Add unit tests for Router configuration and transport layers

- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.

docs/modules/authority/gaps/artifacts/authority-abac.schema.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.example/authority-abac.schema.json",
+  "title": "Authority ABAC Rule",
+  "type": "object",
+  "required": ["rule_id", "tenant", "environment", "effect", "conditions", "precedence"],
+  "properties": {
+    "rule_id": {"type": "string"},
+    "tenant": {"type": "string"},
+    "environment": {"type": "string"},
+    "effect": {"type": "string", "enum": ["allow", "deny"]},
+    "precedence": {"type": "integer", "minimum": 0},
+    "conditions": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["attribute", "op", "value"],
+        "properties": {
+          "attribute": {"type": "string"},
+          "op": {"type": "string", "enum": ["eq", "neq", "in", "not_in", "contains"]},
+          "value": {}
+        }
+      }
+    },
+    "obligations": {
+      "type": "array",
+      "items": {"type": "string"}
+    }
+  }
+}

docs/modules/authority/gaps/artifacts/authority-jwks-metadata.schema.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.example/authority-jwks-metadata.schema.json",
+  "title": "Authority JWKS Metadata",
+  "type": "object",
+  "required": ["kid", "alg", "tenant", "environment", "rotated_at", "freshness_seconds"],
+  "properties": {
+    "kid": {"type": "string"},
+    "alg": {"type": "string", "enum": ["ES256", "EdDSA"]},
+    "tenant": {"type": "string"},
+    "environment": {"type": "string"},
+    "rotated_at": {"type": "string", "format": "date-time"},
+    "expires_at": {"type": "string", "format": "date-time"},
+    "freshness_seconds": {"type": "integer", "minimum": 0},
+    "jwks_uri": {"type": "string", "format": "uri"},
+    "status": {"type": "string", "enum": ["active", "retiring", "retired"]}
+  }
+}

docs/modules/authority/gaps/artifacts/authority-offline-verifier-bundle.v1.json

@@ -0,0 +1,23 @@
+{
+  "bundle_id": "authority-offline-verifier-bundle.v1",
+  "schema_version": "1.0.0",
+  "issued_at": "2025-12-04T00:00:00Z",
+  "tenant": "*",
+  "environment": "*",
+  "contents": {
+    "jwks_snapshot": "jwks/authority-jwks.json",
+    "scope_role_catalog": "authority-scope-role-catalog.v1.json",
+    "crypto_profile_registry": "crypto-profile-registry.v1.json",
+    "abac_schema": "authority-abac.schema.json",
+    "verifier_binary": "bin/authority-verifier",
+    "policies": ["policies/tenant-policy.json"]
+  },
+  "hashes": {
+    "algorithm": "sha256",
+    "files": {}
+  },
+  "signature": {
+    "status": "unsigned",
+    "expected_dsse": "authority-offline-verifier-bundle.v1.sigstore.json"
+  }
+}

docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.0.0",
+  "issued_at": "2025-12-04T00:00:00Z",
+  "tenant": "*",
+  "environment": "*",
+  "roles": [
+    {
+      "role": "service.reader",
+      "version": "1.0.0",
+      "audience": ["stellaops://services/*"],
+      "scopes": ["service.read"],
+      "precedence": 100,
+      "bindings": {
+        "binding": "dpop",
+        "nonce_ttl_seconds": 120
+      }
+    },
+    {
+      "role": "service.writer",
+      "version": "1.0.0",
+      "audience": ["stellaops://services/*"],
+      "scopes": ["service.write", "service.read"],
+      "precedence": 90,
+      "bindings": {
+        "binding": "mtls",
+        "nonce_ttl_seconds": 0
+      }
+    }
+  ],
+  "metadata": {
+    "catalog_id": "authority-scope-role-catalog",
+    "signature": {
+      "status": "unsigned",
+      "expected_dsse": "authority-scope-role-catalog.v1.sigstore.json"
+    }
+  }
+}

docs/modules/authority/gaps/artifacts/crypto-profile-registry.v1.json

@@ -0,0 +1,28 @@
+{
+  "registry_version": "1.0.0",
+  "issued_at": "2025-12-04T00:00:00Z",
+  "profiles": [
+    {
+      "id": "dpop-es256",
+      "type": "dpop",
+      "algorithms": ["ES256"],
+      "status": "active",
+      "min_version": "1.0.0",
+      "pq_dual_sign": false
+    },
+    {
+      "id": "mtls-ed25519",
+      "type": "mtls",
+      "algorithms": ["Ed25519"],
+      "status": "active",
+      "min_version": "1.0.0",
+      "pq_dual_sign": false
+    }
+  ],
+  "metadata": {
+    "signature": {
+      "status": "unsigned",
+      "expected_dsse": "crypto-profile-registry.v1.sigstore.json"
+    }
+  }
+}

docs/modules/authority/gaps/artifacts/rekor-receipt-bundle.v1.json

@@ -0,0 +1,18 @@
+{
+  "bundle_id": "rekor-receipt-bundle.v1",
+  "schema_version": "1.0.0",
+  "policy": "rekor-receipt-policy.v1.json",
+  "schema": "rekor-receipt.schema.json",
+  "transport_plan": "rekor-receipt-transport-plan.json",
+  "samples": [
+    "samples/receipt-example-01.json"
+  ],
+  "hashes": {
+    "algorithm": "sha256",
+    "files": {}
+  },
+  "signature": {
+    "status": "unsigned",
+    "expected_dsse": "rekor-receipt-bundle.v1.sigstore.json"
+  }
+}

docs/modules/authority/gaps/artifacts/rekor-receipt-policy.v1.json

@@ -0,0 +1,21 @@
+{
+  "policy_version": "1.0.0",
+  "rk1_enforceDsse": true,
+  "rk2_payloadMaxBytes": 1048576,
+  "rk3_routing": {
+    "public": "hashedrekord",
+    "private": "hashedrekord"
+  },
+  "rk4_shardCheckpoint": "per-tenant-per-day",
+  "rk5_idempotentKeys": true,
+  "rk6_sigstoreBundleIncluded": true,
+  "rk7_checkpointFreshnessSeconds": 900,
+  "rk8_pqDualSign": false,
+  "rk9_errorTaxonomy": "see rekor-receipt-error-taxonomy.md",
+  "rk10_annotations": ["policy_hash", "graph_context"],
+  "transport_plan": "rekor-receipt-transport-plan.json",
+  "signature": {
+    "status": "unsigned",
+    "expected_dsse": "rekor-receipt-policy.v1.sigstore.json"
+  }
+}

docs/modules/authority/gaps/artifacts/rekor-receipt.schema.json

@@ -0,0 +1,35 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.example/rekor-receipt.schema.json",
+  "title": "Rekor Receipt",
+  "type": "object",
+  "required": [
+    "tlog_url",
+    "tlog_key",
+    "checkpoint",
+    "inclusion_proof",
+    "bundle_hash",
+    "policy_hash",
+    "client_version",
+    "client_flags",
+    "tsa_chain",
+    "fulcio_chain",
+    "mirror_metadata",
+    "repro_inputs_hash"
+  ],
+  "properties": {
+    "tlog_url": {"type": "string", "format": "uri"},
+    "tlog_key": {"type": "string"},
+    "checkpoint": {"type": "string"},
+    "inclusion_proof": {"type": "string"},
+    "bundle_hash": {"type": "string"},
+    "policy_hash": {"type": "string"},
+    "client_version": {"type": "string"},
+    "client_flags": {"type": "array", "items": {"type": "string"}},
+    "tsa_chain": {"type": "array", "items": {"type": "string"}},
+    "fulcio_chain": {"type": "array", "items": {"type": "string"}},
+    "mirror_metadata": {"type": "object"},
+    "repro_inputs_hash": {"type": "string"},
+    "annotations": {"type": "object"}
+  }
+}