# StellaOps Authority — Core Service Team

> **Read first:** `AGENTS.md`, `StellaOps.Authority.TODOS.md`, and this plan. Update status in both TODO trackers.

## Mission

Design and implement the Authority host (OpenIddict server, token lifecycles, administrative endpoints) on top of the DevEx scaffold, coordinating with the Plugin, Library, and Security teams.

## Work Breakdown

| Order | Task IDs | Description | Dependencies | Acceptance |
|-------|----------|-------------|--------------|------------|
| 1 | CORE1 | Wire minimal API host with configuration, logging, plugin discovery, `/health` + `/ready`. | DevEx FND1–FND5 | Manual smoke: `dotnet run` returns healthy responses. |
| 2 | CORE2 | Configure OpenIddict server endpoints & flows (password, client credentials, refresh, jwks). | CORE1 | Supports HTTPS enforcement toggle via options. |
| 3 | CORE3 | Implement Mongo repositories for users/clients/scopes/tokens/login attempts. | CORE1 | Collections + indices documented; unit tests for CRUD. |
| 4 | CORE4 | Integrate plugin contracts (`IIdentityProviderPlugin`, etc.) into DI; load capabilities. | PLG1 | Plugins registered through host on startup. |
| 5 | CORE5 | Port/customize OpenIddict handlers (password/client creds validation) to use plugin contracts. | CORE4 | Unit tests for success/failure scenarios. |
| 5a | CORE5A | Add integration tests covering token persistence & revocation via `IAuthorityTokenStore`. | CORE5 | Ensure revoked tokens denied + fixtures for access/reference tokens. |
| 5b | CORE5B | Document token persistence & enrichment flows for resource servers/plugins. | CORE5 | Docs updated with claim expectations + revocation sync guidance. |
| 6 | CORE6 | Implement bootstrap admin endpoints (`/internal/users`, `/internal/clients`) secured via bootstrap API key. | CORE5 | Add rate limiting + audit logs. |
| 7 | CORE7 & CORE8 | Add structured logging, OTEL spans, and ASP.NET rate limiting for `/token`, `/authorize`. | CORE5 | Verify via integration tests, metrics exported. |
| 8 | CORE9 | Implement token revocation + signed offline revocation manifest generation hooks. | CORE5 | CLI call returns signed JSON; tests confirm revoked tokens denied. |
| 9 | CORE10 | Configure signing/encryption key rotation, JWKS publishing, certificate loader. | CORE5 | Document rotation steps; integration test covers key rollover. |

## Implementation Notes

- All Mongo repositories must align with the offline-first design (no TTL for critical data unless configurable).
- Expose metrics counters (issued tokens, failed attempts) for DevOps consumption.
- Coordinate with the Security Guild on password hashing options (Argon2 vs PBKDF2) and lockout thresholds.
- Ensure plugin capability metadata is honored (e.g., if a plugin lacks password support, reject password grants gracefully).
- Provide integration hooks for the future LDAP plugin (capability flag + TODO comment).

## Status

- [x] CORE1 – Completed 2025-10-09. Minimal API host loads validated configuration, configures Serilog, registers plugins, and exposes `/health` + `/ready`.
- [x] CORE2 – Completed 2025-10-09. OpenIddict server configured with required endpoints, token lifetimes, sliding refresh tokens, and Development-only HTTPS relaxation.
- [x] CORE3 – Completed 2025-10-09. Mongo storage project created with indexed Authority collections, repositories, and bootstrap migration runner.
- [ ] CORE4 – Not started.
- [x] CORE5 – Completed 2025-10-10 with client-credentials validation, token validation handlers, and token persistence wired through plugin contracts.
- [ ] CORE5A – Pending integration tests for token persistence/revocation behaviour (QA + BE-Auth pairing).
- [ ] CORE5B – Pending documentation refresh covering claims enrichment + token store expectations.
- [x] CORE6 – Completed 2025-10-10. Bootstrap admin APIs behind an API key provision users and clients through plugin stores.
- [ ] CORE7 – Not started.
- [ ] CORE8 – Not started.
- [ ] CORE9 – Not started.
- [ ] CORE10 – Not started.

## Deliverables

- `StellaOps.Authority` project with tested endpoints and handlers.
- Repository docs summarizing API responses (shared with the Docs team).
- Integration tests (Authority-only) verifying token issuance + revocation.
- Audit logging implemented (structured with trace IDs).

## Coordination

- Daily stand-up with the Plugin + Libraries teams until CORE5 is complete (objective met 2025-10-10).
- Notify DevOps when the `/token` contract stabilizes (OPS pipeline).
- Work with Docs to capture endpoint behavior for `docs/11_AUTHORITY.md`.
- Review PRs from the Plugin & Libraries teams affecting the Authority host.
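The Implementation Notes ask that plugin capability metadata be honored, with the concrete case of rejecting password grants when the loaded identity provider plugin does not support them. The following is an added illustration, not code from the StellaOps.Authority project: the page names `IIdentityProviderPlugin` but not its members, so the `SupportsPasswordGrant` property and the interface shape below are assumptions. The OpenIddict types (`IOpenIddictServerHandler<T>`, `HandleTokenRequestContext`, `OpenIddictServerHandlerDescriptor`, `IsPasswordGrantType()`, `Reject(...)`) are real OpenIddict server APIs.

```csharp
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using static OpenIddict.Server.OpenIddictServerEvents;

// ASSUMED shape: the page only names IIdentityProviderPlugin; this member set is
// a stand-in for whatever capability metadata the real plugin contract exposes.
public interface IIdentityProviderPlugin
{
    string Name { get; }
    bool SupportsPasswordGrant { get; }
}

// Runs during token-request handling and fails closed when the configured
// plugin cannot validate a username/password pair. Rejecting with a standard
// OAuth error keeps the response generic: it reveals nothing about which
// backing store is in use or whether the user exists.
public sealed class RejectUnsupportedPasswordGrantHandler
    : IOpenIddictServerHandler<HandleTokenRequestContext>
{
    private readonly IIdentityProviderPlugin _plugin;

    public RejectUnsupportedPasswordGrantHandler(IIdentityProviderPlugin plugin)
        => _plugin = plugin;

    // Descriptor used to register the handler with the OpenIddict server pipeline.
    // A very low order makes it run before the built-in password-grant handlers.
    public static OpenIddictServerHandlerDescriptor Descriptor { get; } =
        OpenIddictServerHandlerDescriptor.CreateBuilder<HandleTokenRequestContext>()
            .UseScopedHandler<RejectUnsupportedPasswordGrantHandler>()
            .SetOrder(int.MinValue + 100_000)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public ValueTask HandleAsync(HandleTokenRequestContext context)
    {
        // Only the password grant depends on the plugin's password capability;
        // client-credentials and refresh-token requests pass through untouched.
        if (context.Request.IsPasswordGrantType() && !_plugin.SupportsPasswordGrant)
        {
            context.Reject(
                error: OpenIddictConstants.Errors.UnsupportedGrantType,
                description: "The configured identity provider does not support the password grant.");
        }

        return default;
    }
}

// Registration, inside the host's service configuration (assumed wiring):
//
//   services.AddOpenIddict()
//       .AddServer(options =>
//       {
//           options.AddEventHandler(RejectUnsupportedPasswordGrantHandler.Descriptor);
//       });
```

The handler is a gate placed ahead of credential validation rather than a replacement for it: when the capability flag is present the existing password-validation handlers still run. Emitting the rejection as `unsupported_grant_type` also gives the CORE7/CORE8 metrics and audit logging a distinct, countable failure reason separate from bad credentials.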