# Auth Server Integration AGENTS

## Purpose & Scope
- Working directory: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/`.
- Roles: backend engineer, QA automation.
- Focus: ASP.NET Core resource server auth configuration, scope policies, and authorization audit events.

## Required Reading (treat as read before DOING)
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/authority/architecture.md`
- Relevant sprint files.

## Working Agreements
- Keep auth decisions deterministic and time-aware (TimeProvider).
- Preserve offline/air-gap posture with resilient metadata/JWKS caching.
- Avoid logging sensitive claims; use classified strings.
- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.

## Testing
- Use xUnit + FluentAssertions + TestKit.
- Cover options normalization, bypass evaluation, metadata/JWKS caching, scope decisions, and audit event emission.