# AGENTS - Authority Module

## Working Directory
- `src/Authority/**` (Authority service, libraries, plugins, tests).
- `src/Authority/StellaOps.IssuerDirectory/**` (IssuerDirectory service, relocated by Sprint 216).
- `src/Authority/__Libraries/StellaOps.IssuerDirectory.Client/` (shared client library).
- `src/Authority/__Libraries/StellaOps.IssuerDirectory.Persistence/` (persistence layer, separate DbContext/schema).
- `src/Authority/__Tests/StellaOps.IssuerDirectory.Persistence.Tests/` (persistence tests).

## Required Reading
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/authority/architecture.md`
- `docs/modules/authority/README.md`

## Engineering Rules
- Enforce authn/authz on every surface; default-deny for new endpoints.
- Preserve determinism for token/evidence workflows (stable ordering, UTC timestamps).
- No plaintext secrets in logs or storage.

## Testing & Verification
- Authority tests live in `src/Authority/__Tests/**`.
- IssuerDirectory tests live in `src/Authority/__Tests/StellaOps.IssuerDirectory.Persistence.Tests/**` and `src/Authority/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.Core.Tests/**`.
- Cover authz policies, error handling, issuer resolution, caching, and offline behavior.

## Sprint Discipline
- Record decisions and risks for security-sensitive changes in the sprint file.

## Service Endpoints
- Development: https://localhost:10020, http://localhost:10021
- Local alias: https://authority.stella-ops.local, http://authority.stella-ops.local
- Env var: STELLAOPS_AUTHORITY_URL