Restructure solution layout by module

src/Policy/StellaOps.Policy.Engine/Options/PolicyEngineOptions.cs

@@ -0,0 +1,168 @@
+using System.Collections.ObjectModel;
+using StellaOps.Auth.Abstractions;
+
+namespace StellaOps.Policy.Engine.Options;
+
+/// <summary>
+/// Root configuration for the Policy Engine host.
+/// </summary>
+public sealed class PolicyEngineOptions
+{
+    public const string SectionName = "PolicyEngine";
+
+    public PolicyEngineAuthorityOptions Authority { get; } = new();
+
+    public PolicyEngineStorageOptions Storage { get; } = new();
+
+    public PolicyEngineWorkerOptions Workers { get; } = new();
+
+    public PolicyEngineResourceServerOptions ResourceServer { get; } = new();
+
+    public void Validate()
+    {
+        Authority.Validate();
+        Storage.Validate();
+        Workers.Validate();
+        ResourceServer.Validate();
+    }
+}
+
+public sealed class PolicyEngineAuthorityOptions
+{
+    public bool Enabled { get; set; } = true;
+
+    public string Issuer { get; set; } = "https://authority.stella-ops.local";
+
+    public string ClientId { get; set; } = "policy-engine";
+
+    public string? ClientSecret { get; set; }
+
+    public IList<string> Scopes { get; } = new List<string>
+    {
+        StellaOpsScopes.PolicyRun,
+        StellaOpsScopes.FindingsRead,
+        StellaOpsScopes.EffectiveWrite
+    };
+
+    public int BackchannelTimeoutSeconds { get; set; } = 30;
+
+    public void Validate()
+    {
+        if (!Enabled)
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(Issuer))
+        {
+            throw new InvalidOperationException("Policy Engine authority configuration requires an issuer.");
+        }
+
+        if (!Uri.TryCreate(Issuer, UriKind.Absolute, out var issuerUri) || !issuerUri.IsAbsoluteUri)
+        {
+            throw new InvalidOperationException("Policy Engine authority issuer must be an absolute URI.");
+        }
+
+        if (issuerUri.Scheme != Uri.UriSchemeHttps && !issuerUri.IsLoopback)
+        {
+            throw new InvalidOperationException("Policy Engine authority issuer must use HTTPS unless targeting loopback.");
+        }
+
+        if (string.IsNullOrWhiteSpace(ClientId))
+        {
+            throw new InvalidOperationException("Policy Engine authority configuration requires a clientId.");
+        }
+
+        if (Scopes.Count == 0)
+        {
+            throw new InvalidOperationException("Policy Engine authority configuration requires at least one scope.");
+        }
+
+        if (BackchannelTimeoutSeconds <= 0)
+        {
+            throw new InvalidOperationException("Policy Engine authority backchannel timeout must be greater than zero.");
+        }
+    }
+}
+
+public sealed class PolicyEngineStorageOptions
+{
+    public string ConnectionString { get; set; } = "mongodb://localhost:27017/policy-engine";
+
+    public string DatabaseName { get; set; } = "policy_engine";
+
+    public int CommandTimeoutSeconds { get; set; } = 30;
+
+    public void Validate()
+    {
+        if (string.IsNullOrWhiteSpace(ConnectionString))
+        {
+            throw new InvalidOperationException("Policy Engine storage configuration requires a MongoDB connection string.");
+        }
+
+        if (string.IsNullOrWhiteSpace(DatabaseName))
+        {
+            throw new InvalidOperationException("Policy Engine storage configuration requires a database name.");
+        }
+
+        if (CommandTimeoutSeconds <= 0)
+        {
+            throw new InvalidOperationException("Policy Engine storage command timeout must be greater than zero.");
+        }
+    }
+
+    public TimeSpan CommandTimeout => TimeSpan.FromSeconds(CommandTimeoutSeconds);
+}
+
+public sealed class PolicyEngineWorkerOptions
+{
+    public int SchedulerIntervalSeconds { get; set; } = 15;
+
+    public int MaxConcurrentEvaluations { get; set; } = 4;
+
+    public void Validate()
+    {
+        if (SchedulerIntervalSeconds <= 0)
+        {
+            throw new InvalidOperationException("Policy Engine worker interval must be greater than zero.");
+        }
+
+        if (MaxConcurrentEvaluations <= 0)
+        {
+            throw new InvalidOperationException("Policy Engine worker concurrency must be greater than zero.");
+        }
+    }
+}
+
+public sealed class PolicyEngineResourceServerOptions
+{
+    public string Authority { get; set; } = "https://authority.stella-ops.local";
+
+    public IList<string> Audiences { get; } = new List<string> { "api://policy-engine" };
+
+    public IList<string> RequiredScopes { get; } = new List<string> { StellaOpsScopes.PolicyRun };
+
+    public IList<string> RequiredTenants { get; } = new List<string>();
+
+    public IList<string> BypassNetworks { get; } = new List<string> { "127.0.0.1/32", "::1/128" };
+
+    public bool RequireHttpsMetadata { get; set; } = true;
+
+    public void Validate()
+    {
+        if (string.IsNullOrWhiteSpace(Authority))
+        {
+            throw new InvalidOperationException("Resource server configuration requires an Authority URL.");
+        }
+
+        if (!Uri.TryCreate(Authority.Trim(), UriKind.Absolute, out var uri))
+        {
+            throw new InvalidOperationException("Resource server Authority URL must be absolute.");
+        }
+
+        if (RequireHttpsMetadata && !uri.IsLoopback && !string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new InvalidOperationException("Resource server Authority URL must use HTTPS when HTTPS metadata is required.");
+        }
+    }
+}