Implement InMemory Transport Layer for StellaOps Router

- Added InMemoryTransportOptions class for configuration settings including timeouts and latency.
- Developed InMemoryTransportServer class to handle connections, frame processing, and event management.
- Created ServiceCollectionExtensions for easy registration of InMemory transport services.
- Established project structure and dependencies for InMemory transport library.
- Implemented comprehensive unit tests for endpoint discovery, connection management, request/response flow, and streaming capabilities.
- Ensured proper handling of cancellation, heartbeat, and hello frames within the transport layer.

docs/modules/authority/README.md

@@ -2,8 +2,9 @@
 
 Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
 
-## Latest updates (2025-11-30)
-- Sprint tracker `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` and module `TASKS.md` added to mirror status.
+## Latest updates (2025-12-04)
+- Added gap remediation package for AU1–AU10 and RR1–RR10 (31-Nov-2025 FINDINGS) under `docs/modules/authority/gaps/`; includes deliverable map + evidence layout.
+- Sprint tracker `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` and module `TASKS.md` mirror status.
 - Monitoring/observability references consolidated; Grafana JSON remains offline import (`operations/grafana-dashboard.json`).
 - Prior content retained: OpTok/DPoP/mTLS responsibilities, backup/restore, key rotation.
 
@@ -33,6 +34,8 @@ Authority is the platform OIDC/OAuth2 control plane that mints short-lived, send
 - ./operations/key-rotation.md
 - ./operations/monitoring.md
 - ./operations/grafana-dashboard.json
+- ./gaps/2025-12-04-auth-gaps-au1-au10.md
+- ./gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md
 - Sprint/status mirrors: `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md`, `docs/modules/authority/TASKS.md`
 
 ## Backlog references

docs/modules/authority/gaps/2025-12-04-auth-gaps-au1-au10.md

@@ -0,0 +1,33 @@
+# Authority Gap Remediation · AU1–AU10 (31-Nov-2025 Findings)
+
+Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (AU1–AU10). Scope covers Authority scoping, crypto posture, and verifier/offline expectations.
+
+## Deliverables & Evidence Map
+| ID | Requirement (from advisory) | Authority deliverable | Evidence & location |
+| --- | --- | --- | --- |
+| AU1 | Signed scope/role catalog + versioning | Canonical catalog `gaps/artifacts/authority-scope-role-catalog.v1.json` (versioned, semver, includes tenant/env fields, audience, role → scopes, precedence); DSSE envelope `*.sigstore.json`. | JSON + DSSE: `docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json` and `authority-scope-role-catalog.v1.sigstore.json` (hashes appended to `SHA256SUMS`). |
+| AU2 | Audience/tenant/binding enforcement matrix | Matrix doc with per-flow enforcement (device-code, auth-code, client-cred) and binding mode (DPoP/mTLS) + nonce policy. | `docs/modules/authority/gaps/authority-binding-matrix.md` (deterministic tables; hash listed). |
+| AU3 | DPoP/mTLS nonce policy | Section in binding matrix defining nonce freshness, replay window, and required claims; include negative-path examples. | Same as AU2 (`authority-binding-matrix.md`). |
+| AU4 | Revocation/JWKS schema + freshness | JSON Schema for revocation events + JWKS metadata fields (`kid`, `exp`, `rotated_at`, `tenant`, `freshness_seconds`); hash-listed. | `gaps/artifacts/authority-jwks-metadata.schema.json` (+ DSSE). |
+| AU5 | Key rotation governance | Runbook updates for rotation cadence, dual-publish window, PQ toggle; link to operations/key-rotation.md. | `operations/key-rotation.md` addenda + summary in this doc; hash refresh noted in `SHA256SUMS`. |
+| AU6 | Crypto-profile registry | Registry listing allowed signing/MTLS/DPoP crypto profiles with status (active/deprecated), min versions, curves, PQ flags. | `gaps/artifacts/crypto-profile-registry.v1.json` (+ DSSE). |
+| AU7 | Offline verifier bundle | Offline kit manifest with verifier binary hashes, JWKS snapshot, scope/role catalog, crypto registry, policies. | Bundle manifest `gaps/artifacts/authority-offline-verifier-bundle.v1.json` (+ DSSE) referencing embedded files; verification script path recorded. |
+| AU8 | Delegation quotas/alerts | Policy doc + thresholds for tenant/service delegation, alerting rules, and metrics names. | `gaps/authority-delegation-quotas.md` (deterministic tables; hash-listed). |
+| AU9 | ABAC schema/precedence | ABAC rule schema with precedence relative to RBAC; includes tenant/env, conditions, obligations. | `gaps/artifacts/authority-abac.schema.json` (+ DSSE). |
+| AU10 | Auth conformance tests/metrics | Test matrix covering flows, bindings, revocation freshness, ABAC precedence; metrics/alerts enumerated. | `gaps/authority-conformance-tests.md` (tables + commands; hash-listed). |
+
+## Action Plan (docs + artefact layout)
+1) Author the matrix/markdown deliverables above (AU2, AU3, AU5, AU8, AU10) with deterministic tables and UTC timestamps; append SHA256 to `docs/modules/authority/gaps/SHA256SUMS` when generated.
+2) Define JSON Schemas/registries (AU1, AU4, AU6, AU7, AU9) using stable ordering and `schema_version` fields; store under `gaps/artifacts/` with DSSE envelopes once signed.
+3) Update `docs/modules/authority/README.md` (Latest updates + Related resources) to point to this gap package; add links for implementers.
+4) Coordinate signing via `tools/cosign/sign-signals.sh` analogue once Authority key is available (reuse DSSE conventions from signals). Until signed, mark envelopes TODO in SHA256SUMS.
+5) Mirror status in sprint `SPRINT_0314_0001_0001_docs_modules_authority.md` and `docs/modules/authority/TASKS.md` (AUTH-GAPS-314-004).
+
+## Hashing & determinism
+- Use `sha256sum` over normalized JSON/Markdown (no trailing spaces, LF line endings).
+- Record hashes in `docs/modules/authority/gaps/SHA256SUMS` alongside DSSE bundle hashes when produced.
+- Keep tables sorted by ID to avoid churn.
+
+## Offline posture
+- All referenced artefacts must be ship-ready for Offline Kit inclusion (no remote fetches, include verifier script + instructions in bundle manifest once built).
+

docs/modules/authority/gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md

@@ -0,0 +1,35 @@
+# Rekor Receipt Remediation · RR1–RR10 (Authority/Attestor/Sbomer)
+
+Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (RR1–RR10). Scope is Rekor receipt schema/catalog and offline verification path consumed by Authority + Sbomer + Attestor.
+
+## Deliverables & Evidence Map
+| ID | Requirement | Deliverable | Evidence & location |
+| --- | --- | --- | --- |
+| RR1 | DSSE/hashedrekord only | Policy flag `rk1_enforceDsse=true` and routing to hashedrekord recorded in mirror/receipt policy. | `gaps/artifacts/rekor-receipt-policy.v1.json` (+ DSSE). |
+| RR2 | Payload size preflight + chunks | `rk2_payloadMaxBytes=1048576` with chunk guidance; embed in policy. | Same policy JSON (rk2 fields) + example `transport-plan` snippet. |
+| RR3 | Public/private routing | `rk3_routing` map per shard/tenant documented. | Policy JSON. |
+| RR4 | Shard-aware checkpoints | `rk4_shardCheckpoint="per-tenant-per-day"` + freshness fields. | Policy JSON + checklist section. |
+| RR5 | Idempotent submission keys | `rk5_idempotentKeys=true`; include sample request header/claim mapping. | Policy JSON + doc section. |
+| RR6 | Sigstore bundles in kits | `rk6_sigstoreBundleIncluded=true` + bundle manifest entry for receipts. | Policy JSON + bundle manifest path `gaps/artifacts/rekor-receipt-bundle.v1.json`. |
+| RR7 | Checkpoint freshness bounds | `rk7_checkpointFreshnessSeconds` aligned with mirror/transport budgets. | Policy JSON + metrics note. |
+| RR8 | PQ dual-sign options | `rk8_pqDualSign` toggle captured with allowed algorithms. | Policy JSON + crypto profile reference. |
+| RR9 | Error taxonomy/backoff | `rk9_errorTaxonomy` and retry rules; deterministic table. | `gaps/rekor-receipt-error-taxonomy.md`. |
+| RR10 | Policy/graph annotations | `rk10_annotations` fields for policy hash + graph context inside receipts. | Policy JSON + schema doc. |
+
+## Schema & bundle layout
+- Receipt schema: `gaps/artifacts/rekor-receipt.schema.json` (includes required fields: tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash, client version/flags, TSA/Fulcio chain, mirror metadata, repro inputs hash).
+- Bundle manifest: `gaps/artifacts/rekor-receipt-bundle.v1.json` referencing schema, policy, transport plan, and sample receipts; DSSE envelope `rekor-receipt-bundle.v1.sigstore.json` when signed.
+- Hash index: `docs/modules/authority/gaps/SHA256SUMS` collects schema/policy/bundle hashes and (once signed) DSSE bundle hashes.
+
+## Action Plan
+1) Draft `rekor-receipt-policy.v1.json` with rk1–rk10 flags and shard/routing/size constraints; keep keys sorted.
+2) Author schema `rekor-receipt.schema.json` with canonical field order and example; ensure inclusion proof + policy hash fields are mandatory.
+3) Add error taxonomy markdown `rekor-receipt-error-taxonomy.md` with deterministic table (code, classification, retry policy).
+4) Define bundle manifest `rekor-receipt-bundle.v1.json` (hashes will be appended to SHA256SUMS once generated) and note DSSE envelope requirement.
+5) Mirror status in sprint `SPRINT_0314_0001_0001_docs_modules_authority.md` (REKOR-RECEIPT-GAPS-314-005) and Authority TASKS.
+
+## Determinism & offline
+- Use `sha256sum` over normalized JSON and markdown; store in `gaps/SHA256SUMS`.
+- No network dependencies; examples should reference local bundle paths.
+- Signing to follow Authority key once available; until then envelopes remain TODO but paths are fixed.
+

docs/modules/authority/gaps/SHA256SUMS

@@ -0,0 +1,2 @@
+# Hash index for authority gap artefacts (AU1–AU10, RR1–RR10)
+# Append lines: "<sha256>  <relative-path>"