Add Ruby language analyzer and related functionality

- Introduced global usings for Ruby analyzer.
- Implemented RubyLockData, RubyLockEntry, and RubyLockParser for handling Gemfile.lock files.
- Created RubyPackage and RubyPackageCollector to manage Ruby packages and vendor cache.
- Developed RubyAnalyzerPlugin and RubyLanguageAnalyzer for analyzing Ruby projects.
- Added tests for Ruby language analyzer with sample Gemfile.lock and expected output.
- Included necessary project files and references for the Ruby analyzer.
- Added third-party licenses for tree-sitter dependencies.
This commit is contained in:
master
2025-11-03 01:15:43 +02:00
parent ff0eca3a51
commit bf2bf4b395
88 changed files with 6557 additions and 1568 deletions


@@ -285,6 +285,31 @@ clients:
serviceIdentity: cartographer
```
### 3.3Delegated service accounts
Add delegated service accounts when automation needs scoped tokens with shorter lifetimes:
```yaml
delegation:
quotas:
maxActiveTokens: 50
serviceAccounts:
- accountId: "svc-observer"
tenant: "tenant-default"
allowedScopes: [ "jobs:read", "findings:read" ]
authorizedClients: [ "export-center-worker" ]
tenants:
- name: "tenant-default"
delegation:
maxActiveTokens: 25
```
- Clients request delegated tokens by supplying `service_account=<accountId>` (and optional `delegation_actor`) alongside the usual client-credentials payload.
- Authority enforces both tenant and service-account quotas. Exceeding either returns `invalid_request` and records `delegation.quota.exceeded` in audit events.
- Only scopes listed in `allowedScopes` are granted; `authorizedClients` restricts which OAuth clients may impersonate the delegate.
- Delegated tokens include `stellaops:service_account` and an `act` claim. The token store persists `tokenKind = "service_account"`, `serviceAccountId`, and the normalized actor chain for offline auditing.
---
## 4·Operational safeguards
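Review bot: The bullets after the `delegation` example document only the quota failure path (`invalid_request` plus the `delegation.quota.exceeded` audit event), but not what Authority returns or records when a client outside `authorizedClients` requests a `service_account`, or when the requested scopes fall outside `allowedScopes`; please add the error response and audit event name for those two rejections next to the quota bullet so operators can alert on impersonation attempts, not just quota exhaustion. The optional `delegation_actor` parameter also needs a sentence on its accepted format and how it is normalized into the persisted "actor chain", since the `act` claim and the token-store record are described as audit evidence without saying what values they can contain.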
@@ -323,10 +348,12 @@ clients:
- [ ] Claim transforms enforce `serviceIdentity` for `effective:write`.
- [ ] Claim transforms enforce `serviceIdentity` for `graph:write`.
- [ ] Concelier/Excititor smoke tests cover missing tenant rejection.
- [ ] Delegation quotas configured (`delegation.quotas.maxActiveTokens`, `tenants[].delegation.maxActiveTokens` where required).
- [ ] Service account seeds (`delegation.serviceAccounts`) reviewed for allowed scopes and authorized clients; audit dashboards show `delegation.service_account` usage.
- [ ] Offline kit credentials reviewed for least privilege.
- [ ] Audit/monitoring guidance validated with Observability Guild.
- [ ] Authority Core sign-off recorded (owner: @authority-core, due 2025-10-28).
---
*Last updated: 2025-10-27 (Sprint19).*
*Last updated: 2025-11-02 (Sprint19).*
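Review bot: The new checklist item says audit dashboards should show `delegation.service_account` usage, but the only delegation audit event documented in section 3.3 is `delegation.quota.exceeded`; either document `delegation.service_account` there or align the two names so the checklist can actually be verified against emitted events. Separately, the unchanged sign-off line `- [ ] Authority Core sign-off recorded (owner: @authority-core, due 2025-10-28).` is now past its due date in a document stamped `Last updated: 2025-11-02`; the due date should be refreshed or the item marked done in the same change.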