# StellaOps Authority — Plugin Workstream

> **Read first:** `AGENTS.md`, `StellaOps.Authority.TODOS.md`, and this document. Sync status across all trackers.

## Scope
Deliver the plugin abstraction layer and the default Mongo-backed identity plugin (`StellaOps.Authority.Plugin.Standard`), plus lay groundwork for future LDAP integration.

## Task Plan

| Order | Task IDs | Description | Dependencies | Acceptance |
|-------|----------|-------------|--------------|------------|
| 1 | PLG1 | Implement plugin abstractions: `IIdentityProviderPlugin`, `IUserCredentialStore`, `IClaimsEnricher`, `IClientProvisioningStore`, result models, constants. | DevEx FND1 | **DONE** – Abstractions published with XML docs and unit tests covering success/failure factories. |
| 2 | PLG2 | Integrate abstractions with plugin host (DI registration via `IAuthorityPluginRegistrar`). Emit diagnostics for load failures. | PLG1 | **DONE** – Authority host loads registrars, logs registration summary, and unit tests cover success/missing cases. |
| 3 | PLG3 | Build Mongo-backed `Plugin.Standard` implementing password auth, lockout, claim enrichment, admin seeding. | CORE3 | **DONE** – Standard plugin binds options, enforces password policy/lockout, seeds bootstrap user, and ships integration/unit tests. |
| 4 | PLG4 | Define capability metadata (supportsPassword, supportsMfa, supportsClientProvisioning). Update plugin registration to publish metadata. | PLG3 | **DONE (2025-10-10)** – Capability descriptors validated; Standard plugin enforces password flag and registry exposes aggregated metadata to the host. |
| 5 | PLG5 (support) | Collaborate with DevEx on plugin config schema (`etc/authority.plugins/*.yaml`). Implement config parser + validation. | DevEx PLG5 | Provide typed options class + tests. |
| 6 | PLG6 | Author plugin developer guide (structure, packaging, capability flags, logging expectations). | PLG1–PLG5 | **READY FOR DOCS REVIEW (2025-10-10)** – Guide finalised, includes capability metadata usage, ops alignment, and packaging checklist; handoff blocked only on Docs copy-edit + diagram export. |
| 7 | PLG7 (backlog design) | Produce technical RFC for future `Plugin.Ldap` (data flows, dependencies, TODO list). | PLG1–PLG4 | **RFC DRAFTED (2025-10-10)** – `docs/rfcs/authority-plugin-ldap.md` outlines architecture, configuration schema, implementation plan; awaiting guild review & sign-off. |

## Implementation Notes
- Mongo plugin must support offline bootstrap: optional JSON file with initial users/clients hashed offline.  
- Provide extensibility points for password hashing algorithm (allow Security team to swap Argon2).  
- Ensure plugin logging leverages Authority logger, no console writes.  
- Document expected configuration keys for plugin settings (`passwordPolicy`, `seedUsers`, etc.).  
- Validate plugin configuration early at startup; fail fast with actionable errors.

## Deliverables
- `StellaOps.Authority.Plugins.Abstractions` project.  
- `StellaOps.Authority.Plugin.Standard` project with tests + seed data sample.  
- Plugin dev documentation + sample configuration files.  
- Diagnostic logging verifying plugin load, capabilities, configuration.  
- Future plugin RFC for LDAP integration.

## Coordination
- Coordinate with Authority Core for capability usage in handlers.  
- Work with Security Guild on password hash settings/lockout thresholds.  
- Notify DevEx when configuration schema changes.  
- Review Docs PR for plugin developer guide.