Closes Phase 15 of cowork/auth-bundle-2-prompt.md. Ships a single
operator-facing doc that lists every RFC the auth bundles implement
and every CWE class the implementation closes, with concrete file
paths + test anchors per row.
Files
=====
docs/reference/auth-standards-implemented.md (NEW):
* Table 1: 13 RFCs / standards rows (RFC 6749, 7636, 7519, 7517,
OIDC Core 1.0, OIDC BCL 1.0, RFC 6265, RFC 9700, RFC 8414,
RFC 7633, RFC 8555, RFC 7515 plus the OIDC Core §5.3.2 UserInfo
endpoint). Every row has a concrete source file path + a
negative-test anchor.
* Table 2: 14 CWE rows (CWE-287, 352, 384, 294, 916/329, 307,
345, 200, 770, 330, 311, 326, 1004, 614, 1275). Every row
points at where the defense lives + where it is pinned.
* Bundle 1 RBAC standards covered separately at the end with
CWE-285, 862, 863, 732 pointers into Bundle 1's surface.
* Explicit 'What this document is NOT' section preserving the
operator's 2026-05-05 retired-compliance-docs decision: the
doc is an evidence list, NOT a SOC 2 / PCI-DSS / HIPAA /
NIST SP 800-53 / NIST SSDF / FedRAMP framework-mapping doc.
Framework name-drops appear ONLY inside the explicit
'this is NOT' disclaimer paragraphs; no marketing-flavored
prose claims certctl 'satisfies CC6.1' or similar.
docs/README.md (MODIFIED):
* Adds the auth-standards-implemented.md doc to the Reference
section nav table between intermediate-ca-hierarchy.md and
the deployment-model.md entry, with a one-line description
flagging it as RFC + CWE evidence (NOT a compliance-mapping
doc).
Verification
============
* Last-reviewed header: 2026-05-10.
* Internal-link sweep: every relative link resolves cleanly.
* Framework-name grep: SOC 2 / PCI-DSS / HIPAA / NIST SSDF /
FedRAMP appear ONLY inside the 'this is NOT a compliance-
mapping doc' disclaimer paragraphs (lines 7 and 66 of the
new doc). No marketing-flavored claims.
* No Go-side impact; pure docs commit, make verify gate
unchanged.
shankar0123