# Quickstart — Managed Tenant Onboarding Wizard v1

## Goal
Add a tenant-plane onboarding wizard under the `/admin` panel that:
- renders DB-only (no outbound calls during render/mount)
- enqueues verification checks as `OperationRun` records
- supports resume via a persisted onboarding session

## Local dev
- Start containers: `vendor/bin/sail up -d`
- Run tests (targeted): `vendor/bin/sail artisan test --compact --filter=Onboarding`

## Key entrypoint
- Tenant-plane wizard URL shape:
  - `/admin/t/{tenant:external_id}/onboarding`

## Operational checks
- Wizard-triggered checks must create/dedupe `OperationRun` rows.
- The UI should poll/read DB state to display progress (no live Graph calls from render).

## RBAC semantics
- Non-member tenant access: 404 (deny-as-not-found)
- Member missing capability: 403 on server; UI shows disabled + tooltip via `UiEnforcement`