semi implemented and features implemented save checkpoint

docs/features/unchecked/authority/plugin-sdk-plugin-architecture.md

@@ -0,0 +1,38 @@
+# Plugin SDK / Plugin architecture (CLI, Authority, Crypto)
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Plugin architecture is implemented across CLI (manifest loader, module loader), Authority (identity provider plugins with OIDC/SAML/Standard), and Cryptography (HSM, SM crypto plugins). The Authority plugin SDK defines interfaces, registration context, and a standardized plugin lifecycle.
+
+## Implementation Details
+- **Plugin Abstractions (Authority SDK)**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/` -- the SDK package:
+  - `AuthorityPluginContracts.cs` -- `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces defining the plugin lifecycle
+  - `IdentityProviderContracts.cs` -- `IAuthorityIdentityProviderPlugin` for credential validation and claims enrichment
+  - `AuthorityPluginRegistrationContext.cs` -- DI registration context passed to plugins at startup
+  - `AuthorityCredentialAuditContext.cs` -- audit context for credential operations
+  - `AuthoritySecretHasher.cs` -- pluggable password/secret hashing abstraction
+  - `AuthorityClientMetadataKeys.cs` -- standardized metadata keys for client configuration
+- **Plugin Loader**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs` -- assembly-based plugin discovery from `plugins/authority/` directory.
+- **Plugin Registration Summary**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs` -- diagnostic summary of loaded plugins.
+- **Concrete Plugin Implementations**:
+  - Standard: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`
+  - LDAP: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs`
+  - OIDC: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcPluginRegistrar.cs`
+  - SAML: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlPluginRegistrar.cs`
+  - Unified: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`
+- **Plugin Binary Hosting**: `src/Authority/StellaOps.Authority.PluginBinaries/` -- pre-compiled plugin DLLs; `src/Authority/plugins/authority/` -- plugin directory structure.
+- **Concelier Plugin Binaries**: `src/Authority/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/` -- connector plugin abstractions for Concelier module.
+- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Plugins/AuthorityPluginLoaderTests.cs`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/`
+
+## E2E Test Plan
+- [ ] Build a minimal plugin implementing `IAuthorityPluginRegistrar` and `IAuthorityIdentityProviderPlugin`, place the DLL in `plugins/authority/`, and verify `AuthorityPluginLoader` discovers and loads it
+- [ ] Verify the plugin's `Register` method receives a valid `AuthorityPluginRegistrationContext` with access to DI services
+- [ ] Verify `AuthorityPluginRegistrationSummary` includes the custom plugin with its reported capabilities
+- [ ] Load multiple plugins simultaneously and verify they do not interfere with each other's DI registrations
+- [ ] Remove a plugin DLL and restart; verify the system starts without the removed plugin and reports it as missing in the summary
+- [ ] Verify `AuthoritySecretHasher` can be replaced by a plugin-provided implementation and verify password hashing uses the custom hasher