# Plugin SDK / Plugin architecture (CLI, Authority, Crypto)

## Module
Authority

## Status
IMPLEMENTED

## Description
Plugin architecture is implemented across CLI (manifest loader, module loader), Authority (identity provider plugins with OIDC/SAML/Standard), and Cryptography (HSM, SM crypto plugins). The Authority plugin SDK defines interfaces, registration context, and a standardized plugin lifecycle.

## Implementation Details
- **Plugin Abstractions (Authority SDK)**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/` -- the SDK package:
  - `AuthorityPluginContracts.cs` -- `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces defining the plugin lifecycle
  - `IdentityProviderContracts.cs` -- `IAuthorityIdentityProviderPlugin` for credential validation and claims enrichment
  - `AuthorityPluginRegistrationContext.cs` -- DI registration context passed to plugins at startup
  - `AuthorityCredentialAuditContext.cs` -- audit context for credential operations
  - `AuthoritySecretHasher.cs` -- pluggable password/secret hashing abstraction
  - `AuthorityClientMetadataKeys.cs` -- standardized metadata keys for client configuration
- **Plugin Loader**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs` -- assembly-based plugin discovery from `plugins/authority/` directory.
- **Plugin Registration Summary**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs` -- diagnostic summary of loaded plugins.
- **Concrete Plugin Implementations**:
  - Standard: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`
  - LDAP: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs`
  - OIDC: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcPluginRegistrar.cs`
  - SAML: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlPluginRegistrar.cs`
  - Unified: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`
- **Plugin Binary Hosting**: `src/Authority/StellaOps.Authority.PluginBinaries/` -- pre-compiled plugin DLLs; `src/Authority/plugins/authority/` -- plugin directory structure.
- **Concelier Plugin Binaries**: `src/Authority/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/` -- connector plugin abstractions for Concelier module.
- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Plugins/AuthorityPluginLoaderTests.cs`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions.Tests/`

## E2E Test Plan
- [ ] Build a minimal plugin implementing `IAuthorityPluginRegistrar` and `IAuthorityIdentityProviderPlugin`, place the DLL in `plugins/authority/`, and verify `AuthorityPluginLoader` discovers and loads it
- [ ] Verify the plugin's `Register` method receives a valid `AuthorityPluginRegistrationContext` with access to DI services
- [ ] Verify `AuthorityPluginRegistrationSummary` includes the custom plugin with its reported capabilities
- [ ] Load multiple plugins simultaneously and verify they do not interfere with each other's DI registrations
- [ ] Remove a plugin DLL and restart; verify the system starts without the removed plugin and reports it as missing in the summary
- [ ] Verify `AuthoritySecretHasher` can be replaced by a plugin-provided implementation and verify password hashing uses the custom hasher