semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/authority/authority-identity-provider-registry.md
+++ b/docs/features/unchecked/authority/authority-identity-provider-registry.md
@@ -0,0 +1,31 @@
+# Authority Identity Provider Registry (Plugin Resolution)
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Runtime metadata/handle pattern for resolving identity providers through a registry. Handlers use `IAuthorityIdentityProviderRegistry.AcquireAsync` with metadata (`AuthorityIdentityProviderMetadata`) for capability checks, enabling deterministic and capability-gated provider resolution.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/`
+- **Key Classes**:
+  - `AuthorityIdentityProviderRegistry` (`src/Authority/StellaOps.Authority/StellaOps.Authority/AuthorityIdentityProviderRegistry.cs`) - runtime registry that resolves identity providers by metadata capabilities; exposes `AcquireAsync` for deterministic provider selection
+  - `AuthorityIdentityProviderSelector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityIdentityProviderSelector.cs`) - selects the appropriate identity provider plugin during OpenIddict authentication flows based on request context
+  - `AuthorityPluginRegistry` (`src/Authority/StellaOps.Authority/StellaOps.Authority/AuthorityPluginRegistry.cs`) - manages the lifecycle and registration of all authority plugins
+  - `IdentityProviderContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs`) - defines `IAuthorityIdentityProviderPlugin`, `AuthorityIdentityProviderMetadata`, and capability contracts
+  - `AuthorityPluginRegistrationContext` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginRegistrationContext.cs`) - context object passed to plugins during registration
+  - `AuthorityPluginLoader` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs`) - loads plugin assemblies from disk and registers them with the plugin registry
+  - `AuthorityPluginRegistrationSummary` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs`) - captures registration outcome (loaded plugins, errors, capabilities)
+- **Interfaces**: `IAuthorityIdentityProviderPlugin`, `IAuthorityPluginRegistrar` (defined in `IdentityProviderContracts.cs` and `AuthorityPluginContracts.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Register two identity provider plugins (Standard and LDAP) and verify `AuthorityIdentityProviderRegistry` resolves each by capability metadata
+- [ ] Call `AcquireAsync` with metadata requesting LDAP capabilities and verify the LDAP provider is returned
+- [ ] Call `AcquireAsync` with metadata requesting capabilities not supported by any provider and verify a clear error is returned
+- [ ] Verify `AuthorityIdentityProviderSelector` routes authentication to the correct provider based on the client's `identity_provider` metadata during an OAuth2 token request
+- [ ] Register a plugin at runtime and verify the registry reflects the new provider without restart
+- [ ] Verify `AuthorityPluginRegistrationSummary` reports all registered providers with their capabilities
--- a/docs/features/unchecked/authority/authority-module-with-oidc-oauth2-dpop-mtls.md
+++ b/docs/features/unchecked/authority/authority-module-with-oidc-oauth2-dpop-mtls.md
@@ -0,0 +1,39 @@
+# Authority Module with OIDC/OAuth2, DPoP, mTLS
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/`, `src/Authority/StellaOps.Authority/StellaOps.Authority/Security/`
+- **Key Classes**:
+  - `ClientCredentialsHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs`) - client credentials grant with audit logging via `ClientCredentialsAuditHelper.cs`
+  - `PasswordGrantHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs`) - resource owner password credentials grant
+  - `RefreshTokenHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RefreshTokenHandlers.cs`) - refresh token rotation and validation
+  - `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - DPoP proof-of-possession validation (RFC 9449)
+  - `RevocationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs`) - token revocation (RFC 7009)
+  - `DiscoveryHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DiscoveryHandlers.cs`) - OpenID Connect discovery metadata
+  - `TokenPersistenceHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs`) - persists issued tokens to storage
+  - `TokenValidationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs`) - validates token integrity and binding
+  - `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates DPoP proof JWTs and sender-constrained tokens
+  - `AuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs`) - validates client certificates for mTLS-bound tokens
+  - `TokenRequestTamperInspector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs`) - detects tampered token requests
+  - `AuthorityTokenKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityTokenKinds.cs`) - enumerates supported token types
+  - `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - constraint types (DPoP, mTLS)
+- **Interfaces**: `IAuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Request an access token via `ClientCredentialsHandlers` and verify a valid JWT is returned with correct claims and scopes
+- [ ] Request an access token with a DPoP proof header and verify `DpopHandlers` returns a DPoP-bound token (`token_type: DPoP`)
+- [ ] Attempt to use a DPoP-bound token without the proof header and verify the request is rejected with 401
+- [ ] Present a valid client certificate and request an mTLS-bound token; verify `AuthorityClientCertificateValidator` validates it and the `cnf` claim contains the certificate thumbprint
+- [ ] Verify token refresh via `RefreshTokenHandlers`: obtain a refresh token, exchange it for a new access token, and verify the old refresh token is rotated
+- [ ] Revoke a token via `RevocationHandlers` and verify it is no longer accepted
+- [ ] Query the OpenID Connect discovery endpoint and verify `DiscoveryHandlers` returns DPoP and mTLS metadata
+- [ ] Submit a tampered token request and verify `TokenRequestTamperInspector` rejects it
--- a/docs/features/unchecked/authority/authority-plugin-system.md
+++ b/docs/features/unchecked/authority/authority-plugin-system.md
@@ -0,0 +1,38 @@
+# Authority Plugin System (LDAP, SAML, Custom Providers)
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Extensible authentication with pluggable identity providers loaded at startup, supporting multiple authentication methods including Standard (username/password), LDAP, OIDC, SAML, and a Unified adapter.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/`
+- **Key Classes**:
+  - `AuthorityPluginLoader` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs`) - discovers and loads plugin assemblies from disk at startup
+  - `AuthorityPluginRegistrationSummary` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs`) - captures loaded plugins, errors, and capabilities
+  - `AuthorityPluginContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginContracts.cs`) - `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces
+  - `IdentityProviderContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs`) - `IAuthorityIdentityProviderPlugin`, credential validation, claims enrichment
+  - `AuthoritySecretHasher` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthoritySecretHasher.cs`) - pluggable secret hashing
+  - `StandardIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardIdentityProviderPlugin.cs`) - built-in username/password plugin
+  - `StandardPluginRegistrar` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`) - Standard plugin registration
+  - `StandardPluginBootstrapper` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Bootstrap/StandardPluginBootstrapper.cs`) - bootstraps initial admin user
+  - `StandardCredentialAuditLogger` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Security/StandardCredentialAuditLogger.cs`) - audit logging for credential operations
+  - `LdapIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs`) - LDAP identity provider
+  - `OidcIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcIdentityProviderPlugin.cs`) - OIDC identity provider
+  - `SamlIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlIdentityProviderPlugin.cs`) - SAML identity provider
+  - `AuthPluginAdapter` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`) - unified adapter for multiple plugin types
+- **Interfaces**: `IAuthorityPlugin`, `IAuthorityPluginRegistrar`, `IAuthorityIdentityProviderPlugin` (in `AuthorityPluginContracts.cs`, `IdentityProviderContracts.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Start the Authority server with Standard and LDAP plugins and verify `AuthorityPluginRegistrationSummary` shows both loaded successfully
+- [ ] Authenticate via `StandardIdentityProviderPlugin` using username/password and verify a token is issued
+- [ ] Remove a plugin from the plugins directory, restart, and verify `AuthorityPluginLoader` reports it as missing without crashing
+- [ ] Register a custom plugin implementing `IAuthorityIdentityProviderPlugin` and verify it is discovered and callable
+- [ ] Verify each plugin's `IAuthorityPluginRegistrar.Register` is called with the correct `AuthorityPluginRegistrationContext`
+- [ ] Verify credential audit: authenticate via Standard plugin and verify `StandardCredentialAuditLogger` records the login event
+- [ ] Load OIDC and SAML plugins simultaneously and verify each handles its respective protocol flow independently
--- a/docs/features/unchecked/authority/authority-sealed-mode-evidence-validator.md
+++ b/docs/features/unchecked/authority/authority-sealed-mode-evidence-validator.md
@@ -0,0 +1,32 @@
+# Authority Sealed-Mode Evidence Validator
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence validator for Authority module in sealed/air-gap mode that verifies DSSE attestations without external connectivity, enabling offline identity verification for CI gating scenarios.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Airgap/`, `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/`
+- **Key Classes**:
+  - `AuthoritySealedModeEvidenceValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Airgap/AuthoritySealedModeEvidenceValidator.cs`) - validates DSSE-signed attestation evidence without external network calls; verifies signatures using locally stored trust anchors
+  - `AuthorityAirgapAuditService` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Airgap/AuthorityAirgapAuditService.cs`) - records audit events for all sealed-mode operations
+  - `AirgapAuditEndpointExtensions` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Airgap/AirgapAuditEndpointExtensions.cs`) - REST endpoints for querying airgap audit logs
+  - `PostgresAirgapAuditStore` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresAirgapAuditStore.cs`) - persists airgap audit records to PostgreSQL
+  - `AirgapAuditRepository` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/AirgapAuditRepository.cs`) - data access for airgap audit entities
+  - `AirgapAuditEntity` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Models/AirgapAuditEntity.cs`) - database entity for airgap audit records
+  - `OfflineKitAuditRepository` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/OfflineKitAuditRepository.cs`) - audit tracking for offline kit operations
+  - `OfflineKitAuditEmitter` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/OfflineKitAuditEmitter.cs`) - emits audit events for offline kit operations
+- **Interfaces**: `IAirgapAuditRepository` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/IAirgapAuditRepository.cs`), `IOfflineKitAuditRepository` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/IOfflineKitAuditRepository.cs`), `IOfflineKitAuditEmitter` (`src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/IOfflineKitAuditEmitter.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Submit a DSSE-signed attestation to `AuthoritySealedModeEvidenceValidator` and verify positive validation when the signing key matches a locally stored trust anchor
+- [ ] Submit an attestation signed by an unknown key and verify the validator rejects it with a clear error
+- [ ] Submit a tampered attestation (modified payload with valid signature format) and verify signature verification fails
+- [ ] Verify airgap audit: validate an attestation and query `AirgapAuditEndpointExtensions` to confirm the validation event is recorded with timestamp, subject, and outcome
+- [ ] Run the validator with no network access and verify it completes without attempting external calls
+- [ ] Verify offline kit audit: perform an offline kit operation and confirm `OfflineKitAuditEmitter` records the event in PostgreSQL via `OfflineKitAuditRepository`
--- a/docs/features/unchecked/authority/cli-dpop-bound-authentication.md
+++ b/docs/features/unchecked/authority/cli-dpop-bound-authentication.md
@@ -0,0 +1,34 @@
+# CLI DPoP-Bound Authentication
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI supports DPoP-bound token authentication for secure API communication. DPoP (Demonstration of Proof-of-Possession, RFC 9449) prevents token replay attacks by binding tokens to the client's cryptographic key.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/`, `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/`
+- **Key Classes**:
+  - `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - server-side OpenIddict handler validating DPoP proof JWTs on token requests and API calls
+  - `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates sender-constrained tokens by checking `jkt` (JWK thumbprint) claim against DPoP proof
+  - `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - enumerates constraint types: DPoP, mTLS
+  - `StellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs`) - token client used by CLI handling DPoP proof generation and token acquisition
+  - `StellaOpsBearerTokenHandler` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsBearerTokenHandler.cs`) - HTTP delegating handler attaching DPoP proof headers to outgoing API requests
+  - `FileTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs`) - file-based token cache for CLI profiles
+  - `InMemoryTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/InMemoryTokenCache.cs`) - in-memory token cache
+  - `MessagingTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/MessagingTokenCache.cs`) - messaging-backed token cache
+  - `StellaOpsAuthClientOptions` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs`) - configuration for DPoP key material, Authority URL, client credentials
+  - `StellaOpsApiAuthMode` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsApiAuthMode.cs`) - authentication modes (Bearer, DPoP, mTLS)
+- **Interfaces**: `IStellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenClient.cs`), `IStellaOpsTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenCache.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Configure the CLI with DPoP auth mode via `StellaOpsAuthClientOptions` and request a token; verify the response includes `token_type: DPoP` with a `jkt` claim
+- [ ] Use `StellaOpsBearerTokenHandler` to make an API call with a DPoP-bound token and verify `DpopHandlers` accepts it after proof validation
+- [ ] Attempt to replay a DPoP-bound token without the matching DPoP proof and verify `AuthoritySenderConstraintHelper` rejects with 401
+- [ ] Verify the DPoP proof includes the `ath` (access token hash) claim and the server validates it matches
+- [ ] Verify `FileTokenCache` persists the DPoP-bound token and the CLI can resume without re-authentication
+- [ ] Switch `StellaOpsApiAuthMode` from DPoP to Bearer and verify the CLI falls back to standard bearer token flow
--- a/docs/features/unchecked/authority/ldap-plugin-with-claims-enrichment-and-client-provisioning.md
+++ b/docs/features/unchecked/authority/ldap-plugin-with-claims-enrichment-and-client-provisioning.md
@@ -0,0 +1,36 @@
+# LDAP Plugin with Claims Enrichment and Client Provisioning
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Full LDAP identity provider plugin with claims enrichment (mapping LDAP attributes to OAuth claims), client provisioning (auto-creating OAuth clients from LDAP entries), capability probing, credential store, and messaging-backed claims cache.
+
+## Implementation Details
+- **LDAP Plugin Entry Point**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs` -- implements `IAuthorityIdentityProviderPlugin`; authenticates users against LDAP directories.
+- **Plugin Registrar**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs` -- registers LDAP plugin services in the DI container.
+- **Plugin Options**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginOptions.cs` -- configuration: LDAP server URL, base DN, search filters, attribute mappings, TLS settings.
+- **Claims Enrichment**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/LdapClaimsEnricher.cs` -- maps LDAP attributes (group memberships, department, title) to OAuth2 claims.
+- **Claims Cache**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/ILdapClaimsCache.cs`, `InMemoryLdapClaimsCache.cs`, `MessagingLdapClaimsCache.cs` -- caches enriched claims with in-memory and messaging-backed (distributed) implementations.
+- **Client Provisioning**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapClientProvisioningStore.cs` -- auto-creates OAuth2 clients from LDAP entries (service accounts).
+- **Capability Probe**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilityProbe.cs` -- probes LDAP server capabilities (supported controls, extensions, schema).
+- **Capability Snapshot Cache**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilitySnapshotCache.cs` -- caches capability probe results to avoid repeated probes.
+- **DN Helper**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapDistinguishedNameHelper.cs` -- parses and manipulates LDAP distinguished names.
+- **Connection Factory**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Connections/DirectoryServicesLdapConnectionFactory.cs` (implements `ILdapConnectionFactory`) -- creates LDAP connections with TLS.
+- **Credential Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Credentials/LdapCredentialStore.cs` -- manages LDAP bind credentials.
+- **Security**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Security/LdapSecretResolver.cs` -- resolves LDAP secrets from secure storage.
+- **Metrics**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Monitoring/LdapMetrics.cs` -- OpenTelemetry metrics for LDAP operations (bind latency, search duration, error rates).
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/` -- comprehensive tests across Claims/, ClientProvisioning/, Credentials/, Resilience/, Security/, Snapshots/ subdirectories.
+
+## E2E Test Plan
+- [ ] Configure the LDAP plugin with a test LDAP server and authenticate a user; verify the token contains enriched claims from LDAP attributes (e.g., `groups`, `department`)
+- [ ] Verify claims caching: authenticate the same user twice and verify the second call uses cached claims from `InMemoryLdapClaimsCache`
+- [ ] Verify client provisioning: configure auto-provisioning from an LDAP OU and verify an OAuth2 client is created for each service account entry
+- [ ] Run `LdapCapabilityProbe` against the LDAP server and verify it reports supported controls and extensions
+- [ ] Verify DN helper: parse a complex distinguished name (e.g., `CN=John Doe,OU=Users,DC=example,DC=com`) and verify each component is extracted correctly
+- [ ] Verify LDAP connection TLS: configure TLS and verify `DirectoryServicesLdapConnectionFactory` establishes a secure connection
+- [ ] Simulate an LDAP server failure and verify the plugin returns an authentication error without leaking internal details
+- [ ] Verify `LdapMetrics` records bind latency and search duration via OpenTelemetry
--- a/docs/features/unchecked/authority/local-rbac-policy-fallback-with-break-glass-access.md
+++ b/docs/features/unchecked/authority/local-rbac-policy-fallback-with-break-glass-access.md
@@ -0,0 +1,31 @@
+# Local RBAC Policy Fallback with Break-Glass Access
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+File-based RBAC policy store providing authorization fallback when the database is unavailable, with break-glass session management enabling emergency admin access with auditable time-limited sessions.
+
+## Implementation Details
+- **File-Based Policy Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/FileBasedPolicyStore.cs` -- implements `ILocalPolicyStore`; reads RBAC policies from JSON files on disk; used as fallback when the Postgres policy store is unavailable.
+- **Policy Store Interface**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/ILocalPolicyStore.cs` -- interface for local policy lookups (roles, permissions, scope bundles).
+- **Policy Store Fallback**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/PolicyStoreFallback.cs` -- orchestrates fallback: attempts database-backed policy store first, falls back to `FileBasedPolicyStore` on failure.
+- **Break-Glass Session Manager**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/BreakGlassSessionManager.cs` -- manages time-limited emergency admin sessions; creates auditable break-glass tokens with configurable TTL and scope restrictions.
+- **Local Policy Models**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyModels.cs` -- data models for roles, permissions, and break-glass session records.
+- **Policy Store Options**: `src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyStoreOptions.cs` -- configuration: policy file path, fallback enabled flag, break-glass TTL.
+- **Role Repository (Postgres primary)**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/RoleRepository.cs` (implements `IRoleRepository`) -- primary RBAC store in PostgreSQL.
+- **Permission Repository**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/PermissionRepository.cs` (implements `IPermissionRepository`) -- permission grants in PostgreSQL.
+- **Role Entity**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Models/RoleEntity.cs` -- database entity for roles.
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/LocalPolicy/FileBasedPolicyStoreTests.cs`, `FallbackPolicyStoreIntegrationTests.cs`; `src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/RoleBasedAccessTests.cs`, `RoleRepositoryTests.cs`, `PermissionRepositoryTests.cs`
+
+## E2E Test Plan
+- [ ] Configure `FileBasedPolicyStore` with a JSON policy file defining three roles (viewer, operator, admin) and verify each role's permissions are correctly loaded
+- [ ] Simulate database unavailability and verify `PolicyStoreFallback` switches to the file-based store and authorization continues to work
+- [ ] Restore the database and verify the fallback returns to the primary Postgres store
+- [ ] Initiate a break-glass session via `BreakGlassSessionManager` and verify a time-limited admin token is issued with audit metadata
+- [ ] Verify break-glass TTL: wait for the session to expire and verify the token is rejected
+- [ ] Verify break-glass audit: check that the session creation, actions during the session, and session expiry are all recorded in the audit log
+- [ ] Modify the local policy JSON file and verify the `FileBasedPolicyStore` reflects the changes without restart
--- a/docs/features/unchecked/authority/multi-tenant-scope-based-authorization.md
+++ b/docs/features/unchecked/authority/multi-tenant-scope-based-authorization.md
@@ -0,0 +1,33 @@
+# Multi-Tenant Scope-Based Authorization
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Multi-tenant authorization with scope-based access control integrated across modules. Tenants are isolated via tenant-scoped OAuth2 scopes and authorization policies.
+
+## Implementation Details
+- **Tenant Catalog**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Tenants/AuthorityTenantCatalog.cs` -- manages tenant registration, metadata, and tenant-scoped configuration.
+- **Tenant Header Filter**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Console/TenantHeaderFilter.cs` -- extracts the tenant identifier from HTTP headers and sets the tenant context for the request.
+- **Tenancy Defaults**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsTenancyDefaults.cs` -- defines default tenant header name, claim types, and tenancy constants.
+- **Scopes**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs` -- enumerates all OAuth2 scopes (module-level, resource-level, admin) used across the platform.
+- **Scope Authorization Handler**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsScopeAuthorizationHandler.cs` -- ASP.NET authorization handler that evaluates scope requirements against the user's token scopes.
+- **Scope Requirement**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsScopeRequirement.cs` -- authorization requirement specifying required scopes.
+- **Resource Server Policies**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerPolicies.cs` -- pre-defined authorization policies for each module (Scanner, Attestor, Policy, etc.) using scope-based requirements.
+- **Authorization Policy Builder Extensions**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorizationPolicyBuilderExtensions.cs` -- extension methods for adding scope policies: `RequireScope`, `RequireAnyScope`.
+- **Resource Server Options**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerOptions.cs` -- configuration for resource server authentication (Authority URL, audience, required scopes).
+- **Tenant Entity**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Models/TenantEntity.cs` -- database entity for tenants.
+- **Tenant Repository**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/TenantRepository.cs` (implements `ITenantRepository`) -- CRUD for tenant records.
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/`
+
+## E2E Test Plan
+- [ ] Create two tenants (tenant-a, tenant-b) via `AuthorityTenantCatalog` and verify each is persisted with isolated configuration
+- [ ] Request a token with tenant-a scopes and attempt to access tenant-b resources; verify access is denied with 403
+- [ ] Request a token with `scanner:read` scope and verify `StellaOpsScopeAuthorizationHandler` allows access to Scanner read endpoints but denies write endpoints
+- [ ] Verify `TenantHeaderFilter` extracts the tenant ID from the `X-Tenant-Id` header and sets the correct tenant context
+- [ ] Configure `StellaOpsResourceServerPolicies` for a module and verify all endpoints enforce the correct scope policies
+- [ ] Request a token with admin scopes and verify it grants cross-tenant access when configured
+- [ ] Verify `StellaOpsScopes` enumerations match the scopes registered in the OpenIddict server configuration
--- a/docs/features/unchecked/authority/pack-rbac-roles-and-cli-profiles.md
+++ b/docs/features/unchecked/authority/pack-rbac-roles-and-cli-profiles.md
@@ -0,0 +1,30 @@
+# Pack RBAC Roles and CLI Profiles
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Five Task Pack RBAC roles (pack-viewer, pack-operator, pack-publisher, pack-approver, pack-admin) with deterministic scope bundles, authorization policy helper (`AddPacksResourcePolicies`), and CLI profiles for role-based token acquisition.
+
+## Implementation Details
+- **Resource Server Policies**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerPolicies.cs` -- includes `AddPacksResourcePolicies` that registers authorization policies for each Pack RBAC role with deterministic scope bundles.
+- **Authorization Policy Builder Extensions**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorizationPolicyBuilderExtensions.cs` -- `RequireScope` and `RequireAnyScope` extension methods used by pack policies.
+- **Scopes**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs` -- defines pack-specific scopes (`packs:read`, `packs:execute`, `packs:publish`, `packs:approve`, `packs:admin`).
+- **Claim Types**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsClaimTypes.cs` -- custom claim types including pack role claims.
+- **Auth Client (CLI Profiles)**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs` -- CLI profile configuration specifying the scope bundle for each role.
+- **Token Client**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs` -- acquires tokens with the correct scope bundle for the configured CLI profile/role.
+- **File Token Cache**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs` -- persists per-profile tokens to disk for CLI session continuity.
+- **Role Repository**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/RoleRepository.cs` -- stores role definitions including pack roles.
+- **Tests**: `src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/RoleBasedAccessTests.cs`, `RoleRepositoryTests.cs`
+
+## E2E Test Plan
+- [ ] Register the five pack RBAC roles and verify each has the correct deterministic scope bundle (e.g., pack-viewer gets `packs:read` only)
+- [ ] Authenticate as pack-viewer and attempt to publish a pack; verify access is denied with 403
+- [ ] Authenticate as pack-publisher and verify publishing is allowed but approval is denied
+- [ ] Authenticate as pack-admin and verify all pack operations are allowed
+- [ ] Configure a CLI profile with the pack-operator role and verify `StellaOpsTokenClient` requests the correct scope set
+- [ ] Verify `FileTokenCache` stores the profile-specific token and a different profile does not reuse it
+- [ ] Verify the `AddPacksResourcePolicies` helper registers all five policies in the ASP.NET authorization system
--- a/docs/features/unchecked/authority/plugin-sdk-plugin-architecture.md
+++ b/docs/features/unchecked/authority/plugin-sdk-plugin-architecture.md
@@ -0,0 +1,38 @@
+# Plugin SDK / Plugin architecture (CLI, Authority, Crypto)
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Plugin architecture is implemented across CLI (manifest loader, module loader), Authority (identity provider plugins with OIDC/SAML/Standard), and Cryptography (HSM, SM crypto plugins). The Authority plugin SDK defines interfaces, registration context, and a standardized plugin lifecycle.
+
+## Implementation Details
+- **Plugin Abstractions (Authority SDK)**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/` -- the SDK package:
+  - `AuthorityPluginContracts.cs` -- `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces defining the plugin lifecycle
+  - `IdentityProviderContracts.cs` -- `IAuthorityIdentityProviderPlugin` for credential validation and claims enrichment
+  - `AuthorityPluginRegistrationContext.cs` -- DI registration context passed to plugins at startup
+  - `AuthorityCredentialAuditContext.cs` -- audit context for credential operations
+  - `AuthoritySecretHasher.cs` -- pluggable password/secret hashing abstraction
+  - `AuthorityClientMetadataKeys.cs` -- standardized metadata keys for client configuration
+- **Plugin Loader**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs` -- assembly-based plugin discovery from `plugins/authority/` directory.
+- **Plugin Registration Summary**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs` -- diagnostic summary of loaded plugins.
+- **Concrete Plugin Implementations**:
+  - Standard: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`
+  - LDAP: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs`
+  - OIDC: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcPluginRegistrar.cs`
+  - SAML: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlPluginRegistrar.cs`
+  - Unified: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`
+- **Plugin Binary Hosting**: `src/Authority/StellaOps.Authority.PluginBinaries/` -- pre-compiled plugin DLLs; `src/Authority/plugins/authority/` -- plugin directory structure.
+- **Concelier Plugin Binaries**: `src/Authority/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/` -- connector plugin abstractions for Concelier module.
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Plugins/AuthorityPluginLoaderTests.cs`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/`
+
+## E2E Test Plan
+- [ ] Build a minimal plugin implementing `IAuthorityPluginRegistrar` and `IAuthorityIdentityProviderPlugin`, place the DLL in `plugins/authority/`, and verify `AuthorityPluginLoader` discovers and loads it
+- [ ] Verify the plugin's `Register` method receives a valid `AuthorityPluginRegistrationContext` with access to DI services
+- [ ] Verify `AuthorityPluginRegistrationSummary` includes the custom plugin with its reported capabilities
+- [ ] Load multiple plugins simultaneously and verify they do not interfere with each other's DI registrations
+- [ ] Remove a plugin DLL and restart; verify the system starts without the removed plugin and reports it as missing in the summary
+- [ ] Verify `AuthoritySecretHasher` can be replaced by a plugin-provided implementation and verify password hashing uses the custom hasher
--- a/docs/features/unchecked/authority/postgres-backend-store-prototype-for-authority-tokens.md
+++ b/docs/features/unchecked/authority/postgres-backend-store-prototype-for-authority-tokens.md
@@ -0,0 +1,37 @@
+# Postgres Backend Store Prototype for Authority.Tokens
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+A PostgresTokenStore implementing IAuthorityTokenStore and IAuthorityRefreshTokenStore exists, is registered in DI, and has tests. The Authority module also has InMemory store implementations behind interfaces (IAuthorityStores). This provides a Postgres-friendly facade behind a store interface.
+
+## Implementation Details
+- **Postgres Token Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresTokenStore.cs` -- implements token CRUD against PostgreSQL; handles access token and refresh token persistence, lookup, and expiry.
+- **Postgres Client Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresClientStore.cs` -- OAuth2 client registration and lookup in PostgreSQL.
+- **Postgres Service Account Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresServiceAccountStore.cs` -- service account management in PostgreSQL.
+- **Postgres Login Attempt Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresLoginAttemptStore.cs` -- tracks login attempts for brute-force protection.
+- **Postgres Bootstrap Invite Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresBootstrapInviteStore.cs` -- manages bootstrap invites for initial setup.
+- **Postgres Revocation Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresRevocationStore.cs` -- token revocation records.
+- **Postgres Revocation Export State Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/Postgres/PostgresRevocationExportStateStore.cs` -- tracks revocation export state for air-gap bundles.
+- **Token Repository (Persistence Layer)**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/TokenRepository.cs` (implements `ITokenRepository`) -- low-level data access for tokens.
+- **OIDC Token Repository**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/OidcTokenRepository.cs` (implements `IOidcTokenRepository`) -- OpenIddict-specific token storage.
+- **Token Entity**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Models/TokenEntity.cs`, `OidcTokenEntity.cs` -- database entities.
+- **InMemory Stores**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/InMemory/Stores/InMemoryStores.cs` (implements `IAuthorityStores`) -- in-memory alternative for development/testing.
+- **EF Core Context**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/EfCore/Context/AuthorityDbContext.cs` -- Entity Framework Core context for Authority database.
+- **Migrations**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Migrations/` -- EF Core migrations for schema evolution.
+- **ID Generator**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Storage/AuthorityIdGenerator.cs` -- generates unique IDs for authority entities.
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Storage/PostgresAdapterTests.cs`, `src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/TokenRepositoryTests.cs`, `RefreshTokenRepositoryTests.cs`, `InMemoryStoreTests.cs`, `SessionRepositoryTests.cs`
+
+## E2E Test Plan
+- [ ] Issue a token via the client credentials grant and verify `PostgresTokenStore` persists it to PostgreSQL
+- [ ] Look up the token by its reference ID and verify all properties (scopes, expiry, client_id) are preserved
+- [ ] Issue a refresh token and exchange it; verify the old token is rotated and the new one is stored
+- [ ] Revoke a token via `PostgresRevocationStore` and verify it is no longer retrievable as valid
+- [ ] Verify `InMemoryStores` provides the same interface (`IAuthorityStores`) and passes the same tests as the Postgres implementation
+- [ ] Run EF Core migrations on an empty database and verify the schema is created correctly
+- [ ] Verify expired tokens are not returned by the store's lookup methods
+- [ ] Verify concurrent token issuance does not cause duplicate key violations
--- a/docs/features/unchecked/authority/trust-root-and-certificate-chain-verification.md
+++ b/docs/features/unchecked/authority/trust-root-and-certificate-chain-verification.md
@@ -0,0 +1,35 @@
+# Trust Root and Certificate Chain Verification
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Certificate chain validation checks, TSA certificate expiry monitoring, and timestamp token verification with configurable trust anchors and verification options.
+
+## Implementation Details
+- **Timestamp Token Verifier**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimeStampTokenVerifier.cs` (with partials `.CertificateChain.cs`, `.Signature.cs`, `.Validation.cs`, `.Warnings.cs`) -- verifies RFC 3161 timestamp tokens including certificate chain validation, signature verification, and trust anchor checks.
+- **TSA Client**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs` (with partials `.GetTimeStamp.cs`, `.ProviderOrdering.cs`, `.ProviderRequest.cs`, `.Verification.cs`) -- HTTP client for TSA servers implementing `ITimeStampAuthorityClient`.
+- **TSA Provider Registry**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderRegistry.cs` (with partials `.HealthCheck.cs`, `.ProviderState.cs`, `.Providers.cs`, `.Reporting.cs`, `.Stats.cs`) -- manages TSA providers with health monitoring and failover.
+- **Verification Options**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/TimeStampVerificationOptions.cs` -- configurable trust anchors, allowed algorithms, certificate policies.
+- **Verification Result**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/TimeStampVerificationResult.cs` -- detailed result with errors and warnings.
+- **Verification Error/Warning Codes**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/VerificationError.cs`, `VerificationErrorCode.cs`, `VerificationWarning.cs`, `VerificationWarningCode.cs`, `VerificationStatus.cs`.
+- **TSA Health**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderHealth.cs`, `TsaHealthStatus.cs` -- health check types for TSA certificate expiry monitoring.
+- **Signing Key Management**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthoritySigningKeyManager.cs` -- manages authority signing keys with rotation; `AuthoritySigningKeyStatus.cs` tracks key health.
+- **JWKS Service**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthorityJwksService.cs` -- serves the JSON Web Key Set for public key distribution.
+- **DSSE Statement Signer**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthorityDsseStatementSigner.cs` -- signs in-toto/DSSE statements using authority keys.
+- **KMS Key Source**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/KmsAuthoritySigningKeySource.cs` -- resolves signing keys from a Key Management Service.
+- **File Key Source**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/FileAuthoritySigningKeySource.cs` -- resolves signing keys from local files.
+- **Tests**: `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/TimeStampTokenVerifierTests.cs`, `TsaProviderRegistryTests.cs`; `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthorityJwksServiceTests.cs`, `AuthoritySigningKeyManagerTests.cs`, `KmsAuthoritySigningKeySourceTests.cs`, `TokenSignVerifyRoundtripTests.cs`
+
+## E2E Test Plan
+- [ ] Submit a timestamp request to a TSA server via `HttpTsaClient` and verify the returned timestamp token passes `TimeStampTokenVerifier` validation
+- [ ] Verify certificate chain: provide a timestamp token with a valid chain and verify `TimeStampTokenVerifier.CertificateChain` validates each certificate up to the trust anchor
+- [ ] Provide a timestamp token signed by an untrusted CA and verify the verifier rejects it with `VerificationErrorCode.UntrustedCertificate`
+- [ ] Configure `TimeStampVerificationOptions` to reject weak algorithms (e.g., SHA-1) and verify tokens using SHA-1 are rejected
+- [ ] Verify TSA health monitoring: register a TSA provider and verify `TsaProviderRegistry.HealthCheck` detects certificate expiry within the warning threshold
+- [ ] Verify signing key rotation: rotate the authority signing key via `AuthoritySigningKeyManager` and verify the JWKS endpoint reflects the new key while the old key remains for validation
+- [ ] Verify DSSE signing: sign a statement via `AuthorityDsseStatementSigner` and verify the signature can be validated using the JWKS public key
+- [ ] Verify KMS key source: configure `KmsAuthoritySigningKeySource` and verify signing operations use the KMS-managed key