up

etc/authority.plugins/standard.yaml

@@ -17,5 +17,6 @@ lockout:
 
 tokenSigning:
   # Path to the directory containing signing keys (relative paths resolve
-  # against this configuration file location).
+  # against the location of this manifest, environment variables are expanded,
+  # and the final value is normalised to an absolute path during startup.
   keyDirectory: "../keys"

etc/feedser.yaml.sample

@@ -38,6 +38,9 @@ telemetry:
 
 authority:
   enabled: false
+  # Temporary rollout flag. When true, Feedser logs anonymous access but does not fail requests
+  # without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
+  allowAnonymousFallback: true
   # Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
   issuer: "https://authority.stella-ops.local"
   # Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
@@ -49,6 +52,13 @@ authority:
     - "api://feedser"
   requiredScopes:
     - "feedser.jobs.trigger"
+  # Outbound credentials Feedser can use to call Authority (client credentials flow).
+  clientId: "feedser-jobs"
+  # Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
+  clientSecret: ""
+  clientSecretFile: ""
+  clientScopes:
+    - "feedser.jobs.trigger"
   # Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
   bypassNetworks:
     - "127.0.0.1/32"