stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

consolidation of some of the modules, localization fixes, product advisories work, qa work

Browse Source
This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
devops/compose/.env
View File

@@ -151,6 +151,15 @@ SM_REMOTE_HSM_URL=
SM_REMOTE_HSM_API_KEY=
SM_REMOTE_HSM_TIMEOUT=30000
# =============================================================================
# ROUTER IDENTITY ENVELOPE
# =============================================================================
# HMAC-SHA256 shared signing key for gateway identity envelopes.
# Generate with: openssl rand -base64 32
# For production: use Docker secrets or vault injection.
STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=xPGV6S6dlS3JsLw3DuPRAEAXqJ9JOsfWE/8oIiplGRk=
# =============================================================================
# NETWORKING
# =============================================================================

122
devops/compose/docker-compose.stella-ops.yml
View File

@@ -61,6 +61,8 @@ x-router-microservice-defaults: &router-microservice-defaults
Router__Messaging__HeartbeatInterval: "10s"
Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
Router__Messaging__valkey__Database: "0"
# Identity envelope verification (signed by gateway, verified by services)
Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
# ---------------------------------------------------------------------------
# Common anchors for the 60-service stack
@@ -105,6 +107,7 @@ volumes:
advisory-ai-plans:
advisory-ai-outputs:
evidence-data:
taskrunner-artifacts-data:
services:
# ===========================================================================
@@ -299,6 +302,8 @@ services:
Gateway__Transports__Messaging__LeaseDuration: "5m"
Gateway__Transports__Messaging__BatchSize: "10"
Gateway__Transports__Messaging__HeartbeatInterval: "10s"
# Identity envelope signing (gateway -> microservice auth)
Gateway__Auth__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
# Audience validation disabled until authority includes aud in access tokens
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
@@ -337,11 +342,16 @@ services:
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
Platform__Authority__RequireHttpsMetadata: "false"
Platform__Authority__BypassNetworks__0: "172.19.0.0/16"
Logging__LogLevel__StellaOps.Auth: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authorization: "Debug"
Platform__Storage__Driver: "postgres"
Platform__Storage__PostgresConnectionString: *postgres-connection
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
Platform__EnvironmentSettings__AuthorizeEndpoint: "https://127.1.0.1/connect/authorize"
Platform__EnvironmentSettings__TokenEndpoint: "https://127.1.0.1/connect/token"
Platform__EnvironmentSettings__RedirectUri: "https://127.1.0.1/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://127.1.0.1/"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write"
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
@@ -357,7 +367,7 @@ services:
STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
STELLAOPS_ORCHESTRATOR_URL: "http://orchestrator.stella-ops.local"
STELLAOPS_JOBENGINE_URL: "http://jobengine.stella-ops.local"
STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
@@ -437,7 +447,11 @@ services:
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "password"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
<<: *router-microservice-defaults
Router__Enabled: "${AUTHORITY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "authority"
@@ -751,6 +765,14 @@ services:
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
CONCELIER_AUTHORITY__ENABLED: "true"
CONCELIER_AUTHORITY__ISSUER: "https://authority.stella-ops.local/"
CONCELIER_AUTHORITY__REQUIREHTTPSMETADATA: "false"
CONCELIER_AUTHORITY__METADATAADDRESS: "https://authority.stella-ops.local/.well-known/openid-configuration"
CONCELIER_AUTHORITY__BYPASSNETWORKS__0: "172.19.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__1: "172.20.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"
CONCELIER_AUTHORITY__AUDIENCES__0: "stellaops"
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
@@ -897,7 +919,7 @@ services:
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 13: VulnExplorer (api) -------------------------------------------
# --- Slot 13: VulnExplorer (api) [src/Findings/StellaOps.VulnExplorer.Api] ---
api:
image: stellaops/api:dev
container_name: stellaops-api
@@ -1015,7 +1037,7 @@ services:
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 16: RiskEngine ---------------------------------------------------
# --- Slot 16: RiskEngine [src/Findings/StellaOps.RiskEngine.*] ---------------
riskengine-web:
image: stellaops/riskengine-web:dev
container_name: stellaops-riskengine-web
@@ -1026,6 +1048,8 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
RISKENGINE__STORAGE__DRIVER: "postgres"
RISKENGINE__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
Router__Enabled: "${RISKENGINE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "riskengine"
volumes:
@@ -1062,9 +1086,9 @@ services:
labels: *release-labels
# --- Slot 17: Orchestrator -------------------------------------------------
orchestrator:
image: stellaops/orchestrator:dev
container_name: stellaops-orchestrator
jobengine:
image: stellaops/jobengine:dev
container_name: stellaops-jobengine
restart: unless-stopped
depends_on: *depends-infra
environment:
@@ -1072,25 +1096,35 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${ORCHESTRATOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "orchestrator"
Router__Messaging__ConsumerGroup: "jobengine"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.17:80:80"
networks:
stellaops:
aliases:
- orchestrator.stella-ops.local
- jobengine.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
orchestrator-worker:
image: stellaops/orchestrator-worker:dev
container_name: stellaops-orchestrator-worker
jobengine-worker:
image: stellaops/jobengine-worker:dev
container_name: stellaops-jobengine-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
@@ -1104,7 +1138,7 @@ services:
networks:
stellaops:
aliases:
- orchestrator-worker.stella-ops.local
- jobengine-worker.stella-ops.local
labels: *release-labels
# --- Slot 18: TaskRunner ---------------------------------------------------
@@ -1118,10 +1152,15 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
Router__Enabled: "${TASKRUNNER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "taskrunner"
volumes:
- *cert-volume
- taskrunner-artifacts-data:/app/artifacts
ports:
- "127.1.0.18:80:80"
networks:
@@ -1143,14 +1182,18 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
# AirGap egress policy (disable for dev)
AirGap__Egress__Enabled: "false"
volumes:
- *cert-volume
- taskrunner-artifacts-data:/app/artifacts
tmpfs:
- /app/queue:mode=1777
- /app/state:mode=1777
- /app/artifacts:mode=1777
- /app/approvals:mode=1777
- /app/logs:mode=1777
networks:
@@ -1376,6 +1419,11 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "timeline"
volumes:
@@ -1489,7 +1537,7 @@ services:
- doctor-scheduler.stella-ops.local
labels: *release-labels
# --- Slot 27: OpsMemory ---------------------------------------------------
# --- Slot 27: OpsMemory (src/AdvisoryAI/StellaOps.OpsMemory.WebService) ---
opsmemory-web:
image: stellaops/opsmemory-web:dev
container_name: stellaops-opsmemory-web
@@ -1527,10 +1575,20 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "notifier"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.28:80:80"
networks:
@@ -1722,6 +1780,10 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/packs"
Router__Enabled: "${PACKSREGISTRY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "packsregistry"
volumes:
@@ -1990,6 +2052,10 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
REPLAY__STORAGE__DRIVER: "postgres"
REPLAY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
REPLAY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
REPLAY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/replay-snapshots"
Router__Enabled: "${REPLAY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "replay"
volumes:
@@ -2018,10 +2084,20 @@ services:
ConnectionStrings__IntegrationsDb: *postgres-connection
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${INTEGRATIONS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "integrations"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.42:80:80"
networks:
@@ -2087,10 +2163,20 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${SIGNALS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "signals"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.43:80:80"
networks:

10
devops/compose/docker-compose.testing.yml
View File

@@ -157,9 +157,9 @@ services:
# ---------------------------------------------------------------------------
# Orchestrator mock
# ---------------------------------------------------------------------------
orchestrator:
image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
container_name: stellaops-orchestrator-mock
jobengine:
image: registry.stella-ops.org/stellaops/jobengine@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
container_name: stellaops-jobengine-mock
profiles: ["mock", "all"]
command: ["dotnet", "StellaOps.Orchestrator.WebService.dll"]
depends_on:
@@ -252,6 +252,8 @@ services:
environment:
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres-test;Port=5432;Database=stellaops_test;Username=stellaops_ci;Password=ci_test_password"
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/tmp/packs-seedfs"
networks:
- testing-net
labels: *testing-labels
@@ -270,6 +272,8 @@ services:
environment:
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres-test;Port=5432;Database=stellaops_test;Username=stellaops_ci;Password=ci_test_password"
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/tmp/taskrunner-seedfs"
networks:
- testing-net
labels: *testing-labels

100
devops/compose/envsettings-override.json
View File

@@ -1,12 +1,12 @@
{
"authority": {
"issuer": "https://stella-ops.local/",
"issuer": "https://authority.stella-ops.local/",
"clientId": "stella-ops-ui",
"authorizeEndpoint": "https://stella-ops.local/connect/authorize",
"tokenEndpoint": "https://stella-ops.local/connect/token",
"redirectUri": "https://stella-ops.local/auth/callback",
"postLogoutRedirectUri": "https://stella-ops.local/",
"scope": "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin",
"authorizeEndpoint": "https://127.1.0.1/connect/authorize",
"tokenEndpoint": "https://127.1.0.1/connect/token",
"redirectUri": "https://127.1.0.1/auth/callback",
"postLogoutRedirectUri": "https://127.1.0.1/",
"scope": "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write",
"audience": "stella-ops-api",
"dpopAlgorithms": [
"ES256"
@@ -14,50 +14,50 @@
"refreshLeewaySeconds": 60
},
"apiBaseUrls": {
"vulnexplorer": "https://stella-ops.local",
"replay": "https://stella-ops.local",
"notify": "https://stella-ops.local",
"notifier": "https://stella-ops.local",
"airgapController": "https://stella-ops.local",
"gateway": "https://stella-ops.local",
"doctor": "https://stella-ops.local",
"taskrunner": "https://stella-ops.local",
"timelineindexer": "https://stella-ops.local",
"timeline": "https://stella-ops.local",
"packsregistry": "https://stella-ops.local",
"findingsLedger": "https://stella-ops.local",
"policyGateway": "https://stella-ops.local",
"registryTokenservice": "https://stella-ops.local",
"graph": "https://stella-ops.local",
"issuerdirectory": "https://stella-ops.local",
"router": "https://stella-ops.local",
"integrations": "https://stella-ops.local",
"platform": "https://stella-ops.local",
"smremote": "https://stella-ops.local",
"signals": "https://stella-ops.local",
"vexlens": "https://stella-ops.local",
"scheduler": "https://stella-ops.local",
"concelier": "https://stella-ops.local",
"opsmemory": "https://stella-ops.local",
"binaryindex": "https://stella-ops.local",
"signer": "https://stella-ops.local",
"reachgraph": "https://stella-ops.local",
"authority": "https://stella-ops.local",
"unknowns": "https://stella-ops.local",
"scanner": "https://stella-ops.local",
"sbomservice": "https://stella-ops.local",
"symbols": "https://stella-ops.local",
"orchestrator": "https://stella-ops.local",
"policyEngine": "https://stella-ops.local",
"attestor": "https://stella-ops.local",
"vexhub": "https://stella-ops.local",
"riskengine": "https://stella-ops.local",
"airgapTime": "https://stella-ops.local",
"advisoryai": "https://stella-ops.local",
"excititor": "https://stella-ops.local",
"cartographer": "https://stella-ops.local",
"evidencelocker": "https://stella-ops.local",
"exportcenter": "https://stella-ops.local"
"vulnexplorer": "https://127.1.0.1",
"replay": "https://127.1.0.1",
"notify": "https://127.1.0.1",
"notifier": "https://127.1.0.1",
"airgapController": "https://127.1.0.1",
"gateway": "https://127.1.0.1",
"doctor": "https://127.1.0.1",
"taskrunner": "https://127.1.0.1",
"timelineindexer": "https://127.1.0.1",
"timeline": "https://127.1.0.1",
"packsregistry": "https://127.1.0.1",
"findingsLedger": "https://127.1.0.1",
"policyGateway": "https://127.1.0.1",
"registryTokenservice": "https://127.1.0.1",
"graph": "https://127.1.0.1",
"issuerdirectory": "https://127.1.0.1",
"router": "https://127.1.0.1",
"integrations": "https://127.1.0.1",
"platform": "https://127.1.0.1",
"smremote": "https://127.1.0.1",
"signals": "https://127.1.0.1",
"vexlens": "https://127.1.0.1",
"scheduler": "https://127.1.0.1",
"concelier": "https://127.1.0.1",
"opsmemory": "https://127.1.0.1",
"binaryindex": "https://127.1.0.1",
"signer": "https://127.1.0.1",
"reachgraph": "https://127.1.0.1",
"authority": "https://127.1.0.1",
"unknowns": "https://127.1.0.1",
"scanner": "https://127.1.0.1",
"sbomservice": "https://127.1.0.1",
"symbols": "https://127.1.0.1",
"jobengine": "https://127.1.0.1",
"policyEngine": "https://127.1.0.1",
"attestor": "https://127.1.0.1",
"vexhub": "https://127.1.0.1",
"riskengine": "https://127.1.0.1",
"airgapTime": "https://127.1.0.1",
"advisoryai": "https://127.1.0.1",
"excititor": "https://127.1.0.1",
"cartographer": "https://127.1.0.1",
"evidencelocker": "https://127.1.0.1",
"exportcenter": "https://127.1.0.1"
},
"setup": "complete"
}

1262
devops/compose/openapi_current.json
View File

File diff suppressed because it is too large Load Diff

103
devops/compose/router-gateway-local.json
View File

@@ -18,7 +18,7 @@
{
"Type": "Microservice",
"Path": "/api/v1/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/release-orchestrator",
"PreserveAuthHeaders": true
},
{
@@ -113,8 +113,8 @@
},
{
"Type": "Microservice",
"Path": "/api/v1/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/orchestrator",
"Path": "/api/v1/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -153,6 +153,72 @@
"TranslatesTo": "http://timelineindexer.stella-ops.local/api/v1/timeline",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/audit",
"TranslatesTo": "http://timeline.stella-ops.local/api/v1/audit",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/advisory-sources",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/notifier/delivery",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify/deliveries",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/release-control",
"TranslatesTo": "http://platform.stella-ops.local/api/v1/release-control",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/context",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/context",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/releases",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/releases",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/security",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/security",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/topology",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/topology",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/integrations",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/integrations",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/policy/shadow",
"TranslatesTo": "http://policy-gateway.stella-ops.local/policy/shadow",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/advisory-ai/adapters",
@@ -252,7 +318,7 @@
{
"Type": "Microservice",
"Path": "/api/v1/workflows",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/workflows",
"PreserveAuthHeaders": true
},
{
@@ -270,7 +336,7 @@
{
"Type": "Microservice",
"Path": "/v1/runs",
"TranslatesTo": "http://orchestrator.stella-ops.local/v1/runs",
"TranslatesTo": "http://jobengine.stella-ops.local/v1/runs",
"PreserveAuthHeaders": true
},
{
@@ -324,19 +390,19 @@
{
"Type": "Microservice",
"Path": "/api/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/release-orchestrator",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/releases",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/releases",
"TranslatesTo": "http://jobengine.stella-ops.local/api/releases",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/approvals",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals",
"TranslatesTo": "http://jobengine.stella-ops.local/api/approvals",
"PreserveAuthHeaders": true
},
{
@@ -383,8 +449,8 @@
},
{
"Type": "Microservice",
"Path": "/api/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/orchestrator",
"Path": "/api/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -444,12 +510,14 @@
{
"Type": "ReverseProxy",
"Path": "/platform/envsettings.json",
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json"
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/platform",
"TranslatesTo": "http://platform.stella-ops.local/platform"
"TranslatesTo": "http://platform.stella-ops.local/platform",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
@@ -470,13 +538,13 @@
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/authority",
"TranslatesTo": "https://authority.stella-ops.local/authority",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
@@ -489,7 +557,8 @@
{
"Type": "ReverseProxy",
"Path": "/envsettings.json",
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json"
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
@@ -563,8 +632,8 @@
},
{
"Type": "Microservice",
"Path": "/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local"
"Path": "/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local"
},
{
"Type": "Microservice",

107
devops/compose/router-gateway-local.reverseproxy.json
View File

@@ -1,4 +1,5 @@
{
"_deprecated": "Legacy fallback config. The canonical default is router-gateway-local.json (Microservice routing via Valkey). Use ROUTER_GATEWAY_CONFIG=./router-gateway-local.reverseproxy.json only when debugging transport issues. Will be removed in a future release.",
"Gateway": {
"Auth": {
"DpopEnabled": false,
@@ -18,7 +19,7 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/release-orchestrator",
"PreserveAuthHeaders": true
},
{
@@ -39,16 +40,34 @@
"TranslatesTo": "http://notify.stella-ops.local/api/v1/notify",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/notifier/delivery",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify/deliveries",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/notifier",
"TranslatesTo": "http://notifier.stella-ops.local/api/v1/notifier",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/concelier",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/concelier",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/advisory-sources",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/release-control",
"TranslatesTo": "http://platform.stella-ops.local/api/v1/release-control",
"PreserveAuthHeaders": true
},
{
@@ -108,13 +127,13 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/signals",
"TranslatesTo": "http://signals.stella-ops.local/api/v1/signals",
"TranslatesTo": "http://signals.stella-ops.local/signals",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/orchestrator",
"Path": "/api/v1/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -153,6 +172,12 @@
"TranslatesTo": "http://timelineindexer.stella-ops.local/api/v1/timeline",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/audit",
"TranslatesTo": "http://timeline.stella-ops.local/api/v1/audit",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/advisory-ai/adapters",
@@ -223,7 +248,7 @@
"Type": "ReverseProxy",
"Path": "/api/v1/governance",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/v1/governance",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
@@ -252,7 +277,7 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/workflows",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/workflows",
"PreserveAuthHeaders": true
},
{
@@ -264,13 +289,13 @@
{
"Type": "ReverseProxy",
"Path": "/v1/evidence-packs",
"TranslatesTo": "https://evidencelocker.stella-ops.local/v1/evidence-packs",
"TranslatesTo": "http://advisoryai.stella-ops.local/v1/evidence-packs",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/v1/runs",
"TranslatesTo": "http://orchestrator.stella-ops.local/v1/runs",
"TranslatesTo": "http://jobengine.stella-ops.local/v1/runs",
"PreserveAuthHeaders": true
},
{
@@ -303,17 +328,23 @@
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/cvss",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/policy/shadow",
"TranslatesTo": "http://policy-gateway.stella-ops.local/policy/shadow",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/policy",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/policy",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/risk",
"TranslatesTo": "http://policy-engine.stella-ops.local/api/risk",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
@@ -324,32 +355,32 @@
{
"Type": "ReverseProxy",
"Path": "/api/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/release-orchestrator",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/releases",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/releases",
"TranslatesTo": "http://jobengine.stella-ops.local/api/releases",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/approvals",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals",
"TranslatesTo": "http://jobengine.stella-ops.local/api/approvals",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/gate",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/gate",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/risk-budget",
"TranslatesTo": "http://policy-engine.stella-ops.local/api/risk-budget",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
@@ -383,8 +414,8 @@
},
{
"Type": "ReverseProxy",
"Path": "/api/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/orchestrator",
"Path": "/api/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -435,6 +466,36 @@
"TranslatesTo": "http://doctor.stella-ops.local/api/doctor",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/context",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/context",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/releases",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/releases",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/security",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/security",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/topology",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/topology",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/integrations",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/integrations",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api",
@@ -469,6 +530,12 @@
"TranslatesTo": "https://authority.stella-ops.local/jwks",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority",
@@ -563,8 +630,8 @@
},
{
"Type": "ReverseProxy",
"Path": "/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local"
"Path": "/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local"
},
{
"Type": "ReverseProxy",

8
devops/docker/Dockerfile.platform
View File

@@ -31,12 +31,12 @@ COPY src/Attestor/ ./src/Attestor/
COPY src/Concelier/ ./src/Concelier/
COPY src/Scanner/ ./src/Scanner/
COPY src/AirGap/ ./src/AirGap/
COPY src/Excititor/ ./src/Excititor/
# Excititor source absorbed into Concelier (Sprint 203) - no separate COPY needed
COPY src/Policy/ ./src/Policy/
COPY src/Scheduler/ ./src/Scheduler/
COPY src/Notify/ ./src/Notify/
COPY src/Zastava/ ./src/Zastava/
COPY src/Gateway/ ./src/Gateway/
COPY src/Router/ ./src/Router/
COPY src/Cli/ ./src/Cli/
# Copy shared libraries
@@ -65,7 +65,7 @@ RUN dotnet publish src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concel
RUN dotnet publish src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj \
--configuration Release --no-build --output /app/publish/scanner
RUN dotnet publish src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj \
RUN dotnet publish src/Concelier/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj \
--configuration Release --no-build --output /app/publish/excititor
RUN dotnet publish src/Policy/StellaOps.Policy.WebService/StellaOps.Policy.WebService.csproj \
@@ -80,7 +80,7 @@ RUN dotnet publish src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebSe
RUN dotnet publish src/Zastava/StellaOps.Zastava.WebService/StellaOps.Zastava.WebService.csproj \
--configuration Release --no-build --output /app/publish/zastava
RUN dotnet publish src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj \
RUN dotnet publish src/Router/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj \
--configuration Release --no-build --output /app/publish/gateway
RUN dotnet publish src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj \

44
devops/docker/services-matrix.env
View File

@@ -9,8 +9,8 @@ router-gateway|devops/docker/Dockerfile.hardened.template|src/Router/StellaOps.G
platform|devops/docker/Dockerfile.hardened.template|src/Platform/StellaOps.Platform.WebService/StellaOps.Platform.WebService.csproj|StellaOps.Platform.WebService|8080
# ── Slot 2: Authority ───────────────────────────────────────────────────────────
authority|devops/docker/Dockerfile.hardened.template|src/Authority/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj|StellaOps.Authority|8440
# ── Slot 3: Gateway ─────────────────────────────────────────────────────────────
gateway|devops/docker/Dockerfile.hardened.template|src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj|StellaOps.Gateway.WebService|8080
# ── Slot 3: Gateway (legacy alias -> Router Gateway) ───────────────────────────
gateway|devops/docker/Dockerfile.hardened.template|src/Router/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj|StellaOps.Gateway.WebService|8080
# ── Slot 4: Attestor ────────────────────────────────────────────────────────────
attestor|devops/docker/Dockerfile.hardened.template|src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj|StellaOps.Attestor.WebService|8442
# ── Slot 5: Attestor TileProxy ──────────────────────────────────────────────────
@@ -24,39 +24,39 @@ scanner-worker|devops/docker/Dockerfile.hardened.template|src/Scanner/StellaOps.
# ── Slot 9: Concelier ───────────────────────────────────────────────────────────
concelier|devops/docker/Dockerfile.hardened.template|src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj|StellaOps.Concelier.WebService|8080
# ── Slot 10: Excititor ──────────────────────────────────────────────────────────
excititor|devops/docker/Dockerfile.hardened.template|src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj|StellaOps.Excititor.WebService|8080
excititor-worker|devops/docker/Dockerfile.hardened.template|src/Excititor/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj|StellaOps.Excititor.Worker|8080
excititor|devops/docker/Dockerfile.hardened.template|src/Concelier/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj|StellaOps.Excititor.WebService|8080
excititor-worker|devops/docker/Dockerfile.hardened.template|src/Concelier/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj|StellaOps.Excititor.Worker|8080
# ── Slot 11: VexHub ─────────────────────────────────────────────────────────────
vexhub-web|devops/docker/Dockerfile.hardened.template|src/VexHub/StellaOps.VexHub.WebService/StellaOps.VexHub.WebService.csproj|StellaOps.VexHub.WebService|8080
# ── Slot 12: VexLens ────────────────────────────────────────────────────────────
vexlens-web|devops/docker/Dockerfile.hardened.template|src/VexLens/StellaOps.VexLens.WebService/StellaOps.VexLens.WebService.csproj|StellaOps.VexLens.WebService|8080
# ── Slot 13: VulnExplorer (api) ─────────────────────────────────────────────────
api|devops/docker/Dockerfile.hardened.template|src/VulnExplorer/StellaOps.VulnExplorer.Api/StellaOps.VulnExplorer.Api.csproj|StellaOps.VulnExplorer.Api|8080
api|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.VulnExplorer.Api/StellaOps.VulnExplorer.Api.csproj|StellaOps.VulnExplorer.Api|8080
# ── Slot 14: Policy Engine ──────────────────────────────────────────────────────
policy-engine|devops/docker/Dockerfile.hardened.template|src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj|StellaOps.Policy.Engine|8080
# ── Slot 15: Policy Gateway ─────────────────────────────────────────────────────
policy|devops/docker/Dockerfile.hardened.template|src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj|StellaOps.Policy.Gateway|8084
# ── Slot 16: RiskEngine ─────────────────────────────────────────────────────────
riskengine-web|devops/docker/Dockerfile.hardened.template|src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj|StellaOps.RiskEngine.WebService|8080
riskengine-worker|devops/docker/Dockerfile.hardened.template|src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj|StellaOps.RiskEngine.Worker|8080
riskengine-web|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj|StellaOps.RiskEngine.WebService|8080
riskengine-worker|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj|StellaOps.RiskEngine.Worker|8080
# ── Slot 17: Orchestrator ───────────────────────────────────────────────────────
orchestrator|devops/docker/Dockerfile.hardened.template|src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj|StellaOps.Orchestrator.WebService|8080
orchestrator-worker|devops/docker/Dockerfile.hardened.template|src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj|StellaOps.Orchestrator.Worker|8080
orchestrator|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService/StellaOps.JobEngine.WebService.csproj|StellaOps.JobEngine.WebService|8080
orchestrator-worker|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Worker/StellaOps.JobEngine.Worker.csproj|StellaOps.JobEngine.Worker|8080
# ── Slot 18: TaskRunner ─────────────────────────────────────────────────────────
taskrunner-web|devops/docker/Dockerfile.hardened.template|src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj|StellaOps.TaskRunner.WebService|8080
taskrunner-worker|devops/docker/Dockerfile.hardened.template|src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj|StellaOps.TaskRunner.Worker|8080
taskrunner-web|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj|StellaOps.TaskRunner.WebService|8080
taskrunner-worker|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj|StellaOps.TaskRunner.Worker|8080
# ── Slot 19: Scheduler ──────────────────────────────────────────────────────────
scheduler-web|devops/docker/Dockerfile.hardened.template|src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj|StellaOps.Scheduler.WebService|8080
scheduler-worker|devops/docker/Dockerfile.hardened.template|src/Scheduler/StellaOps.Scheduler.Worker.Host/StellaOps.Scheduler.Worker.Host.csproj|StellaOps.Scheduler.Worker.Host|8080
scheduler-web|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj|StellaOps.Scheduler.WebService|8080
scheduler-worker|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.Scheduler.Worker.Host/StellaOps.Scheduler.Worker.Host.csproj|StellaOps.Scheduler.Worker.Host|8080
# ── Slot 20: Graph ──────────────────────────────────────────────────────────────
graph-api|devops/docker/Dockerfile.hardened.template|src/Graph/StellaOps.Graph.Api/StellaOps.Graph.Api.csproj|StellaOps.Graph.Api|8080
# ── Slot 21: Cartographer ───────────────────────────────────────────────────────
cartographer|devops/docker/Dockerfile.hardened.template|src/Cartographer/StellaOps.Cartographer/StellaOps.Cartographer.csproj|StellaOps.Cartographer|8080
cartographer|devops/docker/Dockerfile.hardened.template|src/Scanner/StellaOps.Scanner.Cartographer/StellaOps.Scanner.Cartographer.csproj|StellaOps.Scanner.Cartographer|8080
# ── Slot 22: ReachGraph ─────────────────────────────────────────────────────────
reachgraph-web|devops/docker/Dockerfile.hardened.template|src/ReachGraph/StellaOps.ReachGraph.WebService/StellaOps.ReachGraph.WebService.csproj|StellaOps.ReachGraph.WebService|8080
# ── Slot 23: Timeline Indexer ───────────────────────────────────────────────────
timeline-indexer-web|devops/docker/Dockerfile.hardened.template|src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj|StellaOps.TimelineIndexer.WebService|8080
timeline-indexer-worker|devops/docker/Dockerfile.hardened.template|src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj|StellaOps.TimelineIndexer.Worker|8080
timeline-indexer-web|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj|StellaOps.TimelineIndexer.WebService|8080
timeline-indexer-worker|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj|StellaOps.TimelineIndexer.Worker|8080
# ── Slot 24: Timeline ───────────────────────────────────────────────────────────
timeline-web|devops/docker/Dockerfile.hardened.template|src/Timeline/StellaOps.Timeline.WebService/StellaOps.Timeline.WebService.csproj|StellaOps.Timeline.WebService|8080
# ── Slot 25: Findings Ledger ────────────────────────────────────────────────────
@@ -65,14 +65,14 @@ findings-ledger-web|devops/docker/Dockerfile.hardened.template|src/Findings/Stel
doctor-web|devops/docker/Dockerfile.hardened.template|src/Doctor/StellaOps.Doctor.WebService/StellaOps.Doctor.WebService.csproj|StellaOps.Doctor.WebService|8080
doctor-scheduler|devops/docker/Dockerfile.hardened.template|src/Doctor/StellaOps.Doctor.Scheduler/StellaOps.Doctor.Scheduler.csproj|StellaOps.Doctor.Scheduler|8080
# ── Slot 27: OpsMemory ──────────────────────────────────────────────────────────
opsmemory-web|devops/docker/Dockerfile.hardened.template|src/OpsMemory/StellaOps.OpsMemory.WebService/StellaOps.OpsMemory.WebService.csproj|StellaOps.OpsMemory.WebService|8080
opsmemory-web|devops/docker/Dockerfile.hardened.template|src/AdvisoryAI/StellaOps.OpsMemory.WebService/StellaOps.OpsMemory.WebService.csproj|StellaOps.OpsMemory.WebService|8080
# ── Slot 28: Notifier ───────────────────────────────────────────────────────────
notifier-web|devops/docker/Dockerfile.hardened.template|src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj|StellaOps.Notifier.WebService|8080
notifier-worker|devops/docker/Dockerfile.hardened.template|src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj|StellaOps.Notifier.Worker|8080
# ── Slot 29: Notify ─────────────────────────────────────────────────────────────
notify-web|devops/docker/Dockerfile.hardened.template|src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj|StellaOps.Notify.WebService|8080
# ── Slot 30: Signer ─────────────────────────────────────────────────────────────
signer|devops/docker/Dockerfile.hardened.template|src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj|StellaOps.Signer.WebService|8441
signer|devops/docker/Dockerfile.hardened.template|src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj|StellaOps.Signer.WebService|8441
# ── Slot 31: SmRemote ───────────────────────────────────────────────────────────
smremote|devops/docker/Dockerfile.hardened.template|src/SmRemote/StellaOps.SmRemote.Service/StellaOps.SmRemote.Service.csproj|StellaOps.SmRemote.Service|8080
# ── Slot 32: AirGap Controller ──────────────────────────────────────────────────
@@ -80,16 +80,16 @@ airgap-controller|devops/docker/Dockerfile.hardened.template|src/AirGap/StellaOp
# ── Slot 33: AirGap Time ────────────────────────────────────────────────────────
airgap-time|devops/docker/Dockerfile.hardened.template|src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj|StellaOps.AirGap.Time|8080
# ── Slot 34: PacksRegistry ──────────────────────────────────────────────────────
packsregistry-web|devops/docker/Dockerfile.hardened.template|src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj|StellaOps.PacksRegistry.WebService|8080
packsregistry-worker|devops/docker/Dockerfile.hardened.template|src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj|StellaOps.PacksRegistry.Worker|8080
packsregistry-web|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj|StellaOps.PacksRegistry.WebService|8080
packsregistry-worker|devops/docker/Dockerfile.hardened.template|src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj|StellaOps.PacksRegistry.Worker|8080
# ── Slot 35: Registry Token ─────────────────────────────────────────────────────
registry-token|devops/docker/Dockerfile.hardened.template|src/Registry/StellaOps.Registry.TokenService/StellaOps.Registry.TokenService.csproj|StellaOps.Registry.TokenService|8080
# ── Slot 36: BinaryIndex ────────────────────────────────────────────────────────
binaryindex-web|devops/docker/Dockerfile.hardened.template|src/BinaryIndex/StellaOps.BinaryIndex.WebService/StellaOps.BinaryIndex.WebService.csproj|StellaOps.BinaryIndex.WebService|8080
# ── Slot 37: IssuerDirectory ────────────────────────────────────────────────────
issuer-directory-web|devops/docker/Dockerfile.hardened.template|src/IssuerDirectory/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.WebService/StellaOps.IssuerDirectory.WebService.csproj|StellaOps.IssuerDirectory.WebService|8080
issuer-directory-web|devops/docker/Dockerfile.hardened.template|src/Authority/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.WebService/StellaOps.IssuerDirectory.WebService.csproj|StellaOps.IssuerDirectory.WebService|8080
# ── Slot 38: Symbols ────────────────────────────────────────────────────────────
symbols|devops/docker/Dockerfile.hardened.template|src/Symbols/StellaOps.Symbols.Server/StellaOps.Symbols.Server.csproj|StellaOps.Symbols.Server|8080
symbols|devops/docker/Dockerfile.hardened.template|src/BinaryIndex/StellaOps.Symbols.Server/StellaOps.Symbols.Server.csproj|StellaOps.Symbols.Server|8080
# ── Slot 39: SbomService ────────────────────────────────────────────────────────
sbomservice|devops/docker/Dockerfile.hardened.template|src/SbomService/StellaOps.SbomService/StellaOps.SbomService.csproj|StellaOps.SbomService|8080
# ── Slot 40: ExportCenter ───────────────────────────────────────────────────────

12
devops/helm/stellaops/templates/orchestrator-mock.yaml → devops/helm/stellaops/templates/jobengine-mock.yaml
View File

@@ -2,21 +2,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: orchestrator-mock
name: jobengine-mock
annotations:
stellaops.dev/mock: "true"
spec:
replicas: 1
selector:
matchLabels:
app: orchestrator-mock
app: jobengine-mock
template:
metadata:
labels:
app: orchestrator-mock
app: jobengine-mock
spec:
containers:
- name: orchestrator
image: "{{ .Values.mock.orchestrator.image }}"
args: ["dotnet", "StellaOps.Orchestrator.WebService.dll"]
- name: jobengine
image: "{{ .Values.mock.jobengine.image }}"
args: ["dotnet", "StellaOps.JobEngine.WebService.dll"]
{{- end }}

74
devops/helm/stellaops/values-orchestrator.yaml → devops/helm/stellaops/values-jobengine.yaml
View File

@@ -1,19 +1,19 @@
# Orchestrator Service Helm Values Overlay
# JobEngine Service Helm Values Overlay
# Enables job scheduling, DAG planning, and worker coordination.
#
# Usage:
# helm upgrade stellaops ./stellaops -f values.yaml -f values-orchestrator.yaml
# helm upgrade stellaops ./stellaops -f values.yaml -f values-jobengine.yaml
global:
labels:
stellaops.io/component: orchestrator
stellaops.io/component: jobengine
# Orchestrator-specific ConfigMaps
# JobEngine-specific ConfigMaps
configMaps:
orchestrator-config:
jobengine-config:
data:
orchestrator.yaml: |
Orchestrator:
jobengine.yaml: |
JobEngine:
# Telemetry configuration
telemetry:
minimumLogLevel: Information
@@ -27,16 +27,16 @@ configMaps:
requireHttpsMetadata: true
audiences:
- stellaops-platform
readScope: orchestrator:read
writeScope: orchestrator:write
adminScope: orchestrator:admin
readScope: jobengine:read
writeScope: jobengine:write
adminScope: jobengine:admin
# Tenant resolution
tenantHeader: X-StellaOps-Tenant
# PostgreSQL connection
# PostgreSQL connection (schema name "orchestrator" preserved for data continuity — Sprint 221)
storage:
connectionString: "Host=orchestrator-postgres;Database=stellaops_orchestrator;Username=orchestrator;Password=${POSTGRES_PASSWORD}"
connectionString: "Host=jobengine-postgres;Database=stellaops_jobengine;Username=jobengine;Password=${POSTGRES_PASSWORD}"
commandTimeoutSeconds: 60
enableSensitiveDataLogging: false
@@ -98,22 +98,22 @@ configMaps:
# Service definitions
services:
orchestrator-web:
image: registry.stella-ops.org/stellaops/orchestrator-web:2025.10.0-edge
jobengine-web:
image: registry.stella-ops.org/stellaops/jobengine-web:2025.10.0-edge
replicas: 2
service:
port: 8080
configMounts:
- name: orchestrator-config
configMap: orchestrator-config
mountPath: /app/etc/orchestrator.yaml
subPath: orchestrator.yaml
- name: jobengine-config
configMap: jobengine-config
mountPath: /app/etc/jobengine.yaml
subPath: jobengine.yaml
envFrom:
- secretRef:
name: orchestrator-secrets
name: jobengine-secrets
env:
ASPNETCORE_ENVIRONMENT: Production
ORCHESTRATOR__CONFIG: /app/etc/orchestrator.yaml
JOBENGINE__CONFIG: /app/etc/jobengine.yaml
ports:
- containerPort: 8080
resources:
@@ -148,20 +148,20 @@ services:
timeoutSeconds: 3
failureThreshold: 30
orchestrator-worker:
image: registry.stella-ops.org/stellaops/orchestrator-worker:2025.10.0-edge
jobengine-worker:
image: registry.stella-ops.org/stellaops/jobengine-worker:2025.10.0-edge
replicas: 1
configMounts:
- name: orchestrator-config
configMap: orchestrator-config
mountPath: /app/etc/orchestrator.yaml
subPath: orchestrator.yaml
- name: jobengine-config
configMap: jobengine-config
mountPath: /app/etc/jobengine.yaml
subPath: jobengine.yaml
envFrom:
- secretRef:
name: orchestrator-secrets
name: jobengine-secrets
env:
DOTNET_ENVIRONMENT: Production
ORCHESTRATOR__CONFIG: /app/etc/orchestrator.yaml
JOBENGINE__CONFIG: /app/etc/jobengine.yaml
resources:
requests:
memory: "128Mi"
@@ -170,31 +170,31 @@ services:
memory: "512Mi"
cpu: "500m"
orchestrator-postgres:
jobengine-postgres:
class: infrastructure
image: docker.io/library/postgres:16-alpine
service:
port: 5432
envFrom:
- secretRef:
name: orchestrator-postgres-secrets
name: jobengine-postgres-secrets
env:
POSTGRES_DB: stellaops_orchestrator
POSTGRES_USER: orchestrator
POSTGRES_DB: stellaops_jobengine
POSTGRES_USER: jobengine
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
volumeClaims:
- name: postgres-data
claimName: orchestrator-postgres-data
claimName: jobengine-postgres-data
readinessProbe:
exec:
command:
- pg_isready
- -U
- orchestrator
- jobengine
- -d
- stellaops_orchestrator
- stellaops_jobengine
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
@@ -202,8 +202,8 @@ services:
command:
- pg_isready
- -U
- orchestrator
- jobengine
- -d
- stellaops_orchestrator
- stellaops_jobengine
initialDelaySeconds: 15
periodSeconds: 30

4
devops/helm/stellaops/values-mock.yaml
View File

@@ -1,7 +1,7 @@
mock:
enabled: true
orchestrator:
image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
jobengine:
image: registry.stella-ops.org/stellaops/jobengine@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
policyRegistry:
image: registry.stella-ops.org/stellaops/policy-registry@sha256:c6cad8055e9827ebcbebb6ad4d6866dce4b83a0a49b0a8a6500b736a5cb26fa7
packsRegistry:

4
devops/helm/stellaops/values.yaml
View File

@@ -263,8 +263,8 @@ services:
mock:
enabled: false
orchestrator:
image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
jobengine:
image: registry.stella-ops.org/stellaops/jobengine@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
policyRegistry:
image: registry.stella-ops.org/stellaops/policy-registry@sha256:c6cad8055e9827ebcbebb6ad4d6866dce4b83a0a49b0a8a6500b736a5cb26fa7
packsRegistry:

4
devops/releases/2025.09-mock-dev.yaml
View File

@@ -24,8 +24,8 @@ release:
image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.09.2
- name: web-ui
image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
- name: orchestrator
image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
- name: jobengine
image: registry.stella-ops.org/stellaops/jobengine@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
- name: policy-registry
image: registry.stella-ops.org/stellaops/policy-registry@sha256:c6cad8055e9827ebcbebb6ad4d6866dce4b83a0a49b0a8a6500b736a5cb26fa7
- name: vex-lens

2
devops/releases/service-versions.json
View File

@@ -94,7 +94,7 @@
"sbomDigest": null,
"signatureDigest": null
},
"orchestrator": {
"jobengine": {
"name": "Orchestrator",
"version": "1.0.0",
"dockerTag": null,

2
devops/scripts/lib/ci-common.sh
View File

@@ -299,7 +299,7 @@ declare -A MODULE_PATHS=(
["Findings"]="src/Findings"
["SbomService"]="src/SbomService"
["Notify"]="src/Notify src/Notifier"
["Router"]="src/Router src/Gateway"
["Router"]="src/Router"
["Cryptography"]="src/Cryptography"
["AirGap"]="src/AirGap"
["Cli"]="src/Cli"

4
devops/telemetry/dashboards/stella-ops-performance.json
View File

@@ -57,7 +57,7 @@
"pluginVersion": "9.0.0",
"targets": [
{
"expr": "avg(stella_cpu_usage_ratio{component=\"orchestrator\"})",
"expr": "avg(stella_cpu_usage_ratio{component=\"jobengine\"})",
"legendFormat": "",
"refId": "A"
}
@@ -94,7 +94,7 @@
"pluginVersion": "9.0.0",
"targets": [
{
"expr": "avg(stella_memory_usage_ratio{component=\"orchestrator\"})",
"expr": "avg(stella_memory_usage_ratio{component=\"jobengine\"})",
"legendFormat": "",
"refId": "A"
}