more audit work

src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Program.cs

@@ -1,6 +1,8 @@
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.EntityFrameworkCore;
 using StellaOps.Signer.Infrastructure;
 using StellaOps.Signer.Infrastructure.Options;
+using StellaOps.Signer.KeyManagement;
 using StellaOps.Signer.WebService.Endpoints;
 using StellaOps.Signer.WebService.Security;
 using StellaOps.Cryptography.DependencyInjection;
@@ -14,13 +16,31 @@ builder.Services.AddAuthentication(StubBearerAuthenticationDefaults.Authenticati
         StubBearerAuthenticationDefaults.AuthenticationScheme,
         _ => { });
 
-builder.Services.AddAuthorization();
+builder.Services.AddAuthorization(options =>
+{
+    options.AddPolicy("KeyManagement", policy => policy.RequireAuthenticatedUser());
+});
 
 builder.Services.AddSignerPipeline();
 
 // Configure TimeProvider for deterministic testing support
 builder.Services.AddSingleton(TimeProvider.System);
 
+var keyManagementConnection = builder.Configuration.GetConnectionString("KeyManagement");
+if (string.IsNullOrWhiteSpace(keyManagementConnection))
+{
+    builder.Services.AddDbContext<KeyManagementDbContext>(options =>
+        options.UseInMemoryDatabase("SignerKeyManagement"));
+}
+else
+{
+    builder.Services.AddDbContext<KeyManagementDbContext>(options =>
+        options.UseNpgsql(keyManagementConnection));
+}
+
+builder.Services.AddScoped<IKeyRotationService, KeyRotationService>();
+builder.Services.AddScoped<ITrustAnchorManager, TrustAnchorManager>();
+
 builder.Services.Configure<SignerEntitlementOptions>(options =>
 {
     // Note: Using 1-hour expiry for demo/test tokens. 
@@ -56,6 +76,7 @@ app.TryUseStellaRouter(routerOptions);
 
 app.MapGet("/", () => Results.Ok("StellaOps Signer service ready."));
 app.MapSignerEndpoints();
+app.MapKeyRotationEndpoints();
 
 // Refresh Router endpoint cache
 app.TryRefreshStellaRouterEndpoints(routerOptions);