Initial commit (history squashed)

src/StellaOps.Cryptography/AGENTS.md

@@ -0,0 +1,21 @@
+# Team 8 — Security Guild (Authority & Shared Crypto)
+
+## Role
+
+Team 8 owns the end-to-end security posture for StellaOps Authority and its consumers. That includes password hashing policy, audit/event hygiene, rate-limit & lockout rules, revocation distribution, and sovereign cryptography abstractions that allow alternative algorithm suites (e.g., GOST) without touching feature code.
+
+## Operational Boundaries
+
+- Primary workspace: `src/StellaOps.Cryptography`, `src/StellaOps.Authority.Plugin.Standard`, `src/StellaOps.Authority.Storage.Mongo`, and Authority host (`src/StellaOps.Authority/StellaOps.Authority`).  
+- Coordinate cross-module changes via TASKS.md updates and PR descriptions.  
+- Never bypass deterministic behaviour (sorted keys, stable timestamps).  
+- Tests live alongside owning projects (`*.Tests`). Extend goldens instead of rewriting.
+
+## Expectations
+
+- Default to Argon2id (Konscious) for password hashing; PBKDF2 only for legacy verification with transparent rehash on success.  
+- Emit structured security events with minimal PII and clear correlation IDs.  
+- Rate-limit `/token` and bootstrap endpoints once CORE8 hooks are available.  
+- Deliver offline revocation bundles signed with detached JWS and provide a verification script.  
+- Maintain `docs/security/authority-threat-model.md` and ensure mitigations are tracked.  
+- All crypto consumption flows through `StellaOps.Cryptography` abstractions to enable sovereign crypto providers.