Rename Feedser to Concelier

etc/concelier.yaml.sample

@@ -0,0 +1,97 @@
+# Concelier configuration template for StellaOps deployments.
+# Copy to ../etc/concelier.yaml (relative to the web service content root)
+# and adjust the values to match your environment. Environment variables
+# (prefixed with CONCELIER_) override these settings at runtime.
+
+storage:
+  driver: mongo
+  # Mongo connection string. Use SRV URI or standard connection string.
+  dsn: "mongodb://concelier:concelier@mongo:27017/concelier?authSource=admin"
+  # Optional database name; defaults to the name embedded in the DSN or 'concelier'.
+  database: "concelier"
+  # Mongo command timeout in seconds.
+  commandTimeoutSeconds: 30
+
+plugins:
+  # Concelier resolves plug-ins relative to the content root; override as needed.
+  baseDirectory: ".."
+  directory: "PluginBinaries"
+  searchPatterns:
+    - "StellaOps.Concelier.Plugin.*.dll"
+
+telemetry:
+  enabled: true
+  enableTracing: false
+  enableMetrics: false
+  enableLogging: true
+  minimumLogLevel: "Information"
+  serviceName: "stellaops-concelier"
+  # Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
+  otlpEndpoint: ""
+  # Optional headers for OTLP exporters, for example authentication tokens.
+  otlpHeaders: {}
+  # Attach additional resource attributes to telemetry exports.
+  resourceAttributes:
+    deployment.environment: "local"
+  # Emit console exporters for local debugging.
+  exportConsole: true
+
+authority:
+  enabled: false
+  # Temporary rollout flag. When true, Concelier logs anonymous access but does not fail requests
+  # without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
+  allowAnonymousFallback: true
+  # Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
+  issuer: "https://authority.stella-ops.local"
+  # Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
+  metadataAddress: ""
+  requireHttpsMetadata: true
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - "api://concelier"
+  requiredScopes:
+    - "concelier.jobs.trigger"
+  # Outbound credentials Concelier can use to call Authority (client credentials flow).
+  clientId: "concelier-jobs"
+  # Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
+  clientSecret: ""
+  clientSecretFile: ""
+  clientScopes:
+    - "concelier.jobs.trigger"
+  resilience:
+    # Enable deterministic retry/backoff when Authority is briefly unavailable.
+    enableRetries: true
+    retryDelays:
+      - "00:00:01"
+      - "00:00:02"
+      - "00:00:05"
+    # Allow stale discovery/JWKS responses when Authority is offline (extend tolerance as needed for air-gapped mirrors).
+    allowOfflineCacheFallback: true
+    offlineCacheTolerance: "00:10:00"
+  # Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
+  bypassNetworks:
+    - "127.0.0.1/32"
+    - "::1/128"
+
+sources:
+  ghsa:
+    apiToken: "${GITHUB_PAT}"
+    pageSize: 50
+    maxPagesPerFetch: 5
+    requestDelay: "00:00:00.200"
+    failureBackoff: "00:05:00"
+    rateLimitWarningThreshold: 500
+    secondaryRateLimitBackoff: "00:02:00"
+  cve:
+    baseEndpoint: "https://cveawg.mitre.org/api/"
+    apiOrg: ""
+    apiUser: ""
+    apiKey: ""
+    # Optional mirror used when credentials are unavailable.
+    seedDirectory: "./seed-data/cve"
+    pageSize: 200
+    maxPagesPerFetch: 5
+    initialBackfill: "30.00:00:00"
+    requestDelay: "00:00:00.250"
+    failureBackoff: "00:10:00"