compose and authority fixes. finish sprints.

src/Policy/StellaOps.Policy.Engine/Endpoints/ProfileExportEndpoints.cs

@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.ServerIntegration;
 using StellaOps.Cryptography;
 using StellaOps.Policy.Engine.Services;
 using StellaOps.Policy.RiskProfile.Export;
@@ -15,7 +16,7 @@ internal static class ProfileExportEndpoints
     public static IEndpointRouteBuilder MapProfileExport(this IEndpointRouteBuilder endpoints)
     {
         var group = endpoints.MapGroup("/api/risk/profiles/export")
-            .RequireAuthorization()
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyRead })))
             .WithTags("Profile Export/Import");
 
         group.MapPost("/", ExportProfiles)
@@ -30,7 +31,7 @@ internal static class ProfileExportEndpoints
             .Produces<FileContentHttpResult>(StatusCodes.Status200OK, contentType: "application/json");
 
         endpoints.MapPost("/api/risk/profiles/import", ImportProfiles)
-            .RequireAuthorization()
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyEdit })))
             .WithName("ImportProfiles")
             .WithSummary("Import risk profiles from a signed bundle.")
             .WithTags("Profile Export/Import")
@@ -38,7 +39,7 @@ internal static class ProfileExportEndpoints
             .Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest);
 
         endpoints.MapPost("/api/risk/profiles/verify", VerifyBundle)
-            .RequireAuthorization()
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyRead })))
             .WithName("VerifyProfileBundle")
             .WithSummary("Verify the signature of a profile bundle without importing.")
             .WithTags("Profile Export/Import")

src/Policy/StellaOps.Policy.Engine/Endpoints/RiskProfileEndpoints.cs

@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.ServerIntegration;
 using StellaOps.Policy.Engine.Services;
 using StellaOps.Policy.RiskProfile.Lifecycle;
 using StellaOps.Policy.RiskProfile.Models;
@@ -15,7 +16,7 @@ internal static class RiskProfileEndpoints
     public static IEndpointRouteBuilder MapRiskProfiles(this IEndpointRouteBuilder endpoints)
     {
         var group = endpoints.MapGroup("/api/risk/profiles")
-            .RequireAuthorization()
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyRead })))
             .WithTags("Risk Profiles");
 
         group.MapGet(string.Empty, ListProfiles)

src/Policy/StellaOps.Policy.Engine/Endpoints/RiskProfileSchemaEndpoints.cs

@@ -2,6 +2,8 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Net.Http.Headers;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.ServerIntegration;
 using StellaOps.Policy.RiskProfile.Schema;
 using System.Text.Json;
 
@@ -19,14 +21,15 @@ internal static class RiskProfileSchemaEndpoints
             .WithTags("Schema Discovery")
             .Produces<string>(StatusCodes.Status200OK, contentType: JsonSchemaMediaType)
             .Produces(StatusCodes.Status304NotModified)
-            .RequireAuthorization();
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyRead })));
 
         endpoints.MapPost("/api/risk/schema/validate", ValidateProfile)
             .WithName("ValidateRiskProfile")
             .WithSummary("Validate a risk profile document against the schema.")
             .WithTags("Schema Validation")
             .Produces<RiskProfileValidationResponse>(StatusCodes.Status200OK)
-            .Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest);
+            .Produces<ProblemHttpResult>(StatusCodes.Status400BadRequest)
+            .RequireAuthorization(policy => policy.Requirements.Add(new StellaOpsScopeRequirement(new[] { StellaOpsScopes.PolicyRead })));
 
         return endpoints;
     }

src/Policy/StellaOps.Policy.Engine/Program.cs

@@ -1,5 +1,6 @@
 
 using Microsoft.AspNetCore.RateLimiting;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Options;
 using NetEscapades.Configuration.Yaml;
 using StellaOps.AirGap.Policy;
@@ -289,7 +290,29 @@ builder.Services.AddAuthorization();
 builder.Services.AddStellaOpsScopeHandler();
 builder.Services.AddStellaOpsResourceServerAuthentication(
     builder.Configuration,
-    configurationSection: $"{PolicyEngineOptions.SectionName}:ResourceServer");
+    configurationSection: $"{PolicyEngineOptions.SectionName}:ResourceServer",
+    configure: resourceOptions =>
+    {
+        // IConfiguration binder does not always clear default list values.
+        // When local compose sets Audiences to an empty value, explicitly clear
+        // the audience list so no-aud local tokens can be validated.
+        var audiences = builder.Configuration
+            .GetSection($"{PolicyEngineOptions.SectionName}:ResourceServer:Audiences")
+            .Get<string[]>();
+        if (audiences is null)
+        {
+            return;
+        }
+
+        resourceOptions.Audiences.Clear();
+        foreach (var audience in audiences)
+        {
+            if (!string.IsNullOrWhiteSpace(audience))
+            {
+                resourceOptions.Audiences.Add(audience.Trim());
+            }
+        }
+    });
 
 // Accept self-signed certificates when HTTPS metadata validation is disabled (dev/Docker)
 if (!bootstrap.Options.ResourceServer.RequireHttpsMetadata)