Add StellaOps Authority planning artifacts and config templates

2025-10-10 06:52:41 +00:00
parent d0c95cf328
commit 3aed135fb5
14 changed files with 829 additions and 1 deletions
--- a/StellaOps.Authority.TODOS.Plugin.md
+++ b/StellaOps.Authority.TODOS.Plugin.md
@@ -0,0 +1,38 @@
+# StellaOps Authority — Plugin Workstream
+
+> **Read first:** `AGENTS.md`, `StellaOps.Authority.TODOS.md`, and this document. Sync status across all trackers.
+
+## Scope
+Deliver the plugin abstraction layer and the default Mongo-backed identity plugin (`StellaOps.Authority.Plugin.Standard`), plus lay groundwork for future LDAP integration.
+
+## Task Plan
+
+| Order | Task IDs | Description | Dependencies | Acceptance |
+|-------|----------|-------------|--------------|------------|
+| 1 | PLG1 | Implement plugin abstractions: `IIdentityProviderPlugin`, `IUserCredentialStore`, `IClaimsEnricher`, `IClientProvisioningStore`, result models, constants. | DevEx FND1 | **DONE** – Abstractions published with XML docs and unit tests covering success/failure factories. |
+| 2 | PLG2 | Integrate abstractions with plugin host (DI registration via `IAuthorityPluginRegistrar`). Emit diagnostics for load failures. | PLG1 | **DONE** – Authority host loads registrars, logs registration summary, and unit tests cover success/missing cases. |
+| 3 | PLG3 | Build Mongo-backed `Plugin.Standard` implementing password auth, lockout, claim enrichment, admin seeding. | CORE3 | **DONE** – Standard plugin binds options, enforces password policy/lockout, seeds bootstrap user, and ships integration/unit tests. |
+| 4 | PLG4 | Define capability metadata (supportsPassword, supportsMfa, supportsClientProvisioning). Update plugin registration to publish metadata. | PLG3 | **DONE (2025-10-10)** – Capability descriptors validated; Standard plugin enforces password flag and registry exposes aggregated metadata to the host. |
+| 5 | PLG5 (support) | Collaborate with DevEx on plugin config schema (`etc/authority.plugins/*.yaml`). Implement config parser + validation. | DevEx PLG5 | Provide typed options class + tests. |
+| 6 | PLG6 | Author plugin developer guide (structure, packaging, capability flags, logging expectations). | PLG1–PLG5 | **READY FOR DOCS REVIEW (2025-10-10)** – Guide finalised, includes capability metadata usage, ops alignment, and packaging checklist; handoff blocked only on Docs copy-edit + diagram export. |
+| 7 | PLG7 (backlog design) | Produce technical RFC for future `Plugin.Ldap` (data flows, dependencies, TODO list). | PLG1–PLG4 | **RFC DRAFTED (2025-10-10)** – `docs/rfcs/authority-plugin-ldap.md` outlines architecture, configuration schema, implementation plan; awaiting guild review & sign-off. |
+
+## Implementation Notes
+- Mongo plugin must support offline bootstrap: optional JSON file with initial users/clients hashed offline.  
+- Provide extensibility points for password hashing algorithm (allow Security team to swap Argon2).  
+- Ensure plugin logging leverages Authority logger, no console writes.  
+- Document expected configuration keys for plugin settings (`passwordPolicy`, `seedUsers`, etc.).  
+- Validate plugin configuration early at startup; fail fast with actionable errors.
+
+## Deliverables
+- `StellaOps.Authority.Plugins.Abstractions` project.  
+- `StellaOps.Authority.Plugin.Standard` project with tests + seed data sample.  
+- Plugin dev documentation + sample configuration files.  
+- Diagnostic logging verifying plugin load, capabilities, configuration.  
+- Future plugin RFC for LDAP integration.
+
+## Coordination
+- Coordinate with Authority Core for capability usage in handlers.  
+- Work with Security Guild on password hash settings/lockout thresholds.  
+- Notify DevEx when configuration schema changes.  
+- Review Docs PR for plugin developer guide.