Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

deploy/helm/stellaops/files/otel-collector-config.yaml

@@ -0,0 +1,64 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+        tls:
+          cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+          key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+          client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+          require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+      http:
+        endpoint: 0.0.0.0:4318
+        tls:
+          cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+          key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+          client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+          require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
+
+processors:
+  attributes/tenant-tag:
+    actions:
+      - key: tenant.id
+        action: insert
+        value: ${STELLAOPS_TENANT_ID:unknown}
+  batch:
+    send_batch_size: 1024
+    timeout: 5s
+
+exporters:
+  logging:
+    verbosity: normal
+  prometheus:
+    endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
+    enable_open_metrics: true
+    metric_expiration: 5m
+    tls:
+      cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
+      key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
+      client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
+
+extensions:
+  health_check:
+    endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
+  pprof:
+    endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:0.0.0.0:1777}
+
+service:
+  telemetry:
+    logs:
+      level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
+  extensions: [health_check, pprof]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [attributes/tenant-tag, batch]
+      exporters: [logging]
+    metrics:
+      receivers: [otlp]
+      processors: [attributes/tenant-tag, batch]
+      exporters: [logging, prometheus]
+    logs:
+      receivers: [otlp]
+      processors: [attributes/tenant-tag, batch]
+      exporters: [logging]

deploy/helm/stellaops/templates/_helpers.tpl

@@ -1,6 +1,18 @@
 {{- define "stellaops.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- end -}}
+
+{{- define "stellaops.telemetryCollector.config" -}}
+{{- if .Values.telemetry.collector.config }}
+{{ tpl .Values.telemetry.collector.config . }}
+{{- else }}
+{{ tpl (.Files.Get "files/otel-collector-config.yaml") . }}
+{{- end }}
+{{- end -}}
+
+{{- define "stellaops.telemetryCollector.fullname" -}}
+{{- printf "%s-otel-collector" (include "stellaops.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{- define "stellaops.fullname" -}}
 {{- $name := default .root.Chart.Name .root.Values.fullnameOverride -}}

deploy/helm/stellaops/templates/otel-collector.yaml

@@ -0,0 +1,121 @@
+{{- if .Values.telemetry.collector.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "stellaops.telemetryCollector.fullname" . }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+data:
+  config.yaml: |
+{{ include "stellaops.telemetryCollector.config" . | indent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stellaops.telemetryCollector.fullname" . }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+spec:
+  replicas: {{ .Values.telemetry.collector.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+      app.kubernetes.io/component: "otel-collector"
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+        app.kubernetes.io/component: "otel-collector"
+        stellaops.profile: {{ .Values.global.profile | quote }}
+    spec:
+      containers:
+        - name: otel-collector
+          image: {{ .Values.telemetry.collector.image | default "otel/opentelemetry-collector:0.105.0" | quote }}
+          args:
+            - "--config=/etc/otel/config.yaml"
+          ports:
+            - name: otlp-grpc
+              containerPort: 4317
+            - name: otlp-http
+              containerPort: 4318
+            - name: metrics
+              containerPort: 9464
+            - name: health
+              containerPort: 13133
+            - name: pprof
+              containerPort: 1777
+          env:
+            - name: STELLAOPS_OTEL_TLS_CERT
+              value: {{ .Values.telemetry.collector.tls.certPath | default "/etc/otel/tls/tls.crt" | quote }}
+            - name: STELLAOPS_OTEL_TLS_KEY
+              value: {{ .Values.telemetry.collector.tls.keyPath | default "/etc/otel/tls/tls.key" | quote }}
+            - name: STELLAOPS_OTEL_TLS_CA
+              value: {{ .Values.telemetry.collector.tls.caPath | default "/etc/otel/tls/ca.crt" | quote }}
+            - name: STELLAOPS_OTEL_PROMETHEUS_ENDPOINT
+              value: {{ .Values.telemetry.collector.prometheusEndpoint | default "0.0.0.0:9464" | quote }}
+            - name: STELLAOPS_OTEL_REQUIRE_CLIENT_CERT
+              value: {{ .Values.telemetry.collector.requireClientCert | default true | quote }}
+            - name: STELLAOPS_TENANT_ID
+              value: {{ .Values.telemetry.collector.defaultTenant | default "unknown" | quote }}
+            - name: STELLAOPS_OTEL_LOG_LEVEL
+              value: {{ .Values.telemetry.collector.logLevel | default "info" | quote }}
+          volumeMounts:
+            - name: config
+              mountPath: /etc/otel/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: tls
+              mountPath: /etc/otel/tls
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              port: health
+              path: /healthz
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              port: health
+              path: /healthz
+            initialDelaySeconds: 5
+            periodSeconds: 15
+{{- with .Values.telemetry.collector.resources }}
+          resources:
+{{ toYaml . | indent 12 }}
+{{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "stellaops.telemetryCollector.fullname" . }}
+        - name: tls
+          secret:
+            secretName: {{ .Values.telemetry.collector.tls.secretName | required "telemetry.collector.tls.secretName is required" }}
+{{- if .Values.telemetry.collector.tls.items }}
+            items:
+{{ toYaml .Values.telemetry.collector.tls.items | indent 14 }}
+{{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "stellaops.telemetryCollector.fullname" . }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" . "name" "otel-collector" "svc" (dict "class" "telemetry")) | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: {{ include "stellaops.name" . | quote }}
+    app.kubernetes.io/component: "otel-collector"
+  ports:
+    - name: otlp-grpc
+      port: {{ .Values.telemetry.collector.service.grpcPort | default 4317 }}
+      targetPort: otlp-grpc
+    - name: otlp-http
+      port: {{ .Values.telemetry.collector.service.httpPort | default 4318 }}
+      targetPort: otlp-http
+    - name: metrics
+      port: {{ .Values.telemetry.collector.service.metricsPort | default 9464 }}
+      targetPort: metrics
+{{- end }}

deploy/helm/stellaops/values-dev.yaml

@@ -1,15 +1,22 @@
-global:
-  profile: dev
-  release:
-    version: "2025.10.0-edge"
-    channel: edge
-    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
-  image:
-    pullPolicy: IfNotPresent
-  labels:
-    stellaops.io/channel: edge
-
-configMaps:
+global:
+  profile: dev
+  release:
+    version: "2025.10.0-edge"
+    channel: edge
+    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: edge
+
+telemetry:
+  collector:
+    enabled: true
+    defaultTenant: dev
+    tls:
+      secretName: stellaops-otel-tls
+
+configMaps:
   notify-config:
     data:
       notify.yaml: |

deploy/helm/stellaops/values-prod.yaml

@@ -0,0 +1,221 @@
+global:
+  profile: prod
+  release:
+    version: "2025.09.2"
+    channel: stable
+    manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: stable
+    stellaops.io/profile: prod
+
+configMaps:
+  notify-config:
+    data:
+      notify.yaml: |
+        storage:
+          driver: mongo
+          connectionString: "mongodb://stellaops-mongo:27017"
+          database: "stellaops_notify_prod"
+          commandTimeoutSeconds: 45
+
+        authority:
+          enabled: true
+          issuer: "https://authority.prod.stella-ops.org"
+          metadataAddress: "https://authority.prod.stella-ops.org/.well-known/openid-configuration"
+          requireHttpsMetadata: true
+          allowAnonymousFallback: false
+          backchannelTimeoutSeconds: 30
+          tokenClockSkewSeconds: 60
+          audiences:
+            - notify
+          readScope: notify.read
+          adminScope: notify.admin
+
+        api:
+          basePath: "/api/v1/notify"
+          internalBasePath: "/internal/notify"
+          tenantHeader: "X-StellaOps-Tenant"
+
+        plugins:
+          baseDirectory: "/opt/stellaops"
+          directory: "plugins/notify"
+          searchPatterns:
+            - "StellaOps.Notify.Connectors.*.dll"
+          orderedPlugins:
+            - StellaOps.Notify.Connectors.Slack
+            - StellaOps.Notify.Connectors.Teams
+            - StellaOps.Notify.Connectors.Email
+            - StellaOps.Notify.Connectors.Webhook
+
+        telemetry:
+          enableRequestLogging: true
+          minimumLogLevel: Information
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://authority.prod.stella-ops.org"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.prod.stella-ops.org/introspect"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    service:
+      port: 8444
+    env:
+      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "true"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    replicas: 3
+    env:
+      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
+      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
+      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
+      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+      SCANNER__EVENTS__ENABLED: "true"
+      SCANNER__EVENTS__DRIVER: "redis"
+      SCANNER__EVENTS__DSN: ""
+      SCANNER__EVENTS__STREAM: "stella.events"
+      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
+      SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  notify-web:
+    image: registry.stella-ops.org/stellaops/notify-web:2025.09.2
+    service:
+      port: 8446
+    env:
+      DOTNET_ENVIRONMENT: Production
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-notify
+    configMounts:
+      - name: notify-config
+        mountPath: /app/etc/notify.yaml
+        subPath: notify.yaml
+        configMap: notify-config
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-core
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-mongo
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    envFrom:
+      - secretRef:
+          name: stellaops-prod-minio
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  rustfs:
+    class: infrastructure
+    image: registry.stella-ops.org/stellaops/rustfs:2025.10.0-edge
+    service:
+      port: 8080
+    command:
+      - serve
+      - --listen
+      - 0.0.0.0:8080
+      - --root
+      - /data
+    env:
+      RUSTFS__LOG__LEVEL: info
+      RUSTFS__STORAGE__PATH: /data
+    volumeMounts:
+      - name: rustfs-data
+        mountPath: /data
+    volumeClaims:
+      - name: rustfs-data
+        claimName: stellaops-rustfs-data

deploy/helm/stellaops/values-stage.yaml

@@ -1,13 +1,20 @@
-global:
-  profile: stage
-  release:
-    version: "2025.09.2"
+global:
+  profile: stage
+  release:
+    version: "2025.09.2"
     channel: stable
     manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
   image:
     pullPolicy: IfNotPresent
-  labels:
-    stellaops.io/channel: stable
+  labels:
+    stellaops.io/channel: stable
+
+telemetry:
+  collector:
+    enabled: true
+    defaultTenant: stage
+    tls:
+      secretName: stellaops-otel-tls-stage
 
 configMaps:
   notify-config:

deploy/helm/stellaops/values.yaml

@@ -1,10 +1,37 @@
-global:
-  release:
-    version: ""
-    channel: ""
-    manifestSha256: ""
-  profile: ""
-  image:
-    pullPolicy: IfNotPresent
-  labels: {}
-services: {}
+global:
+  release:
+    version: ""
+    channel: ""
+    manifestSha256: ""
+  profile: ""
+  image:
+    pullPolicy: IfNotPresent
+  labels: {}
+
+telemetry:
+  collector:
+    enabled: false
+    replicas: 1
+    image: otel/opentelemetry-collector:0.105.0
+    requireClientCert: true
+    defaultTenant: unknown
+    logLevel: info
+    tls:
+      secretName: ""
+      certPath: /etc/otel/tls/tls.crt
+      keyPath: /etc/otel/tls/tls.key
+      caPath: /etc/otel/tls/ca.crt
+      items:
+        - key: tls.crt
+          path: tls.crt
+        - key: tls.key
+          path: tls.key
+        - key: ca.crt
+          path: ca.crt
+    service:
+      grpcPort: 4317
+      httpPort: 4318
+      metricsPort: 9464
+    resources: {}
+
+services: {}