Add Ruby language analyzer and related functionality

- Introduced global usings for Ruby analyzer.
- Implemented RubyLockData, RubyLockEntry, and RubyLockParser for handling Gemfile.lock files.
- Created RubyPackage and RubyPackageCollector to manage Ruby packages and vendor cache.
- Developed RubyAnalyzerPlugin and RubyLanguageAnalyzer for analyzing Ruby projects.
- Added tests for Ruby language analyzer with sample Gemfile.lock and expected output.
- Included necessary project files and references for the Ruby analyzer.
- Added third-party licenses for tree-sitter dependencies.
This commit is contained in:
master
2025-11-03 01:15:43 +02:00
parent ff0eca3a51
commit bf2bf4b395
88 changed files with 6557 additions and 1568 deletions


@@ -423,6 +423,61 @@ curl -u orch-admin:s3cr3t! \
CLI clients configure these values via `Authority.BackfillReason` / `Authority.BackfillTicket` (environment variables `STELLAOPS_ORCH_BACKFILL_REASON` and `STELLAOPS_ORCH_BACKFILL_TICKET`). Tokens missing either field are rejected with `invalid_request`; audit events store the supplied values as `backfill.reason` and `backfill.ticket`.
### 7.4 Delegated service accounts
StellaOps Authority issues short-lived delegated tokens for service accounts so automation can operate on behalf of a tenant without sharing the underlying client identity.
**Configuration summary**
```yaml
delegation:
quotas:
maxActiveTokens: 50
serviceAccounts:
- accountId: "svc-observer"
tenant: "tenant-default"
displayName: "Observability Exporter"
description: "Delegated identity used by Export Center to read findings."
enabled: true
allowedScopes: [ "jobs:read", "findings:read" ]
authorizedClients: [ "export-center-worker" ]
tenants:
- name: "tenant-default"
delegation:
maxActiveTokens: 25
```
* `delegation.quotas.maxActiveTokens` caps concurrent delegated tokens per tenant. Authority enforces both a tenant-wide ceiling and a per-account ceiling (the same value by default).
* `serviceAccounts[].allowedScopes` lists scopes that the delegate may request. Requests for scopes outside this set return `invalid_scope`.
* `serviceAccounts[].authorizedClients` restricts which OAuth clients may assume the delegate. Leave empty to allow any tenant client.
* `tenants[].delegation.maxActiveTokens` optionally overrides the quota for a specific tenant.
**Requesting a delegated token**
```bash
curl -u export-center-worker:s3cr3t \
-d 'grant_type=client_credentials' \
-d 'scope=jobs:read findings:read' \
-d 'service_account=svc-observer' \
https://authority.example.com/token
```
Optional `delegation_actor` metadata appends an identity to the actor chain:
```bash
-d 'delegation_actor=pipeline://exporter/step/42'
```
**Token shape & observability**
* Access tokens include `stellaops:service_account` and an `act` claim describing the caller hierarchy (`client_id` ⇒ optional `delegation_actor`).
* `authority_tokens` records `tokenKind = "service_account"`, the `serviceAccountId`, and the normalized `actorChain[]`.
* Audit events (`authority.client_credentials.grant`) emit `delegation.service_account`, `delegation.actor`, and quota outcomes (`delegation.quota.exceeded = true/false`).
* When quota limits are exceeded Authority returns `invalid_request` (`Delegation token quota exceeded for tenant/service account`) and annotates the audit log.
Delegated tokens still honour scope validation, tenant enforcement, sender constraints (DPoP/mTLS), and fresh-auth checks.
## 8. Offline & Sovereign Operation
- **No outbound dependencies:** Authority only contacts MongoDB and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use.
- **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity.
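Review bot: the `serviceAccounts[].authorizedClients` bullet and the `delegation_actor` paragraph leave two security-relevant behaviours underspecified. "Leave empty to allow any tenant client" makes the empty list the permissive default, so the text should say outright that any client in `tenant-default` could then assume `svc-observer`, and recommend always listing clients explicitly as the YAML example already does. `delegation_actor` is caller-supplied and is written into `actorChain[]` and the `delegation.actor` audit field, but nothing states whether Authority validates its format or length or treats it as untrusted; either document the validation or add a sentence that consumers must not treat it as an authenticated identity, since only the `client_id` in the `act` claim is. Separately, this hunk edits the Authority delegation documentation while the commit message describes only the Ruby analyzer; consider splitting it into its own commit so the history matches the change.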