Frontend gaps fill work. Testing fixes work. Auditing in progress.

src/Registry/StellaOps.Registry.TokenService/Program.cs

@@ -16,6 +16,7 @@ using StellaOps.Auth.ServerIntegration;
 using StellaOps.Configuration;
 using StellaOps.Telemetry.Core;
 using StellaOps.Registry.TokenService;
+using StellaOps.Registry.TokenService.Admin;
 using StellaOps.Registry.TokenService.Observability;
 
 var builder = WebApplication.CreateBuilder(args);
@@ -57,6 +58,10 @@ builder.Services.AddSingleton<PlanRegistry>(sp =>
 });
 builder.Services.AddSingleton<RegistryTokenIssuer>();
 
+// Plan Admin API dependencies
+builder.Services.AddSingleton<IPlanRuleStore, InMemoryPlanRuleStore>();
+builder.Services.AddSingleton<PlanValidator>();
+
 builder.Services.AddHealthChecks().AddCheck("self", () => Microsoft.Extensions.Diagnostics.HealthChecks.HealthCheckResult.Healthy());
 
 builder.Services.AddAirGapEgressPolicy(builder.Configuration);
@@ -102,6 +107,14 @@ builder.Services.AddAuthorization(options =>
         policy.Requirements.Add(new StellaOpsScopeRequirement(scopes));
         policy.AddAuthenticationSchemes(StellaOpsAuthenticationDefaults.AuthenticationScheme);
     });
+
+    // Admin policy for plan management
+    options.AddPolicy("registry.admin", policy =>
+    {
+        policy.RequireAuthenticatedUser();
+        policy.Requirements.Add(new StellaOpsScopeRequirement(["registry.admin"]));
+        policy.AddAuthenticationSchemes(StellaOpsAuthenticationDefaults.AuthenticationScheme);
+    });
 });
 
 var app = builder.Build();
@@ -112,6 +125,9 @@ app.UseAuthorization();
 
 app.MapHealthChecks("/healthz");
 
+// Plan Admin API endpoints
+app.MapPlanAdminEndpoints();
+
 app.MapGet("/token", (
     HttpContext context,
     [FromServices] IOptions<RegistryTokenServiceOptions> options,