docs consolidation work

2025-12-25 18:48:11 +02:00
parent 2a06f780cf
commit 82a49f6743
102 changed files with 3550 additions and 1679 deletions
--- a/etc/authority.yaml
+++ b/etc/authority.yaml
@@ -13,17 +13,17 @@ authorizationCodeLifetime: "00:05:00"
 deviceCodeLifetime: "00:15:00"

 storage:
-  connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
-  databaseName: "stellaops_authority"
+  driver: "postgres"
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=stellaops"
  commandTimeout: "00:00:30"

-signing:
-  enabled: true
-  activeKeyId: "authority-signing-dev"
-  keyPath: "../certificates/authority-signing-dev.pem"
-  algorithm: "ES256"
-  keySource: "file"
-  jwksCacheLifetime: "00:05:00"
+signing:
+  enabled: true
+  activeKeyId: "authority-signing-dev"
+  keyPath: "../certificates/authority-signing-dev.pem"
+  algorithm: "ES256"
+  keySource: "file"
+  jwksCacheLifetime: "00:05:00"

 bootstrap:
  enabled: false
@@ -152,15 +152,15 @@ clients:

 tenants:
  - name: "tenant-default"
-    roles:
-      orch-viewer:
-        scopes: [ "orch:read" ]
-      orch-operator:
-        scopes: [ "orch:read", "orch:operate" ]
-      orch-admin:
-        scopes: [ "orch:read", "orch:operate", "orch:quota", "orch:backfill" ]
-      export-viewer:
-        scopes: [ "export.viewer" ]
+    roles:
+      orch-viewer:
+        scopes: [ "orch:read" ]
+      orch-operator:
+        scopes: [ "orch:read", "orch:operate" ]
+      orch-admin:
+        scopes: [ "orch:read", "orch:operate", "orch:quota", "orch:backfill" ]
+      export-viewer:
+        scopes: [ "export.viewer" ]
      export-operator:
        scopes: [ "export.viewer", "export.operator" ]
      export-admin:
@@ -171,34 +171,34 @@ tenants:
        scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
      policy-approver:
        scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
-      policy-operator:
-        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
-      policy-auditor:
-        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
-      pack-viewer:
-        scopes: [ "packs.read" ]
-      pack-operator:
-        scopes: [ "packs.read", "packs.run" ]
-      pack-publisher:
-        scopes: [ "packs.read", "packs.write" ]
-      pack-approver:
-        scopes: [ "packs.read", "packs.approve" ]
-      pack-admin:
-        scopes: [ "packs.read", "packs.write", "packs.run", "packs.approve" ]
-      advisory-ai-viewer:
-        scopes: [ "advisory-ai:view" ]
-      advisory-ai-operator:
-        scopes: [ "advisory-ai:view", "advisory-ai:operate" ]
-      advisory-ai-admin:
-        scopes: [ "advisory-ai:view", "advisory-ai:operate", "advisory-ai:admin" ]
-      observability-viewer:
-        scopes: [ "obs:read", "timeline:read", "evidence:read", "attest:read" ]
-      observability-investigator:
-        scopes: [ "obs:read", "timeline:read", "timeline:write", "evidence:read", "evidence:create", "attest:read" ]
-      observability-legal:
-        scopes: [ "evidence:read", "evidence:hold" ]
-      observability-incident-commander:
-        scopes: [ "obs:read", "obs:incident", "timeline:read", "timeline:write", "evidence:create", "evidence:read", "attest:read" ]
+      policy-operator:
+        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
+      policy-auditor:
+        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
+      pack-viewer:
+        scopes: [ "packs.read" ]
+      pack-operator:
+        scopes: [ "packs.read", "packs.run" ]
+      pack-publisher:
+        scopes: [ "packs.read", "packs.write" ]
+      pack-approver:
+        scopes: [ "packs.read", "packs.approve" ]
+      pack-admin:
+        scopes: [ "packs.read", "packs.write", "packs.run", "packs.approve" ]
+      advisory-ai-viewer:
+        scopes: [ "advisory-ai:view" ]
+      advisory-ai-operator:
+        scopes: [ "advisory-ai:view", "advisory-ai:operate" ]
+      advisory-ai-admin:
+        scopes: [ "advisory-ai:view", "advisory-ai:operate", "advisory-ai:admin" ]
+      observability-viewer:
+        scopes: [ "obs:read", "timeline:read", "evidence:read", "attest:read" ]
+      observability-investigator:
+        scopes: [ "obs:read", "timeline:read", "timeline:write", "evidence:read", "evidence:create", "attest:read" ]
+      observability-legal:
+        scopes: [ "evidence:read", "evidence:hold" ]
+      observability-incident-commander:
+        scopes: [ "obs:read", "obs:incident", "timeline:read", "timeline:write", "evidence:create", "evidence:read", "attest:read" ]

 security:
  rateLimiting:
@@ -217,23 +217,23 @@ security:
    memorySizeInKib: 19456
    iterations: 2
    parallelism: 1
-  senderConstraints:
-    dpop:
-      enabled: true
-      proofLifetime: "00:05:00"
-      allowedClockSkew: "00:00:10"
-      replayWindow: "00:10:00"
-      nonce:
-        enabled: false
-    mtls:
-      enabled: false
-
-advisoryAi:
-  remoteInference:
-    enabled: false
-    requireTenantConsent: true
-    allowedProfiles: []
-
-bypassNetworks:
-  - "127.0.0.1/32"
-  - "::1/128"
+  senderConstraints:
+    dpop:
+      enabled: true
+      proofLifetime: "00:05:00"
+      allowedClockSkew: "00:00:10"
+      replayWindow: "00:10:00"
+      nonce:
+        enabled: false
+    mtls:
+      enabled: false
+
+advisoryAi:
+  remoteInference:
+    enabled: false
+    requireTenantConsent: true
+    allowedProfiles: []
+
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -17,10 +17,10 @@ identityTokenLifetime: "00:05:00"
 authorizationCodeLifetime: "00:05:00"
 deviceCodeLifetime: "00:15:00"

-# MongoDB storage connection details.
+# PostgreSQL storage connection details (MongoDB removed in Sprint 4400).
 storage:
-  connectionString: "mongodb://localhost:27017/stellaops-authority"
-  # databaseName: "stellaops_authority"
+  driver: "postgres"
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
  commandTimeout: "00:00:30"

 # Signing configuration for revocation bundles and JWKS.
--- a/etc/concelier.yaml.sample
+++ b/etc/concelier.yaml.sample
@@ -4,21 +4,11 @@
 # (prefixed with CONCELIER_) override these settings at runtime.

 storage:
-  driver: mongo
-  # Mongo connection string. Use SRV URI or standard connection string.
-  dsn: "mongodb://concelier:concelier@mongo:27017/concelier?authSource=admin"
-  # Optional database name; defaults to the name embedded in the DSN or 'concelier'.
-  database: "concelier"
-  # Mongo command timeout in seconds.
-  commandTimeoutSeconds: 30
-
-# PostgreSQL storage for LNM linkset cache (optional).
-# When enabled, the Link-Not-Merge linkset cache is stored in PostgreSQL
-# instead of MongoDB, providing improved query performance for large datasets.
-postgresStorage:
-  enabled: false
-  # PostgreSQL connection string. Required when enabled.
-  connectionString: "Host=localhost;Port=5432;Database=concelier;Username=concelier;Password=concelier"
+  driver: postgres
+  # PostgreSQL connection string (primary storage since Sprint 4400).
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+  # PostgreSQL database name (defaults to stellaops_platform).
+  database: "stellaops_platform"
  # Command timeout in seconds.
  commandTimeoutSeconds: 30
  # Connection pool settings.
@@ -117,38 +107,38 @@ mirror:
      requireAuthentication: false
      maxDownloadRequestsPerHour: 1200

-concelier:
-  sources:
-    ghsa:
-      apiToken: "${GITHUB_PAT}"
-      pageSize: 50
-      maxPagesPerFetch: 5
-      requestDelay: "00:00:00.200"
-      failureBackoff: "00:05:00"
-      rateLimitWarningThreshold: 500
-      secondaryRateLimitBackoff: "00:02:00"
-    cve:
-      baseEndpoint: "https://cveawg.mitre.org/api/"
-      apiOrg: ""
-      apiUser: ""
-      apiKey: ""
-      # Optional mirror used when credentials are unavailable.
-      seedDirectory: "./seed-data/cve"
-      pageSize: 200
-      maxPagesPerFetch: 5
-      initialBackfill: "30.00:00:00"
-      requestDelay: "00:00:00.250"
-      failureBackoff: "00:10:00"
-    alpine:
-      baseUri: "https://secdb.alpinelinux.org/"
-      releases:
-        - "v3.18"
-        - "v3.19"
-        - "v3.20"
-      repositories:
-        - "main"
-        - "community"
-      maxDocumentsPerFetch: 20
-      fetchTimeout: "00:00:45"
-      requestDelay: "00:00:00"
-      userAgent: "StellaOps.Concelier.Alpine/0.1 (+https://stella-ops.org)"
+concelier:
+  sources:
+    ghsa:
+      apiToken: "${GITHUB_PAT}"
+      pageSize: 50
+      maxPagesPerFetch: 5
+      requestDelay: "00:00:00.200"
+      failureBackoff: "00:05:00"
+      rateLimitWarningThreshold: 500
+      secondaryRateLimitBackoff: "00:02:00"
+    cve:
+      baseEndpoint: "https://cveawg.mitre.org/api/"
+      apiOrg: ""
+      apiUser: ""
+      apiKey: ""
+      # Optional mirror used when credentials are unavailable.
+      seedDirectory: "./seed-data/cve"
+      pageSize: 200
+      maxPagesPerFetch: 5
+      initialBackfill: "30.00:00:00"
+      requestDelay: "00:00:00.250"
+      failureBackoff: "00:10:00"
+    alpine:
+      baseUri: "https://secdb.alpinelinux.org/"
+      releases:
+        - "v3.18"
+        - "v3.19"
+        - "v3.20"
+      repositories:
+        - "main"
+        - "community"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+      userAgent: "StellaOps.Concelier.Alpine/0.1 (+https://stella-ops.org)"
--- a/etc/issuer-directory.yaml.sample
+++ b/etc/issuer-directory.yaml.sample
@@ -15,10 +15,7 @@ IssuerDirectory:
  tenantHeader: X-StellaOps-Tenant
  seedCsafPublishers: true
  csafSeedPath: data/csaf-publishers.json
-  Mongo:
-    connectionString: mongodb://localhost:27017
-    database: issuer-directory
-    issuersCollection: issuers
-    issuerKeysCollection: issuer_keys
-    issuerTrustCollection: issuer_trust_overrides
-    auditCollection: issuer_audit
+  Postgres:
+    connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+    schema: issuer
+    commandTimeoutSeconds: 30
--- a/etc/packs-registry.yaml.sample
+++ b/etc/packs-registry.yaml.sample
@@ -38,8 +38,10 @@ authority:
      - "packs.read"

 storage:
-  # Mongo database storing pack metadata and provenance.
-  mongoConnectionString: "mongodb://packs-registry:registry@mongo:27017/packs-registry?authSource=admin"
+  # PostgreSQL database storing pack metadata and provenance (MongoDB removed in Sprint 4400).
+  driver: "postgres"
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+  schema: "packs"
  # Object storage bucket/container for pack bundles and signatures.
  bundleStore: "s3://stellaops-packs"

--- a/etc/policy-engine.yaml.sample
+++ b/etc/policy-engine.yaml.sample
@@ -14,8 +14,9 @@ authority:
  backchannelTimeoutSeconds: 30

 storage:
-  connectionString: "mongodb://localhost:27017/policy-engine"
-  databaseName: "policy_engine"
+  driver: "postgres"
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+  schema: "policy"
  commandTimeoutSeconds: 30

 workers:
--- a/etc/secrets/issuer-directory.mongo.secret.example
+++ b/etc/secrets/issuer-directory.mongo.secret.example
@@ -1,6 +0,0 @@
-# Replace this value with the MongoDB connection string used by Issuer Directory.
-# Keep the file out of version control; mount it via docker-compose env_file or
-# your secrets manager when running the service. Compose expects the helper
-# variable below and injects it into ISSUERDIRECTORY__MONGO__CONNECTIONSTRING
-# at container runtime.
-ISSUER_DIRECTORY_MONGO_CONNECTION_STRING=mongodb://stellaops:change-me@mongo:27017
--- a/etc/signals.yaml.sample
+++ b/etc/signals.yaml.sample
@@ -20,11 +20,10 @@ Signals:
    BypassNetworks:
      - "127.0.0.1/32"
      - "::1/128"
-  Mongo:
-    ConnectionString: "mongodb://localhost:27017/signals"
-    Database: "signals"
-    CallgraphsCollection: "callgraphs"
-    ReachabilityFactsCollection: "reachability_facts"
+  Postgres:
+    ConnectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+    Schema: "signals"
+    CommandTimeoutSeconds: 30
  Storage:
    # Storage driver: "filesystem" (default) or "rustfs" (CAS-backed)
    Driver: "filesystem"
--- a/etc/task-runner.yaml.sample
+++ b/etc/task-runner.yaml.sample
@@ -51,9 +51,10 @@ authority:
 storage:
  # Object storage bucket where run artifacts and evidence bundles are kept.
  artifactsBucket: "s3://stellaops-taskrunner-artifacts"
-  # MongoDB stores run metadata and approval state; update connection string
-  # before deploying.
-  mongoConnectionString: "mongodb://taskrunner:taskrunner@mongo:27017/taskrunner?authSource=admin"
+  # PostgreSQL stores run metadata and approval state (MongoDB removed in Sprint 4400).
+  driver: "postgres"
+  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+  schema: "taskrunner"

 approvals:
  # Default timeout before pending approvals auto-expire.
--- a/etc/vexlens.yaml.sample
+++ b/etc/vexlens.yaml.sample
@@ -4,13 +4,10 @@
 VexLens:
  # Storage configuration for consensus projections
  Storage:
-    # Driver: "memory" for testing, "mongo" for production
-    Driver: mongo
-    ConnectionString: "mongodb://localhost:27017"
-    Database: stellaops
-    ProjectionsCollection: vex_consensus
-    HistoryCollection: vex_consensus_history
-    MaxHistoryEntries: 100
+    # Driver: "memory" for testing, "postgres" for production (MongoDB removed in Sprint 4400)
+    Driver: postgres
+    PostgresConnectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
+    Database: stellaops_platform
    CommandTimeoutSeconds: 30

  # Trust engine configuration