save checkpoint

docs/features/checked/cli/token-minting-and-delegation-cli.md

@@ -0,0 +1,33 @@
+# Token Minting and Delegation CLI
+
+## Module
+Cli
+
+## Status
+VERIFIED
+
+## Description
+Service account token minting with scope/expiry/tenant control, and token delegation to other principals with scope restriction and audit reasons.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuthCommandGroup.cs` -- auth token commands
+- **Authority Console Client**: `src/Cli/StellaOps.Cli/Services/AuthorityConsoleClient.cs` / `IAuthorityConsoleClient.cs`
+- **Commands**:
+  - `stella auth token mint --scope <scopes> --expiry <duration> --tenant <id>` -- mint service account token
+  - `stella auth token delegate --to <principal> --scope <scopes> --reason <text>` -- delegate token with scope restriction
+
+## E2E Test Plan
+- [ ] Run `stella auth token mint --scope "read:policy" --expiry 24h` and verify token minted
+- [ ] Run with `--tenant <id>` and verify tenant-scoped token
+- [ ] Run `stella auth token delegate --to service-a --scope "read:evidence" --reason "CI pipeline"` and verify delegation
+- [ ] Verify delegated token has restricted scopes
+- [ ] Verify audit reason recorded for delegation
+
+## Verification
+
+- **Verified**: 2026-02-13T15:30:00Z
+- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
+- **Tier 1 (Build)**: pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
+- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
+- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj`
+- **Evidence**: `docs/qa/feature-checks/runs/cli/token-minting-and-delegation-cli/run-001/tier2-integration-check.json`