# Auth Security AGENTS

## Purpose & Scope
- Working directory: `src/__Libraries/StellaOps.Auth.Security/`.
- Roles: backend engineer, QA automation.
- Focus: DPoP proof validation, nonce issuance/consumption, replay cache strategies, and security primitives.

## Required Reading (treat as read before DOING)
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/authority/architecture.md`
- Relevant sprint files.

## Working Agreements
- Keep validation deterministic (TimeProvider) and avoid nondeterministic RNG in tests.
- Normalize inputs consistently across nonce stores; avoid mutable shared state.
- Respect offline/air-gap posture and keep secrets out of logs.
- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.

## Testing
- Use xUnit + FluentAssertions + TestKit.
- Cover DPoP validation (algorithms, htm/htu/nonce, clock skew, replay), nonce stores, and replay cache behavior.
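
The following sketch is an added example, not code from this library: it shows the shape of a deterministic replay-cache test in which time comes only from an injected `TimeProvider`. `JtiReplayCache`, `ManualTimeProvider`, the five-minute window, and the `jti` value are hypothetical names and constructed values chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using FluentAssertions;
using Xunit;

// Hypothetical replay cache for DPoP "jti" values; not a StellaOps type.
public sealed class JtiReplayCache
{
    private readonly Dictionary<string, DateTimeOffset> _seen = new(StringComparer.Ordinal);
    private readonly TimeProvider _time;
    private readonly TimeSpan _window;
    public JtiReplayCache(TimeProvider time, TimeSpan window) => (_time, _window) = (time, window);
    // Returns true the first time a jti is seen inside the window, false on replay.
    public bool TryRegister(string jti)
    {
        var now = _time.GetUtcNow();          // never DateTimeOffset.UtcNow
        lock (_seen)
        {
            if (_seen.TryGetValue(jti, out var expires) && expires > now) return false;
            _seen[jti] = now + _window;       // entry lapses when the window ends
            return true;
        }
    }
}

// Minimal manual clock so the test never reads the wall clock.
public sealed class ManualTimeProvider : TimeProvider
{
    private DateTimeOffset _now;
    public ManualTimeProvider(DateTimeOffset start) => _now = start;
    public override DateTimeOffset GetUtcNow() => _now;
    public void Advance(TimeSpan by) => _now += by;
}

public class JtiReplayCacheTests
{
    [Fact]
    public void Replay_is_rejected_inside_window_and_entry_lapses_after_it()
    {
        var clock = new ManualTimeProvider(new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero));
        var cache = new JtiReplayCache(clock, TimeSpan.FromMinutes(5));
        cache.TryRegister("jti-constructed-1").Should().BeTrue();   // first use accepted
        cache.TryRegister("jti-constructed-1").Should().BeFalse();  // immediate replay rejected
        clock.Advance(TimeSpan.FromMinutes(5) - TimeSpan.FromSeconds(1));
        cache.TryRegister("jti-constructed-1").Should().BeFalse();  // still inside the window
        clock.Advance(TimeSpan.FromSeconds(1));
        cache.TryRegister("jti-constructed-1").Should().BeTrue();   // cache entry has lapsed
    }
}
```

The last assertion only shows that the cache entry expires; rejecting a stale proof after the window is the job of the clock-skew check on the proof's `iat`, which should be tested with the same manual clock.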