From 2079bd30ea257dab95deaedb4a9dbf038fd8b553 Mon Sep 17 00:00:00 2001
From: master <contact@stella-ops.org>
Date: Wed, 15 Oct 2025 10:05:17 +0300
Subject: [PATCH] Tighten authority signing tests and update CLI tasks

---
 .../Signing/AuthoritySigningKeyManagerTests.cs                | 4 ++--
 src/StellaOps.Cli/TASKS.md                                    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthoritySigningKeyManagerTests.cs b/src/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthoritySigningKeyManagerTests.cs
index b2ab68b7..44967cc3 100644
--- a/src/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthoritySigningKeyManagerTests.cs
+++ b/src/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthoritySigningKeyManagerTests.cs
@@ -74,10 +74,10 @@ public sealed class AuthoritySigningKeyManagerTests
             var afterRotation = jwksService.Build();
             Assert.Equal(2, afterRotation.Keys.Count);
 
-            var activeEntry = Assert.Single(afterRotation.Keys.Where(key => key.Status == AuthoritySigningKeyStatus.Active));
+            var activeEntry = Assert.Single(afterRotation.Keys, key => key.Status == AuthoritySigningKeyStatus.Active);
             Assert.Equal("key-2", activeEntry.Kid);
 
-            var retiredEntry = Assert.Single(afterRotation.Keys.Where(key => key.Status == AuthoritySigningKeyStatus.Retired));
+            var retiredEntry = Assert.Single(afterRotation.Keys, key => key.Status == AuthoritySigningKeyStatus.Retired);
             Assert.Equal("key-1", retiredEntry.Kid);
         }
         finally
diff --git a/src/StellaOps.Cli/TASKS.md b/src/StellaOps.Cli/TASKS.md
index 47718e33..aa179901 100644
--- a/src/StellaOps.Cli/TASKS.md
+++ b/src/StellaOps.Cli/TASKS.md
@@ -12,3 +12,4 @@
 |Authority whoami command|DevEx/CLI|Authority auth commands|**DONE (2025-10-10)** – Added `auth whoami` verb that displays subject/audience/expiry from cached tokens and handles opaque tokens gracefully.|
 |Expose auth client resilience settings|DevEx/CLI|Auth libraries LIB5|**DONE (2025-10-10)** – CLI options now bind resilience knobs, `AddStellaOpsAuthClient` honours them, and tests cover env overrides.|
 |Document advanced Authority tuning|Docs/CLI|Expose auth client resilience settings|**DONE (2025-10-10)** – docs/09 and docs/10 describe retry/offline settings with env examples and point to the integration guide.|
+|Surface password policy diagnostics in CLI output|DevEx/CLI, Security Guild|AUTHSEC-CRYPTO-02-004|**TODO** – Bubble analyzer warnings during CLI startup (plugin load) and add tests/docs guiding operators to remediate weakened policies.|