Switch Duende to CompositeClientStore + WebApplicationFactory tests

Phase D-1 step 2h. Fixes a latent ordering bug and adds a live
integration smoke-test harness.

The bug: Program.cs was eagerly calling WorkerClientRegistry.Seed()
from the top-level before the host builder finalized its
configuration sources, so WebApplicationFactory tests that inject
in-memory WorkerClients via ConfigureAppConfiguration saw an empty
registry. Fixed by registering WorkerClientRegistry as a DI
factory singleton that reads IConfiguration at resolution time.

The new CompositeClientStore replaces AddInMemoryClients with an
IClientStore implementation that queries WorkerClientRegistry
live on every FindClientByIdAsync call. This also makes admin
secret rotations propagate to the Duende token endpoint
immediately — the previous AddInMemoryClients snapshot missed
them because the list was captured at service registration time.

WorkerClientRegistry.BuildDuendeClient extracted as a public
static so CompositeClientStore can produce a single client from a
registry entry without going through the ToDuendeClients
enumerator.

Tests:
- New CoordinatorEndpointTests uses
  WebApplicationFactory<CoordinatorHostMarker> (a marker class
  added to Program.cs to disambiguate from the Worker project's
  Program) with an in-memory configuration source that supplies
  admin credentials, worker client credentials, and a temp SQLite
  database path. Five xunit cases lock:
    /health returns ok + phase D-1
    /status returns worker+task count shape including the
      configured WorkerClient the test injected
    /register without JWT → auth challenge (401/302/403)
    /work without JWT → auth challenge (401/302/403)
    /admin/api-keys without cookie → 302 redirect to login
- Microsoft.AspNetCore.Mvc.Testing 10.0.4 package reference
  added to the tests project, gated on net10.0 so the net9
  multi-target slice stays lean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sharpninja

src/BitNetSharp.Distributed.Coordinator/Identity/CompositeClientStore.cs

@@ -0,0 +1,71 @@
+using System.Threading.Tasks;
+using BitNetSharp.Distributed.Coordinator.Configuration;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Stores;
+using Microsoft.Extensions.Options;
+
+namespace BitNetSharp.Distributed.Coordinator.Identity;
+
+/// <summary>
+/// Duende <see cref="IClientStore"/> that resolves <see cref="Client"/>
+/// lookups against two sources:
+///
+/// <list type="number">
+///   <item>
+///     The mutable <see cref="WorkerClientRegistry"/> — each entry is
+///     rebuilt into a fresh Duende <see cref="Client"/> on every call
+///     so admin rotations take effect immediately even for tokens
+///     issued via /connect/token.
+///   </item>
+///   <item>
+///     The single static admin UI client built on demand from
+///     <see cref="IdentityServerResources.BuildAdminUiClient"/>
+///     using the current <see cref="CoordinatorOptions.BaseUrl"/>.
+///   </item>
+/// </list>
+///
+/// <para>
+/// Using a custom IClientStore is the recommended path in Duende
+/// when the client set can change at runtime; the built-in
+/// <c>AddInMemoryClients</c> captures its list at registration time
+/// and would miss admin-rotate secret bumps.
+/// </para>
+/// </summary>
+public sealed class CompositeClientStore : IClientStore
+{
+    private readonly WorkerClientRegistry _registry;
+    private readonly IOptionsMonitor<CoordinatorOptions> _options;
+
+    public CompositeClientStore(
+        WorkerClientRegistry registry,
+        IOptionsMonitor<CoordinatorOptions> options)
+    {
+        _registry = registry;
+        _options = options;
+    }
+
+    public Task<Client?> FindClientByIdAsync(string clientId)
+    {
+        if (string.IsNullOrWhiteSpace(clientId))
+        {
+            return Task.FromResult<Client?>(null);
+        }
+
+        if (clientId == IdentityServerResources.AdminUiClientId)
+        {
+            var coord = _options.CurrentValue;
+            return Task.FromResult<Client?>(
+                IdentityServerResources.BuildAdminUiClient(coord.BaseUrl));
+        }
+
+        var entry = _registry.Find(clientId);
+        if (entry is null)
+        {
+            return Task.FromResult<Client?>(null);
+        }
+
+        var lifetime = _options.CurrentValue.AccessTokenLifetimeSeconds;
+        return Task.FromResult<Client?>(
+            WorkerClientRegistry.BuildDuendeClient(entry, lifetime));
+    }
+}

src/BitNetSharp.Distributed.Coordinator/Identity/WorkerClientRegistry.cs

@@ -103,33 +103,46 @@ public string Rotate(string clientId)
     /// <see cref="Client"/> model consumed by the in-memory client
     /// store. Each worker client is configured for the OAuth 2.0
     /// client-credentials grant and the <c>bitnet-worker</c> API scope.
+    /// Re-evaluated on every call so consumers always see the latest
+    /// registry state (important for admin-rotate support).
     /// </summary>
     public IEnumerable<Client> ToDuendeClients(int accessTokenLifetimeSeconds)
     {
         foreach (var entry in _clients.Values)
         {
-            yield return new Client
-            {
-                ClientId = entry.ClientId,
-                ClientName = entry.DisplayName,
-                AllowedGrantTypes = GrantTypes.ClientCredentials,
-                ClientSecrets =
-                {
-                    new Secret(Sha256Hex(entry.PlainTextSecret))
-                },
-                AllowedScopes = { IdentityServerResources.WorkerScopeName },
-                AccessTokenLifetime = accessTokenLifetimeSeconds,
-                AccessTokenType = AccessTokenType.Jwt,
-                AllowOfflineAccess = false,
-                RequireClientSecret = true,
-                Claims =
-                {
-                    new ClientClaim("worker_display_name", entry.DisplayName)
-                }
-            };
+            yield return BuildDuendeClient(entry, accessTokenLifetimeSeconds);
         }
     }
 
+    /// <summary>
+    /// Builds the Duende <see cref="Client"/> that corresponds to a
+    /// single registry entry. Exposed as a static so
+    /// <see cref="CompositeClientStore"/> can reuse the exact same
+    /// shape when it is asked for a client by id.
+    /// </summary>
+    public static Client BuildDuendeClient(WorkerClientEntry entry, int accessTokenLifetimeSeconds)
+    {
+        return new Client
+        {
+            ClientId = entry.ClientId,
+            ClientName = entry.DisplayName,
+            AllowedGrantTypes = GrantTypes.ClientCredentials,
+            ClientSecrets =
+            {
+                new Secret(Sha256Hex(entry.PlainTextSecret))
+            },
+            AllowedScopes = { IdentityServerResources.WorkerScopeName },
+            AccessTokenLifetime = accessTokenLifetimeSeconds,
+            AccessTokenType = AccessTokenType.Jwt,
+            AllowOfflineAccess = false,
+            RequireClientSecret = true,
+            Claims =
+            {
+                new ClientClaim("worker_display_name", entry.DisplayName)
+            }
+        };
+    }
+
     /// <summary>
     /// Returns true if the registry currently contains no workers.
     /// Used by Program.cs to log a warning at startup when the pool
@@ -159,7 +172,7 @@ private static string GenerateSecret()
     /// internal and deliberately simple so we don't take a dep on
     /// IdentityModel just for its <c>ToSha256</c> extension method.
     /// </summary>
-    private static string Sha256Hex(string value)
+    internal static string Sha256Hex(string value)
     {
         var bytes = Encoding.UTF8.GetBytes(value);
         var hash = SHA256.HashData(bytes);

src/BitNetSharp.Distributed.Coordinator/Program.cs

@@ -91,21 +91,32 @@
 });
 
 // ── Worker client registry + Duende IdentityServer ────────────────
-var workerRegistry = new WorkerClientRegistry();
-workerRegistry.Seed(builder.Configuration
-    .GetSection($"{CoordinatorOptions.SectionName}:WorkerClients")
-    .Get<List<WorkerClientOptions>>() ?? new List<WorkerClientOptions>());
-builder.Services.AddSingleton(workerRegistry);
+// Registry is seeded lazily from IConfiguration so WebApplicationFactory
+// integration tests can inject in-memory WorkerClients via
+// ConfigureAppConfiguration and have them picked up by the registry.
+// The top-level snapshot below is ONLY used for startup-time knobs like
+// the JWT authority URL; the real client list lives behind a
+// CompositeClientStore that the Duende client lookup consults on every
+// request.
+builder.Services.AddSingleton<WorkerClientRegistry>(sp =>
+{
+    var configuration = sp.GetRequiredService<IConfiguration>();
+    var section = configuration.GetSection($"{CoordinatorOptions.SectionName}:WorkerClients");
+    var clients = section.Get<List<WorkerClientOptions>>() ?? new List<WorkerClientOptions>();
+    var registry = new WorkerClientRegistry();
+    registry.Seed(clients);
+    return registry;
+});
 
 var coordinatorSnapshot = builder.Configuration
     .GetSection(CoordinatorOptions.SectionName)
     .Get<CoordinatorOptions>() ?? new CoordinatorOptions();
-var accessTokenLifetimeSeconds = coordinatorSnapshot.AccessTokenLifetimeSeconds;
 var coordinatorBaseUrl = coordinatorSnapshot.BaseUrl.TrimEnd('/');
 
 // Duende TestUsers — seeded with the single admin account read from
-// CoordinatorOptions.Admin. The cookie-based IS login flow validates
-// credentials against this list via the default ResourceOwnerPasswordValidator.
+// CoordinatorOptions.Admin. If the admin credentials are empty at
+// startup, an empty list goes in and the login page cannot succeed;
+// operators see a log warning on first /admin/api-keys hit.
 var adminTestUsers = new List<TestUser>();
 if (!string.IsNullOrWhiteSpace(coordinatorSnapshot.Admin.Username) &&
     !string.IsNullOrWhiteSpace(coordinatorSnapshot.Admin.Password))
@@ -123,11 +134,6 @@
     });
 }
 
-// Merge worker clients + admin UI client into the Duende client list.
-var duendeClients = new List<Client>();
-duendeClients.AddRange(workerRegistry.ToDuendeClients(accessTokenLifetimeSeconds));
-duendeClients.Add(IdentityServerResources.BuildAdminUiClient(coordinatorBaseUrl));
-
 builder.Services.AddIdentityServer(options =>
     {
         options.Events.RaiseErrorEvents = true;
@@ -144,7 +150,7 @@
     .AddInMemoryIdentityResources(IdentityServerResources.IdentityResources)
     .AddInMemoryApiScopes(IdentityServerResources.ApiScopes)
     .AddInMemoryApiResources(IdentityServerResources.ApiResources)
-    .AddInMemoryClients(duendeClients)
+    .AddClientStore<CompositeClientStore>()
     .AddTestUsers(adminTestUsers)
     .AddDeveloperSigningCredential(persistKey: false);
 
@@ -552,3 +558,16 @@ static string BuildConnectionString(CoordinatorOptions coord) =>
 /// discriminate the assembly entry point.
 /// </summary>
 public partial class Program;
+
+namespace BitNetSharp.Distributed.Coordinator
+{
+    /// <summary>
+    /// Named marker class that exists only so the tests project can
+    /// say <c>WebApplicationFactory&lt;CoordinatorHostMarker&gt;</c>
+    /// without colliding with the Worker project's top-level
+    /// <see cref="Program"/> class. WebApplicationFactory uses the
+    /// type parameter only to locate the assembly to bootstrap; any
+    /// type in the coordinator assembly works.
+    /// </summary>
+    public sealed class CoordinatorHostMarker;
+}

tests/BitNetSharp.Tests/BitNetSharp.Tests.csproj

@@ -19,6 +19,15 @@
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
   </ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'net10.0'">
+    <!--
+      WebApplicationFactory is only needed for the coordinator
+      integration tests which run exclusively on the net10 slice.
+      Pinning this to the net10 conditional keeps the net9 compile
+      of the test project free of ASP.NET Core 10 transitive deps.
+    -->
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.4" />
+  </ItemGroup>
 
   <ItemGroup>
     <Using Include="Xunit" />