feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginContracts.cs

@@ -112,15 +112,20 @@ public interface IAuthorityIdentityProviderRegistry
     /// </summary>
     IReadOnlyCollection<AuthorityIdentityProviderMetadata> MfaProviders { get; }
 
-    /// <summary>
-    /// Gets metadata for identity providers that advertise client provisioning support.
-    /// </summary>
-    IReadOnlyCollection<AuthorityIdentityProviderMetadata> ClientProvisioningProviders { get; }
-
-    /// <summary>
-    /// Aggregate capability flags across all registered providers.
-    /// </summary>
-    AuthorityIdentityProviderCapabilities AggregateCapabilities { get; }
+    /// <summary>
+    /// Gets metadata for identity providers that advertise client provisioning support.
+    /// </summary>
+    IReadOnlyCollection<AuthorityIdentityProviderMetadata> ClientProvisioningProviders { get; }
+
+    /// <summary>
+    /// Gets metadata for identity providers that advertise bootstrap flows (user/client).
+    /// </summary>
+    IReadOnlyCollection<AuthorityIdentityProviderMetadata> BootstrapProviders { get; }
+
+    /// <summary>
+    /// Aggregate capability flags across all registered providers.
+    /// </summary>
+    AuthorityIdentityProviderCapabilities AggregateCapabilities { get; }
 
     /// <summary>
     /// Attempts to resolve identity provider metadata by name.

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs

@@ -12,11 +12,12 @@ namespace StellaOps.Authority.Plugins.Abstractions;
 /// <summary>
 /// Describes feature support advertised by an identity provider plugin.
 /// </summary>
-public sealed record AuthorityIdentityProviderCapabilities(
-    bool SupportsPassword,
-    bool SupportsMfa,
-    bool SupportsClientProvisioning)
-{
+public sealed record AuthorityIdentityProviderCapabilities(
+    bool SupportsPassword,
+    bool SupportsMfa,
+    bool SupportsClientProvisioning,
+    bool SupportsBootstrap)
+{
     /// <summary>
     /// Builds capabilities metadata from a list of capability identifiers.
     /// </summary>
@@ -24,7 +25,7 @@ public sealed record AuthorityIdentityProviderCapabilities(
     {
         if (capabilities is null)
         {
-            return new AuthorityIdentityProviderCapabilities(false, false, false);
+            return new AuthorityIdentityProviderCapabilities(false, false, false, false);
         }
 
         var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
@@ -38,11 +39,12 @@ public sealed record AuthorityIdentityProviderCapabilities(
             seen.Add(entry.Trim());
         }
 
-        return new AuthorityIdentityProviderCapabilities(
-            SupportsPassword: seen.Contains(AuthorityPluginCapabilities.Password),
-            SupportsMfa: seen.Contains(AuthorityPluginCapabilities.Mfa),
-            SupportsClientProvisioning: seen.Contains(AuthorityPluginCapabilities.ClientProvisioning));
-    }
+        return new AuthorityIdentityProviderCapabilities(
+            SupportsPassword: seen.Contains(AuthorityPluginCapabilities.Password),
+            SupportsMfa: seen.Contains(AuthorityPluginCapabilities.Mfa),
+            SupportsClientProvisioning: seen.Contains(AuthorityPluginCapabilities.ClientProvisioning),
+            SupportsBootstrap: seen.Contains(AuthorityPluginCapabilities.Bootstrap));
+}
 }
 
 /// <summary>