feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries

- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:37:45 +02:00
parent 240e8ff25d
commit 15b4a1de6a
312 changed files with 6399 additions and 3319 deletions
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -0,0 +1,93 @@
+# Quickstart – First Scan in Five Minutes
+
+> **Status:** public α image ships late 2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands.
+
+## 0. Prerequisites (1 min)
+
+| Requirement | Minimum | Notes |
+|-------------|---------|-------|
+| OS | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
+| Docker | Engine 25 + Compose v2 | `docker -v` |
+| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
+| TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production |
+
+Keep Redis and MongoDB bundled unless you already operate managed instances.
+
+## 1. Download the signed bundles (1 min)
+
+```bash
+curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
+curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
+curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
+curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig
+
+cosign verify-blob \
+  --key https://stella-ops.org/keys/cosign.pub \
+  --signature docker-compose.infrastructure.yml.sig \
+  docker-compose.infrastructure.yml
+
+cosign verify-blob \
+  --key https://stella-ops.org/keys/cosign.pub \
+  --signature docker-compose.stella-ops.yml.sig \
+  docker-compose.stella-ops.yml
+```
+
+*Air-gapped?* The [Offline Update Kit](24_OFFLINE_KIT.md) ships these files plus feeds and plug-ins.
+
+## 2. Configure `.env` (1 min)
+
+Create `.env` with the essentials:
+
+```dotenv
+STELLA_OPS_COMPANY_NAME="Acme Corp"
+STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
+STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
+MONGO_INITDB_ROOT_USERNAME=stella_admin
+MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)
+MONGO_URL=mongodb
+REDIS_PASSWORD=$(openssl rand -base64 18)
+REDIS_URL=redis
+```
+
+Use existing Redis/Mongo endpoints by setting `MONGO_URL` and `REDIS_URL`. Keep credentials scoped to Stella Ops; Redis counters enforce the transparent quota (`{{ quota_token }}` scans/day).
+
+## 3. Launch services (1 min)
+
+```bash
+docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
+docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
+```
+
+- `StellaOps.Authority` issues short-lived OpToks for CLI/UI.
+- `StellaOps.Scanner` hosts `/scan`, queues work to Workers.
+- `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies, feeds sync in the background.
+
+## 4. Run your first scan (1 min)
+
+```bash
+stella auth login --device-code
+stella scan image \
+  --image registry.stella-ops.org/demo/juice-shop:latest \
+  --sbom-type cyclonedx-json
+```
+
+- Expect `<5 s` warm scans once the Delta SBOM cache is primed.
+- CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context.
+- Headers `X-Stella-Quota-Remaining` and the UI banner keep quota usage transparent.
+
+## 5. Verify & explore (1 min)
+
+- Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests.
+- Export the DSSE bundle: `stella export run --format dsse`.
+- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.
+
+### Sovereign mode in one click
+
+- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
+- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.
+
+### Next steps
+
+- Harden the deployment with [`17_SECURITY_HARDENING_GUIDE.md`](17_SECURITY_HARDENING_GUIDE.md).
+- Explore feature highlights in [`key-features.md`](key-features.md).
+- Plan the rollout using the [evaluation checklist](evaluate/checklist.md).