prep docs and service updates

2025-11-21 06:56:36 +00:00
parent ca35db9ef4
commit d519782a8f
242 changed files with 17293 additions and 13367 deletions
--- a/docs/modules/excititor/operations/tenant-authority-client.md
+++ b/docs/modules/excititor/operations/tenant-authority-client.md
@@ -0,0 +1,39 @@
+# Excititor Tenant Authority Client (AOC-19-013)
+
+- **Date:** 2025-11-21
+- **Scope:** EXCITITOR-CORE-AOC-19-013
+- **Files:** `src/Excititor/StellaOps.Excititor.Worker/Auth/TenantAuthorityClientFactory.cs`
+
+## Contract
+- Every outbound Authority call must carry `X-Tenant` header and use tenant-specific base URL.
+- Base URLs and optional client credentials are configured under `Excititor:Authority:` with per-tenant keys.
+- Factory throws when tenant is missing or not configured to prevent cross-tenant leakage.
+
+## Configuration shape
+```json
+{
+  "Excititor": {
+    "Authority": {
+      "BaseUrls": {
+        "alpha": "https://authority.alpha.local/",
+        "bravo": "https://authority.bravo.local/"
+      },
+      "ClientIds": {
+        "alpha": "alpha-client-id"
+      },
+      "ClientSecrets": {
+        "alpha": "alpha-secret"
+      }
+    }
+  }
+}
+```
+
+## Implementation notes
+- `TenantAuthorityClientFactory` (worker) enforces tenant presence and configured base URL; adds `Accept: application/json` and `X-Tenant` headers.
+- Registered in DI via `Program.cs` with options binding to `Excititor:Authority`.
+- Intended to be reused by WebService/Worker components once disk space block is resolved.
+
+## Next steps
+- Wire factory into services that call Authority (WebService + Worker jobs), replacing any tenant-agnostic HttpClient usages.
+- Add integration tests to ensure cross-tenant calls reject when config missing or header mismatched.