Restructure solution layout by module

src/Cartographer/StellaOps.Cartographer.sln

@@ -0,0 +1,179 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.0.31903.59
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Cartographer", "StellaOps.Cartographer\StellaOps.Cartographer.csproj", "{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Configuration", "..\__Libraries\StellaOps.Configuration\StellaOps.Configuration.csproj", "{A324A97D-60A2-4A5C-B882-11E08019EB80}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Authority.Plugins.Abstractions", "..\Authority\StellaOps.Authority\StellaOps.Authority.Plugins.Abstractions\StellaOps.Authority.Plugins.Abstractions.csproj", "{90295E53-CAE8-4A4D-9B6E-7F58583836B4}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Cryptography", "..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj", "{8559B69A-794A-4F22-A78C-1ED0B38D6B20}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.Abstractions", "..\Authority\StellaOps.Authority\StellaOps.Auth.Abstractions\StellaOps.Auth.Abstractions.csproj", "{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.DependencyInjection", "..\__Libraries\StellaOps.DependencyInjection\StellaOps.DependencyInjection.csproj", "{8C0747BF-4F65-4238-863F-36D1E2E87355}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Policy.Engine", "..\Policy\StellaOps.Policy.Engine\StellaOps.Policy.Engine.csproj", "{288F9D27-634E-45EC-8F89-4EAC68175113}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Policy", "..\Policy\__Libraries\StellaOps.Policy\StellaOps.Policy.csproj", "{2117B457-836C-4F74-A8EB-B5F910B54524}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.Client", "..\Authority\StellaOps.Authority\StellaOps.Auth.Client\StellaOps.Auth.Client.csproj", "{762B2F00-9917-4D77-8DF4-ECD8651A4C13}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.ServerIntegration", "..\Authority\StellaOps.Authority\StellaOps.Auth.ServerIntegration\StellaOps.Auth.ServerIntegration.csproj", "{772D954B-0C2A-4377-B66F-329484EEB19F}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "__Tests", "__Tests", "{56BCE1BF-7CBA-7CE8-203D-A88051F1D642}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Cartographer.Tests", "__Tests\StellaOps.Cartographer.Tests\StellaOps.Cartographer.Tests.csproj", "{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|Any CPU = Release|Any CPU
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|x64.Build.0 = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Debug|x86.Build.0 = Debug|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|Any CPU.Build.0 = Release|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|x64.ActiveCfg = Release|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|x64.Build.0 = Release|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|x86.ActiveCfg = Release|Any CPU
+		{BD5B8D1C-C3C2-4ED5-B917-E5318CA3EF20}.Release|x86.Build.0 = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|x64.Build.0 = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Debug|x86.Build.0 = Debug|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|x64.ActiveCfg = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|x64.Build.0 = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|x86.ActiveCfg = Release|Any CPU
+		{A324A97D-60A2-4A5C-B882-11E08019EB80}.Release|x86.Build.0 = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|x64.Build.0 = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Debug|x86.Build.0 = Debug|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|Any CPU.Build.0 = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|x64.ActiveCfg = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|x64.Build.0 = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|x86.ActiveCfg = Release|Any CPU
+		{90295E53-CAE8-4A4D-9B6E-7F58583836B4}.Release|x86.Build.0 = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|x64.Build.0 = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Debug|x86.Build.0 = Debug|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|Any CPU.Build.0 = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|x64.ActiveCfg = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|x64.Build.0 = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|x86.ActiveCfg = Release|Any CPU
+		{8559B69A-794A-4F22-A78C-1ED0B38D6B20}.Release|x86.Build.0 = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|x64.Build.0 = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Debug|x86.Build.0 = Debug|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|x64.ActiveCfg = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|x64.Build.0 = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|x86.ActiveCfg = Release|Any CPU
+		{6E0F66B6-228D-41EE-B7FF-CC9D9AF19345}.Release|x86.Build.0 = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|x64.Build.0 = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Debug|x86.Build.0 = Debug|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|Any CPU.Build.0 = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|x64.ActiveCfg = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|x64.Build.0 = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|x86.ActiveCfg = Release|Any CPU
+		{8C0747BF-4F65-4238-863F-36D1E2E87355}.Release|x86.Build.0 = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|x64.Build.0 = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Debug|x86.Build.0 = Debug|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|Any CPU.Build.0 = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|x64.ActiveCfg = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|x64.Build.0 = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|x86.ActiveCfg = Release|Any CPU
+		{288F9D27-634E-45EC-8F89-4EAC68175113}.Release|x86.Build.0 = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|x64.Build.0 = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Debug|x86.Build.0 = Debug|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|Any CPU.Build.0 = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|x64.ActiveCfg = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|x64.Build.0 = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|x86.ActiveCfg = Release|Any CPU
+		{2117B457-836C-4F74-A8EB-B5F910B54524}.Release|x86.Build.0 = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|x64.Build.0 = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Debug|x86.Build.0 = Debug|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|Any CPU.Build.0 = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|x64.ActiveCfg = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|x64.Build.0 = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|x86.ActiveCfg = Release|Any CPU
+		{762B2F00-9917-4D77-8DF4-ECD8651A4C13}.Release|x86.Build.0 = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|x64.Build.0 = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Debug|x86.Build.0 = Debug|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|x64.ActiveCfg = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|x64.Build.0 = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|x86.ActiveCfg = Release|Any CPU
+		{772D954B-0C2A-4377-B66F-329484EEB19F}.Release|x86.Build.0 = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|x64.Build.0 = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Debug|x86.Build.0 = Debug|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|Any CPU.Build.0 = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|x64.ActiveCfg = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|x64.Build.0 = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|x86.ActiveCfg = Release|Any CPU
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176}.Release|x86.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{0AF757AA-BD1E-49A2-A7E9-C3F78DD09176} = {56BCE1BF-7CBA-7CE8-203D-A88051F1D642}
+	EndGlobalSection
+EndGlobal

src/Cartographer/StellaOps.Cartographer/AGENTS.md

@@ -0,0 +1,18 @@
+# StellaOps.Cartographer — Agent Charter
+
+## Mission
+Build and operate the Cartographer service that materializes immutable SBOM property graphs, precomputes layout tiles, and hydrates policy/VEX overlays so other services (API, UI, CLI) can navigate and reason about dependency relationships with context.
+
+## Responsibilities
+- Ingest normalized SBOM projections (CycloneDX/SPDX) and generate versioned graph snapshots with tenant-aware storage.
+- Maintain overlay workers that merge Policy Engine effective findings and VEX metadata onto graph nodes/edges, including path relevance computation.
+- Serve graph APIs for viewport tiles, paths, filters, exports, simulation overlays, and diffing.
+- Coordinate with Policy Engine, Scheduler, Conseiller, Excitator, and Authority to keep overlays current, respect RBAC, and uphold determinism guarantees.
+- Deliver observability (metrics/traces/logs) and performance benchmarks for large graphs (≥50k nodes).
+
+## Expectations
+- Keep builds deterministic; snapshots are write-once and content-addressed.
+- Tenancy and scope enforcement must match Authority policies (`graph:*`, `sbom:read`, `findings:read`).
+- Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` when status changes.
+- Provide fixtures and documentation so UI/CLI teams can simulate graphs offline.
+- Authority integration derives scope names from `StellaOps.Auth.Abstractions.StellaOpsScopes`; avoid hard-coded `graph:*` literals.

src/Cartographer/StellaOps.Cartographer/Options/CartographerAuthorityOptions.cs

@@ -0,0 +1,101 @@
+using System;
+using System.Collections.Generic;
+
+namespace StellaOps.Cartographer.Options;
+
+/// <summary>
+/// Configuration controlling Authority-backed authentication for the Cartographer service.
+/// </summary>
+public sealed class CartographerAuthorityOptions
+{
+    /// <summary>
+    /// Enables Authority-backed authentication for Cartographer endpoints.
+    /// </summary>
+    public bool Enabled { get; set; }
+
+    /// <summary>
+    /// Allows anonymous access when Authority integration is enabled (development only).
+    /// </summary>
+    public bool AllowAnonymousFallback { get; set; }
+
+    /// <summary>
+    /// Authority issuer URL exposed via OpenID discovery.
+    /// </summary>
+    public string Issuer { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Whether HTTPS metadata is required when fetching Authority discovery documents.
+    /// </summary>
+    public bool RequireHttpsMetadata { get; set; } = true;
+
+    /// <summary>
+    /// Optional explicit metadata endpoint for Authority discovery.
+    /// </summary>
+    public string? MetadataAddress { get; set; }
+
+    /// <summary>
+    /// Timeout (seconds) applied to Authority back-channel HTTP calls.
+    /// </summary>
+    public int BackchannelTimeoutSeconds { get; set; } = 30;
+
+    /// <summary>
+    /// Allowed token clock skew (seconds) when validating Authority-issued tokens.
+    /// </summary>
+    public int TokenClockSkewSeconds { get; set; } = 60;
+
+    /// <summary>
+    /// Accepted audiences for Cartographer access tokens.
+    /// </summary>
+    public IList<string> Audiences { get; } = new List<string>();
+
+    /// <summary>
+    /// Scopes required for Cartographer operations.
+    /// </summary>
+    public IList<string> RequiredScopes { get; } = new List<string>();
+
+    /// <summary>
+    /// Tenants permitted to access Cartographer resources.
+    /// </summary>
+    public IList<string> RequiredTenants { get; } = new List<string>();
+
+    /// <summary>
+    /// Networks allowed to bypass authentication enforcement.
+    /// </summary>
+    public IList<string> BypassNetworks { get; } = new List<string>();
+
+    /// <summary>
+    /// Validates configured values and throws <see cref="InvalidOperationException"/> on failure.
+    /// </summary>
+    public void Validate()
+    {
+        if (!Enabled)
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(Issuer))
+        {
+            throw new InvalidOperationException("Cartographer Authority issuer must be configured when Authority integration is enabled.");
+        }
+
+        if (!Uri.TryCreate(Issuer.Trim(), UriKind.Absolute, out var issuerUri))
+        {
+            throw new InvalidOperationException("Cartographer Authority issuer must be an absolute URI.");
+        }
+
+        if (RequireHttpsMetadata && !issuerUri.IsLoopback && !string.Equals(issuerUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new InvalidOperationException("Cartographer Authority issuer must use HTTPS unless running on loopback.");
+        }
+
+        if (BackchannelTimeoutSeconds <= 0)
+        {
+            throw new InvalidOperationException("Cartographer Authority back-channel timeout must be greater than zero seconds.");
+        }
+
+        if (TokenClockSkewSeconds < 0 || TokenClockSkewSeconds > 300)
+        {
+            throw new InvalidOperationException("Cartographer Authority token clock skew must be between 0 and 300 seconds.");
+        }
+    }
+}

src/Cartographer/StellaOps.Cartographer/Options/CartographerAuthorityOptionsConfigurator.cs

@@ -0,0 +1,37 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using StellaOps.Auth.Abstractions;
+
+namespace StellaOps.Cartographer.Options;
+
+/// <summary>
+/// Applies Cartographer-specific defaults to <see cref="CartographerAuthorityOptions"/>.
+/// </summary>
+internal static class CartographerAuthorityOptionsConfigurator
+{
+    /// <summary>
+    /// Ensures required scopes are present and duplicates are removed case-insensitively.
+    /// </summary>
+    /// <param name="options">Target options.</param>
+    public static void ApplyDefaults(CartographerAuthorityOptions options)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+
+        EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphRead);
+        EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphWrite);
+    }
+
+    private static void EnsureScope(ICollection<string> scopes, string scope)
+    {
+        ArgumentNullException.ThrowIfNull(scopes);
+        ArgumentException.ThrowIfNullOrEmpty(scope);
+
+        if (scopes.Any(existing => string.Equals(existing, scope, StringComparison.OrdinalIgnoreCase)))
+        {
+            return;
+        }
+
+        scopes.Add(scope);
+    }
+}

src/Cartographer/StellaOps.Cartographer/Program.cs

@@ -0,0 +1,39 @@
+using StellaOps.Cartographer.Options;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Configuration
+    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
+    .AddEnvironmentVariables("CARTOGRAPHER_");
+
+builder.Services.AddOptions();
+builder.Services.AddLogging();
+
+var authoritySection = builder.Configuration.GetSection("Cartographer:Authority");
+var authorityOptions = new CartographerAuthorityOptions();
+authoritySection.Bind(authorityOptions);
+CartographerAuthorityOptionsConfigurator.ApplyDefaults(authorityOptions);
+authorityOptions.Validate();
+
+builder.Services.AddSingleton(authorityOptions);
+builder.Services.AddOptions<CartographerAuthorityOptions>()
+    .Bind(authoritySection)
+    .PostConfigure(CartographerAuthorityOptionsConfigurator.ApplyDefaults);
+
+// TODO: register Cartographer graph builders, overlay workers, and Authority client once implementations land.
+
+var app = builder.Build();
+
+if (!authorityOptions.Enabled)
+{
+    app.Logger.LogWarning("Cartographer Authority authentication is disabled; enable it before production deployments.");
+}
+else if (authorityOptions.AllowAnonymousFallback)
+{
+    app.Logger.LogWarning("Cartographer Authority allows anonymous fallback; disable fallback before production rollout.");
+}
+
+app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
+app.MapGet("/readyz", () => Results.Ok(new { status = "warming" }));
+
+app.Run();

src/Cartographer/StellaOps.Cartographer/Properties/AssemblyInfo.cs

@@ -0,0 +1,3 @@
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("StellaOps.Cartographer.Tests")]

src/Cartographer/StellaOps.Cartographer/StellaOps.Cartographer.csproj

@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
+    <ProjectReference Include="../../Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj" />
+    <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
+  </ItemGroup>
+</Project>

src/Cartographer/StellaOps.Cartographer/TASKS.md

@@ -0,0 +1,6 @@
+# Cartographer Task Board — Epic 3: Graph Explorer v1
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CARTO-GRAPH-21-010 | DONE (2025-10-27) | Cartographer Guild | AUTH-GRAPH-21-001 | Replace hard-coded `graph:*` scope strings in Cartographer services/clients with `StellaOpsScopes` constants; document new dependency. | All scope checks reference `StellaOpsScopes`; documentation updated; unit tests adjusted if needed. |
+
+> 2025-10-26 — Note: awaiting Cartographer service bootstrap. Keep this task open until Cartographer routes exist so we can swap to `StellaOpsScopes` immediately.

src/Cartographer/__Tests/StellaOps.Cartographer.Tests/Options/CartographerAuthorityOptionsConfiguratorTests.cs

@@ -0,0 +1,51 @@
+using StellaOps.Auth.Abstractions;
+using StellaOps.Cartographer.Options;
+using Xunit;
+
+namespace StellaOps.Cartographer.Tests.Options;
+
+public class CartographerAuthorityOptionsConfiguratorTests
+{
+    [Fact]
+    public void ApplyDefaults_AddsGraphScopes()
+    {
+        var options = new CartographerAuthorityOptions();
+
+        CartographerAuthorityOptionsConfigurator.ApplyDefaults(options);
+
+        Assert.Contains(StellaOpsScopes.GraphRead, options.RequiredScopes);
+        Assert.Contains(StellaOpsScopes.GraphWrite, options.RequiredScopes);
+    }
+
+    [Fact]
+    public void ApplyDefaults_DoesNotDuplicateScopes()
+    {
+        var options = new CartographerAuthorityOptions();
+        options.RequiredScopes.Add("GRAPH:READ");
+        options.RequiredScopes.Add(StellaOpsScopes.GraphWrite);
+
+        CartographerAuthorityOptionsConfigurator.ApplyDefaults(options);
+
+        Assert.Equal(2, options.RequiredScopes.Count);
+    }
+
+    [Fact]
+    public void Validate_AllowsDisabledConfiguration()
+    {
+        var options = new CartographerAuthorityOptions();
+
+        options.Validate(); // should not throw when disabled
+    }
+
+    [Fact]
+    public void Validate_ThrowsForInvalidIssuer()
+    {
+        var options = new CartographerAuthorityOptions
+        {
+            Enabled = true,
+            Issuer = "invalid"
+        };
+
+        Assert.Throws<InvalidOperationException>(() => options.Validate());
+    }
+}

src/Cartographer/__Tests/StellaOps.Cartographer.Tests/StellaOps.Cartographer.Tests.csproj

@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
+    <PackageReference Include="xunit" Version="2.9.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
+    <PackageReference Include="coverlet.collector" Version="6.0.4" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="../../StellaOps.Cartographer/StellaOps.Cartographer.csproj" />
+  </ItemGroup>
+</Project>