feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.

src/Concelier/StellaOps.Concelier.WebService/Program.cs

@@ -220,8 +220,9 @@ if (authorityConfigured)
     }
     else
     {
-        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-            .AddJwtBearer(options =>
+        builder.Services
+            .AddAuthentication(StellaOpsAuthenticationDefaults.AuthenticationScheme)
+            .AddJwtBearer(StellaOpsAuthenticationDefaults.AuthenticationScheme, options =>
             {
                 options.RequireHttpsMetadata = concelierOptions.Authority.RequireHttpsMetadata;
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -237,6 +238,50 @@ if (authorityConfigured)
                     NameClaimType = StellaOpsClaimTypes.Subject,
                     RoleClaimType = ClaimTypes.Role
                 };
+                options.Events = new JwtBearerEvents
+                {
+                    OnMessageReceived = context =>
+                    {
+                        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
+                        string? token = null;
+                        if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var authorizationValues))
+                        {
+                            var authorization = authorizationValues.ToString();
+                            if (!string.IsNullOrWhiteSpace(authorization) &&
+                                authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) &&
+                                authorization.Length > 7)
+                            {
+                                token = authorization.Substring("Bearer ".Length).Trim();
+                            }
+                        }
+
+                        if (string.IsNullOrEmpty(token))
+                        {
+                            token = context.Token;
+                        }
+
+                        if (!string.IsNullOrWhiteSpace(token))
+                        {
+                            var parts = token.Split(' ', StringSplitOptions.RemoveEmptyEntries);
+                            if (parts.Length > 0)
+                            {
+                                token = parts[^1];
+                            }
+
+                            token = token.Trim().Trim('"');
+                        }
+
+                        if (string.IsNullOrWhiteSpace(token))
+                        {
+                            logger.LogWarning("JWT token missing from request to {Path}", context.HttpContext.Request.Path);
+                            return Task.CompletedTask;
+                        }
+
+                        context.Token = token;
+
+                        return Task.CompletedTask;
+                    }
+                };
             });
     }
 }
@@ -257,6 +302,8 @@ builder.Services.AddEndpointsApiExplorer();
 
 var app = builder.Build();
 
+app.Logger.LogWarning("Authority enabled: {AuthorityEnabled}, test signing secret configured: {HasTestSecret}", authorityConfigured, !string.IsNullOrWhiteSpace(concelierOptions.Authority?.TestSigningSecret));
+
 if (features.NoMergeEnabled)
 {
     app.Logger.LogWarning("Legacy merge module disabled via concelier:features:noMergeEnabled; Link-Not-Merge mode active.");

src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/WebServiceEndpointsTests.cs

@@ -11,11 +11,13 @@ using System.Net.Http.Headers;
 using System.Security.Claims;
 using System.Text;
 using System.Text.Json;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Logging;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -577,6 +579,7 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
     [Fact]
     public async Task AdvisoryIngestEndpoint_RejectsCrossTenantWhenAuthenticated()
     {
+        IdentityModelEventSource.ShowPII = true;
         var environment = new Dictionary<string, string?>
         {
             ["CONCELIER_AUTHORITY__ENABLED"] = "true",
@@ -604,11 +607,29 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
             environment);
 
         using var client = factory.CreateClient();
+        var schemes = await factory.Services.GetRequiredService<IAuthenticationSchemeProvider>().GetAllSchemesAsync();
+        _output.WriteLine("Schemes => " + string.Join(',', schemes.Select(s => s.Name)));
         var token = CreateTestToken("tenant-auth", StellaOpsScopes.AdvisoryIngest);
+        _output.WriteLine("token => " + token);
         client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
         client.DefaultRequestHeaders.Add("X-Stella-Tenant", "tenant-auth");
 
         var ingestResponse = await client.PostAsJsonAsync("/ingest/advisory", BuildAdvisoryIngestRequest("sha256:auth-1", "GHSA-AUTH-001"));
+        if (ingestResponse.StatusCode != HttpStatusCode.Created)
+        {
+            var body = await ingestResponse.Content.ReadAsStringAsync();
+            _output.WriteLine($"ingestResponse => {(int)ingestResponse.StatusCode} {ingestResponse.StatusCode}: {body}");
+            var authLogs = factory.LoggerProvider.Snapshot("Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler");
+            foreach (var entry in authLogs)
+            {
+                _output.WriteLine($"authLog => {entry.Level}: {entry.Message} ({entry.Exception?.Message})");
+            }
+            var programLogs = factory.LoggerProvider.Snapshot("StellaOps.Concelier.WebService.Program");
+            foreach (var entry in programLogs)
+            {
+                _output.WriteLine($"programLog => {entry.Level}: {entry.Message}");
+            }
+        }
         Assert.Equal(HttpStatusCode.Created, ingestResponse.StatusCode);
 
         client.DefaultRequestHeaders.Remove("X-Stella-Tenant");