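# StellaOps Policy Engine configuration template.
# Copy to ../etc/policy-engine.yaml (relative to the Policy Engine content root)
# and adjust values to fit your environment. Environment variables prefixed with
# STELLAOPS_POLICY_ENGINE_ override these values at runtime.
#
# Operator notes (security):
#   - This file carries an OAuth client secret (authority.clientSecret) and a
#     database connection string (storage.connectionString). Do not commit a
#     populated copy to version control; inject real values through the
#     STELLAOPS_POLICY_ENGINE_ environment overrides or your secret store.
#   - Keep resourceServer.requireHttpsMetadata at true outside local development;
#     it presumably gates fetching Authority metadata over plaintext HTTP.
#   - resourceServer.bypassNetworks lists CIDRs that skip token validation
#     (per the key name). Keep it to loopback and review it whenever the engine
#     shares a network namespace with other processes (sidecars, proxies).
---
schemaVersion: 1

# Outbound identity: how the engine authenticates to Authority as a client.
authority:
  enabled: true
  issuer: "https://authority.stella-ops.local"
  clientId: "policy-engine"
  # Placeholder only. A real secret must never be checked in with this template;
  # supply it via the environment-variable override or a secret store.
  clientSecret: "change-me"
  scopes:
    - "policy:run"
    - "findings:read"
    - "effective:write"
  backchannelTimeoutSeconds: 30

storage:
  # Unauthenticated, non-TLS URI: suitable for local development only.
  # Production should override this with an authenticated, TLS-enabled URI.
  connectionString: "mongodb://localhost:27017/policy-engine"
  databaseName: "policy_engine"
  commandTimeoutSeconds: 30

workers:
  schedulerIntervalSeconds: 15
  maxConcurrentEvaluations: 4

activation:
  # Two-person approval is off in this template. Consider enabling
  # forceTwoPersonApproval for production so a single operator cannot
  # activate a policy alone (semantics of the two flags: confirm in code).
  forceTwoPersonApproval: false
  defaultRequiresTwoPersonApproval: false
  emitAuditLogs: true

# Inbound token validation: how the engine validates callers' tokens.
resourceServer:
  authority: "https://authority.stella-ops.local"
  requireHttpsMetadata: true
  audiences:
    - "api://policy-engine"
  requiredScopes:
    - "policy:run"
  # Empty list — presumably "no tenant restriction at this layer"; verify
  # against the resource-server options before relying on it in multi-tenant
  # deployments.
  requiredTenants: []
  # Loopback only. Widening this range lets anything in that range call the
  # engine without a token.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"

# Rate limiting for simulation endpoints (WEB-POLICY-20-004)
rateLimiting:
  enabled: true
  simulationPermitLimit: 100  # Maximum requests per window
  windowSeconds: 60           # Window duration in seconds
  queueLimit: 10              # Requests queued when limit reached
  tenantPartitioning: true    # Enable per-tenant rate limits

# Unknown budget configuration (SPRINT_4300_0002_0001)
# Controls enforcement of unknown thresholds by environment.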
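UnknownBudgets:
  enforceBudgets: true  # Set to false to log warnings only
  budgets:
    # Production: Strict limits, block on exceed
    production:
      environment: "production"
      totalLimit: 5
      reasonLimits:
        Reachability: 0    # No reachability unknowns allowed
        Identity: 2        # Max 2 identity unknowns
        Provenance: 2      # Max 2 provenance unknowns
        VexConflict: 0     # No VEX conflicts allowed
        FeedGap: 5         # Some feed gaps tolerated
        ConfigUnknown: 3   # Some config unknowns allowed
        AnalyzerLimit: 5   # Analyzer limits are less critical
      action: Block
      exceededMessage: "Production deployment blocked: unknown budget exceeded."

    # Staging: Moderate limits, warn on exceed
    staging:
      environment: "staging"
      totalLimit: 20
      reasonLimits:
        Reachability: 5
        Identity: 10
        Provenance: 10
        VexConflict: 5
        FeedGap: 15
        ConfigUnknown: 10
        AnalyzerLimit: 15
      action: Warn
      exceededMessage: "Staging warning: unknown budget exceeded."

    # Development: Permissive limits
    development:
      environment: "development"
      totalLimit: 100
      reasonLimits:
        Reachability: 25
        Identity: 50
        Provenance: 50
        VexConflict: 25
        FeedGap: 50
        ConfigUnknown: 50
        AnalyzerLimit: 50
      action: Warn
      exceededMessage: "Development environment unknown budget exceeded."

    # Default: Fallback for unknown environments
    # NOTE(review): this fallback fails open — an environment string that does
    # not match an entry above (e.g. "prod" instead of "production") only warns,
    # and it carries no per-reason limits. Set action to Block (and add
    # reasonLimits) if deployments should fail closed on an unrecognised
    # environment.
    default:
      environment: "default"
      totalLimit: 50
      action: Warn
      exceededMessage: "Unknown budget exceeded."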