Wire real telemetry into the dashboard (completed): plan still called out “next connect to live pipeline telemetry events” (docs/packaging-tools-plan.md:147), yet the GUI seeded fake data and the CLI used a console-only channel. The shared DashboardTelemetryStore now backs CLI/SDK/Avalonia, pipelines emit pipeline.completed/artifact events, and the GUI loads persisted snapshots so the dashboard reflects real jobs.
Deliver enterprise identity providers (completed): architecture docs expect Azure AD/Okta SSO and MFA (docs/identity/identity-architecture.md:1-56). Azure AD and Okta providers now back IdentityServiceFactory, tokens persist via the secure store, CLI (identity login) and Avalonia UI expose sign-in commands, and policy evaluation enforces required roles/identity presence.
Finish remote signing connectors promised for Windows (completed): Azure Key Vault signing now routes through AzureKeyVaultSigner with remote credential properties, CLI wizard surfaces the configuration, and integration tests cover the remote path.
Turn on the documented SBOM and vulnerability features (completed): Linux DI now registers CycloneDxSbomGenerator and TrivyVulnerabilityScanner, the pipeline selects generators via security.sbom.format/security.vuln.provider, and integration tests assert SBOM files and vulnerability findings are produced.
Bootstrap the plugin system that the vision leans on (completed): plugin contracts, loader, and adapters now register through a shared PluginManager. CLI/SDK probe defaults (%APPDATA%/PackagingTools/plugins, ./plugins), plugins.directories project metadata, run-option overrides, and the PACKAGINGTOOLS_PLUGIN_PATHS environment variable; the Avalonia workspace exposes an editor for project plugin paths. Integration tests assert manifests load in SDK flows, and refreshed docs cover manifest format and configuration knobs.