compose and authority fixes. finish sprints.

2026-02-17 21:59:47 +02:00
parent fb46a927ad
commit 49cdebe2f1
187 changed files with 23189 additions and 1439 deletions
--- a/src/Policy/StellaOps.Policy.Gateway/Program.cs
+++ b/src/Policy/StellaOps.Policy.Gateway/Program.cs
@@ -1,6 +1,7 @@

 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -26,6 +27,7 @@ using StellaOps.Policy.Snapshots;
 using StellaOps.Policy.ToolLattice;
 using System;
 using System.Diagnostics;
+using System.Globalization;
 using System.IO;
 using System.Net;
 using System.Net.Http;
@@ -200,7 +202,29 @@ builder.Services.AddSingleton<IToolAccessEvaluator, ToolAccessEvaluator>();

 builder.Services.AddStellaOpsResourceServerAuthentication(
    builder.Configuration,
-    configurationSection: $"{PolicyGatewayOptions.SectionName}:ResourceServer");
+    configurationSection: $"{PolicyGatewayOptions.SectionName}:ResourceServer",
+    configure: resourceOptions =>
+    {
+        // IConfiguration binder does not always clear default list values.
+        // When local compose sets Audiences to an empty value, explicitly clear
+        // the audience list so no-aud local tokens can be validated.
+        var audiences = builder.Configuration
+            .GetSection($"{PolicyGatewayOptions.SectionName}:ResourceServer:Audiences")
+            .Get<string[]>();
+        if (audiences is null)
+        {
+            return;
+        }
+
+        resourceOptions.Audiences.Clear();
+        foreach (var audience in audiences)
+        {
+            if (!string.IsNullOrWhiteSpace(audience))
+            {
+                resourceOptions.Audiences.Add(audience.Trim());
+            }
+        }
+    });

 // Accept self-signed certificates when HTTPS metadata validation is disabled (dev/Docker)
 if (!bootstrap.Options.ResourceServer.RequireHttpsMetadata)
@@ -258,6 +282,11 @@ if (bootstrap.Options.PolicyEngine.ClientCredentials.Enabled)
    .AddPolicyHandler(static (provider, _) => CreateAuthorityRetryPolicy(provider))
    .AddHttpMessageHandler<PolicyGatewayDpopHandler>();
 }
+else
+{
+    // Keep DI graph valid when client credentials are disabled.
+    builder.Services.AddSingleton<IStellaOpsTokenClient, DisabledStellaOpsTokenClient>();
+}

 builder.Services.AddHttpClient<IPolicyEngineClient, PolicyEngineClient>((serviceProvider, client) =>
 {
@@ -295,6 +324,23 @@ app.MapGet("/readyz", () => Results.Ok(new { status = "ready" }))

 app.MapGet("/", () => Results.Redirect("/healthz"));

+app.MapGet("/api/policy/quota", ([FromServices] TimeProvider timeProvider) =>
+    {
+        var now = timeProvider.GetUtcNow();
+        var resetAt = now.Date.AddDays(1).ToString("O", CultureInfo.InvariantCulture);
+        return Results.Ok(new
+        {
+            simulationsPerDay = 1000,
+            simulationsUsed = 0,
+            evaluationsPerDay = 5000,
+            evaluationsUsed = 0,
+            resetAt
+        });
+    })
+    .WithTags("Policy Quota")
+    .WithName("PolicyQuota.Get")
+    .RequireAuthorization(policy => policy.RequireStellaOpsScopes(StellaOpsScopes.PolicyRead));
+
 var policyPacks = app.MapGroup("/api/policy/packs")
    .WithTags("Policy Packs");