feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.

src/Concelier/StellaOps.Concelier.WebService/Program.cs

@@ -220,8 +220,9 @@ if (authorityConfigured)
     }
     else
     {
-        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-            .AddJwtBearer(options =>
+        builder.Services
+            .AddAuthentication(StellaOpsAuthenticationDefaults.AuthenticationScheme)
+            .AddJwtBearer(StellaOpsAuthenticationDefaults.AuthenticationScheme, options =>
             {
                 options.RequireHttpsMetadata = concelierOptions.Authority.RequireHttpsMetadata;
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -237,6 +238,50 @@ if (authorityConfigured)
                     NameClaimType = StellaOpsClaimTypes.Subject,
                     RoleClaimType = ClaimTypes.Role
                 };
+                options.Events = new JwtBearerEvents
+                {
+                    OnMessageReceived = context =>
+                    {
+                        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
+                        string? token = null;
+                        if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var authorizationValues))
+                        {
+                            var authorization = authorizationValues.ToString();
+                            if (!string.IsNullOrWhiteSpace(authorization) &&
+                                authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) &&
+                                authorization.Length > 7)
+                            {
+                                token = authorization.Substring("Bearer ".Length).Trim();
+                            }
+                        }
+
+                        if (string.IsNullOrEmpty(token))
+                        {
+                            token = context.Token;
+                        }
+
+                        if (!string.IsNullOrWhiteSpace(token))
+                        {
+                            var parts = token.Split(' ', StringSplitOptions.RemoveEmptyEntries);
+                            if (parts.Length > 0)
+                            {
+                                token = parts[^1];
+                            }
+
+                            token = token.Trim().Trim('"');
+                        }
+
+                        if (string.IsNullOrWhiteSpace(token))
+                        {
+                            logger.LogWarning("JWT token missing from request to {Path}", context.HttpContext.Request.Path);
+                            return Task.CompletedTask;
+                        }
+
+                        context.Token = token;
+
+                        return Task.CompletedTask;
+                    }
+                };
             });
     }
 }
@@ -257,6 +302,8 @@ builder.Services.AddEndpointsApiExplorer();
 
 var app = builder.Build();
 
+app.Logger.LogWarning("Authority enabled: {AuthorityEnabled}, test signing secret configured: {HasTestSecret}", authorityConfigured, !string.IsNullOrWhiteSpace(concelierOptions.Authority?.TestSigningSecret));
+
 if (features.NoMergeEnabled)
 {
     app.Logger.LogWarning("Legacy merge module disabled via concelier:features:noMergeEnabled; Link-Not-Merge mode active.");