# Authority Gap Remediation · AU1–AU10 (31-Nov-2025 Findings)

Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (AU1–AU10). Scope covers Authority scoping, crypto posture, and verifier/offline expectations.

## Deliverables & Evidence Map

| ID | Requirement (from advisory) | Authority deliverable | Evidence & location |
| --- | --- | --- | --- |
| AU1 | Signed scope/role catalog + versioning | Canonical catalog `gaps/artifacts/authority-scope-role-catalog.v1.json` (versioned, semver, includes tenant/env fields, audience, role → scopes, precedence); DSSE envelope `*.sigstore.json`. | JSON + DSSE: `docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json` and `authority-scope-role-catalog.v1.sigstore.json` (hashes appended to `SHA256SUMS`). |
| AU2 | Audience/tenant/binding enforcement matrix | Matrix doc with per-flow enforcement (device-code, auth-code, client-cred) and binding mode (DPoP/mTLS) + nonce policy. | `docs/modules/authority/gaps/authority-binding-matrix.md` (deterministic tables; hash listed). |
| AU3 | DPoP/mTLS nonce policy | Section in binding matrix defining nonce freshness, replay window, and required claims; includes negative-path examples. | Same as AU2 (`authority-binding-matrix.md`). |
| AU4 | Revocation/JWKS schema + freshness | JSON Schema for revocation events + JWKS metadata fields (`kid`, `exp`, `rotated_at`, `tenant`, `freshness_seconds`); hash-listed. | `gaps/artifacts/authority-jwks-metadata.schema.json` (+ DSSE). |
| AU5 | Key rotation governance | Runbook updates for rotation cadence, dual-publish window, PQ toggle; link to `operations/key-rotation.md`. | `operations/key-rotation.md` addenda + summary in this doc; hash refresh noted in `SHA256SUMS`. |
| AU6 | Crypto-profile registry | Registry listing allowed signing/mTLS/DPoP crypto profiles with status (active/deprecated), min versions, curves, PQ flags. | `gaps/artifacts/crypto-profile-registry.v1.json` (+ DSSE). |
| AU7 | Offline verifier bundle | Offline Kit manifest with verifier binary hashes, JWKS snapshot, scope/role catalog, crypto registry, policies. | Bundle manifest `gaps/artifacts/authority-offline-verifier-bundle.v1.json` (+ DSSE) referencing embedded files; verification script path recorded. |
| AU8 | Delegation quotas/alerts | Policy doc + thresholds for tenant/service delegation, alerting rules, and metric names. | `gaps/authority-delegation-quotas.md` (deterministic tables; hash-listed). |
| AU9 | ABAC schema/precedence | ABAC rule schema with precedence relative to RBAC; includes tenant/env, conditions, obligations. | `gaps/artifacts/authority-abac.schema.json` (+ DSSE). |
| AU10 | Auth conformance tests/metrics | Test matrix covering flows, bindings, revocation freshness, ABAC precedence; metrics/alerts enumerated. | `gaps/authority-conformance-tests.md` (tables + commands; hash-listed). |

## Action Plan (docs + artefact layout)

1) Author the matrix/markdown deliverables above (AU2, AU3, AU5, AU8, AU10) with deterministic tables and UTC timestamps; append SHA256 hashes to `docs/modules/authority/gaps/SHA256SUMS` when generated.
2) Define JSON Schemas/registries (AU1, AU4, AU6, AU7, AU9) using stable key ordering and `schema_version` fields; store under `gaps/artifacts/` with DSSE envelopes once signed.
3) Update `docs/modules/authority/README.md` (Latest updates + Related resources) to point to this gap package; add links for implementers.
4) Coordinate signing via a `tools/cosign/sign-signals.sh` analogue once the Authority key is available (reuse the DSSE conventions from signals). Until signed, mark envelopes TODO in `SHA256SUMS`.
5) Mirror status in sprint `SPRINT_0314_0001_0001_docs_modules_authority.md` and `docs/modules/authority/TASKS.md` (AUTH-GAPS-314-004).

## Hashing & determinism

- Use `sha256sum` over normalized JSON/Markdown (no trailing spaces, LF line endings).
- Record hashes in `docs/modules/authority/gaps/SHA256SUMS` alongside DSSE bundle hashes when produced.
- Keep tables sorted by ID to avoid churn.

## Offline posture

- All referenced artefacts must be ship-ready for Offline Kit inclusion (no remote fetches; include the verifier script + instructions in the bundle manifest once built).
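The hashing and determinism rules above, as an added worked example (not part of the gap package or the project's own tooling): normalize Markdown and JSON artefacts the way the section prescribes, emit `sha256sum`-compatible `SHA256SUMS` lines sorted by path, and verify a tree against them. The sample files are constructed, and the `TODO  <path>` placeholder line format for unsigned envelopes is an assumption.

```python
import hashlib
import json
import re

# Constructed sample artefacts (not the real files from the gap package):
# unordered JSON keys, CRLF line endings and trailing spaces on purpose.
SAMPLE_FILES = {
    "gaps/artifacts/crypto-profile-registry.v1.json":
        '{"profiles": [{"status": "active", "id": "es256"}], "schema_version": "1.0.0"}',
    "gaps/authority-binding-matrix.md":
        "# Binding matrix   \r\n\r\n| Flow | Binding |  \r\n| --- | --- |\r\n",
}

def normalize(path: str, content: str) -> bytes:
    """Canonical bytes to hash: sorted-key JSON carrying a schema_version field,
    or Markdown with LF endings, no trailing spaces and one trailing newline."""
    if path.endswith(".json"):
        obj = json.loads(content)
        if "schema_version" not in obj:
            raise ValueError(f"{path}: missing schema_version")
        return (json.dumps(obj, sort_keys=True, indent=2) + "\n").encode()
    text = content.replace("\r\n", "\n").replace("\r", "\n")
    text = re.sub(r"[ \t]+$", "", text, flags=re.MULTILINE)
    return (text.rstrip("\n") + "\n").encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sha256sums(files: dict) -> str:
    """sha256sum-compatible lines ('<hex>  <path>'), sorted by path to avoid churn."""
    return "".join(f"{sha256_hex(normalize(p, c))}  {p}\n" for p, c in sorted(files.items()))

def verify_sha256sums(sums: str, files: dict) -> dict:
    """Map each SHA256SUMS entry to ok / mismatch / missing / todo.
    'TODO  <path>' lines (assumed placeholder format) mark unsigned DSSE envelopes."""
    result = {}
    for line in sums.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        if digest == "TODO":
            result[path] = "todo"
        elif path not in files:
            result[path] = "missing"
        else:
            result[path] = "ok" if sha256_hex(normalize(path, files[path])) == digest else "mismatch"
    return result
```

Any artefact whose normalized bytes drift (reordered keys are harmless, a changed table row is not) shows up as `mismatch`, while unsigned envelopes stay visible as `todo` until the DSSE hashes replace the placeholder.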