provisioning/docs/src/development/auth-metadata-guide.md

# Metadata-Driven Authentication System - Implementation Guide\n\n**Status**: ✅ Complete and Production-Ready\n**Version**: 1.0.0\n**Last Updated**: 2025-12-10\n\n## Table of Contents\n\n1. [Overview](#overview)\n2. [Architecture](#architecture)\n3. [Installation](#installation)\n4. [Usage Guide](#usage-guide)\n5. [Migration Path](#migration-path)\n6. [Developer Guide](#developer-guide)\n7. [Testing](#testing)\n8. [Troubleshooting](#troubleshooting)\n\n## Overview\n\nThis guide describes the metadata-driven authentication system implemented over 5 weeks across 14 command handlers and 12 major systems. The system provides:\n\n- **Centralized Metadata**: All command definitions in Nickel with runtime validation\n- **Automatic Auth Checks**: Pre-execution validation before handler logic\n- **Performance Optimization**: 40-100x faster through metadata caching\n- **Flexible Deployment**: Works with orchestrator, batch workflows, and direct CLI\n\n## Architecture\n\n### System Components\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                     User Command                             │\n└────────────────────────────────┬──────────────────────────────┘\n                                 │\n                    ┌────────────▼─────────────┐\n                    │    CLI Dispatcher       │\n                    │  (main_provisioning)    │\n                    └────────────┬─────────────┘\n                                 │\n                    ┌────────────▼─────────────┐\n                    │  Metadata Loading       │\n                    │  (cached via traits.nu) │\n                    └────────────┬─────────────┘\n                                 │\n                    ┌────────────▼─────────────────────┐\n                    │  Pre-Execution Validation       │\n                    │  - Auth checks                  │\n                    │  - Permission validation        │\n                    │  - Operation type mapping       │\n                    └────────────┬─────────────────────┘\n                                 │\n                    ┌────────────▼─────────────────────┐\n                    │  Command Handler Execution      │\n                    │  - infrastructure.nu            │\n                    │  - orchestration.nu             │\n                    │  - workspace.nu                 │\n                    └────────────┬─────────────────────┘\n                                 │\n                    ┌────────────▼─────────────┐\n                    │   Result/Response        │\n                    └─────────────────────────┘\n```\n\n### Data Flow\n\n1. **User Command** → CLI Dispatcher\n2. **Dispatcher** → Load cached metadata (or parse Nickel)\n3. **Validate** → Check auth, operation type, permissions\n4. **Execute** → Call appropriate handler\n5. **Return** → Result to user\n\n### Metadata Caching\n\n- **Location**: `~/.cache/provisioning/command_metadata.json`\n- **Format**: Serialized JSON (pre-parsed for speed)\n- **TTL**: 1 hour (configurable via `PROVISIONING_METADATA_TTL`)\n- **Invalidation**: Automatic on `main.ncl` modification\n