# 2025-11-01 · Authority adds Orch.Admin quota controls

**What changed**

- Introduced new `orch:quota` scope and expanded `Orch.Admin` role for Orchestrator quota, burst, and historical backfill adjustments.
- Client credential requests for `orch:quota` now require `quota_reason` (≤256 chars) and accept optional `quota_ticket` (≤128 chars). Authority records both values under `quota.reason` / `quota.ticket` audit properties.
- Added dedicated `orch:backfill` scope. Tokens must include `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority persists them as `backfill.reason` / `backfill.ticket` claims and audit properties alongside operator metadata.
- Tokens embedding `orch:quota` or `orch:backfill` expose the corresponding reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
- Console, CLI, and configuration samples include the updated role plus environment variables (`STELLAOPS_ORCH_QUOTA_REASON`, `STELLAOPS_ORCH_QUOTA_TICKET`, `STELLAOPS_ORCH_BACKFILL_REASON`, `STELLAOPS_ORCH_BACKFILL_TICKET`) for automation.

**Why**

Quotas and replay backfills materially affect tenant isolation and platform capacity. Capturing explicit operator intent keeps change windows reviewable and aligns with platform audit requirements.

**Actions**

1. Update Authority configuration/offline bundles to seed `Orch.Admin` role for the handful of ops identities that manage quotas.
2. Adjust automation to pass `quota_reason`/`quota_ticket` when exchanging tokens for `orch:quota` and `backfill_reason`/`backfill_ticket` for `orch:backfill`.
3. Monitor `authority.client_credentials.grant` records for the new `quota.*` and `backfill.*` audit properties when reviewing change windows.