feat: rename rails/ to tools/ and add service tool suites (#4)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

guides/AUTHENTICATION.md

@@ -1,7 +1,7 @@
 # Authentication & Authorization Guide
 
 ## Before Starting
-1. Check assigned issue: `~/.config/mosaic/rails/git/issue-list.sh -a @me`
+1. Check assigned issue: `~/.config/mosaic/tools/git/issue-list.sh -a @me`
 2. Review existing auth implementation in codebase
 3. Review Vault secrets structure: `docs/vault-secrets-structure.md`
 
@@ -115,6 +115,41 @@ class TestAuthentication:
         pass
 ```
 
+## Authentik SSO Administration
+
+Authentik is the identity provider for the Mosaic Stack. Use the Authentik tool suite for administration.
+
+### Tool Suite
+
+```bash
+# System health
+~/.config/mosaic/tools/authentik/admin-status.sh
+
+# User management
+~/.config/mosaic/tools/authentik/user-list.sh
+~/.config/mosaic/tools/authentik/user-create.sh -u <username> -n <name> -e <email>
+
+# Group and app management
+~/.config/mosaic/tools/authentik/group-list.sh
+~/.config/mosaic/tools/authentik/app-list.sh
+~/.config/mosaic/tools/authentik/flow-list.sh
+```
+
+### Registering an OAuth Application
+
+1. Create an OAuth2 provider in Authentik admin (Applications > Providers)
+2. Create an application linked to the provider (Applications > Applications)
+3. Configure redirect URIs for the application
+4. Store client_id and client_secret in Vault: `secret-{env}/{service}/oauth/authentik/`
+5. Verify with: `~/.config/mosaic/tools/authentik/app-list.sh`
+
+### API Reference
+
+- Base URL: `https://auth.diversecanvas.com`
+- API prefix: `/api/v3/`
+- OpenAPI schema: `/api/v3/schema/`
+- Auth: Bearer token (obtained via `auth-token.sh`)
+
 ## Common Vulnerabilities to Avoid
 
 1. **Broken Authentication**