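# StellaOps Policy Engine configuration template.
# Copy to ../etc/policy-engine.yaml (relative to the Policy Engine content root)
# and adjust values to fit your environment. Environment variables prefixed with
# STELLAOPS_POLICY_ENGINE_ override these values at runtime.
#
# This file is a template: the secret and connection string below are
# placeholders and must be replaced before use outside a local sandbox.

schemaVersion: 1

# Client credentials the Policy Engine uses when calling the Authority.
authority:
  enabled: true
  issuer: "https://authority.stella-ops.local"
  clientId: "policy-engine"
  # Placeholder value. Replace it before deployment and keep the real secret
  # out of version control, for example by supplying it through a
  # STELLAOPS_POLICY_ENGINE_-prefixed environment variable (see header).
  clientSecret: "change-me"
  # Scopes requested for the client; keep this list to what the service needs.
  scopes: [ "policy:run", "findings:read", "effective:write" ]
  backchannelTimeoutSeconds: 30

storage:
  # Sample value: loopback host, no credentials and no TLS options in the URI.
  # For any non-local database use an authenticated, TLS-enabled connection
  # string and inject it at runtime rather than committing it.
  connectionString: "mongodb://localhost:27017/policy-engine"
  databaseName: "policy_engine"
  commandTimeoutSeconds: 30

workers:
  schedulerIntervalSeconds: 15
  maxConcurrentEvaluations: 4

activation:
  # NOTE(review): both two-person approval switches are off in this template,
  # so presumably a single operator can activate a policy. Confirm the exact
  # semantics and consider enabling them for production tenants.
  forceTwoPersonApproval: false
  defaultRequiresTwoPersonApproval: false
  # Keep enabled so that activations leave an audit trail.
  emitAuditLogs: true

# Validation of tokens presented to the Policy Engine's own API.
resourceServer:
  authority: "https://authority.stella-ops.local"
  # Keep true outside local development so that Authority metadata is only
  # accepted over HTTPS.
  requireHttpsMetadata: true
  audiences: [ "api://policy-engine" ]
  requiredScopes: [ "policy:run" ]
  # Empty list; presumably no tenant restriction is enforced - confirm.
  requiredTenants: [ ]
  # NOTE(review): callers from these networks presumably skip token checks.
  # Only loopback is listed, but if a reverse proxy or sidecar on the same
  # host forwards external traffic, those requests may also arrive from
  # loopback. Verify how the client address is derived before relying on it,
  # and do not widen this list without review.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"

# Rate limiting for simulation endpoints (WEB-POLICY-20-004)
rateLimiting:
  enabled: true
  simulationPermitLimit: 100  # Maximum requests per window
  windowSeconds: 60  # Window duration in seconds
  queueLimit: 10  # Requests queued when limit reached
  tenantPartitioning: true  # Enable per-tenant rate limits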