git.stella-ops.org/docs/qa/feature-checks/state/authority.json

{
  "module": "authority",
  "lastUpdated": "2026-02-13T00:00:00Z",
  "featureCount": 13,
  "summary": {
    "passed": 13,
    "failed": 0,
    "blocked": 0,
    "done": 13
  },
  "buildNote": "Baseline: 14 test projects, 861 total tests (Authority.Core.Tests=46, Authority.Persistence.Tests=75, Authority.Timestamping.Tests=16, Authority.Timestamping.Abstractions.Tests=16, Authority.ConfigDiff.Tests=5, Authority.Tests=317, Auth.Abstractions.Tests=103, Auth.Client.Tests=28, Auth.ServerIntegration.Tests=27, Authority.Plugin.Ldap.Tests=75, Authority.Plugin.Oidc.Tests=44, Authority.Plugin.Saml.Tests=38, Authority.Plugin.Standard.Tests=39, Authority.Plugins.Abstractions.Tests=32). All 861 tests pass.",
  "features": [
    {
      "name": "authority-identity-provider-registry",
      "slug": "authority-identity-provider-registry",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/authority-identity-provider-registry/run-001/tier2-integration-check.json",
      "notes": "Registry indexes providers, aggregates capabilities, AcquireAsync returns scoped instances, duplicate handling, selector routes by parameter. 7 targeted tests all pass."
    },
    {
      "name": "authority-module-with-oidc-oauth2-dpop-mtls",
      "slug": "authority-module-with-oidc-oauth2-dpop-mtls",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/authority-module-with-oidc-oauth2-dpop-mtls/run-001/tier2-integration-check.json",
      "notes": "Full OIDC/OAuth2 flows with DPoP, mTLS, client credentials, password grant, refresh tokens, revocation, discovery, tamper inspection. 50+ targeted tests."
    },
    {
      "name": "authority-plugin-system",
      "slug": "authority-plugin-system",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/authority-plugin-system/run-001/tier2-integration-check.json",
      "notes": "Plugin loader, 5 concrete plugins (Standard=39, LDAP=75, OIDC=44, SAML=38 tests), assembly discovery, registration lifecycle. 196+ tests."
    },
    {
      "name": "authority-sealed-mode-evidence-validator",
      "slug": "authority-sealed-mode-evidence-validator",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/authority-sealed-mode-evidence-validator/run-001/tier2-integration-check.json",
      "notes": "Evidence freshness validation, missing file handling, stale evidence detection, airgap audit endpoints, offline kit audit. Meaningful assertions with specific failure codes."
    },
    {
      "name": "cli-dpop-bound-authentication",
      "slug": "cli-dpop-bound-authentication",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/cli-dpop-bound-authentication/run-001/tier2-integration-check.json",
      "notes": "28 Auth.Client tests cover DPoP proof generation, token binding, file/inmemory/messaging caches, bearer token handler, auth modes. Server-side DPoP validation in Authority.Tests."
    },
    {
      "name": "ldap-plugin-with-claims-enrichment-and-client-provisioning",
      "slug": "ldap-plugin-with-claims-enrichment-and-client-provisioning",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/ldap-plugin-with-claims-enrichment-and-client-provisioning/run-001/tier2-integration-check.json",
      "notes": "75 dedicated LDAP plugin tests: claims enrichment, client provisioning, capability probing, DN parsing, credential store, TLS, resilience, security, metrics."
    },
    {
      "name": "local-rbac-policy-fallback-with-break-glass-access",
      "slug": "local-rbac-policy-fallback-with-break-glass-access",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/local-rbac-policy-fallback-with-break-glass-access/run-001/tier2-integration-check.json",
      "notes": "File-based policy store, role inheritance, subject lifecycle, break-glass configuration, fallback mode transitions, Postgres-backed primary store."
    },
    {
      "name": "multi-tenant-scope-based-authorization",
      "slug": "multi-tenant-scope-based-authorization",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/multi-tenant-scope-based-authorization/run-001/tier2-integration-check.json",
      "notes": "130+ tests: scope definitions, authorization policies, tenant header filter, tenant catalog, tenant repository. 103 abstractions + 27 server integration tests."
    },
    {
      "name": "pack-rbac-roles-and-cli-profiles",
      "slug": "pack-rbac-roles-and-cli-profiles",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/pack-rbac-roles-and-cli-profiles/run-001/tier2-integration-check.json",
      "notes": "Pack scope definitions, AddPacksResourcePolicies, RequireScope/RequireAnyScope extensions, CLI profile configuration, per-profile token caching."
    },
    {
      "name": "plugin-sdk-plugin-architecture",
      "slug": "plugin-sdk-plugin-architecture",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/plugin-sdk-plugin-architecture/run-001/tier2-integration-check.json",
      "notes": "32 SDK abstractions tests + plugin loader tests. Plugin contracts, registration context, credential audit, secret hasher, client metadata keys. 5 concrete registrars."
    },
    {
      "name": "postgres-backend-store-prototype-for-authority-tokens",
      "slug": "postgres-backend-store-prototype-for-authority-tokens",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/postgres-backend-store-prototype-for-authority-tokens/run-001/tier2-integration-check.json",
      "notes": "75 persistence tests + adapter tests. Token CRUD, refresh token rotation, InMemory parity, session persistence, EF Core migrations, ID generation, clock integration."
    },
    {
      "name": "rfc-3161-tsa-client-for-ci-cd-timestamping",
      "slug": "rfc-3161-tsa-client-for-ci-cd-timestamping",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/rfc-3161-tsa-client-for-ci-cd-timestamping/run-001/tier2-integration-check.json",
      "notes": "32 tests: ASN.1 encoding/decoding, token verification, provider registry with priority/health, response caching, abstraction contracts. CI/CD hooks documented as planned enhancements."
    },
    {
      "name": "trust-root-and-certificate-chain-verification",
      "slug": "trust-root-and-certificate-chain-verification",
      "status": "passed",
      "tier": "tier2d",
      "evidence": "docs/qa/feature-checks/runs/authority/trust-root-and-certificate-chain-verification/run-001/tier2-integration-check.json",
      "notes": "Token verifier with imprint/nonce mismatch detection, key rotation with JWKS continuity, RSA sign/verify roundtrip, KMS and file key sources, DSSE signing."
    }
  ]
}