up

docs/modules/authority/implementation_plan.md

@@ -20,3 +20,77 @@
 - Review ./AGENTS.md before picking up new work.
 - Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`.
 - Update this plan whenever scope, dependencies, or guardrails change.
+
+---
+
+## Sprint readiness tracker
+
+> Last updated: 2025-11-27 (AUTHORITY-ENG-0001)
+
+This section maps epic milestones to implementation sprints and tracks readiness checkpoints.
+
+### Epic 1 — AOC enforcement
+| Task ID | Status | Sprint | Notes |
+|---------|--------|--------|-------|
+| AUTH-SIG-26-001 | ✅ DONE (2025-10-29) | SPRINT_0143_0000_0001_signals | Signals scopes + AOC role templates; propagation validation complete. |
+| AUTH-AIRGAP-57-001 | ✅ DONE (2025-11-08) | SPRINT_100_identity_signing | Sealed-mode CI gating; refuses tokens when sealed install lacks confirmation. |
+
+**Checkpoint:** AOC enforcement operational with guardrails and scope policies in place.
+
+### Epic 2 — Policy Engine & Editor
+| Task ID | Status | Sprint | Notes |
+|---------|--------|--------|-------|
+| AUTH-DPOP-11-001 | ✅ DONE (2025-11-08) | SPRINT_100_identity_signing | DPoP validation on `/token` grants; interactive tokens inherit `cnf.jkt`. |
+| AUTH-MTLS-11-002 | ✅ DONE (2025-11-08) | SPRINT_100_identity_signing | Refresh grants enforce original client cert; `x5t#S256` metadata persisted. |
+
+**Checkpoint:** DPoP and mTLS sender-constraint flows operational.
+
+### Epic 4 — Policy Studio
+| Task ID | Status | Sprint | Notes |
+|---------|--------|--------|-------|
+| AUTH-PACKS-43-001 | ✅ DONE (2025-11-09) | SPRINT_100_identity_signing | Pack signing policies, approval RBAC, CLI CI token scopes, audit logging. |
+
+**Checkpoint:** Pack signing and approval flows with fresh-auth prompts complete.
+
+### Epic 14 — Identity & Tenancy
+| Task ID | Status | Sprint | Notes |
+|---------|--------|--------|-------|
+| AUTH-TEN-47-001 | ✅ Contract published | SPRINT_0115_0001_0004_concelier_iv | Tenant-scope contract at `docs/modules/authority/tenant-scope-47-001.md`. |
+| AUTH-CRYPTO-90-001 | 🔄 DOING | SPRINT_0514_0001_0001_sovereign_crypto | Sovereign signing provider; key-loading path migration in progress. |
+
+**Checkpoint:** Tenancy contract published; sovereign crypto provider integration in progress.
+
+### Future tasks
+| Task ID | Status | Sprint | Notes |
+|---------|--------|--------|-------|
+| AUTH-REACH-401-005 | 📝 TODO | SPRINT_0401_0001_0001_reachability_evidence_chain | DSSE predicate types for SBOM/Graph/VEX/Replay; blocked on predicate definitions. |
+| AUTH-VERIFY-186-007 | 📝 TODO | SPRINT_186_record_deterministic_execution | Verification helper for DSSE signatures and Rekor proofs; awaits provenance harness. |
+
+**Checkpoint:** Attestation predicate support and verification helpers pending upstream dependencies.
+
+---
+
+### Overall readiness summary
+
+| Epic | Status | Blocking items |
+|------|--------|----------------|
+| **1 – AOC enforcement** | ✅ Complete | — |
+| **2 – Policy Engine & Editor** | ✅ Complete | — |
+| **4 – Policy Studio** | ✅ Complete | — |
+| **14 – Identity & Tenancy** | 🔄 In progress | AUTH-CRYPTO-90-001 provider contract |
+| **Future (Attestation)** | 📝 Not started | DSSE predicate schema; provenance harness |
+
+### Cross-module dependencies
+
+| Dependency | Required by | Status |
+|------------|-------------|--------|
+| Signals scope propagation | AUTH-SIG-26-001 | ✅ Validated |
+| Sealed-mode CI evidence | AUTH-AIRGAP-57-001 | ✅ Implemented |
+| DSSE predicate definitions | AUTH-REACH-401-005 | Schema draft pending |
+| Provenance harness (PROB0101) | AUTH-VERIFY-186-007 | In progress |
+| Sovereign crypto keystore plan | AUTH-CRYPTO-90-001 | ✅ Prep published |
+
+### Next actions
+1. Complete AUTH-CRYPTO-90-001 provider registry wiring (Sprint 0514).
+2. Coordinate DSSE predicate schema with Signer guild for AUTH-REACH-401-005 (Sprint 0401).
+3. Monitor PROB0101 provenance harness for AUTH-VERIFY-186-007 (Sprint 186).