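---
# Authority configuration for the sealed-mode CI fixture (issuer
# authority.sealed-ci.local, tenant sealed-ci).
#
# NOTE(review): this file arrived collapsed onto a single line. The nesting
# below is reconstructed from key names; verify it against the consumer's
# schema before relying on it (in particular nonce under dpop, sealedMode
# under airGap, and crypto as a top-level key).
#
# Durations are quoted so that YAML 1.1 loaders do not read values such as
# 00:02:00 as sexagesimal integers. Presumably hh:mm:ss; confirm.

schemaVersion: 1

# Plain-HTTP issuer: nothing in this file puts TLS in front of it. Only
# appropriate inside the isolated CI network; use an https issuer elsewhere.
issuer: http://authority.sealed-ci.local

accessTokenLifetime: '00:02:00'
refreshTokenLifetime: '01:00:00'
identityTokenLifetime: '00:05:00'
authorizationCodeLifetime: '00:05:00'
deviceCodeLifetime: '00:15:00'

pluginDirectories:
  - /app

plugins:
  configurationDirectory: /app/plugins
  descriptors:
    standard:
      type: standard
      assemblyName: StellaOps.Authority.Plugin.Standard
      enabled: true
      configFile: standard.yaml

storage:
  # The username and password are embedded in the URI, so anyone who can read
  # this file can read them. Treat them as a throwaway CI credential: never
  # reuse them outside this fixture, and inject real credentials from a secret
  # store or environment instead of committing them.
  connectionString: 'mongodb://sealedci:sealedci@mongo:27017/authority?authSource=admin'
  databaseName: authority
  commandTimeout: '00:00:30'

signing:
  enabled: true
  activeKeyId: sealed-ci
  # File-based key whose name marks it as a dev key. Tokens signed with it
  # should not be trusted outside CI; keep the PEM readable only by the
  # service account.
  keyPath: /certificates/authority-signing-dev.pem
  algorithm: ES256
  keySource: file

bootstrap:
  enabled: false

crypto:
  providers: []

security:
  senderConstraints:
    dpop:
      enabled: true
      proofLifetime: '00:02:00'
      replayWindow: '00:05:00'
      # Server-issued nonces are off, so replay defence presumably rests on
      # proofLifetime and replayWindow alone. Confirm this is intended
      # before copying the setting outside CI.
      nonce:
        enabled: false
    mtls:
      enabled: false

airGap:
  egress:
    mode: Sealed
    # NOTE(review): both allowances are on, so the sealed policy presumably
    # still permits loopback and private-range destinations. Tighten them if
    # the CI network hosts anything untrusted.
    allowLoopback: true
    allowPrivateNetworks: true
    remediationDocumentationUrl: https://docs.stella-ops.org/airgap/sealed-ci
    supportContact: airgap-ops@stella-ops.org
  sealedMode:
    enforcementEnabled: true
    evidencePath: /artifacts/sealed-mode-ci/latest/authority-sealed-ci.json
    # Evidence older than this is presumably rejected; keep it short so that a
    # stale "sealed" attestation cannot be replayed across runs.
    maxEvidenceAge: '00:30:00'
    cacheLifetime: '00:01:00'
    requireAuthorityHealthPass: true
    requireSignerHealthPass: true
    requireAttestorHealthPass: true
    requireEgressProbePass: true

tenants:
  - name: sealed-ci
    roles:
      operators:
        # Read-only policy scope; keep this list minimal.
        scopes:
          - 'policy:read'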