Resolve Concelier/Excititor merge conflicts

deploy/README.md

@@ -0,0 +1,20 @@
+# Deployment Profiles
+
+This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`.
+
+## Structure
+
+- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
+- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
+- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth.
+- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
+- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
+
+## Workflow
+
+1. Update or add a release manifest under `releases/` with the new digests.
+2. Mirror the digests into the Compose and Helm profiles that correspond to that channel.
+3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
+4. Commit the change alongside any documentation updates (e.g. install guide cross-links).
+
+Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments.

deploy/compose/README.md

@@ -0,0 +1,31 @@
+# Stella Ops Compose Profiles
+
+These Compose bundles ship the minimum services required to exercise the scanner pipeline plus control-plane dependencies. Every profile is pinned to immutable image digests sourced from `deploy/releases/*.yaml` and is linted via `docker compose config` in CI.
+
+## Layout
+
+| Path | Purpose |
+| ---- | ------- |
+| `docker-compose.dev.yaml` | Edge/nightly stack tuned for laptops and iterative work. |
+| `docker-compose.stage.yaml` | Stable channel stack mirroring pre-production clusters. |
+| `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
+| `docker-compose.mirror.yaml` | Managed mirror topology for `*.stella-ops.org` distribution (Concelier + Excititor + CDN gateway). |
+| `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
+
+## Usage
+
+```bash
+cp env/dev.env.example dev.env
+docker compose --env-file dev.env -f docker-compose.dev.yaml config
+docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
+```
+
+The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
+
+### Updating to a new release
+
+1. Import the new manifest into `deploy/releases/` (see `deploy/README.md`).
+2. Update image digests in the relevant Compose file(s).
+3. Re-run `docker compose config` to confirm the bundle is deterministic.
+
+Keep digests synchronized between Compose, Helm, and the release manifest to preserve reproducibility guarantees. `deploy/tools/validate-profiles.sh` performs a quick audit.

deploy/compose/docker-compose.airgap.yaml

@@ -0,0 +1,204 @@
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.09.2-airgap"
+  com.stellaops.release.channel: "airgap"
+  com.stellaops.profile: "airgap"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-29001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-24222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  notify-web:
+    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - authority
+    environment:
+      DOTNET_ENVIRONMENT: Production
+    volumes:
+      - ../../etc/notify.prod.yaml:/app/etc/notify.yaml:ro
+    ports:
+      - "${NOTIFY_WEB_PORT:-9446}:8446"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-9443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/docker-compose.dev.yaml

@@ -0,0 +1,202 @@
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.10.0-edge"
+  com.stellaops.release.channel: "edge"
+  com.stellaops.profile: "dev"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-4222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  notify-web:
+    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.10.0-edge}
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - authority
+    environment:
+      DOTNET_ENVIRONMENT: Development
+    volumes:
+      - ../../etc/notify.dev.yaml:/app/etc/notify.yaml:ro
+    ports:
+      - "${NOTIFY_WEB_PORT:-8446}:8446"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-8443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/docker-compose.mirror.yaml

@@ -0,0 +1,152 @@
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.10.0-edge"
+  com.stellaops.release.channel: "edge"
+  com.stellaops.profile: "mirror-managed"
+
+networks:
+  mirror:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  concelier-exports:
+  excititor-exports:
+  nginx-cache:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - mirror
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER:-stellaops-mirror}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:-mirror-minio-secret}"
+    volumes:
+      - minio-data:/data
+    networks:
+      - mirror
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      ASPNETCORE_URLS: "http://+:8445"
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}:${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}@mongo:27017/concelier?authSource=admin"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER:-stellaops-mirror}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD:-mirror-minio-secret}"
+      CONCELIER__TELEMETRY__SERVICENAME: "stellaops-concelier-mirror"
+      CONCELIER__MIRROR__ENABLED: "true"
+      CONCELIER__MIRROR__EXPORTROOT: "/exports/json"
+      CONCELIER__MIRROR__LATESTDIRECTORYNAME: "${CONCELIER_MIRROR_LATEST_SEGMENT:-latest}"
+      CONCELIER__MIRROR__MIRRORDIRECTORYNAME: "${CONCELIER_MIRROR_DIRECTORY_SEGMENT:-mirror}"
+      CONCELIER__MIRROR__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_REQUIRE_AUTH:-true}"
+      CONCELIER__MIRROR__MAXINDEXREQUESTSPERHOUR: "${CONCELIER_MIRROR_INDEX_BUDGET:-600}"
+      CONCELIER__MIRROR__DOMAINS__0__ID: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_ID:-primary}"
+      CONCELIER__MIRROR__DOMAINS__0__DISPLAYNAME: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME:-Primary Mirror}"
+      CONCELIER__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH:-true}"
+      CONCELIER__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET:-3600}"
+      CONCELIER__MIRROR__DOMAINS__1__ID: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_ID:-community}"
+      CONCELIER__MIRROR__DOMAINS__1__DISPLAYNAME: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME:-Community Mirror}"
+      CONCELIER__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH:-false}"
+      CONCELIER__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET:-1800}"
+      CONCELIER__AUTHORITY__ENABLED: "${CONCELIER_AUTHORITY_ENABLED:-true}"
+      CONCELIER__AUTHORITY__ALLOWANONYMOUSFALLBACK: "${CONCELIER_AUTHORITY_ALLOW_ANON:-false}"
+      CONCELIER__AUTHORITY__ISSUER: "${CONCELIER_AUTHORITY_ISSUER:-https://authority.stella-ops.org}"
+      CONCELIER__AUTHORITY__METADATAADDRESS: "${CONCELIER_AUTHORITY_METADATA:-}"
+      CONCELIER__AUTHORITY__CLIENTID: "${CONCELIER_AUTHORITY_CLIENT_ID:-stellaops-concelier-mirror}"
+      CONCELIER__AUTHORITY__CLIENTSECRETFILE: "/run/secrets/concelier-authority-client"
+      CONCELIER__AUTHORITY__CLIENTSCOPES__0: "${CONCELIER_AUTHORITY_SCOPE:-concelier.mirror.read}"
+      CONCELIER__AUTHORITY__AUDIENCES__0: "${CONCELIER_AUTHORITY_AUDIENCE:-api://concelier.mirror}"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__0: "10.0.0.0/8"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__1: "127.0.0.1/32"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__2: "::1/128"
+      CONCELIER__AUTHORITY__RESILIENCE__ENABLERETRIES: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__0: "00:00:01"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__1: "00:00:02"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__2: "00:00:05"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:10:00"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+      - concelier-exports:/exports/json
+      - ./mirror-secrets:/run/secrets:ro
+    networks:
+      - mirror
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      ASPNETCORE_URLS: "http://+:8448"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}:${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}@mongo:27017/excititor?authSource=admin"
+      EXCITITOR__STORAGE__MONGO__DATABASENAME: "${EXCITITOR_MONGO_DATABASE:-excititor}"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT: "/exports"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__OVERWRITEEXISTING: "${EXCITITOR_FILESYSTEM_OVERWRITE:-false}"
+      EXCITITOR__MIRROR__DOMAINS__0__ID: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID:-primary}"
+      EXCITITOR__MIRROR__DOMAINS__0__DISPLAYNAME: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME:-Primary Mirror}"
+      EXCITITOR__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH:-true}"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXINDEXREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET:-300}"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET:-2400}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__KEY: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY:-consensus-json}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__FORMAT: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT:-json}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__VIEW: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW:-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__KEY: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY:-consensus-openvex}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__FORMAT: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT:-openvex}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__VIEW: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW:-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__1__ID: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID:-community}"
+      EXCITITOR__MIRROR__DOMAINS__1__DISPLAYNAME: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME:-Community Mirror}"
+      EXCITITOR__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH:-false}"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXINDEXREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET:-120}"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET:-600}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__KEY: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY:-community-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__FORMAT: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT:-json}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__VIEW: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW:-consensus}"
+    volumes:
+      - excititor-exports:/exports
+      - ./mirror-secrets:/run/secrets:ro
+    expose:
+      - "8448"
+    networks:
+      - mirror
+    labels: *release-labels
+
+  mirror-gateway:
+    image: docker.io/library/nginx@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - excititor
+    ports:
+      - "${MIRROR_GATEWAY_HTTP_PORT:-8080}:80"
+      - "${MIRROR_GATEWAY_HTTPS_PORT:-9443}:443"
+    volumes:
+      - nginx-cache:/var/cache/nginx
+      - ./mirror-gateway/conf.d:/etc/nginx/conf.d:ro
+      - ./mirror-gateway/tls:/etc/nginx/tls:ro
+      - ./mirror-gateway/secrets:/etc/nginx/secrets:ro
+    networks:
+      - mirror
+    labels: *release-labels

deploy/compose/docker-compose.stage.yaml

@@ -0,0 +1,202 @@
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.09.2"
+  com.stellaops.release.channel: "stable"
+  com.stellaops.profile: "stage"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-4222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  notify-web:
+    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.09.2}
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - authority
+    environment:
+      DOTNET_ENVIRONMENT: Production
+    volumes:
+      - ../../etc/notify.stage.yaml:/app/etc/notify.yaml:ro
+    ports:
+      - "${NOTIFY_WEB_PORT:-8446}:8446"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-8443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/env/airgap.env.example

@@ -0,0 +1,17 @@
+# Substitutions for docker-compose.airgap.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=airgap-password
+MINIO_ROOT_USER=stellaops-offline
+MINIO_ROOT_PASSWORD=airgap-minio-secret
+MINIO_CONSOLE_PORT=29001
+AUTHORITY_ISSUER=https://authority.airgap.local
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=9443
+NATS_CLIENT_PORT=24222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00

deploy/compose/env/dev.env.example

@@ -0,0 +1,16 @@
+# Substitutions for docker-compose.dev.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=dev-password
+MINIO_ROOT_USER=stellaops
+MINIO_ROOT_PASSWORD=dev-minio-secret
+MINIO_CONSOLE_PORT=9001
+AUTHORITY_ISSUER=https://authority.localtest.me
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222

deploy/compose/env/mirror.env.example

@@ -0,0 +1,57 @@
+# Managed mirror profile substitutions
+
+# Core infrastructure credentials
+MONGO_INITDB_ROOT_USERNAME=stellaops_mirror
+MONGO_INITDB_ROOT_PASSWORD=mirror-password
+MINIO_ROOT_USER=stellaops-mirror
+MINIO_ROOT_PASSWORD=mirror-minio-secret
+
+# Mirror HTTP listeners
+MIRROR_GATEWAY_HTTP_PORT=8080
+MIRROR_GATEWAY_HTTPS_PORT=9443
+
+# Concelier mirror configuration
+CONCELIER_MIRROR_LATEST_SEGMENT=latest
+CONCELIER_MIRROR_DIRECTORY_SEGMENT=mirror
+CONCELIER_MIRROR_REQUIRE_AUTH=true
+CONCELIER_MIRROR_INDEX_BUDGET=600
+CONCELIER_MIRROR_DOMAIN_PRIMARY_ID=primary
+CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH=true
+CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=3600
+CONCELIER_MIRROR_DOMAIN_SECONDARY_ID=community
+CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH=false
+CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=1800
+
+# Authority integration (tokens issued by production Authority)
+CONCELIER_AUTHORITY_ENABLED=true
+CONCELIER_AUTHORITY_ALLOW_ANON=false
+CONCELIER_AUTHORITY_ISSUER=https://authority.stella-ops.org
+CONCELIER_AUTHORITY_METADATA=
+CONCELIER_AUTHORITY_CLIENT_ID=stellaops-concelier-mirror
+CONCELIER_AUTHORITY_SCOPE=concelier.mirror.read
+CONCELIER_AUTHORITY_AUDIENCE=api://concelier.mirror
+
+# Excititor mirror configuration
+EXCITITOR_MONGO_DATABASE=excititor
+EXCITITOR_FILESYSTEM_OVERWRITE=false
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID=primary
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH=true
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET=300
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=2400
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY=consensus-json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT=json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW=consensus
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY=consensus-openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT=openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW=consensus
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID=community
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH=false
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET=120
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=600
+EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY=community-consensus
+EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT=json
+EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW=consensus

deploy/compose/env/stage.env.example

@@ -0,0 +1,16 @@
+# Substitutions for docker-compose.stage.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=stage-password
+MINIO_ROOT_USER=stellaops-stage
+MINIO_ROOT_PASSWORD=stage-minio-secret
+MINIO_CONSOLE_PORT=19001
+AUTHORITY_ISSUER=https://authority.stage.stella-ops.internal
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222

deploy/compose/mirror-gateway/README.md

@@ -0,0 +1,13 @@
+# Mirror Gateway Assets
+
+This directory holds the reverse-proxy configuration and TLS material for the managed
+mirror profile:
+
+- `conf.d/*.conf` – nginx configuration shipped with the profile.
+- `tls/` – place environment-specific certificates and private keys
+  (`mirror-primary.{crt,key}`, `mirror-community.{crt,key}`, etc.).
+- `secrets/` – populate Basic Auth credential stores (`*.htpasswd`) that gate each
+  mirror domain. Generate with `htpasswd -B`.
+
+The Compose bundle mounts these paths read-only. Populate `tls/` with the actual
+certificates before invoking `docker compose config` or `docker compose up`.

deploy/compose/mirror-gateway/conf.d/mirror-locations.conf

@@ -0,0 +1,44 @@
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_redirect                     off;
+
+add_header X-Cache-Status $upstream_cache_status always;
+
+location = /healthz {
+    default_type application/json;
+    return 200 '{"status":"ok"}';
+}
+
+location /concelier/exports/ {
+    proxy_pass http://concelier_backend/concelier/exports/;
+    proxy_cache mirror_cache;
+    proxy_cache_key $mirror_cache_key;
+    proxy_cache_valid 200 5m;
+    proxy_cache_valid 404 1m;
+    add_header Cache-Control "public, max-age=300, immutable" always;
+}
+
+location /concelier/ {
+    proxy_pass http://concelier_backend/concelier/;
+    proxy_cache off;
+}
+
+location /excititor/mirror/ {
+    proxy_pass http://excititor_backend/excititor/mirror/;
+    proxy_cache mirror_cache;
+    proxy_cache_key $mirror_cache_key;
+    proxy_cache_valid 200 5m;
+    proxy_cache_valid 404 1m;
+    add_header Cache-Control "public, max-age=300, immutable" always;
+}
+
+location /excititor/ {
+    proxy_pass http://excititor_backend/excititor/;
+    proxy_cache off;
+}
+
+location / {
+    return 404;
+}

deploy/compose/mirror-gateway/conf.d/mirror.conf

@@ -0,0 +1,51 @@
+proxy_cache_path /var/cache/nginx/mirror levels=1:2 keys_zone=mirror_cache:100m max_size=10g inactive=12h use_temp_path=off;
+
+map $request_uri $mirror_cache_key {
+    default $scheme$request_method$host$request_uri;
+}
+
+upstream concelier_backend {
+    server concelier:8445;
+    keepalive 32;
+}
+
+upstream excititor_backend {
+    server excititor:8448;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mirror-primary.stella-ops.org;
+
+    ssl_certificate     /etc/nginx/tls/mirror-primary.crt;
+    ssl_certificate_key /etc/nginx/tls/mirror-primary.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    auth_basic "StellaOps Mirror – primary";
+    auth_basic_user_file /etc/nginx/secrets/mirror-primary.htpasswd;
+
+    include /etc/nginx/conf.d/mirror-locations.conf;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mirror-community.stella-ops.org;
+
+    ssl_certificate     /etc/nginx/tls/mirror-community.crt;
+    ssl_certificate_key /etc/nginx/tls/mirror-community.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    auth_basic "StellaOps Mirror – community";
+    auth_basic_user_file /etc/nginx/secrets/mirror-community.htpasswd;
+
+    include /etc/nginx/conf.d/mirror-locations.conf;
+}

deploy/helm/stellaops/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: stellaops
+description: Stella Ops core stack (authority, signing, scanner, UI) with infrastructure primitives.
+type: application
+version: 0.1.0
+appVersion: "2025.10.0"

deploy/helm/stellaops/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{- define "stellaops.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "stellaops.fullname" -}}
+{{- $name := default .root.Chart.Name .root.Values.fullnameOverride -}}
+{{- printf "%s-%s" $name .name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "stellaops.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stellaops.name" .root | quote }}
+app.kubernetes.io/instance: {{ .root.Release.Name | quote }}
+app.kubernetes.io/component: {{ .name | quote }}
+{{- if .svc.class }}
+app.kubernetes.io/part-of: {{ printf "stellaops-%s" .svc.class | quote }}
+{{- else }}
+app.kubernetes.io/part-of: "stellaops-core"
+{{- end }}
+{{- end -}}
+
+{{- define "stellaops.labels" -}}
+{{ include "stellaops.selectorLabels" . }}
+helm.sh/chart: {{ printf "%s-%s" .root.Chart.Name .root.Chart.Version | quote }}
+app.kubernetes.io/version: {{ .root.Values.global.release.version | quote }}
+app.kubernetes.io/managed-by: {{ .root.Release.Service | quote }}
+stellaops.release/channel: {{ .root.Values.global.release.channel | quote }}
+stellaops.profile: {{ .root.Values.global.profile | quote }}
+{{- range $k, $v := .root.Values.global.labels }}
+{{ $k }}: {{ $v | quote }}
+{{- end }}
+{{- end -}}

deploy/helm/stellaops/templates/configmap-release.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" . "name" "release") }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" . "name" "release" "svc" (dict "class" "meta")) | nindent 4 }}
+data:
+  version: {{ .Values.global.release.version | quote }}
+  channel: {{ .Values.global.release.channel | quote }}
+  manifestSha256: {{ default "" .Values.global.release.manifestSha256 | quote }}

deploy/helm/stellaops/templates/configmaps.yaml

@@ -0,0 +1,15 @@
+{{- $root := . -}}
+{{- range $name, $cfg := .Values.configMaps }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" (dict "class" "config")) | nindent 4 }}
+data:
+{{- range $fileName, $content := $cfg.data }}
+  {{ $fileName }}: |
+{{ $content | nindent 4 }}
+{{- end }}
+---
+{{- end }}

deploy/helm/stellaops/templates/core.yaml

@@ -0,0 +1,154 @@
+{{- $root := . -}}
+{{- range $name, $svc := .Values.services }}
+{{- $configMounts := (default (list) $svc.configMounts) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+spec:
+  replicas: {{ default 1 $svc.replicas }}
+  selector:
+    matchLabels:
+      {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 8 }}
+      annotations:
+        stellaops.release/version: {{ $root.Values.global.release.version | quote }}
+        stellaops.release/channel: {{ $root.Values.global.release.channel | quote }}
+    spec:
+      containers:
+        - name: {{ $name }}
+          image: {{ $svc.image | quote }}
+          imagePullPolicy: {{ default $root.Values.global.image.pullPolicy $svc.imagePullPolicy }}
+{{- if $svc.command }}
+          command:
+{{- range $cmd := $svc.command }}
+            - {{ $cmd | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.args }}
+          args:
+{{- range $arg := $svc.args }}
+            - {{ $arg | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.env }}
+          env:
+{{- range $envName, $envValue := $svc.env }}
+            - name: {{ $envName }}
+              value: {{ $envValue | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.envFrom }}
+          envFrom:
+{{ toYaml $svc.envFrom | nindent 12 }}
+{{- end }}
+{{- if $svc.ports }}
+          ports:
+{{- range $port := $svc.ports }}
+            - name: {{ default (printf "%s-%v" $name $port.containerPort) $port.name | trunc 63 | trimSuffix "-" }}
+              containerPort: {{ $port.containerPort }}
+              protocol: {{ default "TCP" $port.protocol }}
+{{- end }}
+{{- else if and $svc.service (hasKey $svc.service "port") }}
+          {{- $svcService := $svc.service }}
+          ports:
+            - name: {{ printf "%s-http" $name | trunc 63 | trimSuffix "-" }}
+              containerPort: {{ default (index $svcService "port") (index $svcService "targetPort") }}
+              protocol: {{ default "TCP" (index $svcService "protocol") }}
+{{- end }}
+{{- if $svc.resources }}
+          resources:
+{{ toYaml $svc.resources | nindent 12 }}
+{{- end }}
+{{- if $svc.livenessProbe }}
+          livenessProbe:
+{{ toYaml $svc.livenessProbe | nindent 12 }}
+{{- end }}
+{{- if $svc.readinessProbe }}
+          readinessProbe:
+{{ toYaml $svc.readinessProbe | nindent 12 }}
+{{- end }}
+{{- if or $svc.volumeMounts $configMounts }}
+          volumeMounts:
+{{- if $svc.volumeMounts }}
+{{ toYaml $svc.volumeMounts | nindent 12 }}
+{{- end }}
+{{- range $mount := $configMounts }}
+            - name: {{ $mount.name }}
+              mountPath: {{ $mount.mountPath }}
+{{- if $mount.subPath }}
+              subPath: {{ $mount.subPath }}
+{{- end }}
+{{- if hasKey $mount "readOnly" }}
+              readOnly: {{ $mount.readOnly }}
+{{- else }}
+              readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+      {{- if or $svc.volumes (or $svc.volumeClaims $configMounts) }}
+      volumes:
+{{- if $svc.volumes }}
+{{ toYaml $svc.volumes | nindent 8 }}
+{{- end }}
+{{- if $svc.volumeClaims }}
+{{- range $claim := $svc.volumeClaims }}
+        - name: {{ $claim.name }}
+          persistentVolumeClaim:
+            claimName: {{ $claim.claimName }}
+{{- end }}
+{{- end }}
+{{- range $mount := $configMounts }}
+        - name: {{ $mount.name }}
+          configMap:
+            name: {{ include "stellaops.fullname" (dict "root" $root "name" $mount.configMap) }}
+{{- if $mount.items }}
+            items:
+{{ toYaml $mount.items | nindent 12 }}
+{{- else if $mount.subPath }}
+            items:
+              - key: {{ $mount.subPath }}
+                path: {{ $mount.subPath }}
+{{- end }}
+{{- end }}
+      {{- end }}
+      {{- if $svc.serviceAccount }}
+      serviceAccountName: {{ $svc.serviceAccount | quote }}
+      {{- end }}
+      {{- if $svc.nodeSelector }}
+      nodeSelector:
+{{ toYaml $svc.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if $svc.affinity }}
+      affinity:
+{{ toYaml $svc.affinity | nindent 8 }}
+      {{- end }}
+      {{- if $svc.tolerations }}
+      tolerations:
+{{ toYaml $svc.tolerations | nindent 8 }}
+      {{- end }}
+---
+{{- if $svc.service }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+spec:
+  type: {{ default "ClusterIP" $svc.service.type }}
+  selector:
+    {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+  ports:
+    - name: {{ default "http" $svc.service.portName }}
+      port: {{ $svc.service.port }}
+      targetPort: {{ $svc.service.targetPort | default $svc.service.port }}
+      protocol: {{ default "TCP" $svc.service.protocol }}
+---
+{{- end }}
+{{- end }}

deploy/helm/stellaops/values-airgap.yaml

@@ -0,0 +1,187 @@
+global:
+  profile: airgap
+  release:
+    version: "2025.09.2-airgap"
+    channel: airgap
+    manifestSha256: "b787b833dddd73960c31338279daa0b0a0dce2ef32bd32ef1aaf953d66135f94"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: airgap
+
+configMaps:
+  notify-config:
+    data:
+      notify.yaml: |
+        storage:
+          driver: mongo
+          connectionString: "mongodb://notify-mongo.prod.svc.cluster.local:27017"
+          database: "stellaops_notify"
+          commandTimeoutSeconds: 60
+
+        authority:
+          enabled: true
+          issuer: "https://authority.stella-ops.org"
+          metadataAddress: "https://authority.stella-ops.org/.well-known/openid-configuration"
+          requireHttpsMetadata: true
+          allowAnonymousFallback: false
+          backchannelTimeoutSeconds: 30
+          tokenClockSkewSeconds: 60
+          audiences:
+            - notify
+          readScope: notify.read
+          adminScope: notify.admin
+
+        api:
+          basePath: "/api/v1/notify"
+          internalBasePath: "/internal/notify"
+          tenantHeader: "X-StellaOps-Tenant"
+
+        plugins:
+          baseDirectory: "/var/opt/stellaops"
+          directory: "plugins/notify"
+          searchPatterns:
+            - "StellaOps.Notify.Connectors.*.dll"
+          orderedPlugins:
+            - StellaOps.Notify.Connectors.Slack
+            - StellaOps.Notify.Connectors.Teams
+            - StellaOps.Notify.Connectors.Email
+            - StellaOps.Notify.Connectors.Webhook
+
+        telemetry:
+          enableRequestLogging: true
+          minimumLogLevel: Warning
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "file:///offline/poe/introspect.json"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:45:00"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  notify-web:
+    image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
+    service:
+      port: 8446
+    env:
+      DOTNET_ENVIRONMENT: Production
+    configMounts:
+      - name: notify-config
+        mountPath: /app/etc/notify.yaml
+        subPath: notify.yaml
+        configMap: notify-config
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+    service:
+      port: 9443
+      targetPort: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops-airgap
+      MONGO_INITDB_ROOT_PASSWORD: stellaops-airgap
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops-airgap
+      MINIO_ROOT_PASSWORD: airgap-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumeClaims:
+      - name: nats-data
+        claimName: stellaops-nats-data

deploy/helm/stellaops/values-dev.yaml

@@ -0,0 +1,185 @@
+global:
+  profile: dev
+  release:
+    version: "2025.10.0-edge"
+    channel: edge
+    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: edge
+
+configMaps:
+  notify-config:
+    data:
+      notify.yaml: |
+        storage:
+          driver: mongo
+          connectionString: "mongodb://notify-mongo.dev.svc.cluster.local:27017"
+          database: "stellaops_notify_dev"
+          commandTimeoutSeconds: 30
+
+        authority:
+          enabled: true
+          issuer: "https://authority.dev.stella-ops.local"
+          metadataAddress: "https://authority.dev.stella-ops.local/.well-known/openid-configuration"
+          requireHttpsMetadata: false
+          allowAnonymousFallback: false
+          backchannelTimeoutSeconds: 30
+          tokenClockSkewSeconds: 60
+          audiences:
+            - notify.dev
+          readScope: notify.read
+          adminScope: notify.admin
+
+        api:
+          basePath: "/api/v1/notify"
+          internalBasePath: "/internal/notify"
+          tenantHeader: "X-StellaOps-Tenant"
+
+        plugins:
+          baseDirectory: "../"
+          directory: "plugins/notify"
+          searchPatterns:
+            - "StellaOps.Notify.Connectors.*.dll"
+          orderedPlugins:
+            - StellaOps.Notify.Connectors.Slack
+            - StellaOps.Notify.Connectors.Teams
+            - StellaOps.Notify.Connectors.Email
+            - StellaOps.Notify.Connectors.Webhook
+
+        telemetry:
+          enableRequestLogging: true
+          minimumLogLevel: Debug
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.svc.local/introspect"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumes:
+      - name: concelier-jobs
+        emptyDir: {}
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  notify-web:
+    image: registry.stella-ops.org/stellaops/notify-web:2025.10.0-edge
+    service:
+      port: 8446
+    env:
+      DOTNET_ENVIRONMENT: Development
+    configMounts:
+      - name: notify-config
+        mountPath: /app/etc/notify.yaml
+        subPath: notify.yaml
+        configMap: notify-config
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops
+      MONGO_INITDB_ROOT_PASSWORD: stellaops
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumes:
+      - name: mongo-data
+        emptyDir: {}
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops
+      MINIO_ROOT_PASSWORD: dev-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumes:
+      - name: minio-data
+        emptyDir: {}
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumes:
+      - name: nats-data
+        emptyDir: {}

deploy/helm/stellaops/values-mirror.yaml

@@ -0,0 +1,282 @@
+global:
+  profile: mirror-managed
+  release:
+    version: "2025.10.0-edge"
+    channel: edge
+    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: edge
+
+configMaps:
+  mirror-gateway:
+    data:
+      mirror.conf: |
+        proxy_cache_path /var/cache/nginx/mirror levels=1:2 keys_zone=mirror_cache:100m max_size=10g inactive=12h use_temp_path=off;
+
+        map $request_uri $mirror_cache_key {
+            default $scheme$request_method$host$request_uri;
+        }
+
+        upstream concelier_backend {
+            server stellaops-concelier:8445;
+            keepalive 32;
+        }
+
+        upstream excititor_backend {
+            server stellaops-excititor:8448;
+            keepalive 32;
+        }
+
+        server {
+            listen 80;
+            server_name _;
+            return 301 https://$host$request_uri;
+        }
+
+        server {
+            listen 443 ssl http2;
+            server_name mirror-primary.stella-ops.org;
+
+            ssl_certificate     /etc/nginx/tls/mirror-primary.crt;
+            ssl_certificate_key /etc/nginx/tls/mirror-primary.key;
+            ssl_protocols       TLSv1.2 TLSv1.3;
+            ssl_prefer_server_ciphers on;
+
+            auth_basic "StellaOps Mirror – primary";
+            auth_basic_user_file /etc/nginx/secrets/mirror-primary.htpasswd;
+
+            include /etc/nginx/conf.d/mirror-locations.conf;
+        }
+
+        server {
+            listen 443 ssl http2;
+            server_name mirror-community.stella-ops.org;
+
+            ssl_certificate     /etc/nginx/tls/mirror-community.crt;
+            ssl_certificate_key /etc/nginx/tls/mirror-community.key;
+            ssl_protocols       TLSv1.2 TLSv1.3;
+            ssl_prefer_server_ciphers on;
+
+            auth_basic "StellaOps Mirror – community";
+            auth_basic_user_file /etc/nginx/secrets/mirror-community.htpasswd;
+
+            include /etc/nginx/conf.d/mirror-locations.conf;
+        }
+      mirror-locations.conf: |
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect                     off;
+
+        add_header X-Cache-Status $upstream_cache_status always;
+
+        location = /healthz {
+            default_type application/json;
+            return 200 '{"status":"ok"}';
+        }
+
+        location /concelier/exports/ {
+            proxy_pass http://concelier_backend/concelier/exports/;
+            proxy_cache mirror_cache;
+            proxy_cache_key $mirror_cache_key;
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            add_header Cache-Control "public, max-age=300, immutable" always;
+        }
+
+        location /concelier/ {
+            proxy_pass http://concelier_backend/concelier/;
+            proxy_cache off;
+        }
+
+        location /excititor/mirror/ {
+            proxy_pass http://excititor_backend/excititor/mirror/;
+            proxy_cache mirror_cache;
+            proxy_cache_key $mirror_cache_key;
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            add_header Cache-Control "public, max-age=300, immutable" always;
+        }
+
+        location /excititor/ {
+            proxy_pass http://excititor_backend/excititor/;
+            proxy_cache off;
+        }
+
+        location / {
+            return 404;
+        }
+
+services:
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    service:
+      port: 8445
+    env:
+      ASPNETCORE_URLS: "http://+:8445"
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/concelier?authSource=admin"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-mirror"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "mirror-minio-secret"
+      CONCELIER__TELEMETRY__SERVICENAME: "stellaops-concelier-mirror"
+      CONCELIER__MIRROR__ENABLED: "true"
+      CONCELIER__MIRROR__EXPORTROOT: "/exports/json"
+      CONCELIER__MIRROR__LATESTDIRECTORYNAME: "latest"
+      CONCELIER__MIRROR__MIRRORDIRECTORYNAME: "mirror"
+      CONCELIER__MIRROR__REQUIREAUTHENTICATION: "true"
+      CONCELIER__MIRROR__MAXINDEXREQUESTSPERHOUR: "600"
+      CONCELIER__MIRROR__DOMAINS__0__ID: "primary"
+      CONCELIER__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
+      CONCELIER__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
+      CONCELIER__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "3600"
+      CONCELIER__MIRROR__DOMAINS__1__ID: "community"
+      CONCELIER__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
+      CONCELIER__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
+      CONCELIER__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "1800"
+      CONCELIER__AUTHORITY__ENABLED: "true"
+      CONCELIER__AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
+      CONCELIER__AUTHORITY__ISSUER: "https://authority.stella-ops.org"
+      CONCELIER__AUTHORITY__METADATAADDRESS: ""
+      CONCELIER__AUTHORITY__CLIENTID: "stellaops-concelier-mirror"
+      CONCELIER__AUTHORITY__CLIENTSECRETFILE: "/run/secrets/concelier-authority-client"
+      CONCELIER__AUTHORITY__CLIENTSCOPES__0: "concelier.mirror.read"
+      CONCELIER__AUTHORITY__AUDIENCES__0: "api://concelier.mirror"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__0: "10.0.0.0/8"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__1: "127.0.0.1/32"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__2: "::1/128"
+      CONCELIER__AUTHORITY__RESILIENCE__ENABLERETRIES: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__0: "00:00:01"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__1: "00:00:02"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__2: "00:00:05"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:10:00"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+      - name: concelier-exports
+        mountPath: /exports/json
+      - name: concelier-secrets
+        mountPath: /run/secrets
+        readOnly: true
+    volumes:
+      - name: concelier-jobs
+        persistentVolumeClaim:
+          claimName: concelier-mirror-jobs
+      - name: concelier-exports
+        persistentVolumeClaim:
+          claimName: concelier-mirror-exports
+      - name: concelier-secrets
+        secret:
+          secretName: concelier-mirror-auth
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    env:
+      ASPNETCORE_URLS: "http://+:8448"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/excititor?authSource=admin"
+      EXCITITOR__STORAGE__MONGO__DATABASENAME: "excititor"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT: "/exports"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__OVERWRITEEXISTING: "false"
+      EXCITITOR__MIRROR__DOMAINS__0__ID: "primary"
+      EXCITITOR__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
+      EXCITITOR__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXINDEXREQUESTSPERHOUR: "300"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "2400"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__KEY: "consensus-json"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__FORMAT: "json"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__VIEW: "consensus"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__KEY: "consensus-openvex"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__FORMAT: "openvex"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__VIEW: "consensus"
+      EXCITITOR__MIRROR__DOMAINS__1__ID: "community"
+      EXCITITOR__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
+      EXCITITOR__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXINDEXREQUESTSPERHOUR: "120"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "600"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__KEY: "community-consensus"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__FORMAT: "json"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__VIEW: "consensus"
+    volumeMounts:
+      - name: excititor-exports
+        mountPath: /exports
+      - name: excititor-secrets
+        mountPath: /run/secrets
+        readOnly: true
+    volumes:
+      - name: excititor-exports
+        persistentVolumeClaim:
+          claimName: excititor-mirror-exports
+      - name: excititor-secrets
+        secret:
+          secretName: excititor-mirror-auth
+
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: "stellaops_mirror"
+      MONGO_INITDB_ROOT_PASSWORD: "mirror-password"
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: mirror-mongo-data
+
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: "stellaops-mirror"
+      MINIO_ROOT_PASSWORD: "mirror-minio-secret"
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: mirror-minio-data
+
+  mirror-gateway:
+    image: docker.io/library/nginx@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
+    service:
+      type: LoadBalancer
+      port: 443
+      portName: https
+      targetPort: 443
+    configMounts:
+      - name: mirror-gateway-conf
+        mountPath: /etc/nginx/conf.d
+        configMap: mirror-gateway
+    volumeMounts:
+      - name: mirror-gateway-tls
+        mountPath: /etc/nginx/tls
+        readOnly: true
+      - name: mirror-gateway-secrets
+        mountPath: /etc/nginx/secrets
+        readOnly: true
+      - name: mirror-cache
+        mountPath: /var/cache/nginx
+    volumes:
+      - name: mirror-gateway-tls
+        secret:
+          secretName: mirror-gateway-tls
+      - name: mirror-gateway-secrets
+        secret:
+          secretName: mirror-gateway-htpasswd
+      - name: mirror-cache
+        emptyDir: {}

deploy/helm/stellaops/values-stage.yaml

@@ -0,0 +1,186 @@
+global:
+  profile: stage
+  release:
+    version: "2025.09.2"
+    channel: stable
+    manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: stable
+
+configMaps:
+  notify-config:
+    data:
+      notify.yaml: |
+        storage:
+          driver: mongo
+          connectionString: "mongodb://notify-mongo.stage.svc.cluster.local:27017"
+          database: "stellaops_notify_stage"
+          commandTimeoutSeconds: 45
+
+        authority:
+          enabled: true
+          issuer: "https://authority.stage.stella-ops.org"
+          metadataAddress: "https://authority.stage.stella-ops.org/.well-known/openid-configuration"
+          requireHttpsMetadata: true
+          allowAnonymousFallback: false
+          backchannelTimeoutSeconds: 30
+          tokenClockSkewSeconds: 60
+          audiences:
+            - notify
+          readScope: notify.read
+          adminScope: notify.admin
+
+        api:
+          basePath: "/api/v1/notify"
+          internalBasePath: "/internal/notify"
+          tenantHeader: "X-StellaOps-Tenant"
+
+        plugins:
+          baseDirectory: "/opt/stellaops"
+          directory: "plugins/notify"
+          searchPatterns:
+            - "StellaOps.Notify.Connectors.*.dll"
+          orderedPlugins:
+            - StellaOps.Notify.Connectors.Slack
+            - StellaOps.Notify.Connectors.Teams
+            - StellaOps.Notify.Connectors.Email
+            - StellaOps.Notify.Connectors.Webhook
+
+        telemetry:
+          enableRequestLogging: true
+          minimumLogLevel: Information
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.stage.stella-ops.internal/introspect"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    replicas: 2
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  notify-web:
+    image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
+    service:
+      port: 8446
+    env:
+      DOTNET_ENVIRONMENT: Production
+    configMounts:
+      - name: notify-config
+        mountPath: /app/etc/notify.yaml
+        subPath: notify.yaml
+        configMap: notify-config
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops-stage
+      MONGO_INITDB_ROOT_PASSWORD: stellaops-stage
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops-stage
+      MINIO_ROOT_PASSWORD: stage-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumeClaims:
+      - name: nats-data
+        claimName: stellaops-nats-data

deploy/helm/stellaops/values.yaml

@@ -0,0 +1,10 @@
+global:
+  release:
+    version: ""
+    channel: ""
+    manifestSha256: ""
+  profile: ""
+  image:
+    pullPolicy: IfNotPresent
+  labels: {}
+services: {}

deploy/releases/2025.09-airgap.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.09.2-airgap"
+  channel: "airgap"
+  date: "2025-09-20T00:00:00Z"
+  calendar: "2025.09"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: b787b833dddd73960c31338279daa0b0a0dce2ef32bd32ef1aaf953d66135f94

deploy/releases/2025.09-stable.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.09.2"
+  channel: "stable"
+  date: "2025-09-20T00:00:00Z"
+  calendar: "2025.09"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7

deploy/releases/2025.10-edge.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.10.0-edge"
+  channel: "edge"
+  date: "2025-10-01T00:00:00Z"
+  calendar: "2025.10"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: 822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb

deploy/tools/validate-profiles.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+COMPOSE_DIR="$ROOT_DIR/compose"
+HELM_DIR="$ROOT_DIR/helm/stellaops"
+
+compose_profiles=(
+  "docker-compose.dev.yaml:env/dev.env.example"
+  "docker-compose.stage.yaml:env/stage.env.example"
+  "docker-compose.airgap.yaml:env/airgap.env.example"
+  "docker-compose.mirror.yaml:env/mirror.env.example"
+)
+
+docker_ready=false
+if command -v docker >/dev/null 2>&1; then
+  if docker compose version >/dev/null 2>&1; then
+    docker_ready=true
+  else
+    echo "⚠️  docker CLI present but Compose plugin unavailable; skipping compose validation" >&2
+  fi
+else
+  echo "⚠️  docker CLI not found; skipping compose validation" >&2
+fi
+
+if [[ "$docker_ready" == "true" ]]; then
+  for entry in "${compose_profiles[@]}"; do
+    IFS=":" read -r compose_file env_file <<<"$entry"
+    printf '→ validating %s with %s\n' "$compose_file" "$env_file"
+    docker compose \
+      --env-file "$COMPOSE_DIR/$env_file" \
+      -f "$COMPOSE_DIR/$compose_file" config >/dev/null
+  done
+fi
+
+helm_values=(
+  "$HELM_DIR/values-dev.yaml"
+  "$HELM_DIR/values-stage.yaml"
+  "$HELM_DIR/values-airgap.yaml"
+  "$HELM_DIR/values-mirror.yaml"
+)
+
+if command -v helm >/dev/null 2>&1; then
+  for values in "${helm_values[@]}"; do
+    printf '→ linting Helm chart with %s\n' "$(basename "$values")"
+    helm lint "$HELM_DIR" -f "$values"
+    helm template test-release "$HELM_DIR" -f "$values" >/dev/null
+  done
+else
+  echo "⚠️  helm CLI not found; skipping Helm lint/template" >&2
+fi
+
+printf 'Profiles validated (where tooling was available).\n'