feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.

src/__Libraries/StellaOps.Configuration/StellaOpsAuthorityOptions.cs

@@ -104,6 +104,11 @@ public sealed class StellaOpsAuthorityOptions
     /// </summary>
     public AuthorityNotificationsOptions Notifications { get; } = new();
 
+    /// <summary>
+    /// Air-gap/sealed mode configuration for Authority.
+    /// </summary>
+    public AuthorityAirGapOptions AirGap { get; } = new();
+
     /// <summary>
     /// Vulnerability explorer integration configuration (workflow CSRF tokens, attachments).
     /// </summary>
@@ -168,6 +173,7 @@ public sealed class StellaOpsAuthorityOptions
         AdvisoryAi.Normalize();
         AdvisoryAi.Validate();
         Notifications.Validate();
+        AirGap.Validate();
         VulnerabilityExplorer.Validate();
         ApiLifecycle.Validate();
         Signing.Validate();
@@ -236,6 +242,70 @@ public sealed class StellaOpsAuthorityOptions
     }
 }
 
+public sealed class AuthorityAirGapOptions
+{
+    public AuthoritySealedModeOptions SealedMode { get; } = new();
+
+    internal void Validate()
+    {
+        SealedMode.Validate();
+    }
+}
+
+public sealed class AuthoritySealedModeOptions
+{
+    private static readonly TimeSpan DefaultMaxEvidenceAge = TimeSpan.FromHours(6);
+    private static readonly TimeSpan DefaultCacheLifetime = TimeSpan.FromMinutes(1);
+
+    /// <summary>
+    /// Enables sealed-mode enforcement for clients that declare the requirement.
+    /// </summary>
+    public bool EnforcementEnabled { get; set; }
+
+    /// <summary>
+    /// Path to the latest authority-sealed-ci.json artefact emitted by sealed-mode CI.
+    /// </summary>
+    public string EvidencePath { get; set; } = "artifacts/sealed-mode-ci/latest/authority-sealed-ci.json";
+
+    /// <summary>
+    /// Maximum age accepted for the sealed evidence document.
+    /// </summary>
+    public TimeSpan MaxEvidenceAge { get; set; } = DefaultMaxEvidenceAge;
+
+    /// <summary>
+    /// Cache lifetime for parsed evidence to avoid re-reading the artefact on every request.
+    /// </summary>
+    public TimeSpan CacheLifetime { get; set; } = DefaultCacheLifetime;
+
+    public bool RequireAuthorityHealthPass { get; set; } = true;
+    public bool RequireSignerHealthPass { get; set; } = true;
+    public bool RequireAttestorHealthPass { get; set; } = true;
+    public bool RequireEgressProbePass { get; set; } = true;
+
+    internal void Validate()
+    {
+        if (!EnforcementEnabled)
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(EvidencePath))
+        {
+            throw new InvalidOperationException("AirGap.SealedMode.EvidencePath must be provided when enforcement is enabled.");
+        }
+
+        if (MaxEvidenceAge <= TimeSpan.Zero || MaxEvidenceAge > TimeSpan.FromDays(7))
+        {
+            throw new InvalidOperationException("AirGap.SealedMode.MaxEvidenceAge must be between 00:00:01 and 7.00:00:00.");
+        }
+
+        if (CacheLifetime <= TimeSpan.Zero || CacheLifetime > MaxEvidenceAge)
+        {
+            throw new InvalidOperationException("AirGap.SealedMode.CacheLifetime must be greater than zero and less than or equal to AirGap.SealedMode.MaxEvidenceAge.");
+        }
+    }
+}
+
 public sealed class AuthoritySecurityOptions
 {
     /// <summary>