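# StellaOps Authority configuration (dev profile)
# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
# stacks and kept under version control so compose/helm bundles mount a working config.
#
# Everything here is sized for a single-host dev stack: loopback-only rate-limit
# bypass, file-backed signing key, Mongo credentials in the URI, bootstrap off.
# Values that must differ per environment are called out inline.
---
schemaVersion: 1

# Public issuer URL embedded in every token; must match what relying parties validate.
issuer: "https://authority.localtest.me"

# Lifetimes are hh:mm:ss, with an optional day prefix (d.hh:mm:ss).
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

storage:
  # Dev-only username/password embedded in the URI (matches the compose Mongo
  # service). Anything beyond a local stack should inject the connection string
  # from a secret rather than from this committed file.
  connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
  databaseName: "stellaops_authority"
  commandTimeout: "00:00:30"

signing:
  enabled: true
  # Key id published in the JWKS / kid header; rotate by adding a new id, not by
  # overwriting the dev PEM in place.
  activeKeyId: "authority-signing-dev"
  # Private key on disk, relative to this config file. Dev key only.
  keyPath: "../certificates/authority-signing-dev.pem"
  algorithm: "ES256"
  keySource: "file"

bootstrap:
  # Bootstrap API is disabled; the apiKey below is an inert placeholder and
  # must be replaced before enabling bootstrap anywhere.
  enabled: false
  apiKey: "change-me"
  defaultIdentityProvider: "standard"

pluginDirectories:
  - "../StellaOps.Authority.PluginBinaries"

plugins:
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        defaultRole: "operators"

# Service clients. All use client_credentials with a secret read from a file
# outside the repo (secretFile) and are DPoP sender-constrained, so a leaked
# bearer token alone is not usable without the client's DPoP key.
clients:
  - clientId: "policy-engine"
    displayName: "Policy Engine Service"
    grantTypes: ["client_credentials"]
    audiences: ["api://policy-engine"]
    scopes: ["policy:run", "findings:read", "effective:write"]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "policy-engine"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/policy-engine.secret"

  - clientId: "cartographer-service"
    displayName: "Cartographer Service"
    grantTypes: ["client_credentials"]
    audiences: ["api://cartographer"]
    scopes: ["graph:write", "graph:read"]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "cartographer"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/cartographer-service.secret"

  - clientId: "graph-api"
    displayName: "Graph API Gateway"
    grantTypes: ["client_credentials"]
    audiences: ["api://graph-api"]
    scopes: ["graph:read", "graph:export", "graph:simulate"]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api.secret"

  - clientId: "concelier-ingest"
    displayName: "Concelier Ingestion"
    grantTypes: ["client_credentials"]
    audiences: ["api://concelier"]
    scopes: ["advisory:ingest", "advisory:read"]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/concelier-ingest.secret"

  - clientId: "excitor-ingest"
    displayName: "Excititor VEX Ingestion"
    grantTypes: ["client_credentials"]
    audiences: ["api://excitor"]
    scopes: ["vex:ingest", "vex:read"]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/excitor-ingest.secret"

  # CLI client for the same audience as graph-api, with the read/export subset
  # of its scopes (no graph:simulate).
  - clientId: "graph-api-cli"
    displayName: "Graph Explorer CLI"
    grantTypes: ["client_credentials"]
    audiences: ["api://graph-api"]
    scopes: ["graph:read", "graph:export"]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api-cli.secret"

security:
  rateLimiting:
    # Token endpoint: 30 requests per minute per caller, excess rejected outright.
    token:
      enabled: true
      permitLimit: 30
      window: "00:01:00"
      queueLimit: 0
    # Authorize endpoint: 60 per minute, with up to 10 requests queued.
    authorize:
      enabled: true
      permitLimit: 60
      window: "00:01:00"
      queueLimit: 10

  passwordHashing:
    # Argon2id at 19 MiB / 2 iterations / 1 lane — the OWASP baseline profile.
    algorithm: "Argon2id"
    memorySizeInKib: 19456
    iterations: 2
    parallelism: 1

  senderConstraints:
    dpop:
      enabled: true
      proofLifetime: "00:05:00"
      allowedClockSkew: "00:00:10"
      # With the server nonce disabled below, replay protection rests on the
      # proof lifetime plus this jti replay window.
      replayWindow: "00:10:00"
      nonce:
        enabled: false
    mtls:
      enabled: false

  # Callers from these networks are exempt from rate limiting; loopback only.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"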