# StellaOps Registry Token Service

Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries. It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.

## Responsibilities

- Validate Authority-issued caller identity and required scopes (default `registry.token.issue`).
- Authorize requested repository scopes against a local plan catalogue (`stellaops:plan` claim + configured rules).
- Block issuance for revoked licences (`stellaops:license` claim + configured deny list).
- Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.

## Key endpoints

- `GET /token` - Docker registry token exchange endpoint.
- `GET /healthz` - liveness probe.

## Code locations

- Service: `src/Registry/StellaOps.Registry.TokenService`
- Tests: `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`

## Configuration

- File: `etc/registry-token.yaml`
- Environment variables: `REGISTRY_TOKEN_*`

## Implementation Status

### Current Objectives

- Maintain deterministic behaviour and offline parity across releases
- Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes

### Epic Milestones

- Epic 10 – Export Center: signed registry token bundles for mirror/Offline Kit workflows (planned)
- Epic 14 – Identity & Tenancy: tenant-aware scope validation, revocation, audit trails (planned)

### Core Capabilities

- Docker registry token exchange with Authority validation
- Plan/license constraint enforcement via claims inspection
- Short-lived JWT tokens (default 5 minutes) signed by local RSA key
- Revocation support via deny list and `stellaops:license` claim

### Technical Decisions

- Token lifetime bounded to 5 minutes to minimize exposure window
- Local RSA key signing avoids external dependencies
- Plan catalogue enforcement ensures license compliance
- Integration with Authority for caller identity and scope validation

### Coordination Approach

- Review `AGENTS.md` before starting new work
- Sync with cross-cutting teams via `docs/implplan/SPRINT_*.md`
- Track follow-ups in `../../TASKS.md` and `src/Registry/TASKS.md`

## Related docs

- Architecture: `docs/modules/registry/architecture.md`
- Operations: `docs/modules/registry/operations/token-service.md`
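## Worked example

The exchange described under Responsibilities, as an added example that is not code from the StellaOps repository (the service itself is the .NET project under `src/Registry/StellaOps.Registry.TokenService`). It is written in Go against the standard library only. Everything beyond the page's claim names and defaults is an assumption: the `CallerClaims` and `Policy` structs standing in for the Authority token and the configured plan catalogue / deny list, the `NewSigningKey` helper, RS256 (PKCS#1 v1.5 over SHA-256) as the JWS algorithm used for the "local RSA key", parsing of `repository:` scopes only, and the constructed sample plans (`free`, `team`) and licence ids used by callers. `Verify` is the registry's side of the check, included so the bounded lifetime can be exercised end to end.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// NewSigningKey creates the local RSA key that signs registry tokens (held in memory for this example).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

type CallerClaims struct { // Authority claims inspected here; claim names are the page's, struct shape is assumed
	Subject, Plan, License string // Plan holds "stellaops:plan", License holds "stellaops:license"
	Scopes                 []string
}

// Access is one entry of the Docker registry token "access" claim.
type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// RegistryClaims is the payload of the registry token this service issues.
type RegistryClaims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Access []Access `json:"access"`
}

type Policy struct { // assumed in-memory stand-in for the configured plan catalogue and deny list
	RequiredScope   string              // default "registry.token.issue"
	PlanActions     map[string][]string // plan -> registry actions it may be granted
	RevokedLicenses map[string]bool     // licence deny list
	Lifetime        time.Duration       // bounded token lifetime (default 5 minutes)
}

// Authorize gates in order (caller scope, deny list, plan catalogue) and drops actions the plan does not permit.
func (pol Policy) Authorize(c CallerClaims, requested []string) ([]Access, error) {
	if !slices.Contains(c.Scopes, pol.RequiredScope) {
		return nil, fmt.Errorf("caller lacks scope %q", pol.RequiredScope)
	}
	if pol.RevokedLicenses[c.License] {
		return nil, fmt.Errorf("licence %q is revoked", c.License)
	}
	allowed := pol.PlanActions[c.Plan] // unknown plan -> nil -> every action is dropped (fail closed)
	var granted []Access
	for _, raw := range requested {
		p := strings.SplitN(raw, ":", 3) // Docker scope form: repository:<name>:<action>[,<action>]
		if len(p) != 3 || p[0] != "repository" || p[1] == "" || p[2] == "" {
			return nil, fmt.Errorf("malformed scope %q", raw)
		}
		acts := slices.DeleteFunc(strings.Split(p[2], ","), func(a string) bool { return !slices.Contains(allowed, a) })
		granted = append(granted, Access{Type: p[0], Name: p[1], Actions: acts}) // only the intersection survives
	}
	return granted, nil
}

// Mint signs an RS256 JWT (PKCS#1 v1.5 over SHA-256); expiry is always now + pol.Lifetime.
func (pol Policy) Mint(key *rsa.PrivateKey, iss, aud string, c CallerClaims, access []Access, now time.Time) (string, error) {
	payload, _ := json.Marshal(RegistryClaims{Iss: iss, Sub: c.Subject, Aud: aud, Exp: now.Add(pol.Lifetime).Unix(), Access: access}) // plain fields cannot fail
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is the registry side: signature and expiry are checked before "access" is trusted.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (c RegistryClaims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return c, fmt.Errorf("malformed token encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	if err = json.Unmarshal(payload, &c); err == nil && now.Unix() >= c.Exp {
		err = fmt.Errorf("token expired")
	}
	return c, err
}
```

Call `Authorize` first and pass only its result to `Mint`: the narrowed `access` list is what bounds the token, so a caller on the `free` plan asking for `repository:team/app:pull,push` receives a token carrying `pull` alone, a revoked licence or a missing `registry.token.issue` scope is refused before anything is signed, and `Verify` rejects the token once the caller's clock passes `exp` (five minutes after issue) or when the signature was not made by the service's key.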