# Authority Identity Provider Registry (Plugin Resolution)

## Module
Authority

## Status
IMPLEMENTED

## Description
Runtime metadata/handle pattern for resolving identity providers through a registry. Handlers use `IAuthorityIdentityProviderRegistry.AcquireAsync` with metadata (`AuthorityIdentityProviderMetadata`) for capability checks, enabling deterministic and capability-gated provider resolution.

## Implementation Details
- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/`
- **Key Classes**:
  - `AuthorityIdentityProviderRegistry` (`src/Authority/StellaOps.Authority/StellaOps.Authority/AuthorityIdentityProviderRegistry.cs`) - runtime registry that resolves identity providers by metadata capabilities; exposes `AcquireAsync` for deterministic provider selection
  - `AuthorityIdentityProviderSelector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityIdentityProviderSelector.cs`) - selects the appropriate identity provider plugin during OpenIddict authentication flows based on request context
  - `AuthorityPluginRegistry` (`src/Authority/StellaOps.Authority/StellaOps.Authority/AuthorityPluginRegistry.cs`) - manages the lifecycle and registration of all authority plugins
  - `IdentityProviderContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs`) - defines `IAuthorityIdentityProviderPlugin`, `AuthorityIdentityProviderMetadata`, and capability contracts
  - `AuthorityPluginRegistrationContext` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginRegistrationContext.cs`) - context object passed to plugins during registration
  - `AuthorityPluginLoader` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs`) - loads plugin assemblies from disk and registers them with the plugin registry
  - `AuthorityPluginRegistrationSummary` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs`) - captures registration outcome (loaded plugins, errors, capabilities)
- **Interfaces**: `IAuthorityIdentityProviderPlugin`, `IAuthorityPluginRegistrar` (defined in `IdentityProviderContracts.cs` and `AuthorityPluginContracts.cs`)
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Register two identity provider plugins (Standard and LDAP) and verify `AuthorityIdentityProviderRegistry` resolves each by capability metadata
- [ ] Call `AcquireAsync` with metadata requesting LDAP capabilities and verify the LDAP provider is returned
- [ ] Call `AcquireAsync` with metadata requesting capabilities not supported by any provider and verify a clear error is returned
- [ ] Verify `AuthorityIdentityProviderSelector` routes authentication to the correct provider based on the client's `identity_provider` metadata during an OAuth2 token request
- [ ] Register a plugin at runtime and verify the registry reflects the new provider without restart
- [ ] Verify `AuthorityPluginRegistrationSummary` reports all registered providers with their capabilities