# Sprint 100 - Identity & Signing

_Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._

Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.

## 100.B) Authority.I
Dependency: None specified; follow module prerequisites.
Focus: Identity & Signing focus on Authority (phase I).

| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) |
| 2 | AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |

## 100.B) Authority.II
Dependency: None specified; follow module prerequisites.
Focus: Identity & Signing focus on Authority (phase II).

| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | AUTH-DPOP-11-001 | DONE (2025-11-08) | DPoP validation now runs for every `/token` grant, interactive tokens inherit `cnf.jkt`/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
| 2 | AUTH-MTLS-11-002 | DONE (2025-11-08) | Refresh grants now enforce the original client certificate, tokens persist `x5t#S256`/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
| 3 | PLG4-6.CAPABILITIES | DONE (2025-11-08) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 4 | PLG6.DIAGRAM | DONE (2025-11-03) | Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under `docs/assets/authority`; dev guide now references final exports. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 5 | PLG7.RFC | DONE (2025-11-03) | LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 6 | SEC2.PLG | DONE (2025-11-09) | StandardCredentialAuditLogger now pushes `authority.plugin.standard.password_verification` events via `IAuthEventSink`, pulling client/tenant/network metadata from `AuthorityCredentialAuditContextAccessor`; success/failure/lockout scenarios are covered by new unit tests. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 7 | SEC3.PLG | DONE (2025-11-09) | Lockout/rate-limit telemetry emits deterministic `plugin.retry_after_seconds` + `plugin.lockout_until` properties, maps failure codes to the extended `AuthEventOutcome` set, and is validated by updated credential store/audit logger tests. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 8 | SEC5.PLG | DONE (2025-11-09) | Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (`plugin.*` properties) so SOC/offline reviewers can trace mitigations end-to-end. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 9 | PLG7.IMPL-003 | DONE (2025-11-09) | Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 10 | PLG7.IMPL-004 | DONE (2025-11-09) | LDAP plug-in now ships `clientProvisioning.*` options, a Mongo-audited `LdapClientProvisioningStore`, capability gating, and docs/tests covering LDAP writes + cache shims. | BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
| 11 | PLG7.IMPL-005 | DONE (2025-11-09) | LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |

- 2025-11-08: PLG4-6.CAPABILITIES marked DONE – bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (`dotnet test` across plugins + Authority core).
- 2025-11-08: AUTH-AIRGAP-57-001 landed — new `airGap.sealedMode` options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until `authority-sealed-ci.json` passes.
- 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
- 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (`StellaOps.Authority.Plugin.Ldap.Tests`).
- 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.

## 100.D) __Libraries
Dependency: None specified; follow module prerequisites.
Focus: Identity & Signing focus on __Libraries.

| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | KMS-73-001 | DONE (2025-11-03) | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |
| 2 | KMS-73-002 | DONE (2025-11-03) | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |