# StellaOps Authority — DevOps & Observability Team

> **Read first:** `AGENTS.md`, `StellaOps.Authority.TODOS.md`, and this plan. Reflect status changes in both TODO trackers.

## Mission

Deliver deployable artefacts, CI/CD automation, runtime observability, and operational runbooks for StellaOps Authority.

## Task Matrix

| Order | Task IDs | Description | Dependencies | Acceptance |
|-------|----------|-------------|--------------|------------|
| 1 | OPS1 | Author distroless Dockerfile + docker-compose sample (Authority + Mongo + optional Redis). | FND4, CORE1 | **DONE (DevEx scaffold)** – see `ops/authority/` Dockerfile + compose; verify with production secrets before release. |
| 2 | OPS2 | Extend CI workflows (build/test/publish) for Authority + auth libraries (dotnet build/test, docker build, artefact publish). | OPS1 | **DONE** – Authority build/test/publish integrated into `.gitea/workflows/build-test-deploy.yml`. |
| 3 | OPS3 | Implement key rotation script/CLI and wire pipeline job (manual trigger) to rotate signing keys + update JWKS. | CORE10 | Document rotation process + store secrets securely. |
| 4 | OPS4 | Document backup/restore for Authority Mongo collections, plugin configs, key material. | CORE3 | Produce runbook in `/docs/ops`. |
| 5 | OPS5 | Define monitoring metrics/alerts (token issuance failure rate, lockout spikes, bypass usage). Provide dashboards (Prometheus/Otel). | CORE7 | Share Grafana JSON or equivalent. |
| 6 | SUPPORT | Assist other teams with docker-compose variations for integration tests (Feedser, CLI). | OPS1, FSR5 | Provide templates + guidance. |

## Implementation Notes

- Container image must remain offline-friendly (no package installs at runtime).
- Compose sample should include environment variable settings referencing `etc/authority.yaml`.
- Store key rotation artefacts in secure storage (vault/secrets).
- Align metrics naming with existing StellaOps conventions.
- Provide fallback instructions for air-gapped deployments (manual image load, offline key rotation).

## Deliverables

- Dockerfile(s), compose stack, and documentation.
- Updated CI pipeline definitions.
- Runbooks for rotation, backup, restore.
- Monitoring/alerting templates.

## Coordination

- Sync with DevEx on configuration paths + plugin directories.
- Coordinate with Authority Core regarding key management endpoints.
- Work with Feedser Integration + CLI teams on integration test environments.
- Engage Security Guild to review key rotation + secret storage approach.