docs(slice-5): PROGRESS.md + README refresh for v1.7.0 release

README.md

@@ -201,10 +201,14 @@ Full diagram: [`docs/architecture/reference.md`](docs/architecture/reference.md)
 | `v1.1` | **Polish — shipped** | Banner, full Helm chart (runner StatefulSet, Ingress, NetworkPolicy, Postgres subchart), 3 example targets (Bun, Next.js, Laravel) |
 | `v1.2` | **Admin SPA wired — shipped** | Tailwind 4 + TanStack Router + Query + 12 screens, audit-chain verification in-browser via Web Crypto |
 | `v1.3` | **Quality batch — shipped** | Admin server↔UI mapping, 6 detail routes, 12 new admin tests, CLI E2E smoke gate, threat-model expansion, CHANGELOG backfill |
+| `v1.4` | **API surface — shipped** | 28 admin server routes, `MemoryStore` full coverage, multi-tenant via `x-aqa-org`/`x-aqa-project` headers |
+| `v1.5` | **Admin design integration — shipped** | 30-screen hi-fi prototype bundled, Playwright E2E gate, theme + palette + Findings kanban |
+| `v1.6` | **`aqa run` + bundled packs — shipped** | Three-tier pack discovery, atomic run-dir, applies_when filtering, agent-mode rejection until driver lands |
+| `v1.7` | **Pack authoring + admin CRUD — shipped** | `PACK-AUTHORING.md`, `aqa pack new`, admin Create-pack/Import-manifest wizards, full Profile/Risk/Scenario CRUD (Delete/Edit/Clone), Agents wired to `/api/agents`, Operations + Admin pages wired to `/api/audit` / `/api/cost/summary` / `/api/queue` / `/api/notifications` / `/api/tokens` / `/api/orgs`, scenario YAML editor, schema-conforming mock-id migration, `Agent` schema, `agents:read`/`agents:edit` permissions, atomic `Store.createProfile/createScenario` |
 
 ## Status
 
-**GA (`v1.0` shipped, `v1.3` current).** The full 24-task roadmap is closed:
+**GA (`v1.0` shipped, `v1.7` current).** The full 24-task roadmap is closed:
 schemas, CLI (`@aqa/kit`), 5 baseline packs, multi-agent adapters
 (Claude/Codex/Gemini/Copilot), runner with hash-chained audit, reporter
 with 3-level replay, admin panel, server + runner fleet, on-prem LLM

docs/PROGRESS.md

@@ -9,6 +9,15 @@
 - Each bullet states **what changed**, **why**, and **what's next** where relevant.
 - After a session interruption, the last bullet of the latest day is the resume point.
 
+## 2026-05-20
+
+- **v1.7 slice 4f closed — Admin section pages wired to existing endpoints.** PR #40 (`4c93bb7`). PageTokens fetches `GET /api/tokens` with `x-aqa-org` (adapts `@aqa/schemas` ApiToken to the page's fixture shape: `display_name → name`, `last_used_at → last_used`, owner-prefix heuristic for `kind`). PageOrg fetches `GET /api/orgs` and joins live slugs into the subtitle. PageAdminAudit shares the slice 4e `/api/audit` wire with admin-view copy via a new `normalizeAuditEventsForViewer` helper. `fmtDate`/`fmtDateTime` made null-safe (em-dash for missing dates). Create-token modal scope chips switched from pre-schema `runs:write`/`packs:install`/`admin` to the actual `ApiTokenScope` enum. **Users/Roles/SSO deferred** — no server scaffolding exists; out of scope. 4 new e2e tests in `admin-section.e2e.ts`. 6 Copilot review iterations.
+- **v1.7 slice 4e closed — Operations admin pages wired.** PR #39 (`99633d5`). PageAudit/PageQueue/PageCost/PageNotifications now read from existing `/api/audit`, `/api/queue`, `/api/cost/summary`, `/api/notifications` with graceful fixture fallback. Schema-true normalizers (server EnqueuedJob → UI job shape, Event → AuditChainViewer demo shape, Notification → fixture title/body/unread). Cost passes explicit `from`/`to` for MTD bounds. SELF resolves from SESSION_USER.id. Notifications filter list derives from server `NotificationKind` enum. 5 new e2e tests in `operations.e2e.ts`. 7 Copilot iterations.
+- **v1.7 slice 4d closed — Agents page refactored around real data.** PR #38 (`d97720a`). New `@aqa/schemas Agent`, new `agents:read`/`agents:edit` permissions (legacy `agents:install` aliased), new server CRUD (`GET /api/agents`, `GET /api/agents/:id`, `POST /api/agents/:id/install`, `POST /api/agents/:id/uninstall`), new `Store.listAgents/loadAgent/installAgent/uninstallAgent` (Memory implements + `__test_seedAgent` test-only; Postgres scaffold notImpl). PageAgents fetches the live list with fixture fallback; install/uninstall buttons call real endpoints with in-flight guard + toasts. `Agent.files` validated as `SafeRepoPath` (rejects leading `/`, drive letters, `..` segments, UNC roots). Empty server list is authoritative. Header counts sourced from state. 5 new e2e tests in `agents.e2e.ts`. 7 Copilot iterations.
+- **v1.7 slice 4c.7+4c.8 admin closed — Scenario edit/clone YAML wizard.** PR #37 (`a1a0d0a`). Shared `ScenarioYamlWizard` (`mode: 'edit' | 'clone'`) with a YAML textarea seeded from a schema-conforming stub (or, in edit mode, the persisted override / created body). Client parses YAML via the new `yaml` admin dep; debounced 150ms with sync-on-seed. UX errors block submit: parse error, body-not-an-object, missing/non-string id, Slug-regex violation (matches `@aqa/schemas` Slug), clone-empty/clone-same-as-source/collision, edit path/body id mismatch. App-level `updatedScenarios` + `createdScenarios` Maps + `aqa:scenario-updated/-created` events with prototype-pollution guard (`safeMergeObject` strips `__proto__`/`constructor`/`prototype`). Scenario fixtures migrated from dotted ids (`api.tenant.cross_tenant_search`) to dashed Slug-compliant ids; tree grouping switched to explicit `category` field. Spec preview re-renders from override via `__aqaYamlStringify`. 10 e2e tests in `scenario-yaml.e2e.ts`. 8 Copilot iterations.
+- **v1.7 slices 4c.1 through 4c.8 closed.** Profile Delete/Edit/Clone (PRs #29/#30/#31), Risk Delete/Edit (PRs #32/#33), Scenario Delete (PR #34), Scenario Edit/Clone server-side hardening (PRs #35/#36). All 8 micro-PRs squash-merged; the architecture lessons (`inFlightRef` synchronous guard, captured-submittedId stale-submit guard, render-time refs not effect-time, modal close-affordance inertness during submit, App-level lifted state with `aqa:*` CustomEvents, atomic `createX` in Store, mock-id migration to schema-conforming Slug) carried through every later slice.
+- **Final v1.7 closing step.** Tag `v1.7.0`, GitHub release notes covering the full slice 4 surface (Operations + Admin sections wired to existing routes, Agents fully end-to-end, Scenario admin via YAML, Profile/Risk/Scenario CRUD complete).
+
 ## 2026-05-17
 
 - Started `task/bootstrap-governance` from `main` (commit `c25dd4e` = initial). Goal: stand up the process governance — branch strategy, validation loop, Copilot review automation, docs scaffolding, repo tooling — **before** any product code is written.