Finalize UI truthfulness and bootstrap hardening

2026-04-16 16:23:54 +03:00
parent 4799aa2402
commit bc6b1c5959
145 changed files with 10503 additions and 9837 deletions
--- a/devops/compose/docker-compose.stella-ops.legacy.yml
+++ b/devops/compose/docker-compose.stella-ops.legacy.yml
@@ -418,10 +418,10 @@ services:
      Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
      Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
      Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
+      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local:8080"
      STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
      STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
-      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local"
+      STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local:8080"
      STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
      STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
      STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
@@ -516,18 +516,6 @@ services:
      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Type: "standard"
      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__AssemblyName: "StellaOps.Authority.Plugin.Standard"
      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__ClientId: "stella-ops-ui"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__DisplayName: "Stella Ops Console"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedGrantTypes: "authorization_code refresh_token"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedScopes: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RedirectUris: "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh https://127.1.0.1/auth/callback https://127.1.0.1/auth/silent-refresh"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__PostLogoutRedirectUris: "https://stella-ops.local/ https://127.1.0.1/"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RequirePkce: "true"
-      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowPlainTextPkce: "false"
      STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
      STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
      STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
@@ -1415,8 +1403,9 @@ services:
      Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
      Authority__ResourceServer__RequireHttpsMetadata: "false"
      Authority__ResourceServer__Audiences__0: ""
-      Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
-      Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
+      Authority__ResourceServer__BypassNetworks__0: "172.16.0.0/12"
+      Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
+      Authority__ResourceServer__BypassNetworks__2: "::1/128"
      TIMELINE_Postgres__Timeline__ConnectionString: *postgres-connection
      Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
      Router__Messaging__ConsumerGroup: "timeline"