docs(mission-control): show new chatty enroll output in Chapter 5

emrul · emrul · commit 8a1e1b0c925b · 2026-04-10T21:23:51.000+01:00
The Python QA agent's Day 0 report flagged 'aster enroll' as the
first painful moment in the walkthrough. The CLI now prints a rich
explanatory summary by default; the guide shows that output inline
so users know what the credential file is and how to use it.

Added:
- Sample output block from `aster enroll node`
- Tip callout explaining the [node] + [[peers]] TOML structure
- Note about the new --quiet/-q flag for scripts/CI
diff --git a/docs/quickstart/mission-control.mdx b/docs/quickstart/mission-control.mdx
@@ -848,14 +848,65 @@ await server.serve();
 # Edge agent — status and ingest only
 aster enroll node --role consumer --name "edge-node-7" \
     --capabilities ops.status,ops.ingest \
-    --root-key ~/.aster/root.key
+    --root-key ~/.aster/root.key \
+    --out edge-node-7.cred
+```
+
+`aster enroll node` will print a summary like this:
+
+```
+✓ Enrollment credential created
+
+  File:         /home/you/work/edge-node-7.cred
+  Format:       TOML (.aster-identity) with [node] + [[peers]] sections
+
+  Peer:         edge-node-7
+  Role:         consumer (policy)
+  Capabilities: ops.status,ops.ingest
+  Endpoint ID:  142179f10b7bc606...
+  Trust root:   cd948e4c1456cdbe...
+  Expires:      2026-05-10T20:20:12+00:00
+
+  This file lets a consumer connect to your trusted-mode servers.
+  It contains a node identity (secret key) AND a signed enrollment
+  credential. The server validates the credential and grants the
+  capabilities listed below.
+
+  Use it:
+  aster shell <peer-addr> --rcan edge-node-7.cred
+  aster call <peer-addr> Service.method '<json>' --rcan edge-node-7.cred
 
+  ⚠  Keep this file secret -- it is both an identity AND a credential.
+```
+
+:::tip What's in the file?
+Despite the `.cred` extension, it's a regular `.aster-identity` TOML
+file with two sections:
+
+- **`[node]`** — the consumer's secret key + endpoint ID. Used by
+  the QUIC layer to prove the consumer's identity.
+- **`[[peers]]`** — the signed enrollment credential. Presented to
+  servers to claim capabilities.
+
+Both sections live in the same file because they're paired: the
+server checks that the QUIC peer ID matches the credential's
+`endpoint_id`. If they don't match, admission fails.
+:::
+
+```bash
 # Operator — full access including admin
 aster enroll node --role consumer --name "ops-team" \
     --capabilities ops.status,ops.logs,ops.admin,ops.ingest \
-    --root-key ~/.aster/root.key
+    --root-key ~/.aster/root.key \
+    --out ops-team.cred
 ```
 
+:::note Quiet mode for scripts
+Pass `--quiet` (or `-q`) to suppress the educational output. The
+command prints exactly one line: `<path> <endpoint_id> <expires_iso>`
+on success and exits non-zero on failure. Easy to parse from CI.
+:::
+
 ### Step 5: Connect with credentials
 
 <LanguageTabs>
