Add tests and implement StubBearer authentication for Signer endpoints

- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints.
- Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication.
- Developed ConcelierExporterClient for managing Trivy DB settings and export operations.
- Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering.
- Implemented styles and HTML structure for Trivy DB settings page.
- Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.

deploy/README.md

@@ -17,4 +17,21 @@ This directory contains deterministic deployment bundles for the core Stella Ops
 3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
 4. Commit the change alongside any documentation updates (e.g. install guide cross-links).
 
-Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments.
+Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments.
+
+## CI smoke checks
+
+The `.gitea/workflows/build-test-deploy.yml` pipeline includes a `notify-smoke` stage that validates scanner event propagation after staging deployments. Configure the following repository secrets (or environment-level secrets) so the job can connect to Redis and the Notify API:
+
+- `NOTIFY_SMOKE_REDIS_DSN` – Redis connection string (`redis://user:pass@host:port/db`).
+- `NOTIFY_SMOKE_NOTIFY_BASEURL` – Base URL for the staging Notify WebService (e.g. `https://notify.stage.stella-ops.internal`).
+- `NOTIFY_SMOKE_NOTIFY_TOKEN` – OAuth bearer token (service account) with permission to read deliveries.
+- `NOTIFY_SMOKE_NOTIFY_TENANT` – Tenant identifier used for the smoke validation requests.
+- *(Optional)* `NOTIFY_SMOKE_NOTIFY_TENANT_HEADER` – Override for the tenant header name (defaults to `X-StellaOps-Tenant`).
+
+Define the following repository variables (or secrets) to drive the assertions performed by the smoke check:
+
+- `NOTIFY_SMOKE_EXPECT_KINDS` – Comma-separated event kinds the checker must observe (for example `scanner.report.ready,scanner.scan.completed`).
+- `NOTIFY_SMOKE_LOOKBACK_MINUTES` – Time window (in minutes) used when scanning the Redis stream for recent events (for example `30`).
+
+All of the above values are required—the workflow fails fast with a descriptive error if any are missing or empty. Provide the variables at the organisation or repository scope before enabling the smoke stage.

deploy/compose/README.md

@@ -20,12 +20,25 @@ docker compose --env-file dev.env -f docker-compose.dev.yaml config
 docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
 ```
 
-The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
-
-### Updating to a new release
-
-1. Import the new manifest into `deploy/releases/` (see `deploy/README.md`).
-2. Update image digests in the relevant Compose file(s).
-3. Re-run `docker compose config` to confirm the bundle is deterministic.
+The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
+
+### Scanner event stream settings
+
+Scanner WebService can emit signed `scanner.report.*` events to Redis Streams when `SCANNER__EVENTS__ENABLED=true`. Each profile ships environment placeholders you can override in the `.env` file:
+
+- `SCANNER_EVENTS_ENABLED` – toggle emission on/off (defaults to `false`).
+- `SCANNER_EVENTS_DRIVER` – currently only `redis` is supported.
+- `SCANNER_EVENTS_DSN` – Redis endpoint; leave blank to reuse the queue DSN when it uses `redis://`.
+- `SCANNER_EVENTS_STREAM` – stream name (`stella.events` by default).
+- `SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS` – per-publish timeout window (defaults to `5`).
+- `SCANNER_EVENTS_MAX_STREAM_LENGTH` – max stream length before Redis trims entries (defaults to `10000`).
+
+Helm values mirror the same knobs under each service’s `env` map (see `deploy/helm/stellaops/values-*.yaml`).
+
+### Updating to a new release
+
+1. Import the new manifest into `deploy/releases/` (see `deploy/README.md`).
+2. Update image digests in the relevant Compose file(s).
+3. Re-run `docker compose config` to confirm the bundle is deterministic.
 
 Keep digests synchronized between Compose, Helm, and the release manifest to preserve reproducibility guarantees. `deploy/tools/validate-profiles.sh` performs a quick audit.

deploy/compose/docker-compose.airgap.yaml

@@ -136,10 +136,16 @@ services:
       - nats
     environment:
       SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
+      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
     ports:
       - "${SCANNER_WEB_PORT:-8444}:8444"
     networks:

deploy/compose/docker-compose.dev.yaml

@@ -134,10 +134,16 @@ services:
       - nats
     environment:
       SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
+      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
     ports:
       - "${SCANNER_WEB_PORT:-8444}:8444"
     networks:

deploy/compose/docker-compose.stage.yaml

@@ -134,10 +134,16 @@ services:
       - nats
     environment:
       SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
-      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
+      SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
+      SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
+      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
     ports:
       - "${SCANNER_WEB_PORT:-8444}:8444"
     networks:

deploy/compose/env/airgap.env.example

@@ -10,8 +10,15 @@ SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
 SIGNER_PORT=8441
 ATTESTOR_PORT=8442
 CONCELIER_PORT=8445
-SCANNER_WEB_PORT=8444
-UI_PORT=9443
-NATS_CLIENT_PORT=24222
-SCANNER_QUEUE_BROKER=nats://nats:4222
-AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
+SCANNER_WEB_PORT=8444
+UI_PORT=9443
+NATS_CLIENT_PORT=24222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=redis
+# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000

deploy/compose/env/dev.env.example

@@ -10,7 +10,14 @@ SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
 SIGNER_PORT=8441
 ATTESTOR_PORT=8442
 CONCELIER_PORT=8445
-SCANNER_WEB_PORT=8444
-UI_PORT=8443
-NATS_CLIENT_PORT=4222
-SCANNER_QUEUE_BROKER=nats://nats:4222
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=redis
+# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000

deploy/compose/env/stage.env.example

@@ -10,7 +10,14 @@ SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
 SIGNER_PORT=8441
 ATTESTOR_PORT=8442
 CONCELIER_PORT=8445
-SCANNER_WEB_PORT=8444
-UI_PORT=8443
-NATS_CLIENT_PORT=4222
-SCANNER_QUEUE_BROKER=nats://nats:4222
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=redis
+# Leave SCANNER_EVENTS_DSN empty to inherit the Redis queue DSN when SCANNER_QUEUE_BROKER uses redis://.
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000

deploy/helm/stellaops/values-airgap.yaml

@@ -97,20 +97,32 @@ services:
     image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
     service:
       port: 8444
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   scanner-worker:
     image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   notify-web:
     image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
     service:

deploy/helm/stellaops/values-dev.yaml

@@ -96,20 +96,32 @@ services:
     image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
     service:
       port: 8444
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   scanner-worker:
     image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   notify-web:
     image: registry.stella-ops.org/stellaops/notify-web:2025.10.0-edge
     service:

deploy/helm/stellaops/values-stage.yaml

@@ -96,21 +96,33 @@ services:
     image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
     service:
       port: 8444
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   scanner-worker:
     image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
     replicas: 2
-    env:
-      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
-      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
-      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
-      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
-      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "false"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
   notify-web:
     image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
     service: