%% Rate limit and lockout interplay for Standard plug-in (Mermaid)
sequenceDiagram
    autonumber
    participant Client as Client/App
    participant Host as Authority Host
    participant Limiter as Rate Limiter Middleware
    participant Plugin as Standard Plugin
    participant Store as Credential Store / Lockout State

    Client->>Host: POST /token (client_id, credentials)
    Host->>Limiter: Check quota (client_id + remote_ip)
    alt quota exceeded
        Limiter-->>Host: Reject (429, retryAfter)
        Host-->>Client: 429 Too Many Requests\nRetry-After header with limiter tags
    else quota ok
        Limiter-->>Host: Allow (remaining tokens)
        Host->>Plugin: VerifyCredentials(subject)
        Plugin->>Store: Load hashed password + lockout counters
        Store-->>Plugin: Credential result + deterministic counter
        alt lockout threshold reached
            Plugin-->>Host: Locked (retryAfter=lockoutWindow)
            Host-->>Client: 423 Locked\nRetry-After header + `authority.lockout` tag
        else valid credentials
            Plugin-->>Host: Success (issue tokens)
            Host-->>Client: 200 OK + tokens + limiter metadata
        end
    end