git.stella-ops.org/etc/authority.yaml

# StellaOps Authority configuration (dev profile)
# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
# stacks and kept under version control so compose/helm bundles mount a working config.

schemaVersion: 1

issuer: "https://authority.localtest.me"

accessTokenLifetime: "00:02:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

storage:
  connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
  databaseName: "stellaops_authority"
  commandTimeout: "00:00:30"

signing:
  enabled: true
  activeKeyId: "authority-signing-dev"
  keyPath: "../certificates/authority-signing-dev.pem"
  algorithm: "ES256"
  keySource: "file"
  jwksCacheLifetime: "00:05:00"

bootstrap:
  enabled: false
  apiKey: "change-me"
  defaultIdentityProvider: "standard"

pluginDirectories:
  - "../StellaOps.Authority.PluginBinaries"

plugins:
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        defaultRole: "operators"

clients:
  - clientId: "policy-engine"
    displayName: "Policy Engine Service"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://policy-engine" ]
    scopes: [ "policy:run", "findings:read", "effective:write" ]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "policy-engine"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/policy-engine.secret"

  - clientId: "policy-cli"
    displayName: "Policy Automation CLI"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://policy-engine" ]
    scopes: [ "policy:read", "policy:author", "policy:review", "policy:simulate", "findings:read" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/policy-cli.secret"

  - clientId: "cartographer-service"
    displayName: "Cartographer Service"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://cartographer" ]
    scopes: [ "graph:write", "graph:read" ]
    tenant: "tenant-default"
    properties:
      serviceIdentity: "cartographer"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/cartographer-service.secret"

  - clientId: "graph-api"
    displayName: "Graph API Gateway"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://graph-api" ]
    scopes: [ "graph:read", "graph:export", "graph:simulate" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api.secret"
  - clientId: "export-center-operator"
    displayName: "Export Center Operator"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://export-center" ]
    scopes: [ "export.viewer", "export.operator" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/export-center-operator.secret"
  - clientId: "export-center-admin"
    displayName: "Export Center Admin"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://export-center" ]
    scopes: [ "export.viewer", "export.operator", "export.admin" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/export-center-admin.secret"

  - clientId: "concelier-ingest"
    displayName: "Concelier Ingestion"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://concelier" ]
    scopes: [ "advisory:ingest", "advisory:read" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/concelier-ingest.secret"

  - clientId: "excitor-ingest"
    displayName: "Excititor VEX Ingestion"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://excitor" ]
    scopes: [ "vex:ingest", "vex:read" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/excitor-ingest.secret"

  - clientId: "graph-api-cli"
    displayName: "Graph Explorer CLI"
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://graph-api" ]
    scopes: [ "graph:read", "graph:export" ]
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/graph-api-cli.secret"

tenants:
  - name: "tenant-default"
    roles:
      orch-viewer:
        scopes: [ "orch:read" ]
      orch-operator:
        scopes: [ "orch:read", "orch:operate" ]
      orch-admin:
        scopes: [ "orch:read", "orch:operate", "orch:quota" ]
      export-viewer:
        scopes: [ "export.viewer" ]
      export-operator:
        scopes: [ "export.viewer", "export.operator" ]
      export-admin:
        scopes: [ "export.viewer", "export.operator", "export.admin" ]
      policy-author:
        scopes: [ "policy:author", "policy:read", "policy:simulate", "findings:read" ]
      policy-reviewer:
        scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
      policy-approver:
        scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
      policy-operator:
        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
      policy-auditor:
        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
      advisory-ai-viewer:
        scopes: [ "advisory-ai:view" ]
      advisory-ai-operator:
        scopes: [ "advisory-ai:view", "advisory-ai:operate" ]
      advisory-ai-admin:
        scopes: [ "advisory-ai:view", "advisory-ai:operate", "advisory-ai:admin" ]
      observability-viewer:
        scopes: [ "obs:read", "timeline:read", "evidence:read", "attest:read" ]
      observability-investigator:
        scopes: [ "obs:read", "timeline:read", "timeline:write", "evidence:read", "evidence:create", "attest:read" ]
      observability-legal:
        scopes: [ "evidence:read", "evidence:hold" ]
      observability-incident-commander:
        scopes: [ "obs:read", "obs:incident", "timeline:read", "timeline:write", "evidence:create", "evidence:read", "attest:read" ]

security:
  rateLimiting:
    token:
      enabled: true
      permitLimit: 30
      window: "00:01:00"
      queueLimit: 0
    authorize:
      enabled: true
      permitLimit: 60
      window: "00:01:00"
      queueLimit: 10
  passwordHashing:
    algorithm: "Argon2id"
    memorySizeInKib: 19456
    iterations: 2
    parallelism: 1
  senderConstraints:
    dpop:
      enabled: true
      proofLifetime: "00:05:00"
      allowedClockSkew: "00:00:10"
      replayWindow: "00:10:00"
      nonce:
        enabled: false
    mtls:
      enabled: false

advisoryAi:
  remoteInference:
    enabled: false
    requireTenantConsent: true
    allowedProfiles: []

bypassNetworks:
  - "127.0.0.1/32"
  - "::1/128"