Add authority bootstrap flows and Concelier ops runbooks

docs/security/audit-events.md

@@ -15,7 +15,7 @@ Audit events share the `StellaOps.Cryptography.Audit.AuthEventRecord` contract.
 - `Client` — `AuthEventClient` with client identifier, display name, and originating provider/plugin.
 - `Scopes` — granted or requested OAuth scopes (sorted before emission).
 - `Network` — `AuthEventNetwork` with remote address, forwarded headers, and user agent string (all treated as PII).
-- `Properties` — additional `AuthEventProperty` entries for context-specific details (lockout durations, policy decisions, retries, etc.).
+- `Properties` — additional `AuthEventProperty` entries for context-specific details (lockout durations, policy decisions, retries, `request.tampered`/`request.unexpected_parameter`, `bootstrap.invite_token`, etc.).
 
 ## Data Classifications
 
@@ -33,7 +33,13 @@ Event names follow dotted notation:
 
 - `authority.password.grant` — password grant handled by OpenIddict.
 - `authority.client_credentials.grant` — client credential grant handling.
+- `authority.token.tamper` — suspicious `/token` request detected (unexpected parameters or manipulated payload).
 - `authority.bootstrap.user` and `authority.bootstrap.client` — bootstrap API operations.
+- `authority.bootstrap.invite.created` — operator created a bootstrap invite.
+- `authority.bootstrap.invite.consumed` — invite consumed during user/client provisioning.
+- `authority.bootstrap.invite.expired` — invite expired without being used.
+- `authority.bootstrap.invite.rejected` — invite was rejected (invalid, mismatched provider/target, or already consumed).
+- `authority.token.replay.suspected` — replay heuristics detected a token being used from a new device fingerprint.
 - Future additions should preserve the `authority.<surface>.<action>` pattern to keep filtering deterministic.
 
 ## Persistence