feat(rust): Implement RustCargoLockParser and RustFingerprintScanner

- Added RustCargoLockParser to parse Cargo.lock files and extract package information.
- Introduced RustFingerprintScanner to scan for Rust fingerprint records in JSON files.
- Created test fixtures for Rust language analysis, including Cargo.lock and fingerprint JSON files.
- Developed tests for RustLanguageAnalyzer to ensure deterministic output based on provided fixtures.
- Added expected output files for both simple and signed Rust applications.

docs/10_CONCELIER_CLI_QUICKSTART.md

@@ -56,8 +56,16 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    - `GET /jobs` + `POST /jobs/{kind}` – inspect and trigger connector/export jobs
 
   > **Security note** – authentication now ships via StellaOps Authority. Keep
-  > `authority.allowAnonymousFallback: true` only during the staged rollout and
-  > disable it before **2025-12-31 UTC** so tokens become mandatory.
+  > `authority.allowAnonymousFallback: true` only during the staged rollout and
+  > disable it before **2025-12-31 UTC** so tokens become mandatory.
+
+Rollout checkpoints for the two Authority toggles:
+
+| Phase | `authority.enabled` | `authority.allowAnonymousFallback` | Goal | Observability focus |
+| ----- | ------------------- | ---------------------------------- | ---- | ------------------- |
+| **Validation (staging)** | `true` | `true` | Verify token issuance, CLI scopes, and audit log noise without breaking cron jobs. | Watch `Concelier.Authorization.Audit` for `bypass=True` events and scope gaps; confirm CLI `auth status` succeeds. |
+| **Cutover rehearsal** | `true` | `false` | Exercise production-style enforcement before the deadline; ensure only approved maintenance ranges remain in `bypassNetworks`. | Expect some HTTP 401s; verify `web.jobs.triggered` metrics flatten for unauthenticated calls and audit logs highlight missing tokens. |
+| **Enforced (steady state)** | `true` | `false` | Production baseline after the 2025-12-31 UTC cutoff. | Alert on new `bypass=True` entries and on repeated 401 bursts; correlate with Authority availability dashboards. |
 
 ### Authority companion configuration (preview)
 
@@ -243,10 +251,10 @@ a problem document.
 
 ---
 
-## 6 · Authority Integration
-
-- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0
-  resource server flows. Populate the `authority` block in `concelier.yaml`:
+## 6 · Authority Integration
+
+- Concelier now authenticates callers through StellaOps Authority using OAuth 2.0
+  resource server flows. Populate the `authority` block in `concelier.yaml`:
 
   ```yaml
   authority:
@@ -282,8 +290,12 @@ a problem document.
   export CONCELIER_AUTHORITY__CLIENTSECRETFILE="/var/run/secrets/concelier/authority-client"
   ```
 
-- CLI commands already pass `Authorization` headers when credentials are supplied.
-  Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`)
-  so that automation can obtain tokens with the same client credentials. Concelier
-  logs every job request with the client ID, subject (if present), scopes, and
-  a `bypass` flag so operators can audit cron traffic.
+- CLI commands already pass `Authorization` headers when credentials are supplied.
+  Configure the CLI with matching Authority settings (`docs/09_API_CLI_REFERENCE.md`)
+  so that automation can obtain tokens with the same client credentials. Concelier
+  logs every job request with the client ID, subject (if present), scopes, and
+  a `bypass` flag so operators can audit cron traffic.
+- **Rollout checklist.**
+  1. Stage the integration with fallback enabled (`allowAnonymousFallback=true`) and confirm CLI/token issuance using `stella auth status`.
+  2. Follow the rehearsal pattern (`allowAnonymousFallback=false`) while monitoring `Concelier.Authorization.Audit` and `web.jobs.triggered`/`web.jobs.trigger.failed` metrics.
+  3. Lock in enforcement, review the audit runbook (`docs/ops/concelier-authority-audit-runbook.md`), and document the bypass CIDR approvals in your change log.