consolidation of some of the modules, localization fixes, product advisories work, qa work

2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions


@@ -151,6 +151,15 @@ SM_REMOTE_HSM_URL=
SM_REMOTE_HSM_API_KEY=
SM_REMOTE_HSM_TIMEOUT=30000
# =============================================================================
# ROUTER IDENTITY ENVELOPE
# =============================================================================
# HMAC-SHA256 shared signing key for gateway identity envelopes.
# Generate with: openssl rand -base64 32
# For production: use Docker secrets or vault injection.
STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=xPGV6S6dlS3JsLw3DuPRAEAXqJ9JOsfWE/8oIiplGRk=
# =============================================================================
# NETWORKING
# =============================================================================
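Review bot: A usable HMAC key is committed as the value of `STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY`, so every deployment that keeps this file as shipped shares one signing key that is readable in the repository history. The comment above it already points production at Docker secrets or vault injection, but nothing visible here enforces that. Leaving the value empty (`STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY=`), as the neighbouring `SM_REMOTE_HSM_API_KEY=` does, would make the safe path the default, provided the gateway and services refuse to start on an empty key (not visible in this diff, so worth confirming). The compose files in this commit feed this one variable to both the gateway (signer) and the services (verifiers), so the committed value should be rotated wherever it has already been used.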


@@ -61,6 +61,8 @@ x-router-microservice-defaults: &router-microservice-defaults
Router__Messaging__HeartbeatInterval: "10s"
Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
Router__Messaging__valkey__Database: "0"
# Identity envelope verification (signed by gateway, verified by services)
Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
# ---------------------------------------------------------------------------
# Common anchors for the 60-service stack
@@ -105,6 +107,7 @@ volumes:
advisory-ai-plans:
advisory-ai-outputs:
evidence-data:
taskrunner-artifacts-data:
services:
# ===========================================================================
@@ -299,6 +302,8 @@ services:
Gateway__Transports__Messaging__LeaseDuration: "5m"
Gateway__Transports__Messaging__BatchSize: "10"
Gateway__Transports__Messaging__HeartbeatInterval: "10s"
# Identity envelope signing (gateway -> microservice auth)
Gateway__Auth__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
# Audience validation disabled until authority includes aud in access tokens
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
@@ -337,11 +342,16 @@ services:
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
Platform__Authority__RequireHttpsMetadata: "false"
Platform__Authority__BypassNetworks__0: "172.19.0.0/16"
Logging__LogLevel__StellaOps.Auth: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authorization: "Debug"
Platform__Storage__Driver: "postgres"
Platform__Storage__PostgresConnectionString: *postgres-connection
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit"
Platform__EnvironmentSettings__AuthorizeEndpoint: "https://127.1.0.1/connect/authorize"
Platform__EnvironmentSettings__TokenEndpoint: "https://127.1.0.1/connect/token"
Platform__EnvironmentSettings__RedirectUri: "https://127.1.0.1/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://127.1.0.1/"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write"
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
@@ -357,7 +367,7 @@ services:
STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
STELLAOPS_ORCHESTRATOR_URL: "http://orchestrator.stella-ops.local"
STELLAOPS_JOBENGINE_URL: "http://jobengine.stella-ops.local"
STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
@@ -437,7 +447,11 @@ services:
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "password"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
<<: *router-microservice-defaults
Router__Enabled: "${AUTHORITY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "authority"
@@ -751,6 +765,14 @@ services:
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
CONCELIER_AUTHORITY__ENABLED: "true"
CONCELIER_AUTHORITY__ISSUER: "https://authority.stella-ops.local/"
CONCELIER_AUTHORITY__REQUIREHTTPSMETADATA: "false"
CONCELIER_AUTHORITY__METADATAADDRESS: "https://authority.stella-ops.local/.well-known/openid-configuration"
CONCELIER_AUTHORITY__BYPASSNETWORKS__0: "172.19.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__1: "172.20.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"
CONCELIER_AUTHORITY__AUDIENCES__0: "stellaops"
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
@@ -897,7 +919,7 @@ services:
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 13: VulnExplorer (api) -------------------------------------------
# --- Slot 13: VulnExplorer (api) [src/Findings/StellaOps.VulnExplorer.Api] ---
api:
image: stellaops/api:dev
container_name: stellaops-api
@@ -1015,7 +1037,7 @@ services:
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 16: RiskEngine ---------------------------------------------------
# --- Slot 16: RiskEngine [src/Findings/StellaOps.RiskEngine.*] ---------------
riskengine-web:
image: stellaops/riskengine-web:dev
container_name: stellaops-riskengine-web
@@ -1026,6 +1048,8 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
RISKENGINE__STORAGE__DRIVER: "postgres"
RISKENGINE__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
Router__Enabled: "${RISKENGINE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "riskengine"
volumes:
@@ -1062,9 +1086,9 @@ services:
labels: *release-labels
# --- Slot 17: Orchestrator -------------------------------------------------
orchestrator:
image: stellaops/orchestrator:dev
container_name: stellaops-orchestrator
jobengine:
image: stellaops/jobengine:dev
container_name: stellaops-jobengine
restart: unless-stopped
depends_on: *depends-infra
environment:
@@ -1072,25 +1096,35 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${ORCHESTRATOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "orchestrator"
Router__Messaging__ConsumerGroup: "jobengine"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.17:80:80"
networks:
stellaops:
aliases:
- orchestrator.stella-ops.local
- jobengine.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
orchestrator-worker:
image: stellaops/orchestrator-worker:dev
container_name: stellaops-orchestrator-worker
jobengine-worker:
image: stellaops/jobengine-worker:dev
container_name: stellaops-jobengine-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
@@ -1104,7 +1138,7 @@ services:
networks:
stellaops:
aliases:
- orchestrator-worker.stella-ops.local
- jobengine-worker.stella-ops.local
labels: *release-labels
# --- Slot 18: TaskRunner ---------------------------------------------------
@@ -1118,10 +1152,15 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
Router__Enabled: "${TASKRUNNER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "taskrunner"
volumes:
- *cert-volume
- taskrunner-artifacts-data:/app/artifacts
ports:
- "127.1.0.18:80:80"
networks:
@@ -1143,14 +1182,18 @@ services:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/artifacts"
# AirGap egress policy (disable for dev)
AirGap__Egress__Enabled: "false"
volumes:
- *cert-volume
- taskrunner-artifacts-data:/app/artifacts
tmpfs:
- /app/queue:mode=1777
- /app/state:mode=1777
- /app/artifacts:mode=1777
- /app/approvals:mode=1777
- /app/logs:mode=1777
networks:
@@ -1376,6 +1419,11 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "timeline"
volumes:
@@ -1489,7 +1537,7 @@ services:
- doctor-scheduler.stella-ops.local
labels: *release-labels
# --- Slot 27: OpsMemory ---------------------------------------------------
# --- Slot 27: OpsMemory (src/AdvisoryAI/StellaOps.OpsMemory.WebService) ---
opsmemory-web:
image: stellaops/opsmemory-web:dev
container_name: stellaops-opsmemory-web
@@ -1527,10 +1575,20 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "notifier"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.28:80:80"
networks:
@@ -1722,6 +1780,10 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/packs"
Router__Enabled: "${PACKSREGISTRY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "packsregistry"
volumes:
@@ -1990,6 +2052,10 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
REPLAY__STORAGE__DRIVER: "postgres"
REPLAY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
REPLAY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
REPLAY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/replay-snapshots"
Router__Enabled: "${REPLAY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "replay"
volumes:
@@ -2018,10 +2084,20 @@ services:
ConnectionStrings__IntegrationsDb: *postgres-connection
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${INTEGRATIONS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "integrations"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.42:80:80"
networks:
@@ -2087,10 +2163,20 @@ services:
<<: [*kestrel-cert, *router-microservice-defaults]
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${SIGNALS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "signals"
volumes:
- *cert-volume
- *ca-bundle
ports:
- "127.1.0.43:80:80"
networks:
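Review bot: The added `Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"` and `Authority__ResourceServer__BypassNetworks__4: "::/0"` in the jobengine environment match every source address. If the bypass list does what its name suggests, they switch off token checks for that service and make the narrower `172.19.0.0/16` and loopback entries beside them redundant. The same pair is added to the notifier, integrations and signals blocks, each next to `Authority__ResourceServer__Audiences__0: ""`, and `CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"` does the same for concelier. Publishing the ports on `127.1.0.x` limits exposure from outside the host, but not from other containers on the `stellaops` network or from anything proxied through the gateway. I would drop the catch-all entries and keep only the compose subnets; if they are a temporary workaround, say so in place with a comment such as `# DEV ONLY: bypasses authentication for all clients, remove before any shared deployment`, as the gateway block already does for its disabled audience validation.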


@@ -157,9 +157,9 @@ services:
# ---------------------------------------------------------------------------
# Orchestrator mock
# ---------------------------------------------------------------------------
orchestrator:
image: registry.stella-ops.org/stellaops/orchestrator@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
container_name: stellaops-orchestrator-mock
jobengine:
image: registry.stella-ops.org/stellaops/jobengine@sha256:97f12856ce870bafd3328bda86833bcccbf56d255941d804966b5557f6610119
container_name: stellaops-jobengine-mock
profiles: ["mock", "all"]
command: ["dotnet", "StellaOps.Orchestrator.WebService.dll"]
depends_on:
@@ -252,6 +252,8 @@ services:
environment:
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres-test;Port=5432;Database=stellaops_test;Username=stellaops_ci;Password=ci_test_password"
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/tmp/packs-seedfs"
networks:
- testing-net
labels: *testing-labels
@@ -270,6 +272,8 @@ services:
environment:
TASKRUNNER__STORAGE__DRIVER: "postgres"
TASKRUNNER__STORAGE__POSTGRES__CONNECTIONSTRING: "Host=postgres-test;Port=5432;Database=stellaops_test;Username=stellaops_ci;Password=ci_test_password"
TASKRUNNER__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
TASKRUNNER__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/tmp/taskrunner-seedfs"
networks:
- testing-net
labels: *testing-labels
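Review bot: The renamed mock service pulls `registry.stella-ops.org/stellaops/jobengine@sha256:…` with the same digest the old `stellaops/orchestrator` reference carried, and a digest only resolves in a repository that actually holds that manifest. Unless the image was also pushed under `stellaops/jobengine`, the `mock` and `all` profiles will fail at pull time, so it is worth confirming the digest exists under the new name before merging. The unchanged `command: ["dotnet", "StellaOps.Orchestrator.WebService.dll"]` and the `# Orchestrator mock` heading still use the old name. A one-line comment such as `# image renamed to jobengine; the entrypoint assembly keeps the Orchestrator name` would tell the next reader that this is intentional.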


@@ -1,12 +1,12 @@
{
"authority": {
"issuer": "https://stella-ops.local/",
"issuer": "https://authority.stella-ops.local/",
"clientId": "stella-ops-ui",
"authorizeEndpoint": "https://stella-ops.local/connect/authorize",
"tokenEndpoint": "https://stella-ops.local/connect/token",
"redirectUri": "https://stella-ops.local/auth/callback",
"postLogoutRedirectUri": "https://stella-ops.local/",
"scope": "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin",
"authorizeEndpoint": "https://127.1.0.1/connect/authorize",
"tokenEndpoint": "https://127.1.0.1/connect/token",
"redirectUri": "https://127.1.0.1/auth/callback",
"postLogoutRedirectUri": "https://127.1.0.1/",
"scope": "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write",
"audience": "stella-ops-api",
"dpopAlgorithms": [
"ES256"
@@ -14,50 +14,50 @@
"refreshLeewaySeconds": 60
},
"apiBaseUrls": {
"vulnexplorer": "https://stella-ops.local",
"replay": "https://stella-ops.local",
"notify": "https://stella-ops.local",
"notifier": "https://stella-ops.local",
"airgapController": "https://stella-ops.local",
"gateway": "https://stella-ops.local",
"doctor": "https://stella-ops.local",
"taskrunner": "https://stella-ops.local",
"timelineindexer": "https://stella-ops.local",
"timeline": "https://stella-ops.local",
"packsregistry": "https://stella-ops.local",
"findingsLedger": "https://stella-ops.local",
"policyGateway": "https://stella-ops.local",
"registryTokenservice": "https://stella-ops.local",
"graph": "https://stella-ops.local",
"issuerdirectory": "https://stella-ops.local",
"router": "https://stella-ops.local",
"integrations": "https://stella-ops.local",
"platform": "https://stella-ops.local",
"smremote": "https://stella-ops.local",
"signals": "https://stella-ops.local",
"vexlens": "https://stella-ops.local",
"scheduler": "https://stella-ops.local",
"concelier": "https://stella-ops.local",
"opsmemory": "https://stella-ops.local",
"binaryindex": "https://stella-ops.local",
"signer": "https://stella-ops.local",
"reachgraph": "https://stella-ops.local",
"authority": "https://stella-ops.local",
"unknowns": "https://stella-ops.local",
"scanner": "https://stella-ops.local",
"sbomservice": "https://stella-ops.local",
"symbols": "https://stella-ops.local",
"orchestrator": "https://stella-ops.local",
"policyEngine": "https://stella-ops.local",
"attestor": "https://stella-ops.local",
"vexhub": "https://stella-ops.local",
"riskengine": "https://stella-ops.local",
"airgapTime": "https://stella-ops.local",
"advisoryai": "https://stella-ops.local",
"excititor": "https://stella-ops.local",
"cartographer": "https://stella-ops.local",
"evidencelocker": "https://stella-ops.local",
"exportcenter": "https://stella-ops.local"
"vulnexplorer": "https://127.1.0.1",
"replay": "https://127.1.0.1",
"notify": "https://127.1.0.1",
"notifier": "https://127.1.0.1",
"airgapController": "https://127.1.0.1",
"gateway": "https://127.1.0.1",
"doctor": "https://127.1.0.1",
"taskrunner": "https://127.1.0.1",
"timelineindexer": "https://127.1.0.1",
"timeline": "https://127.1.0.1",
"packsregistry": "https://127.1.0.1",
"findingsLedger": "https://127.1.0.1",
"policyGateway": "https://127.1.0.1",
"registryTokenservice": "https://127.1.0.1",
"graph": "https://127.1.0.1",
"issuerdirectory": "https://127.1.0.1",
"router": "https://127.1.0.1",
"integrations": "https://127.1.0.1",
"platform": "https://127.1.0.1",
"smremote": "https://127.1.0.1",
"signals": "https://127.1.0.1",
"vexlens": "https://127.1.0.1",
"scheduler": "https://127.1.0.1",
"concelier": "https://127.1.0.1",
"opsmemory": "https://127.1.0.1",
"binaryindex": "https://127.1.0.1",
"signer": "https://127.1.0.1",
"reachgraph": "https://127.1.0.1",
"authority": "https://127.1.0.1",
"unknowns": "https://127.1.0.1",
"scanner": "https://127.1.0.1",
"sbomservice": "https://127.1.0.1",
"symbols": "https://127.1.0.1",
"jobengine": "https://127.1.0.1",
"policyEngine": "https://127.1.0.1",
"attestor": "https://127.1.0.1",
"vexhub": "https://127.1.0.1",
"riskengine": "https://127.1.0.1",
"airgapTime": "https://127.1.0.1",
"advisoryai": "https://127.1.0.1",
"excititor": "https://127.1.0.1",
"cartographer": "https://127.1.0.1",
"evidencelocker": "https://127.1.0.1",
"exportcenter": "https://127.1.0.1"
},
"setup": "complete"
}
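Review bot: After this change `issuer` is `https://authority.stella-ops.local/`, while `authorizeEndpoint`, `tokenEndpoint`, both redirect URIs and every `apiBaseUrls` entry use the literal address `https://127.1.0.1`, so the client is configured to trust one origin and talk to another. Clients that check the endpoints against the issuer or its discovery document may reject that. TLS to an IP literal also only verifies if the served certificate lists that address as a subject alternative name; neither is visible in this diff, so both are worth confirming. A loopback address further limits the UI to a browser running on the same host as the stack. The same values are set in the compose file's `Platform__EnvironmentSettings__*` keys, so if the hostname form is restored, for example `"authorizeEndpoint": "https://stella-ops.local/connect/authorize"`, both places need to change together.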



@@ -18,7 +18,7 @@
{
"Type": "Microservice",
"Path": "/api/v1/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/release-orchestrator",
"PreserveAuthHeaders": true
},
{
@@ -113,8 +113,8 @@
},
{
"Type": "Microservice",
"Path": "/api/v1/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/orchestrator",
"Path": "/api/v1/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -153,6 +153,72 @@
"TranslatesTo": "http://timelineindexer.stella-ops.local/api/v1/timeline",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/audit",
"TranslatesTo": "http://timeline.stella-ops.local/api/v1/audit",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/advisory-sources",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/notifier/delivery",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify/deliveries",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/release-control",
"TranslatesTo": "http://platform.stella-ops.local/api/v1/release-control",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/context",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/context",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/releases",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/releases",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/security",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/security",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/topology",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/topology",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v2/integrations",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/integrations",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/policy/shadow",
"TranslatesTo": "http://policy-gateway.stella-ops.local/policy/shadow",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/v1/advisory-ai/adapters",
@@ -252,7 +318,7 @@
{
"Type": "Microservice",
"Path": "/api/v1/workflows",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/workflows",
"PreserveAuthHeaders": true
},
{
@@ -270,7 +336,7 @@
{
"Type": "Microservice",
"Path": "/v1/runs",
"TranslatesTo": "http://orchestrator.stella-ops.local/v1/runs",
"TranslatesTo": "http://jobengine.stella-ops.local/v1/runs",
"PreserveAuthHeaders": true
},
{
@@ -324,19 +390,19 @@
{
"Type": "Microservice",
"Path": "/api/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/release-orchestrator",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/releases",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/releases",
"TranslatesTo": "http://jobengine.stella-ops.local/api/releases",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Path": "/api/approvals",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals",
"TranslatesTo": "http://jobengine.stella-ops.local/api/approvals",
"PreserveAuthHeaders": true
},
{
@@ -383,8 +449,8 @@
},
{
"Type": "Microservice",
"Path": "/api/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/orchestrator",
"Path": "/api/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -444,12 +510,14 @@
{
"Type": "ReverseProxy",
"Path": "/platform/envsettings.json",
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json"
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/platform",
"TranslatesTo": "http://platform.stella-ops.local/platform"
"TranslatesTo": "http://platform.stella-ops.local/platform",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
@@ -470,13 +538,13 @@
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/authority",
"TranslatesTo": "https://authority.stella-ops.local/authority",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
@@ -489,7 +557,8 @@
{
"Type": "ReverseProxy",
"Path": "/envsettings.json",
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json"
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
@@ -563,8 +632,8 @@
},
{
"Type": "Microservice",
"Path": "/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local"
"Path": "/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local"
},
{
"Type": "Microservice",
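Review bot: The new `/api/v1/advisory-sources` and `/policy/shadow` routes set `"PreserveAuthHeaders": true` here, while the same two routes added to the reverse-proxy fallback config (`router-gateway-local.reverseproxy.json`, going by its `_deprecated` text) set it to `false`. The caller's Authorization header would therefore reach concelier and policy-gateway in one routing mode and not in the other, and one of the two is presumably unintended. If those services are meant to rely on the gateway-signed identity envelope this commit introduces, `"PreserveAuthHeaders": false` is the tighter choice, since the upstreams are plain `http://`. Separately, `/api/v1/orchestrator`, `/api/orchestrator` and `/orchestrator` are renamed to their `jobengine` forms with no alias left behind, so any client still using the old paths will stop resolving. If that is intended, it deserves a line in the commit description.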


@@ -1,4 +1,5 @@
{
"_deprecated": "Legacy fallback config. The canonical default is router-gateway-local.json (Microservice routing via Valkey). Use ROUTER_GATEWAY_CONFIG=./router-gateway-local.reverseproxy.json only when debugging transport issues. Will be removed in a future release.",
"Gateway": {
"Auth": {
"DpopEnabled": false,
@@ -18,7 +19,7 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/release-orchestrator",
"PreserveAuthHeaders": true
},
{
@@ -39,16 +40,34 @@
"TranslatesTo": "http://notify.stella-ops.local/api/v1/notify",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/notifier/delivery",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify/deliveries",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/notifier",
"TranslatesTo": "http://notifier.stella-ops.local/api/v1/notifier",
"TranslatesTo": "http://notifier.stella-ops.local/api/v2/notify",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/concelier",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/concelier",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/advisory-sources",
"TranslatesTo": "http://concelier.stella-ops.local/api/v1/advisory-sources",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/release-control",
"TranslatesTo": "http://platform.stella-ops.local/api/v1/release-control",
"PreserveAuthHeaders": true
},
{
@@ -108,13 +127,13 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/signals",
"TranslatesTo": "http://signals.stella-ops.local/api/v1/signals",
"TranslatesTo": "http://signals.stella-ops.local/signals",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/orchestrator",
"Path": "/api/v1/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -153,6 +172,12 @@
"TranslatesTo": "http://timelineindexer.stella-ops.local/api/v1/timeline",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/audit",
"TranslatesTo": "http://timeline.stella-ops.local/api/v1/audit",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v1/advisory-ai/adapters",
@@ -223,7 +248,7 @@
"Type": "ReverseProxy",
"Path": "/api/v1/governance",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/v1/governance",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
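Review bot: The `/api/v1/governance` route now carries `"PreserveAuthHeaders": false`, so policy-gateway presumably no longer receives the caller's Authorization header, and nothing visible in this file shows what it authenticates the caller with instead. Later hunks make the same flip for `/api/policy`, `/api/risk`, `/api/gate` and `/api/risk-budget`, while `/api/cvss` on the same policy-gateway host keeps `true`, so one upstream would see two credential models. If a gateway-issued identity is meant to replace the bearer token, make the host consistent by setting `"PreserveAuthHeaders": false` on `/api/cvss` as well. Confirm too that each upstream rejects a request carrying neither a token nor a verified gateway identity, for example with a test expecting 401/403 on an unauthenticated call to `/api/gate`. Which of the two printed `PreserveAuthHeaders` lines is the new one is inferred from print order, because the +/- column is missing on this page.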
@@ -252,7 +277,7 @@
{
"Type": "ReverseProxy",
"Path": "/api/v1/workflows",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows",
"TranslatesTo": "http://jobengine.stella-ops.local/api/v1/workflows",
"PreserveAuthHeaders": true
},
{
@@ -264,13 +289,13 @@
{
"Type": "ReverseProxy",
"Path": "/v1/evidence-packs",
"TranslatesTo": "https://evidencelocker.stella-ops.local/v1/evidence-packs",
"TranslatesTo": "http://advisoryai.stella-ops.local/v1/evidence-packs",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/v1/runs",
"TranslatesTo": "http://orchestrator.stella-ops.local/v1/runs",
"TranslatesTo": "http://jobengine.stella-ops.local/v1/runs",
"PreserveAuthHeaders": true
},
{
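Review bot: The `/v1/evidence-packs` upstream changes from `https://evidencelocker.stella-ops.local` to `http://advisoryai.stella-ops.local` while `"PreserveAuthHeaders": true` stays, so the forwarded credentials and the evidence-pack payload appear to cross this hop in cleartext where they previously had TLS. If advisoryai exposes a TLS listener, keep the scheme: `"TranslatesTo": "https://advisoryai.stella-ops.local/v1/evidence-packs",`. If the downgrade is deliberate because the segment is treated as trusted, record that decision where the route table is documented so it is not read as an oversight. The old/new order of the two `TranslatesTo` lines is inferred from print order and the orchestrator-to-jobengine rename in neighbouring hunks, because the +/- column is missing here.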
@@ -303,17 +328,23 @@
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/cvss",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/policy/shadow",
"TranslatesTo": "http://policy-gateway.stella-ops.local/policy/shadow",
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/policy",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/policy",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/risk",
"TranslatesTo": "http://policy-engine.stella-ops.local/api/risk",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
@@ -324,32 +355,32 @@
{
"Type": "ReverseProxy",
"Path": "/api/release-orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/release-orchestrator",
"TranslatesTo": "http://jobengine.stella-ops.local/api/release-orchestrator",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/releases",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/releases",
"TranslatesTo": "http://jobengine.stella-ops.local/api/releases",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/approvals",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals",
"TranslatesTo": "http://jobengine.stella-ops.local/api/approvals",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/gate",
"TranslatesTo": "http://policy-gateway.stella-ops.local/api/gate",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
"Path": "/api/risk-budget",
"TranslatesTo": "http://policy-engine.stella-ops.local/api/risk-budget",
"PreserveAuthHeaders": true
"PreserveAuthHeaders": false
},
{
"Type": "ReverseProxy",
@@ -383,8 +414,8 @@
},
{
"Type": "ReverseProxy",
"Path": "/api/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local/api/orchestrator",
"Path": "/api/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local/api/jobengine",
"PreserveAuthHeaders": true
},
{
@@ -435,6 +466,36 @@
"TranslatesTo": "http://doctor.stella-ops.local/api/doctor",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/context",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/context",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/releases",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/releases",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/security",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/security",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/topology",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/topology",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api/v2/integrations",
"TranslatesTo": "http://platform.stella-ops.local/api/v2/integrations",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/api",
@@ -469,6 +530,12 @@
"TranslatesTo": "https://authority.stella-ops.local/jwks",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority/console",
"TranslatesTo": "https://authority.stella-ops.local/console",
"PreserveAuthHeaders": true
},
{
"Type": "ReverseProxy",
"Path": "/authority",
@@ -563,8 +630,8 @@
},
{
"Type": "ReverseProxy",
"Path": "/orchestrator",
"TranslatesTo": "http://orchestrator.stella-ops.local"
"Path": "/jobengine",
"TranslatesTo": "http://jobengine.stella-ops.local"
},
{
"Type": "ReverseProxy",