# StellaOps Registry Token Service

The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints.

## Responsibilities

- Validate Authority-issued OpToks and tenant scopes before issuance.
- Mint time-bound registry tokens and record issuance ledgers.
- Expose revocation and audit endpoints for security teams.
- Integrate with Offline Kit for deterministic token manifests.

## Key components

- `StellaOps.Registry.TokenService` minimal API host.
- Mongo-backed issuance ledger.
- Tests under `src/Registry/__Tests`.

## Integrations & dependencies

- Authority for identity & scope verification.
- Export Center/Offline Kit for distribution.
- DevOps runbooks for deployment and rotation.

## Operational notes

- Operational guide at ./operations/token-service.md.
- Telemetry dashboards pending (see ../../TASKS.md).

## Related resources

- ./operations/token-service.md

## Backlog references

- DEVOPS-REGISTRY items in ../../TASKS.md (future work).
- Registry automation stories tracked in src/Registry/TASKS.md if present.

## Epic alignment

- **Epic 10 – Export Center:** provide signed, auditable registry token bundles for mirror distribution.
- **Epic 14 – Identity & Tenancy:** enforce tenant-aware scopes, PoE alignment, and revocation policies.