[PATCH 7/8] docs: add subscription registry chapter

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

Cover the new top-level feature: key pool, node status view, manual
assignment versus auto-assign, the pending/apply/clear lifecycle, and
the privilege model that gates mutation on per-remote resource
privileges in addition to system-scope MODIFY.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 docs/index.rst                 |  1 +
 docs/subscription-registry.rst | 50 ++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 docs/subscription-registry.rst

diff --git a/docs/index.rst b/docs/index.rst
index 2fc8a5d..2aaf86e 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -27,6 +27,7 @@ in the section entitled "GNU Free Documentation License".
    remotes.rst
    automated-installations.rst
    views.rst
+   subscription-registry.rst
    access-control.rst
    sysadmin.rst
    faq.rst
diff --git a/docs/subscription-registry.rst b/docs/subscription-registry.rst
new file mode 100644
index 0000000..95c2cd4
--- /dev/null
+++ b/docs/subscription-registry.rst
@@ -0,0 +1,49 @@
+Subscription Registry
+=====================
+
+The subscription registry maintains a central pool of Proxmox Enterprise subscriptions keys and
+lets an administrator assign them to remote nodes from a single place, without having to select
+and configure a key for all remote nodes individually.
+
+Key Pool
+--------
+
+The pool accepts Proxmox VE and Proxmox Backup Server keys and each entry records its origin and
+ the optional remote node it has been assigned to.
+
+Keys can be added in bulk from the web interface or with the ``proxmox-datacenter-client
+subscriptions add-keys`` command. The Add dialog takes multiple keys, separated by newlines or
+commas, and validates the whole batch atomically.
+
+Node Status
+-----------
+
+The Node Status panel shows the live subscription state of every node behind a configured remote
+alongside any pending plan from the pool. Nodes that already hold a key the registry assigned appear
+with the current status; nodes with a pending pool assignment show a clock icon until the change is
+pushed to the remote.
+
+From this view an operator can clear a pending assignment or remove the key from the pool entirely,
+which is convenient when a node is known to be wrong without first having to find the matching entry
+on the key list.
+
+Assignment
+----------
+
+A key can be assigned to a single node manually.
+
+The Auto-Assign action proposes a plan that fills unsubscribed nodes from free pool keys. For
+Proxmox VE, the smallest covering key by socket count is chosen, so a 4-socket key is not used on a
+2-socket host while a larger host stays unsubscribed.
+
+The proposed plan can be inspected before it is applied. Apply Pending pushes the queued keys to
+their target nodes; if a push fails the remaining queue is kept intact for retry. Clear Pending
+drops the queue without touching any remote.
+
+Permissions
+-----------
+
+Listing the pool and the node status view follows the regular audit privileges on each affected
+remote. Mutating an assignment requires the matching resource privilege on the target remote in
+addition to the SYS_MODIFY privilege, so an operator with global system access alone cannot push
+keys to remotes they have no other authority on.
-- 
2.47.3