feat(rust): Implement RustCargoLockParser and RustFingerprintScanner

- Added RustCargoLockParser to parse Cargo.lock files and extract package information.
- Introduced RustFingerprintScanner to scan for Rust fingerprint records in JSON files.
- Created test fixtures for Rust language analysis, including Cargo.lock and fingerprint JSON files.
- Developed tests for RustLanguageAnalyzer to ensure deterministic output based on provided fixtures.
- Added expected output files for both simple and signed Rust applications.

docs/10_CONCELIER_CLI_QUICKSTART.md

@@ -56,8 +56,16 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    - `GET /jobs` + `POST /jobs/{kind}` – inspect and trigger connector/export jobs
 
   > **Security note** – authentication now ships via StellaOps Authority. Keep
-  > `authority.allowAnonymousFallback: true` only during the staged rollout and
-  > disable it before **2025-12-31 UTC** so tokens become mandatory.
+  > `authority.allowAnonymousFallback: true` only during the staged rollout and
+  > disable it before **2025-12-31 UTC** so tokens become mandatory.
+
+Rollout checkpoints for the two Authority toggles:
+
+| Phase | `authority.enabled` | `authority.allowAnonymousFallback` | Goal | Observability focus |
+| ----- | ------------------- | ---------------------------------- | ---- | ------------------- |
+| **Validation (staging)** | `true` | `true` | Verify token issuance, CLI scopes, and audit log noise without breaking cron jobs. | Watch `Concelier.Authorization.Audit` for `bypass=True` events and scope gaps; confirm CLI `auth status` succeeds. |
+| **Cutover rehearsal** | `true` | `false` | Exercise production-style enforcement before the deadline; ensure only approved maintenance ranges remain in `bypassNetworks`. | Expect some HTTP 401s; verify `web.jobs.triggered` metrics flatten for unauthenticated calls and audit logs highlight missing tokens. |
+| **Enforced (steady state)** | `true` | `false` | Production baseline after the 2025-12-31 UTC cutoff. | Alert on new `bypass=True` entries and on repeated 401 bursts; correlate with Authority availability dashboards. |
 
 ### Authority companion configuration (preview)
 
@@ -243,10 +251,10 @@ a problem document.
 
 ---
 
-## 6 · Authority Integration
-
-- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0
-  resource server flows. Populate the `authority` block in `concelier.yaml`:
+## 6 · Authority Integration
+
+- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0
+  resource server flows. Populate the `authority` block in `concelier.yaml`:
 
   ```yaml
   authority:
@@ -282,8 +290,12 @@ a problem document.
   export CONCELIER_AUTHORITY__CLIENTSECRETFILE="/var/run/secrets/concelier/authority-client"
   ```
 
-- CLI commands already pass `Authorization` headers when credentials are supplied.
-  Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`)
-  so that automation can obtain tokens with the same client credentials. Concelier
-  logs every job request with the client ID, subject (if present), scopes, and
-  a `bypass` flag so operators can audit cron traffic.
+- CLI commands already pass `Authorization` headers when credentials are supplied.
+  Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`)
+  so that automation can obtain tokens with the same client credentials. Concelier
+  logs every job request with the client ID, subject (if present), scopes, and
+  a `bypass` flag so operators can audit cron traffic.
+- **Rollout checklist.**
+  1. Stage the integration with fallback enabled (`allowAnonymousFallback=true`) and confirm CLI/token issuance using `stella auth status`.
+  2. Follow the rehearsal pattern (`allowAnonymousFallback=false`) while monitoring `Concelier.Authorization.Audit` and `web.jobs.triggered`/`web.jobs.trigger.failed` metrics.
+  3. Lock in enforcement, review the audit runbook (`docs/ops/concelier-authority-audit-runbook.md`), and document the bypass CIDR approvals in your change log.

docs/TASKS.md

@@ -15,7 +15,7 @@
 | DOCS-EVENTS-09-004 | DONE (2025-10-19) | Docs Guild, Scanner WebService | SCANNER-EVENTS-15-201 | Refresh scanner event docs to mirror DSSE-backed report fields, document `scanner.scan.completed`, and capture canonical sample validation. | Schemas updated for new payload shape; README references DSSE reuse and validation test; samples align with emitted events. |
 | PLATFORM-EVENTS-09-401 | DONE (2025-10-21) | Platform Events Guild | DOCS-EVENTS-09-003 | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. | Notify models tests now run schema validation against `docs/events/*.json`, event schemas allow optional `attributes`, and docs capture the new validation workflow. |
 | RUNTIME-GUILD-09-402 | DONE (2025-10-19) | Runtime Guild | SCANNER-POLICY-09-107 | Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. | Runtime verification run captures enriched payload; checklist/doc updates merged; stakeholders acknowledge availability. |
-| DOCS-CONCELIER-07-201 | TODO | Docs Guild, Concelier WebService | FEEDWEB-DOCS-01-001 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Review feedback resolved, publish PR merged, release notes updated with documentation pointer. |
+| DOCS-CONCELIER-07-201 | DONE (2025-10-22) | Docs Guild, Concelier WebService | FEEDWEB-DOCS-01-001 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Review feedback resolved, publish PR merged, release notes updated with documentation pointer. |
 | DOCS-RUNTIME-17-004 | TODO | Docs Guild, Runtime Guild | SCANNER-EMIT-17-701, ZASTAVA-OBS-17-005, DEVOPS-REL-17-002 | Document build-id workflows: SBOM exposure, runtime event payloads, debug-store layout, and operator guidance for symbol retrieval. | Architecture + operator docs updated with build-id sections, examples show `readelf` output + debuginfod usage, references linked from Offline Kit/Release guides. |
 
 > Update statuses (TODO/DOING/REVIEW/DONE/BLOCKED) as progress changes. Keep guides in sync with configuration samples under `etc/`.

docs/ops/concelier-authority-audit-runbook.md

@@ -1,14 +1,15 @@
 # Concelier Authority Audit Runbook
 
-_Last updated: 2025-10-12_
+_Last updated: 2025-10-22_
 
 This runbook helps operators verify and monitor the StellaOps Concelier ⇆ Authority integration. It focuses on the `/jobs*` surface, which now requires StellaOps Authority tokens, and the corresponding audit/metric signals that expose authentication and bypass activity.
 
 ## 1. Prerequisites
 
-- Authority integration is enabled in `concelier.yaml` (or via `CONCELIER_AUTHORITY__*` environment variables) with a valid `clientId`, secret, audience, and required scopes.
-- OTLP metrics/log exporters are configured (`concelier.telemetry.*`) or container stdout is shipped to your SIEM.
-- Operators have access to the Concelier job trigger endpoints via CLI or REST for smoke tests.
+- Authority integration is enabled in `concelier.yaml` (or via `CONCELIER_AUTHORITY__*` environment variables) with a valid `clientId`, secret, audience, and required scopes.
+- OTLP metrics/log exporters are configured (`concelier.telemetry.*`) or container stdout is shipped to your SIEM.
+- Operators have access to the Concelier job trigger endpoints via CLI or REST for smoke tests.
+- The rollout table in `docs/10_CONCELIER_CLI_QUICKSTART.md` has been reviewed so stakeholders align on the staged → enforced toggle timeline.
 
 ### Configuration snippet
 
@@ -112,9 +113,10 @@ Correlate audit logs with the following global meter exported via `Concelier.Sou
 
 ## 4. Rollout & Verification Procedure
 
-1. **Pre-checks**
-   - Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
-   - Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
+1. **Pre-checks**
+   - Align with the rollout phases documented in `docs/10_CONCELIER_CLI_QUICKSTART.md` (validation → rehearsal → enforced) and record the target dates in your change request.
+   - Confirm `allowAnonymousFallback` is `false` in production; keep `true` only during staged validation.
+   - Validate Authority issuer metadata is reachable from Concelier (`curl https://authority.internal/.well-known/openid-configuration` from the host).
 
 2. **Smoke test with valid token**
    - Obtain a token via CLI: `stella auth login --scope concelier.jobs.trigger`.

docs/updates/2025-10-22-docs-guild.md

@@ -0,0 +1,12 @@
+# Docs Guild Update — 2025-10-22
+
+**Subject:** Concelier Authority toggle rollout polish  
+**Audience:** Docs Guild, Concelier WebService Guild, Authority Core
+
+- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
+- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
+- Refreshed `docs/ops/concelier-authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
+
+Next steps:
+- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
+- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.