Much work.

config/cache.yml

@@ -6,6 +6,7 @@ default: &default
     namespace: <%= Rails.env %>
 
 development:
+  database: cache
   <<: *default
 
 test:

config/database.yml

@@ -10,8 +10,21 @@ default: &default
   timeout: 5000
 
 development:
-  <<: *default
-  database: storage/development.sqlite3
+  primary:
+    <<: *default
+    database: storage/development.sqlite3
+  cache:
+    <<: *default
+    database: storage/development_cache.sqlite3
+    migrations_paths: db/cache_migrate
+  queue:
+    <<: *default
+    database: storage/development_queue.sqlite3
+    migrations_paths: db/queue_migrate
+  cable:
+    <<: *default
+    database: storage/development_cable.sqlite3
+    migrations_paths: db/cable_migrate
 
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".

config/environments/production.rb

@@ -87,4 +87,18 @@ Rails.application.configure do
   #
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  # Docker Compose friendly settings
+  config.log_level = :info
+  config.log_tags = [ :request_id ]
+
+  # Log to stdout for Docker container logging
+  if ENV["RAILS_LOG_TO_STDOUT"].present?
+    logger           = ActiveSupport::Logger.new(STDOUT)
+    logger.formatter = config.log_formatter
+    config.logger    = ActiveSupport::TaggedLogging.new(logger)
+  end
+
+  # Serve static files (Docker Compose deployments typically don't have a separate web server)
+  config.public_file_server.enabled = true
 end

config/initializers/omniauth.rb

@@ -0,0 +1,29 @@
+Rails.application.config.middleware.use OmniAuth::Builder do
+  # Only configure OIDC if environment variables are present
+  if ENV['OIDC_DISCOVERY_URL'].present? && ENV['OIDC_CLIENT_ID'].present? && ENV['OIDC_CLIENT_SECRET'].present?
+    provider :openid_connect, {
+      name: :oidc,
+      scope: [:openid, :email, :groups],
+      response_type: :code,
+      client_options: {
+        identifier: ENV['OIDC_CLIENT_ID'],
+        secret: ENV['OIDC_CLIENT_SECRET'],
+        redirect_uri: ENV['OIDC_REDIRECT_URI'] || "#{Rails.application.routes.url_helpers.root_url}auth/oidc/callback",
+        discovery: true,
+        authorization_endpoint: nil,
+        token_endpoint: nil,
+        userinfo_endpoint: nil,
+        jwks_uri: nil
+      },
+      discovery_document: {
+        issuer: ENV['OIDC_ISSUER'] # Optional, defaults to discovery URL issuer
+      }
+    }
+  end
+end
+
+# Disable OmniAuth logging in production
+OmniAuth.config.logger = Rails.logger if Rails.env.production?
+
+# Set OmniAuth failure mode
+OmniAuth.config.failure_raise_out_environments = %w[development test]

config/routes.rb

@@ -1,4 +1,16 @@
 Rails.application.routes.draw do
+  # Registration only allowed when no users exist
+  resource :registration, only: [:new, :create]
+  resource :session
+  resources :passwords, param: :token
+
+  # OIDC authentication routes
+  get "/auth/failure", to: "omniauth_callbacks#failure"
+  get "/auth/:provider/callback", to: "omniauth_callbacks#oidc"
+
+  # Admin user management (admin only)
+  resources :users, only: [:index, :show, :edit, :update]
+
   # Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html
 
   # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
@@ -7,10 +19,11 @@ Rails.application.routes.draw do
 
   # WAF API
   namespace :api, defaults: { format: :json } do
-    # Event ingestion
+    # Event ingestion (PRIMARY method - includes rule updates in response)
     post ":project_id/events", to: "events#create"
 
-    # Rule synchronization
+    # Rule synchronization (SECONDARY - for admin/debugging only)
+    # Note: Agents should use event responses for rule synchronization
     get ":public_key/rules/version", to: "rules#version"
     get ":public_key/rules", to: "rules#index"
   end