up

deploy/README.md

@@ -0,0 +1,19 @@
+# Deployment Profiles
+
+This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`.
+
+## Structure
+
+- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
+- `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
+- `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
+- `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
+
+## Workflow
+
+1. Update or add a release manifest under `releases/` with the new digests.
+2. Mirror the digests into the Compose and Helm profiles that correspond to that channel.
+3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
+4. Commit the change alongside any documentation updates (e.g. install guide cross-links).
+
+Maintaining the digest linkage keeps offline/air-gapped installs reproducible and avoids tag drift between environments.

deploy/compose/README.md

@@ -0,0 +1,30 @@
+# Stella Ops Compose Profiles
+
+These Compose bundles ship the minimum services required to exercise the scanner pipeline plus control-plane dependencies. Every profile is pinned to immutable image digests sourced from `deploy/releases/*.yaml` and is linted via `docker compose config` in CI.
+
+## Layout
+
+| Path | Purpose |
+| ---- | ------- |
+| `docker-compose.dev.yaml` | Edge/nightly stack tuned for laptops and iterative work. |
+| `docker-compose.stage.yaml` | Stable channel stack mirroring pre-production clusters. |
+| `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
+| `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
+
+## Usage
+
+```bash
+cp env/dev.env.example dev.env
+docker compose --env-file dev.env -f docker-compose.dev.yaml config
+docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
+```
+
+The stage and airgap variants behave the same way—swap the file names accordingly. All profiles expose 443/8443 for the UI and REST APIs, and they share a `stellaops` Docker network scoped to the compose project.
+
+### Updating to a new release
+
+1. Import the new manifest into `deploy/releases/` (see `deploy/README.md`).
+2. Update image digests in the relevant Compose file(s).
+3. Re-run `docker compose config` to confirm the bundle is deterministic.
+
+Keep digests synchronized between Compose, Helm, and the release manifest to preserve reproducibility guarantees. `deploy/tools/validate-profiles.sh` performs a quick audit.

deploy/compose/docker-compose.airgap.yaml

@@ -0,0 +1,190 @@
+version: "3.9"
+
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.09.2-airgap"
+  com.stellaops.release.channel: "airgap"
+  com.stellaops.profile: "airgap"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-29001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-24222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-9443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/docker-compose.dev.yaml

@@ -0,0 +1,188 @@
+version: "3.9"
+
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.10.0-edge"
+  com.stellaops.release.channel: "edge"
+  com.stellaops.profile: "dev"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-4222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-8443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/docker-compose.stage.yaml

@@ -0,0 +1,188 @@
+version: "3.9"
+
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.09.2"
+  com.stellaops.release.channel: "stable"
+  com.stellaops.profile: "stage"
+
+networks:
+  stellaops:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  nats-data:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD}"
+    volumes:
+      - minio-data:/data
+    ports:
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  nats:
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    command:
+      - "-js"
+      - "-sd"
+      - /data
+    restart: unless-stopped
+    ports:
+      - "${NATS_CLIENT_PORT:-4222}:4222"
+    volumes:
+      - nats-data:/data
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+    volumes:
+      - ../../etc/authority.yaml:/etc/authority.yaml:ro
+      - ../../etc/authority.plugins:/app/etc/authority.plugins:ro
+    ports:
+      - "${AUTHORITY_PORT:-8440}:8440"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    restart: unless-stopped
+    depends_on:
+      - authority
+    environment:
+      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
+      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${SIGNER_PORT:-8441}:8441"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    restart: unless-stopped
+    depends_on:
+      - signer
+    environment:
+      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    ports:
+      - "${ATTESTOR_PORT:-8442}:8442"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+    ports:
+      - "${CONCELIER_PORT:-8445}:8445"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - minio
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    ports:
+      - "${SCANNER_WEB_PORT:-8444}:8444"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+      - nats
+    environment:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER}"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD}"
+      SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    restart: unless-stopped
+    depends_on:
+      - concelier
+    environment:
+      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME}:${MONGO_INITDB_ROOT_PASSWORD}@mongo:27017"
+    networks:
+      - stellaops
+    labels: *release-labels
+
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    restart: unless-stopped
+    depends_on:
+      - scanner-web
+    environment:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
+    ports:
+      - "${UI_PORT:-8443}:8443"
+    networks:
+      - stellaops
+    labels: *release-labels

deploy/compose/env/airgap.env.example

@@ -0,0 +1,17 @@
+# Substitutions for docker-compose.airgap.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=airgap-password
+MINIO_ROOT_USER=stellaops-offline
+MINIO_ROOT_PASSWORD=airgap-minio-secret
+MINIO_CONSOLE_PORT=29001
+AUTHORITY_ISSUER=https://authority.airgap.local
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=9443
+NATS_CLIENT_PORT=24222
+SCANNER_QUEUE_BROKER=nats://nats:4222
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00

deploy/compose/env/dev.env.example

@@ -0,0 +1,16 @@
+# Substitutions for docker-compose.dev.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=dev-password
+MINIO_ROOT_USER=stellaops
+MINIO_ROOT_PASSWORD=dev-minio-secret
+MINIO_CONSOLE_PORT=9001
+AUTHORITY_ISSUER=https://authority.localtest.me
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222

deploy/compose/env/stage.env.example

@@ -0,0 +1,16 @@
+# Substitutions for docker-compose.stage.yaml
+MONGO_INITDB_ROOT_USERNAME=stellaops
+MONGO_INITDB_ROOT_PASSWORD=stage-password
+MINIO_ROOT_USER=stellaops-stage
+MINIO_ROOT_PASSWORD=stage-minio-secret
+MINIO_CONSOLE_PORT=19001
+AUTHORITY_ISSUER=https://authority.stage.stella-ops.internal
+AUTHORITY_PORT=8440
+SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
+SIGNER_PORT=8441
+ATTESTOR_PORT=8442
+CONCELIER_PORT=8445
+SCANNER_WEB_PORT=8444
+UI_PORT=8443
+NATS_CLIENT_PORT=4222
+SCANNER_QUEUE_BROKER=nats://nats:4222

deploy/helm/stellaops/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: stellaops
+description: Stella Ops core stack (authority, signing, scanner, UI) with infrastructure primitives.
+type: application
+version: 0.1.0
+appVersion: "2025.10.0"

deploy/helm/stellaops/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{- define "stellaops.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "stellaops.fullname" -}}
+{{- $name := default .root.Chart.Name .root.Values.fullnameOverride -}}
+{{- printf "%s-%s" $name .name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "stellaops.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stellaops.name" .root | quote }}
+app.kubernetes.io/instance: {{ .root.Release.Name | quote }}
+app.kubernetes.io/component: {{ .name | quote }}
+{{- if .svc.class }}
+app.kubernetes.io/part-of: {{ printf "stellaops-%s" .svc.class | quote }}
+{{- else }}
+app.kubernetes.io/part-of: "stellaops-core"
+{{- end }}
+{{- end -}}
+
+{{- define "stellaops.labels" -}}
+{{ include "stellaops.selectorLabels" . }}
+helm.sh/chart: {{ printf "%s-%s" .root.Chart.Name .root.Chart.Version | quote }}
+app.kubernetes.io/version: {{ .root.Values.global.release.version | quote }}
+app.kubernetes.io/managed-by: {{ .root.Release.Service | quote }}
+stellaops.release/channel: {{ .root.Values.global.release.channel | quote }}
+stellaops.profile: {{ .root.Values.global.profile | quote }}
+{{- range $k, $v := .root.Values.global.labels }}
+{{ $k }}: {{ $v | quote }}
+{{- end }}
+{{- end -}}

deploy/helm/stellaops/templates/configmap-release.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" . "name" "release") }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" . "name" "release" "svc" (dict "class" "meta")) | nindent 4 }}
+data:
+  version: {{ .Values.global.release.version | quote }}
+  channel: {{ .Values.global.release.channel | quote }}
+  manifestSha256: {{ default "" .Values.global.release.manifestSha256 | quote }}

deploy/helm/stellaops/templates/core.yaml

@@ -0,0 +1,125 @@
+{{- $root := . -}}
+{{- range $name, $svc := .Values.services }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+spec:
+  replicas: {{ default 1 $svc.replicas }}
+  selector:
+    matchLabels:
+      {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 8 }}
+      annotations:
+        stellaops.release/version: {{ $root.Values.global.release.version | quote }}
+        stellaops.release/channel: {{ $root.Values.global.release.channel | quote }}
+    spec:
+      containers:
+        - name: {{ $name }}
+          image: {{ $svc.image | quote }}
+          imagePullPolicy: {{ default $root.Values.global.image.pullPolicy $svc.imagePullPolicy }}
+{{- if $svc.command }}
+          command:
+{{- range $cmd := $svc.command }}
+            - {{ $cmd | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.args }}
+          args:
+{{- range $arg := $svc.args }}
+            - {{ $arg | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.env }}
+          env:
+{{- range $envName, $envValue := $svc.env }}
+            - name: {{ $envName }}
+              value: {{ $envValue | quote }}
+{{- end }}
+{{- end }}
+{{- if $svc.envFrom }}
+          envFrom:
+{{ toYaml $svc.envFrom | nindent 12 }}
+{{- end }}
+{{- if $svc.ports }}
+          ports:
+{{- range $port := $svc.ports }}
+            - name: {{ default (printf "%s-%v" $name $port.containerPort) $port.name | trunc 63 | trimSuffix "-" }}
+              containerPort: {{ $port.containerPort }}
+              protocol: {{ default "TCP" $port.protocol }}
+{{- end }}
+{{- else if $svc.service.port }}
+          ports:
+            - name: {{ printf "%s-http" $name | trunc 63 | trimSuffix "-" }}
+              containerPort: {{ $svc.service.targetPort | default $svc.service.port }}
+              protocol: TCP
+{{- end }}
+{{- if $svc.resources }}
+          resources:
+{{ toYaml $svc.resources | nindent 12 }}
+{{- end }}
+{{- if $svc.livenessProbe }}
+          livenessProbe:
+{{ toYaml $svc.livenessProbe | nindent 12 }}
+{{- end }}
+{{- if $svc.readinessProbe }}
+          readinessProbe:
+{{ toYaml $svc.readinessProbe | nindent 12 }}
+{{- end }}
+{{- if $svc.volumeMounts }}
+          volumeMounts:
+{{ toYaml $svc.volumeMounts | nindent 12 }}
+{{- end }}
+      {{- if or $svc.volumes $svc.volumeClaims }}
+      volumes:
+{{- if $svc.volumes }}
+{{ toYaml $svc.volumes | nindent 8 }}
+{{- end }}
+{{- if $svc.volumeClaims }}
+{{- range $claim := $svc.volumeClaims }}
+        - name: {{ $claim.name }}
+          persistentVolumeClaim:
+            claimName: {{ $claim.claimName }}
+{{- end }}
+{{- end }}
+      {{- end }}
+      {{- if $svc.serviceAccount }}
+      serviceAccountName: {{ $svc.serviceAccount | quote }}
+      {{- end }}
+      {{- if $svc.nodeSelector }}
+      nodeSelector:
+{{ toYaml $svc.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if $svc.affinity }}
+      affinity:
+{{ toYaml $svc.affinity | nindent 8 }}
+      {{- end }}
+      {{- if $svc.tolerations }}
+      tolerations:
+{{ toYaml $svc.tolerations | nindent 8 }}
+      {{- end }}
+---
+{{- if $svc.service }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "stellaops.fullname" (dict "root" $root "name" $name) }}
+  labels:
+    {{- include "stellaops.labels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+spec:
+  type: {{ default "ClusterIP" $svc.service.type }}
+  selector:
+    {{- include "stellaops.selectorLabels" (dict "root" $root "name" $name "svc" $svc) | nindent 4 }}
+  ports:
+    - name: {{ default "http" $svc.service.portName }}
+      port: {{ $svc.service.port }}
+      targetPort: {{ $svc.service.targetPort | default $svc.service.port }}
+      protocol: {{ default "TCP" $svc.service.protocol }}
+---
+{{- end }}
+{{- end }}

deploy/helm/stellaops/values-airgap.yaml

@@ -0,0 +1,133 @@
+global:
+  profile: airgap
+  release:
+    version: "2025.09.2-airgap"
+    channel: airgap
+    manifestSha256: "b787b833dddd73960c31338279daa0b0a0dce2ef32bd32ef1aaf953d66135f94"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: airgap
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "file:///offline/poe/introspect.json"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:45:00"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-airgap"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "airgap-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-airgap:stellaops-airgap@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+    service:
+      port: 9443
+      targetPort: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops-airgap
+      MONGO_INITDB_ROOT_PASSWORD: stellaops-airgap
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops-airgap
+      MINIO_ROOT_PASSWORD: airgap-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumeClaims:
+      - name: nats-data
+        claimName: stellaops-nats-data

deploy/helm/stellaops/values-dev.yaml

@@ -0,0 +1,131 @@
+global:
+  profile: dev
+  release:
+    version: "2025.10.0-edge"
+    channel: edge
+    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: edge
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.svc.local/introspect"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumes:
+      - name: concelier-jobs
+        emptyDir: {}
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "dev-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops:stellaops@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops
+      MONGO_INITDB_ROOT_PASSWORD: stellaops
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumes:
+      - name: mongo-data
+        emptyDir: {}
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops
+      MINIO_ROOT_PASSWORD: dev-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumes:
+      - name: minio-data
+        emptyDir: {}
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumes:
+      - name: nats-data
+        emptyDir: {}

deploy/helm/stellaops/values-stage.yaml

@@ -0,0 +1,132 @@
+global:
+  profile: stage
+  release:
+    version: "2025.09.2"
+    channel: stable
+    manifestSha256: "dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: stable
+services:
+  authority:
+    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    service:
+      port: 8440
+    env:
+      STELLAOPS_AUTHORITY__ISSUER: "https://stellaops-authority:8440"
+      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
+      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority.plugins"
+  signer:
+    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    service:
+      port: 8441
+    env:
+      SIGNER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+      SIGNER__POE__INTROSPECTURL: "https://licensing.stage.stella-ops.internal/introspect"
+      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  attestor:
+    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    service:
+      port: 8442
+    env:
+      ATTESTOR__SIGNER__BASEURL: "https://stellaops-signer:8441"
+      ATTESTOR__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    service:
+      port: 8445
+    env:
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      CONCELIER__AUTHORITY__BASEURL: "https://stellaops-authority:8440"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+    volumeClaims:
+      - name: concelier-jobs
+        claimName: stellaops-concelier-jobs
+  scanner-web:
+    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    service:
+      port: 8444
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  scanner-worker:
+    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    replicas: 2
+    env:
+      SCANNER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+      SCANNER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      SCANNER__STORAGE__S3__ACCESSKEYID: "stellaops-stage"
+      SCANNER__STORAGE__S3__SECRETACCESSKEY: "stage-minio-secret"
+      SCANNER__QUEUE__BROKER: "nats://stellaops-nats:4222"
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    env:
+      EXCITITOR__CONCELIER__BASEURL: "https://stellaops-concelier:8445"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops-stage:stellaops-stage@stellaops-mongo:27017"
+  web-ui:
+    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+    service:
+      port: 8443
+    env:
+      STELLAOPS_UI__BACKEND__BASEURL: "https://stellaops-scanner-web:8444"
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: stellaops-stage
+      MONGO_INITDB_ROOT_PASSWORD: stellaops-stage
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: stellaops-mongo-data
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: stellaops-stage
+      MINIO_ROOT_PASSWORD: stage-minio-secret
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: stellaops-minio-data
+  nats:
+    class: infrastructure
+    image: docker.io/library/nats@sha256:c82559e4476289481a8a5196e675ebfe67eea81d95e5161e3e78eccfe766608e
+    service:
+      port: 4222
+    command:
+      - -js
+      - -sd
+      - /data
+    volumeMounts:
+      - name: nats-data
+        mountPath: /data
+    volumeClaims:
+      - name: nats-data
+        claimName: stellaops-nats-data

deploy/helm/stellaops/values.yaml

@@ -0,0 +1,10 @@
+global:
+  release:
+    version: ""
+    channel: ""
+    manifestSha256: ""
+  profile: ""
+  image:
+    pullPolicy: IfNotPresent
+  labels: {}
+services: {}

deploy/releases/2025.09-airgap.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.09.2-airgap"
+  channel: "airgap"
+  date: "2025-09-20T00:00:00Z"
+  calendar: "2025.09"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:ddbbd664a42846cea6b40fca6465bc679b30f72851158f300d01a8571c5478fc
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:1ff0a3124d66d3a2702d8e421df40fbd98cc75cb605d95510598ebbae1433c50
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:3df8ca21878126758203c1a0444e39fd97f77ddacf04a69685cda9f1e5e94718
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:eea5d6cfe7835950c5ec7a735a651f2f0d727d3e470cf9027a4a402ea89c4fb5
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:29e2e1a0972707e092cbd3d370701341f9fec2aa9316fb5d8100480f2a1c76b5
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:65c0ee13f773efe920d7181512349a09d363ab3f3e177d276136bd2742325a68
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:bee9668011ff414572131dc777faab4da24473fe12c230893f161cabee092a1d
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: b787b833dddd73960c31338279daa0b0a0dce2ef32bd32ef1aaf953d66135f94

deploy/releases/2025.09-stable.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.09.2"
+  channel: "stable"
+  date: "2025-09-20T00:00:00Z"
+  calendar: "2025.09"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: dc3c8fe1ab83941c838ccc5a8a5862f7ddfa38c2078e580b5649db26554565b7

deploy/releases/2025.10-edge.yaml

@@ -0,0 +1,29 @@
+release:
+  version: "2025.10.0-edge"
+  channel: "edge"
+  date: "2025-10-01T00:00:00Z"
+  calendar: "2025.10"
+  components:
+    - name: authority
+      image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
+    - name: signer
+      image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
+    - name: attestor
+      image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
+    - name: scanner-web
+      image: registry.stella-ops.org/stellaops/scanner-web@sha256:e0dfdb087e330585a5953029fb4757f5abdf7610820a085bd61b457dbead9a11
+    - name: scanner-worker
+      image: registry.stella-ops.org/stellaops/scanner-worker@sha256:92dda42f6f64b2d9522104a5c9ffb61d37b34dd193132b68457a259748008f37
+    - name: concelier
+      image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    - name: excititor
+      image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    - name: web-ui
+      image: registry.stella-ops.org/stellaops/web-ui@sha256:38b225fa7767a5b94ebae4dae8696044126aac429415e93de514d5dd95748dcf
+  infrastructure:
+    mongo:
+      image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    minio:
+      image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+  checksums:
+    releaseManifestSha256: 822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb

deploy/tools/validate-profiles.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+COMPOSE_DIR="$ROOT_DIR/compose"
+HELM_DIR="$ROOT_DIR/helm/stellaops"
+
+compose_profiles=(
+  "docker-compose.dev.yaml:env/dev.env.example"
+  "docker-compose.stage.yaml:env/stage.env.example"
+  "docker-compose.airgap.yaml:env/airgap.env.example"
+)
+
+if command -v docker >/dev/null 2>&1; then
+  for entry in "${compose_profiles[@]}"; do
+    IFS=":" read -r compose_file env_file <<<"$entry"
+    printf '→ validating %s with %s\n' "$compose_file" "$env_file"
+    docker compose \
+      --env-file "$COMPOSE_DIR/$env_file" \
+      -f "$COMPOSE_DIR/$compose_file" config >/dev/null
+  done
+else
+  echo "⚠️  docker CLI not found; skipping compose validation" >&2
+fi
+
+helm_values=(
+  "$HELM_DIR/values-dev.yaml"
+  "$HELM_DIR/values-stage.yaml"
+  "$HELM_DIR/values-airgap.yaml"
+)
+
+if command -v helm >/dev/null 2>&1; then
+  for values in "${helm_values[@]}"; do
+    printf '→ linting Helm chart with %s\n' "$(basename "$values")"
+    helm lint "$HELM_DIR" -f "$values"
+    helm template test-release "$HELM_DIR" -f "$values" >/dev/null
+  done
+else
+  echo "⚠️  helm CLI not found; skipping Helm lint/template" >&2
+fi
+
+printf 'Profiles validated (where tooling was available).\n'