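# Feedser configuration template for StellaOps deployments.
# Copy to ../etc/feedser.yaml (relative to the web service content root)
# and adjust the values to match your environment. Environment variables
# (prefixed with FEEDSER_) override these settings at runtime.
#
# NOTE(review): nesting below was reconstructed from a whitespace-collapsed
# copy of this template; confirm key placement against the upstream file.
# NOTE(review): the values here are local-development defaults. Before any
# shared or production deployment, review the items marked SECURITY.

storage:
  driver: mongo
  # Mongo connection string. Use SRV URI or standard connection string.
  # SECURITY: the sample DSN embeds a username and password. Replace them,
  # and supply the real DSN through a FEEDSER_-prefixed environment override
  # or a secret store so credentials are not committed with this file.
  # It also authenticates against the admin database (authSource=admin);
  # prefer an account limited to the Feedser database.
  dsn: "mongodb://feedser:feedser@mongo:27017/feedser?authSource=admin"
  # Optional database name; defaults to the name embedded in the DSN or
  # 'feedser'.
  database: "feedser"
  # Mongo command timeout in seconds.
  commandTimeoutSeconds: 30

plugins:
  # Feedser resolves plug-ins relative to the content root; override as needed.
  # SECURITY: assemblies matching searchPatterns are presumably loaded into
  # the service process - keep this directory writable only by the deployment
  # account (TODO confirm loader behaviour).
  baseDirectory: ".."
  directory: "PluginBinaries"
  searchPatterns:
    - "StellaOps.Feedser.Plugin.*.dll"

telemetry:
  enabled: true
  enableTracing: false
  enableMetrics: false
  enableLogging: true
  minimumLogLevel: "Information"
  serviceName: "stellaops-feedser"
  # Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
  otlpEndpoint: ""
  # Optional headers for OTLP exporters, for example authentication tokens.
  # SECURITY: treat header values as secrets; inject them at runtime rather
  # than storing them in this file.
  otlpHeaders: {}
  # Attach additional resource attributes to telemetry exports.
  resourceAttributes:
    deployment.environment: "local"
  # Emit console exporters for local debugging.
  exportConsole: true

authority:
  # SECURITY: false is the template default; with it, token validation is
  # presumably not enforced at all. Set to true for any deployment reachable
  # by other hosts.
  enabled: false
  # Temporary rollout flag. When true, Feedser logs anonymous access but does
  # not fail requests without tokens. Set to false before 2025-12-31 UTC to
  # enforce authentication fully.
  # SECURITY: while true this is audit-only mode - requests without a token
  # still succeed. Monitor the anonymous-access log entries during rollout.
  allowAnonymousFallback: true
  # Issuer advertised by StellaOps Authority
  # (e.g. https://authority.stella-ops.local).
  issuer: "https://authority.stella-ops.local"
  # Optional explicit metadata address; defaults to
  # {issuer}/.well-known/openid-configuration.
  metadataAddress: ""
  # SECURITY: keep true. Fetching discovery/JWKS documents over plain HTTP
  # would let anyone on the network path substitute the signing keys.
  requireHttpsMetadata: true
  backchannelTimeoutSeconds: 30
  # Widening the skew lengthens the period an expired token is still accepted.
  tokenClockSkewSeconds: 60
  audiences:
    - "api://feedser"
  requiredScopes:
    - "feedser.jobs.trigger"
  # Outbound credentials Feedser can use to call Authority
  # (client credentials flow).
  clientId: "feedser-jobs"
  # Prefer storing the secret outside of the config file. Provide either
  # clientSecret or clientSecretFile.
  # SECURITY: if clientSecretFile is used, restrict read access on that file
  # to the service account.
  clientSecret: ""
  clientSecretFile: ""
  clientScopes:
    - "feedser.jobs.trigger"
  resilience:
    # Enable deterministic retry/backoff when Authority is briefly unavailable.
    enableRetries: true
    retryDelays:
      - "00:00:01"
      - "00:00:02"
      - "00:00:05"
    # Allow stale discovery/JWKS responses when Authority is offline (extend
    # tolerance as needed for air-gapped mirrors).
    # SECURITY: while cached keys are served, a rotated or revoked signing key
    # stays trusted; keep the tolerance as short as operations allow.
    allowOfflineCacheFallback: true
    offlineCacheTolerance: "00:10:00"
  # Networks allowed to bypass authentication (loopback by default for on-host
  # cron jobs).
  # SECURITY: every caller in these ranges skips authentication. Do not add
  # routable ranges. If a reverse proxy runs on the same host, confirm how the
  # client address is resolved, since proxied requests may appear as loopback.
  bypassNetworks:
    - "127.0.0.1/32"
    - "::1/128"

sources:
  ghsa:
    # NOTE(review): "${GITHUB_PAT}" looks like a placeholder; whether the
    # loader expands it is not shown here - confirm. Use a token with the
    # minimum scope needed to read advisories.
    apiToken: "${GITHUB_PAT}"
    pageSize: 50
    maxPagesPerFetch: 5
    requestDelay: "00:00:00.200"
    failureBackoff: "00:05:00"
    rateLimitWarningThreshold: 500
    secondaryRateLimitBackoff: "00:02:00"
  cve:
    baseEndpoint: "https://cveawg.mitre.org/api/"
    # SECURITY: supply apiOrg/apiUser/apiKey at runtime (environment override
    # or secret store) rather than writing them into this file.
    apiOrg: ""
    apiUser: ""
    apiKey: ""
    # Optional mirror used when credentials are unavailable.
    seedDirectory: "./seed-data/cve"
    pageSize: 200
    maxPagesPerFetch: 5
    initialBackfill: "30.00:00:00"
    requestDelay: "00:00:00.250"
    failureBackoff: "00:10:00"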