save changes

src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs

@@ -143,6 +143,13 @@ builder.Services.AddAuthorization(options =>
         ? bootstrapOptions.Authority.RequiredScopes.ToArray()
         : new[] { StellaOpsScopes.VulnOperate };
 
+    // Default policy uses StellaOpsScopeRequirement so bypass evaluator can grant
+    // access for requests from trusted networks (BypassNetworks) without a JWT.
+    options.DefaultPolicy = new Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder()
+        .AddAuthenticationSchemes(StellaOpsAuthenticationDefaults.AuthenticationScheme)
+        .AddRequirements(new StellaOpsScopeRequirement(scopes))
+        .Build();
+
     options.AddPolicy(LedgerWritePolicy, policy =>
     {
         policy.RequireAuthenticatedUser();