git.stella-ops.org/docs/modules/authority/gaps/2025-12-04-auth-gaps-au1-au10.md
StellaOps Bot 175b750e29 Implement InMemory Transport Layer for StellaOps Router
- Added InMemoryTransportOptions class for configuration settings including timeouts and latency.
- Developed InMemoryTransportServer class to handle connections, frame processing, and event management.
- Created ServiceCollectionExtensions for easy registration of InMemory transport services.
- Established project structure and dependencies for InMemory transport library.
- Implemented comprehensive unit tests for endpoint discovery, connection management, request/response flow, and streaming capabilities.
- Ensured proper handling of cancellation, heartbeat, and hello frames within the transport layer.
2025-12-05 01:00:10 +02:00


Authority Gap Remediation · AU1–AU10 (31-Nov-2025 Findings)

Source: docs/product-advisories/31-Nov-2025 FINDINGS.md (AU1–AU10). Scope covers Authority scoping, crypto posture, and verifier/offline expectations.

Deliverables & Evidence Map

| ID | Requirement (from advisory) | Authority deliverable | Evidence & location |
|----|-----------------------------|-----------------------|---------------------|
| AU1 | Signed scope/role catalog + versioning | Canonical catalog gaps/artifacts/authority-scope-role-catalog.v1.json (versioned, semver, includes tenant/env fields, audience, role → scopes, precedence); DSSE envelope *.sigstore.json. | JSON + DSSE: docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json and authority-scope-role-catalog.v1.sigstore.json (hashes appended to SHA256SUMS). |
| AU2 | Audience/tenant/binding enforcement matrix | Matrix doc with per-flow enforcement (device-code, auth-code, client-cred) and binding mode (DPoP/mTLS) + nonce policy. | docs/modules/authority/gaps/authority-binding-matrix.md (deterministic tables; hash listed). |
| AU3 | DPoP/mTLS nonce policy | Section in binding matrix defining nonce freshness, replay window, and required claims; include negative-path examples. | Same as AU2 (authority-binding-matrix.md). |
| AU4 | Revocation/JWKS schema + freshness | JSON Schema for revocation events + JWKS metadata fields (kid, exp, rotated_at, tenant, freshness_seconds); hash-listed. | gaps/artifacts/authority-jwks-metadata.schema.json (+ DSSE). |
| AU5 | Key rotation governance | Runbook updates for rotation cadence, dual-publish window, PQ toggle; link to operations/key-rotation.md. | operations/key-rotation.md addenda + summary in this doc; hash refresh noted in SHA256SUMS. |
| AU6 | Crypto-profile registry | Registry listing allowed signing/MTLS/DPoP crypto profiles with status (active/deprecated), min versions, curves, PQ flags. | gaps/artifacts/crypto-profile-registry.v1.json (+ DSSE). |
| AU7 | Offline verifier bundle | Offline kit manifest with verifier binary hashes, JWKS snapshot, scope/role catalog, crypto registry, policies. | Bundle manifest gaps/artifacts/authority-offline-verifier-bundle.v1.json (+ DSSE) referencing embedded files; verification script path recorded. |
| AU8 | Delegation quotas/alerts | Policy doc + thresholds for tenant/service delegation, alerting rules, and metrics names. | gaps/authority-delegation-quotas.md (deterministic tables; hash-listed). |
| AU9 | ABAC schema/precedence | ABAC rule schema with precedence relative to RBAC; includes tenant/env, conditions, obligations. | gaps/artifacts/authority-abac.schema.json (+ DSSE). |
| AU10 | Auth conformance tests/metrics | Test matrix covering flows, bindings, revocation freshness, ABAC precedence; metrics/alerts enumerated. | gaps/authority-conformance-tests.md (tables + commands; hash-listed). |

Action Plan (docs + artefact layout)

  1. Author the matrix/markdown deliverables above (AU2, AU3, AU5, AU8, AU10) with deterministic tables and UTC timestamps; append SHA256 to docs/modules/authority/gaps/SHA256SUMS when generated.
  2. Define JSON Schemas/registries (AU1, AU4, AU6, AU7, AU9) using stable ordering and schema_version fields; store under gaps/artifacts/ with DSSE envelopes once signed.
  3. Update docs/modules/authority/README.md (Latest updates + Related resources) to point to this gap package; add links for implementers.
  4. Coordinate signing via tools/cosign/sign-signals.sh analogue once Authority key is available (reuse DSSE conventions from signals). Until signed, mark envelopes TODO in SHA256SUMS.
  5. Mirror status in sprint SPRINT_0314_0001_0001_docs_modules_authority.md and docs/modules/authority/TASKS.md (AUTH-GAPS-314-004).

Hashing & determinism

  • Use sha256sum over normalized JSON/Markdown (no trailing spaces, LF line endings).
  • Record hashes in docs/modules/authority/gaps/SHA256SUMS alongside DSSE bundle hashes when produced.
  • Keep tables sorted by ID to avoid churn.
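The normalization and hashing rules above (LF endings, no trailing spaces, stable JSON ordering, SHA256SUMS sorted to avoid churn) as a runnable script. This is an added example written for this page, not a StellaOps tool; the file names and contents in SAMPLE_FILES are constructed, and the `.json`/`.md` split by extension is an assumption about how the gap package is laid out.

```python
"""Deterministic hashing of gap-package artefacts (added example).

Normalises Markdown and JSON before hashing so that CRLF line endings,
trailing whitespace or a different JSON key order do not change the digest,
then emits SHA256SUMS lines in `sha256sum` format sorted by path.
"""
import hashlib
import json


def normalize_markdown(text: str) -> str:
    """CRLF/CR -> LF, strip trailing spaces/tabs per line, single trailing LF."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    stripped = [line.rstrip(" \t") for line in lines]
    # Drop trailing blank lines so an extra newline at EOF does not alter the hash.
    while stripped and stripped[-1] == "":
        stripped.pop()
    return "\n".join(stripped) + "\n"


def normalize_json(text: str) -> str:
    """Re-serialise with sorted keys and fixed layout (stable ordering)."""
    obj = json.loads(text)
    return json.dumps(obj, sort_keys=True, indent=2, ensure_ascii=False) + "\n"


def normalize(path: str, text: str) -> str:
    """Assumption: artefacts ending in .json are JSON, everything else Markdown."""
    return normalize_json(text) if path.endswith(".json") else normalize_markdown(text)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_sha256sums(files: dict) -> str:
    """Return SHA256SUMS content ('<hex>  <path>' per line), sorted by path."""
    lines = []
    for path in sorted(files):
        lines.append(f"{sha256_hex(normalize(path, files[path]))}  {path}")
    return "\n".join(lines) + "\n"


def verify_sha256sums(sums: str, files: dict) -> list:
    """Return paths whose current normalized hash differs from SHA256SUMS, or that are missing."""
    failures = []
    for line in sums.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        if path not in files or sha256_hex(normalize(path, files[path])) != digest:
            failures.append(path)
    return failures


# Constructed sample artefacts (not the real gap-package files); note the
# CRLF endings and trailing spaces in the Markdown, and unsorted JSON keys.
SAMPLE_FILES = {
    "gaps/authority-binding-matrix.md": "| ID | Flow |\r\n| AU2 | device-code |   \r\n",
    "gaps/artifacts/crypto-profile-registry.v1.json": '{"profiles": [], "schema_version": "1.0.0"}',
}

if __name__ == "__main__":
    sums = build_sha256sums(SAMPLE_FILES)
    print(sums, end="")
    print("mismatches:", verify_sha256sums(sums, SAMPLE_FILES))
```

Because the hash is taken over the normalized form, a checkout that converts line endings produces the same SHA256SUMS, while any real content change (a new table row, a changed schema_version) is reported by `verify_sha256sums`.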

Offline posture

  • All referenced artefacts must be ship-ready for Offline Kit inclusion (no remote fetches, include verifier script + instructions in bundle manifest once built).
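A sketch of what the AU7 offline verifier bundle check and the AU4 JWKS freshness fields look like when exercised together without any network access. This is an added example, not the project's verification script or published schema: the manifest layout (`files` entries with `path`/`sha256`, plus a `jwks_snapshot`), the meaning of `freshness_seconds` (a key is stale once `rotated_at + freshness_seconds` is in the past) and the bundle contents are all assumptions constructed for the example.

```python
"""Offline verification of an Authority verifier bundle (added example).

Recomputes every digest listed in the bundle manifest from local bytes and
classifies each key in the JWKS snapshot against a caller-supplied UTC time.
Nothing here opens a network connection, which is the offline-kit requirement.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_files(manifest: dict, local_files: dict) -> list:
    """One problem string per manifest entry that is missing or whose digest differs."""
    problems = []
    for entry in manifest["files"]:
        path, expected = entry["path"], entry["sha256"]
        if path not in local_files:
            problems.append(f"missing: {path}")
        elif sha256_hex(local_files[path]) != expected:
            problems.append(f"digest mismatch: {path}")
    return problems


def check_jwks_freshness(jwks: dict, now: datetime) -> dict:
    """Map kid -> 'expired' | 'stale' | 'usable' (assumed freshness_seconds semantics)."""
    verdicts = {}
    for key in jwks["keys"]:
        exp = datetime.fromisoformat(key["exp"])
        rotated_at = datetime.fromisoformat(key["rotated_at"])
        if now >= exp:
            verdicts[key["kid"]] = "expired"
        elif (now - rotated_at).total_seconds() > key["freshness_seconds"]:
            verdicts[key["kid"]] = "stale"
        else:
            verdicts[key["kid"]] = "usable"
    return verdicts


def verify_bundle(manifest: dict, local_files: dict, now: datetime) -> list:
    """Combined offline check: file digests first, then every non-usable key is reported."""
    problems = verify_files(manifest, local_files)
    for kid, verdict in check_jwks_freshness(manifest["jwks_snapshot"], now).items():
        if verdict != "usable":
            problems.append(f"key {kid}: {verdict}")
    return problems


def build_manifest(files: dict, jwks: dict) -> dict:
    """What a bundle author would ship: digests of the embedded files plus the JWKS snapshot."""
    return {
        "schema_version": "1.0.0",
        "files": [{"path": p, "sha256": sha256_hex(b)} for p, b in sorted(files.items())],
        "jwks_snapshot": jwks,
    }


# Constructed bundle contents (assumed layout; not real StellaOps artefacts).
LOCAL_FILES = {
    "verifier/stella-verify": b"#!/bin/sh\nexit 0\n",
    "jwks/snapshot.json": b'{"keys": []}\n',
    "catalog/authority-scope-role-catalog.v1.json": b'{"schema_version": "1.0.0"}\n',
}
# Constructed JWKS metadata using the AU4 field names; offsets are fixed ISO-8601 strings.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "authority-2025-11", "tenant": "tenant-a", "rotated_at": "2025-11-01T00:00:00+00:00",
         "exp": "2026-05-01T00:00:00+00:00", "freshness_seconds": 90 * 86400},
        {"kid": "authority-2025-08", "tenant": "tenant-a", "rotated_at": "2025-08-01T00:00:00+00:00",
         "exp": "2026-02-01T00:00:00+00:00", "freshness_seconds": 90 * 86400},
        {"kid": "authority-2025-06", "tenant": "tenant-a", "rotated_at": "2025-06-01T00:00:00+00:00",
         "exp": "2025-12-01T00:00:00+00:00", "freshness_seconds": 90 * 86400},
    ]
}
NOW = datetime(2025, 12, 4, 12, 0, tzinfo=timezone.utc)  # evaluation time passed in, never fetched

if __name__ == "__main__":
    manifest = build_manifest(LOCAL_FILES, SAMPLE_JWKS)
    for problem in verify_bundle(manifest, LOCAL_FILES, NOW):
        print(problem)
```

The evaluation time is an explicit parameter rather than `datetime.now()` so the check is reproducible in audits and so an air-gapped host with a wrong clock cannot silently make a stale snapshot look fresh; the manifest itself would additionally be covered by its DSSE envelope, which this example does not model.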