docs: add RFC references for AuthBridge security standards

Add offline copies of RFCs that define the token exchange flow:
- RFC 7515 (JWS), RFC 7519 (JWT), RFC 8693 (Token Exchange),
  RFC 8705 (mTLS Client Auth), RFC 9068 (JWT Access Token Profile)

Also:
- Add RFC summary table to CLAUDE.md
- Exclude zt-monitor/ and docs/ from CI build triggers

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>

Author: pavelanni

.github/workflows/build-push.yaml

@@ -10,6 +10,8 @@ on:
       - "go.sum"
       - "opa-service/policies/**"
       - ".github/workflows/build-push.yaml"
+      - "!zt-monitor/**"
+      - "!docs/**"
 
 env:
   REGISTRY: ghcr.io

CLAUDE.md

@@ -252,6 +252,19 @@ Common flags:
 - **SPIFFE/SPIRE** - Workload identity (mock mode for local dev)
 - **SSE (Server-Sent Events)** - Real-time dashboard updates
 
+## Security Standards (RFCs)
+
+The AuthBridge token exchange flow is built on these standards
+(offline copies in `docs/references/`):
+
+| RFC | Title | Used for |
+| --- | ----- | -------- |
+| RFC 7515 | JSON Web Signature (JWS) | JWT signature verification via JWKS |
+| RFC 7519 | JSON Web Token (JWT) | Access token format (Keycloak-issued) |
+| RFC 8693 | OAuth 2.0 Token Exchange | Ext-proc token swap between services |
+| RFC 8705 | OAuth 2.0 Mutual-TLS | SPIFFE SVID client authentication |
+| RFC 9068 | JWT Profile for Access Tokens | Standardized JWT access token structure |
+
 ## Development Notes
 
 ### Adding a New Document

docs/references/README.md

@@ -0,0 +1,28 @@
+# RFC References
+
+This directory contains offline copies of RFCs that define the security
+standards used in this project's AuthBridge token exchange flow.
+
+## RFCs
+
+| RFC | Title | Relevance |
+| --- | ----- | --------- |
+| [RFC 7515](rfc7515.html) | JSON Web Signature (JWS) | Foundation for JWT signature verification; used by `pkg/auth/jwt.go` to validate access tokens via JWKS |
+| [RFC 7519](rfc7519.html) | JSON Web Token (JWT) | Core token format for access tokens issued by Keycloak; claims structure used throughout the demo |
+| [RFC 8693](rfc8693.xml) | OAuth 2.0 Token Exchange | Defines the token exchange grant type used by AuthBridge's ext-proc to swap tokens between services |
+| [RFC 8705](rfc8705.xml) | OAuth 2.0 Mutual-TLS Client Authentication | mTLS-based client authentication; relates to SPIFFE X509-SVIDs used as client certificates |
+| [RFC 9068](rfc9068.xml) | JWT Profile for OAuth 2.0 Access Tokens | Standardizes JWT access token format; Keycloak issues tokens following this profile |
+
+## How these RFCs fit together
+
+The AuthBridge flow uses these standards in sequence:
+
+1. A user authenticates with Keycloak and receives a **JWT access token**
+   (RFC 7519, RFC 9068)
+2. The token is **signed** using JWS (RFC 7515); services verify signatures
+   via Keycloak's JWKS endpoint
+3. When a service calls another service, the Envoy ext-proc performs
+   **token exchange** (RFC 8693) to obtain a new token scoped to the
+   target service's audience
+4. Services authenticate to Keycloak using **mTLS with SPIFFE SVIDs**
+   as client certificates (RFC 8705)