` to `/opt/pma-<target_env>/` and re-exec there.
02	`02-discover-services.ts`	Read `services.yaml` + profile; produce list of active services.
03	`03-configure-env.ts`	Walk each active package's `tpl.env`; populate `.env` (expand `{{random:N}}`, `{{service-url}}` patterns).
04	`04-pull-images.ts`	`docker pull` every image declared in `packages/*/manifest.yaml`.
05	`05-net-apply.ts`	`just mcp-asd net apply --tunnel --caddy` — set up routes + tunnel + Caddy.
06	`06-start-services.ts`	For each service (in `startup_priority` order): pre_start_init → docker compose up → poll health → post_start_init.
07	`07-sso-config.ts`	For each `sso.configured: false` service: dispatch to `scripts/sso/setup-<type>.py`.
07b	`07b-populate-api-keys.ts`	Some services need their API keys populated AFTER they're up + SSO is wired (Redmine, n8n).
08	`08-verify.ts`	Health-check every service. Run E2E tests. Take initial backup.

Sub-flow	Owner	What
`bootstrap-env`	phase 03	Pure env-var expansion
`bootstrap-sso`	phase 07	Dispatch SSO setup per `sso.type`
`bootstrap-api-keys`	phase 07b	Pull API keys from running services
`bootstrap-verify`	phase 08	Health + E2E + backup

Where it failed	First action
Phase 00 preflight	Install the missing dependency, re-run from phase 0
Phase 04 pull-images	Check Docker Hub credentials / network; re-run from phase 4
Phase 06 start-services	Look at `just logs <svc>` for the failing service; fix root cause; re-run phase 6
Phase 07 sso-config	Check Authentik is healthy; `just sso-fix <svc>`; re-run phase 7
Phase 08 verify	Address what verify flagged; re-run phase 8 (verify)

¶ Bootstrap