Add authority bootstrap flows and Concelier ops runbooks

This commit is contained in:
master
2025-10-15 10:03:56 +03:00
parent 0ddc014864
commit bab75fb00d
276 changed files with 21674 additions and 934 deletions


@@ -71,6 +71,41 @@ internal sealed class PasswordPolicyOptions
throw new InvalidOperationException($"Standard plugin '{pluginName}' requires passwordPolicy.minimumLength to be greater than zero.");
}
}
public bool IsWeakerThan(PasswordPolicyOptions other)
{
if (other is null)
{
return false;
}
if (MinimumLength < other.MinimumLength)
{
return true;
}
if (!RequireUppercase && other.RequireUppercase)
{
return true;
}
if (!RequireLowercase && other.RequireLowercase)
{
return true;
}
if (!RequireDigit && other.RequireDigit)
{
return true;
}
if (!RequireSymbol && other.RequireSymbol)
{
return true;
}
return false;
}
}
internal sealed class LockoutOptions
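Review bot: `IsWeakerThan` has no doc comment, and what it means by "weaker" is not obvious from the name. It returns true as soon as any single dimension (`MinimumLength` or one of the `Require*` flags) is below `other`, even when every other dimension is stricter, so a long-passphrase policy with `RequireSymbol` off is reported as weaker. I would state that on the method: `/// <summary>Returns true when this policy is less strict than <paramref name="other"/> on at least one dimension; returns false when <paramref name="other"/> is null.</summary>`. The enclosing `PasswordPolicyOptions` class starts outside the hunk.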


@@ -51,6 +51,25 @@ internal sealed class StandardPluginRegistrar : IAuthorityPluginRegistrar
var cryptoProvider = sp.GetRequiredService<ICryptoProvider>();
var passwordHasher = new CryptoPasswordHasher(pluginOptions, cryptoProvider);
var loggerFactory = sp.GetRequiredService<ILoggerFactory>();
var registrarLogger = loggerFactory.CreateLogger<StandardPluginRegistrar>();
var baselinePolicy = new PasswordPolicyOptions();
if (pluginOptions.PasswordPolicy.IsWeakerThan(baselinePolicy))
{
registrarLogger.LogWarning(
"Standard plugin '{Plugin}' configured a weaker password policy (minLength={Length}, requireUpper={Upper}, requireLower={Lower}, requireDigit={Digit}, requireSymbol={Symbol}) than the baseline (minLength={BaseLength}, requireUpper={BaseUpper}, requireLower={BaseLower}, requireDigit={BaseDigit}, requireSymbol={BaseSymbol}).",
pluginName,
pluginOptions.PasswordPolicy.MinimumLength,
pluginOptions.PasswordPolicy.RequireUppercase,
pluginOptions.PasswordPolicy.RequireLowercase,
pluginOptions.PasswordPolicy.RequireDigit,
pluginOptions.PasswordPolicy.RequireSymbol,
baselinePolicy.MinimumLength,
baselinePolicy.RequireUppercase,
baselinePolicy.RequireLowercase,
baselinePolicy.RequireDigit,
baselinePolicy.RequireSymbol);
}
return new StandardUserCredentialStore(
pluginName,
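Review bot: The weaker-than-baseline check only logs a warning and then goes on to build the `StandardUserCredentialStore`, so a weakened policy is still accepted. The surrounding `sp.GetRequiredService` calls suggest this runs inside a DI factory (the registration itself is outside the hunk, and the `return` call continues past it), which would mean the warning appears only when the store is first resolved, and again on each resolution if the lifetime is not singleton. Consider emitting it once during options validation at startup, and marking the intent in place with `// Advisory only: a weaker policy is logged, not rejected.` The baseline is `new PasswordPolicyOptions()`, so it silently follows the class defaults; a named static baseline would make that coupling explicit.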


@@ -5,12 +5,14 @@
| PLG6.DOC | DONE (2025-10-11) | BE-Auth Plugin, Docs Guild | PLG1PLG5 | Final polish + diagrams for plugin developer guide (AUTHPLUG-DOCS-01-001). | Docs team delivers copy-edit + exported diagrams; PR merged. |
| SEC1.PLG | DONE (2025-10-11) | Security Guild, BE-Auth Plugin | SEC1.A (StellaOps.Cryptography) | Swap Standard plugin hashing to Argon2id via `StellaOps.Cryptography` abstractions; keep PBKDF2 verification for legacy. | ✅ `StandardUserCredentialStore` uses `ICryptoProvider` to hash/check; ✅ Transparent rehash on success; ✅ Unit tests cover tamper + legacy rehash. |
| SEC1.OPT | DONE (2025-10-11) | Security Guild | SEC1.PLG | Expose password hashing knobs in `StandardPluginOptions` (`memoryKiB`, `iterations`, `parallelism`, `algorithm`) with validation. | ✅ Options bound from YAML; ✅ Invalid configs throw; ✅ Docs include tuning guidance. |
| SEC2.PLG | TODO | Security Guild, Storage Guild | SEC2.A (audit contract) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. | ✅ Serilog events enriched with subject/client/IP/outcome; ✅ Mongo records written per attempt; ✅ Tests assert success/lockout/failure cases. |
| SEC3.PLG | TODO | Security Guild, BE-Auth Plugin | CORE8, SEC3.A (rate limiter) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). | ✅ Audit record includes retry-after; ✅ Tests confirm lockout + limiter interplay. |
| SEC2.PLG | DOING (2025-10-14) | Security Guild, Storage Guild | SEC2.A (audit contract) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. | ✅ Serilog events enriched with subject/client/IP/outcome; ✅ Mongo records written per attempt; ✅ Tests assert success/lockout/failure cases. |
| SEC3.PLG | DOING (2025-10-14) | Security Guild, BE-Auth Plugin | CORE8, SEC3.A (rate limiter) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). | ✅ Audit record includes retry-after; ✅ Tests confirm lockout + limiter interplay. |
| SEC4.PLG | DONE (2025-10-12) | Security Guild | SEC4.A (revocation schema) | Provide plugin hooks so revoked users/clients write reasons for revocation bundle export. | ✅ Revocation exporter consumes plugin data; ✅ Tests cover revoked user/client output. |
| SEC5.PLG | TODO | Security Guild | SEC5.A (threat model) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. | ✅ Threat model lists plugin attack surfaces; ✅ Mitigation items filed. |
| SEC5.PLG | DOING (2025-10-14) | Security Guild | SEC5.A (threat model) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. | ✅ Threat model lists plugin attack surfaces; ✅ Mitigation items filed. |
| PLG4-6.CAPABILITIES | BLOCKED (2025-10-12) | BE-Auth Plugin, Docs Guild | PLG1PLG3 | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | ✅ Capability metadata + validation merged; ✅ Plugin guide updated with final copy & diagrams; ✅ Release notes mention new toggles. <br>⛔ Blocked awaiting Authority rate-limiter stream (CORE8/SEC3) to resume so doc updates reflect final limiter behaviour. |
| PLG7.RFC | REVIEW | BE-Auth Plugin, Security Guild | PLG4 | Socialize LDAP plugin RFC (`docs/rfcs/authority-plugin-ldap.md`) and capture guild feedback. | ✅ Guild review sign-off recorded; ✅ Follow-up issues filed in module boards. |
| PLG6.DIAGRAM | TODO | Docs Guild | PLG6.DOC | Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. | ✅ Mermaid sources committed; ✅ Rendered SVG/PNG linked from Section 2 + Section 9; ✅ Docs build preview shared with Plugin + Docs guilds. |
> Update statuses to DOING/DONE/BLOCKED as you make progress. Always run `dotnet test` for touched projects before marking DONE.
> Remark (2025-10-13, PLG6.DOC/PLG6.DIAGRAM): Security Guild delivered `docs/security/rate-limits.md`; Docs team can lift Section 3 (tuning table + alerts) into the developer guide diagrams when rendering assets.