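# StellaOps Policy Gateway configuration template.
# Copy to ../etc/policy-gateway.yaml (relative to the gateway content root)
# and adjust values to fit your environment. Environment variables prefixed with
# STELLAOPS_POLICY_GATEWAY_ override these values at runtime.
#
# NOTE(review): the nesting below is reconstructed from key order in a copy
# whose line breaks were lost; confirm it against the gateway's options schema.

schemaVersion: 1

telemetry:
  minimumLogLevel: Information

# Validation of tokens presented by callers of the gateway.
resourceServer:
  authority: "https://authority.stella-ops.local"
  metadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
  audiences: ["api://policy-gateway"]
  requiredScopes:
    - "policy:read"
    - "policy:author"
    - "policy:review"
    - "policy:approve"
    - "policy:operate"
    - "policy:simulate"
    - "policy:run"
    - "policy:activate"
  # Empty list: presumably no tenant restriction is enforced. List the
  # expected tenants in multi-tenant deployments (confirm semantics).
  requiredTenants: []
  # Presumably callers from these CIDRs skip token checks (TODO confirm).
  # Keep this to loopback. If the gateway sits behind a reverse proxy on the
  # same host, proxied traffic may also appear to come from loopback, so
  # verify how the client address is derived before relying on this list.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"
  # Keep true outside local development so the discovery document is only
  # fetched over TLS.
  requireHttpsMetadata: true
  backchannelTimeoutSeconds: 30
  tokenClockSkewSeconds: 60

# Outbound calls from the gateway to the Policy Engine.
policyEngine:
  baseAddress: "https://policy-engine.stella-ops.local"
  audience: "api://policy-engine"
  clientCredentials:
    enabled: true
    clientId: "policy-gateway"
    # Placeholder only: replace before deployment. Prefer supplying the real
    # secret through a STELLAOPS_POLICY_GATEWAY_-prefixed environment variable
    # or a secret store so it never lands in a committed file.
    clientSecret: "change-me"
    # The template requests every policy scope, including approve and
    # activate. Trim this to the scopes the gateway needs in your deployment.
    scopes:
      - "policy:read"
      - "policy:author"
      - "policy:review"
      - "policy:approve"
      - "policy:operate"
      - "policy:simulate"
      - "policy:run"
      - "policy:activate"
    backchannelTimeoutSeconds: 30
  # DPoP (RFC 9449) binds an access token to a key held by the client, so a
  # captured token alone cannot be replayed. It is disabled in this template;
  # consider enabling it where the authority supports it.
  dpop:
    enabled: false
    keyPath: "../etc/policy-gateway-dpop.pem"
    # Empty passphrase: presumably an unencrypted PEM key is expected
    # (confirm). If so, restrict read access on keyPath to the gateway's
    # service account, or use an encrypted key and inject the passphrase at
    # runtime rather than storing it here.
    keyPassphrase: ""
    algorithm: "ES256"
    proofLifetime: "00:02:00"
    clockSkew: "00:00:30"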