git.stella-ops.org/etc/authority.yaml

# StellaOps Authority configuration (dev profile)
# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
# stacks and kept under version control so compose/helm bundles mount a working config.

schemaVersion: 1

issuer: "https://authority.localtest.me"

accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

storage:
  connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
  databaseName: "stellaops_authority"
  commandTimeout: "00:00:30"

signing:
  enabled: true
  activeKeyId: "authority-signing-dev"
  keyPath: "../certificates/authority-signing-dev.pem"
  algorithm: "ES256"
  keySource: "file"

bootstrap:
  enabled: false
  apiKey: "change-me"
  defaultIdentityProvider: "standard"

pluginDirectories:
  - "../StellaOps.Authority.PluginBinaries"

plugins:
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        defaultRole: "operators"

clients:
  - clientId: "policy-engine"
    displayName: "Policy Engine Service"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://policy-engine" ]
    scopes: [ "policy:run", "findings:read", "effective:write" ]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "policy-engine"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/policy-engine.secret"

  - clientId: "cartographer-service"
    displayName: "Cartographer Service"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://cartographer" ]
    scopes: [ "graph:write", "graph:read" ]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "cartographer"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/cartographer-service.secret"

  - clientId: "graph-api"
    displayName: "Graph API Gateway"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://graph-api" ]
    scopes: [ "graph:read", "graph:export", "graph:simulate" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api.secret"

  - clientId: "concelier-ingest"
    displayName: "Concelier Ingestion"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://concelier" ]
    scopes: [ "advisory:ingest", "advisory:read" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/concelier-ingest.secret"

  - clientId: "excitor-ingest"
    displayName: "Excititor VEX Ingestion"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://excitor" ]
    scopes: [ "vex:ingest", "vex:read" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/excitor-ingest.secret"

  - clientId: "graph-api-cli"
    displayName: "Graph Explorer CLI"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://graph-api" ]
    scopes: [ "graph:read", "graph:export" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api-cli.secret"

security:
  rateLimiting:
    token:
      enabled: true
      permitLimit: 30
      window: "00:01:00"
      queueLimit: 0
    authorize:
      enabled: true
      permitLimit: 60
      window: "00:01:00"
      queueLimit: 10
  passwordHashing:
    algorithm: "Argon2id"
    memorySizeInKib: 19456
    iterations: 2
    parallelism: 1
  senderConstraints:
    dpop:
      enabled: true
      proofLifetime: "00:05:00"
      allowedClockSkew: "00:00:10"
      replayWindow: "00:10:00"
      nonce:
        enabled: false
    mtls:
      enabled: false

bypassNetworks:
  - "127.0.0.1/32"
  - "::1/128"