feat(properties): simplify properties configuration #2

Merged
fudaiyf merged 5 commits into main from feature/simplify-properties-configuration
Feb 25, 2026

@fudaiyf (Collaborator) commented Feb 25, 2026

Description

This PR introduces Role Profile & Peer Configuration to dramatically simplify role-based properties configuration, along with GitHub CI/CD workflows for automated testing.

Motivation

Previously, each sample service required extensive manual YAML configuration for key management, JWKS consumers, and service discovery — often 50+ lines of boilerplate per service. This PR introduces a convention-over-configuration approach where enabling a role (e.g., authorization-server) automatically infers all required infrastructure settings through Role Profiles and Peer Configurations.

Key Concepts

  • Role Profile: Defines what infrastructure a role needs (signing keys, verification keys, decryption keys, JWKS provider, capabilities)
  • Peer Configuration: Declares relationships between services (e.g., Agent's peers include agent-idp, agent-user-idp, authorization-server) with their issuer URLs
  • RoleAwareEnvironmentPostProcessor: Injects inferred properties into the Spring Environment before bean creation, ensuring @Conditional annotations work correctly

Type of Change

  • New feature
  • Code refactoring
  • Test additions or updates
  • Documentation update

Changes Made

Core — Role Profile & Peer Configuration System

  • RoleProfile: Immutable value object defining a role's infrastructure requirements (signing keys, verification keys, decryption keys, JWKS provider flag, required capabilities)
  • RoleProfileRegistry: Registry of all built-in role profiles (agent, agent-idp, agent-user-idp, as-user-idp, authorization-server, resource-server)
  • PeerProperties: Configuration for declaring peer service relationships with issuer URLs
  • RoleAwareEnvironmentPostProcessor: Spring EnvironmentPostProcessor that infers key management, JWKS consumers, and service discovery properties from enabled roles and their peers
  • PeerConfigurationDiscoveryClient: Service discovery client that resolves peer base URLs

AutoConfiguration Enhancements

  • JweEncryptionAutoConfiguration: Enhanced DecryptionKeyAvailableCondition with Strategy 3 (role profile inference) and fixed resolveEncryptionKey to use local key generation
  • CoreAutoConfiguration: Added OaaConfigurationController bean registration for runtime configuration metadata endpoint
  • AgentAutoConfiguration: Refactored to use ConfigConstants and improved conditional bean creation

Configuration Simplification (Sample Services)

  • All 6 sample services: Reduced YAML configuration by ~60% by leveraging peer configurations instead of explicit key/JWKS/service-discovery declarations
  • Example: Authorization Server YAML reduced from ~130 lines to ~50 lines

API & Observability

  • OaaConfigurationController: New REST endpoint exposing runtime configuration metadata (enabled roles, capabilities, peers, key management)
  • OaaConfigurationMetadata: Response model for configuration introspection

CI/CD

  • .github/workflows/ci.yml: Unit test CI workflow (JDK 17, Maven cache)
  • .github/workflows/e2e.yml: E2E integration test workflow using run-e2e-tests.sh with Chromium, 10-minute timeout
  • .github/workflows/codeql.yml: CodeQL static analysis (weekly)
  • .github/workflows/dependency-review.yml: Dependency security review on PRs

Documentation

  • docs/architecture/README.md: Architecture documentation

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • All existing tests pass

New Test Classes:

  • RoleProfileTest — 206 lines, validates role profile immutability and builder
  • RoleProfileRegistryTest — 195 lines, validates all built-in profiles
  • PeerPropertiesTest — 76 lines, validates peer configuration binding
  • RoleAwareEnvironmentPostProcessorTest — 300 lines, validates environment inference logic
  • OpenAgentAuthPropertiesTest — expanded with peer configuration tests
  • JweEncryptionAutoConfigurationTest — expanded with DecryptionKeyAvailableCondition Strategy 3 tests
  • AgentAutoConfigurationTest — 64 lines, new test class
  • CoreAutoConfigurationTest — expanded with JwksController null-bean test fix
  • OaaConfigurationMetadataTest — 198 lines, validates configuration metadata model

Test Instructions:

# Run all unit tests (JDK 17)
mvn test -pl open-agent-auth-spring-boot-starter

# Run E2E integration tests (requires all sample services)
cd open-agent-auth-integration-tests
./scripts/run-e2e-tests.sh

Checklist

  • Code follows coding standards
  • Self-review performed
  • Documentation updated
  • No new warnings
  • Tests added/updated
  • All tests pass locally (797 unit tests, JDK 17)
  • CHANGELOG.md updated

Breaking Changes

  • RolesProperties: Added peers field to role configuration. Existing configurations without peers continue to work — peers are optional and only used for inference.
  • Sample YAML files: Simplified configurations remove explicit key/JWKS/service-discovery entries that are now auto-inferred. Users upgrading should review their YAML files if they have customized these sections.

Migration Path:

  1. Add peers configuration under each role to enable auto-inference:
    open-agent-auth:
      roles:
        agent:
          enabled: true
          peers:
            agent-idp:
              issuer: http://localhost:8082
            authorization-server:
              issuer: http://localhost:8085
  2. Remove redundant explicit key-management, JWKS consumer, and service-discovery entries (they will be auto-inferred from peers)
  3. Explicit configurations always take precedence over inferred values

Additional Context

Architecture Diagram:

┌─────────────────────────────────────────────────┐
│              RoleProfileRegistry                │
│  ┌──────────┐ ┌──────────┐ ┌──────────────────┐ │
│  │  agent   │ │ agent-idp│ │authorization-srv │ │
│  │ Profile  │ │ Profile  │ │    Profile       │ │
│  └──────────┘ └──────────┘ └──────────────────┘ │
└─────────────────────┬───────────────────────────┘
                      │ consulted by
┌─────────────────────▼───────────────────────────┐
│     RoleAwareEnvironmentPostProcessor           │
│  • Infers key-management keys                   │
│  • Infers JWKS consumers                        │
│  • Infers service-discovery entries             │
│  • Injects into Spring Environment              │
└─────────────────────┬───────────────────────────┘
                      │ properties available to
┌─────────────────────▼───────────────────────────┐
│         @Conditional / @Bean methods            │
│  • DecryptionKeyAvailableCondition (Strategy 3) │
│  • JwksController (null-bean pattern)           │
└─────────────────────────────────────────────────┘

Stats: 42 files changed, 3611 insertions(+), 394 deletions(-)
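
Added example, not code from this PR or the project: a JDK-only model of the migration path's rule that peer-derived settings are inferred and explicit entries win, plus a check for plain-http issuers on non-loopback hosts. The `example.*` keys, the `/.well-known/jwks.json` path, the class name and the `agent-user-idp` issuer value are assumptions made for illustration.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class PeerInferenceExample {
    enum Source { EXPLICIT, INFERRED }
    record Effective(String value, Source source) {}
    // Hypothetical key layout: the PR text does not show the real inferred property names.
    static String jwksKey(String peer) { return "example.jwks-consumers." + peer + ".jwks-uri"; }
    static String discoveryKey(String peer) { return "example.service-discovery." + peer + ".base-url"; }

    /** Infers per-peer entries from issuer URLs, then lets explicit entries override them. */
    static Map<String, Effective> resolve(Map<String, String> peerIssuers, Map<String, String> explicit) {
        Map<String, Effective> out = new LinkedHashMap<>();
        peerIssuers.forEach((peer, issuer) -> {
            String base = issuer.endsWith("/") ? issuer.substring(0, issuer.length() - 1) : issuer;
            // Assumed JWKS path; a deployment may publish its keys elsewhere.
            out.put(jwksKey(peer), new Effective(base + "/.well-known/jwks.json", Source.INFERRED));
            out.put(discoveryKey(peer), new Effective(base, Source.INFERRED));
        });
        explicit.forEach((key, value) -> out.put(key, new Effective(value, Source.EXPLICIT)));
        return out;
    }

    /** Issuers become trust anchors for key retrieval: flag plain http to a non-loopback host. */
    static boolean isPlainHttpToRemote(String issuer) {
        URI uri = URI.create(issuer);
        String host = uri.getHost();
        boolean loopback = "localhost".equals(host) || "127.0.0.1".equals(host);
        return "http".equalsIgnoreCase(uri.getScheme()) && !loopback;
    }

    public static void main(String[] args) {
        Map<String, String> peers = new LinkedHashMap<>();
        peers.put("agent-idp", "http://localhost:8082");            // from the migration snippet
        peers.put("authorization-server", "http://localhost:8085"); // from the migration snippet
        peers.put("agent-user-idp", "http://idp.example.test");     // constructed sample value
        // Constructed explicit override for one key that would otherwise be inferred.
        Map<String, String> explicit = Map.of(jwksKey("agent-idp"), "https://keys.example.test/jwks");

        resolve(peers, explicit).forEach((key, e) ->
            System.out.printf("%-8s %s = %s%n", e.source(), key, e.value()));
        peers.forEach((peer, issuer) -> {
            if (isPlainHttpToRemote(issuer)) {
                System.out.println("REVIEW   plain-http issuer for peer " + peer + ": " + issuer);
            }
        });
    }
}
```

Printing the source of each effective value makes it visible during an upgrade which JWKS and discovery endpoints come from a peer's issuer and which from a leftover explicit entry.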

github-actions bot commented Feb 25, 2026

Code Coverage Report

Overall Project 83.15% -1.71% 🍏
Files changed 67.64% 🍏

Module Coverage
open-agent-auth-spring-boot-starter 85.19% -6.02% 🍏
Files (module: open-agent-auth-spring-boot-starter)
File Coverage
OaaConfigurationMetadata.java 100% 🍏
RoleProfileRegistry.java 100% 🍏
RoleProfile.java 100% 🍏
OpenAgentAuthProperties.java 100% 🍏
RolesProperties.java 100% 🍏
PeerProperties.java 100% 🍏
InfrastructureProperties.java 100% 🍏
KeyManagementProperties.java 100% 🍏
JwksInfrastructureProperties.java 100% 🍏
ServiceDiscoveryProperties.java 100% 🍏
RoleAwareEnvironmentPostProcessor.java 97.81% -2.19% 🍏
JweEncryptionAutoConfiguration.java 91.03% -8.65% 🍏
CoreAutoConfiguration.java 87.96% 🍏
JwksController.java 77.62% 🍏
AgentAutoConfiguration.java 68.99% -2.93% 🍏
OaaConfigurationController.java 0%
PeerConfigurationDiscoveryClient.java 0%
ConfigConstants.java 0% 🍏

@fudaiyf fudaiyf merged commit ed623dc into main Feb 25, 2026
7 checks passed
@fudaiyf fudaiyf deleted the feature/simplify-properties-configuration branch February 25, 2026 11:53