Refactor code structure and optimize performance across multiple modules

StellaOps Bot
2025-12-26 20:03:22 +02:00
parent c786faae84
commit b4fc66feb6
3353 changed files with 88254 additions and 1590657 deletions

etc/README.md Normal file

@@ -0,0 +1,83 @@
# StellaOps Configuration (`etc/`)
This directory contains all configuration for StellaOps services. It is the **single source of truth** for deployment configuration.
## Directory Structure
```
etc/
├── authority/ # Authentication & authorization service
├── certificates/ # Trust anchors and signing keys
├── concelier/ # Advisory ingestion service
├── crypto/ # Regional cryptographic profiles
├── env/ # Environment-specific profiles (dev/stage/prod/airgap)
├── llm-providers/ # AI/LLM provider configurations
├── notify/ # Notification service & templates
├── plugins/ # Plugin manifests (configuration, not binaries)
├── policy/ # Policy engine configuration & packs
├── router/ # Transport router configuration
├── scanner/ # Container scanning service
├── scheduler/ # Job scheduling service
├── scm-connectors/ # Source control integrations
├── secrets/ # Development secrets only (NEVER for production)
├── signals/ # Runtime signals configuration
└── vex/ # VEX processing services
```
## File Naming Convention
| Pattern | Purpose | Git Status |
|---------|---------|------------|
| `*.yaml.sample` | Documented template with all options | Committed |
| `*.yaml` | Active configuration | Git-ignored |
| `*.env.sample` | Environment variable template | Committed |
| `env.*` | Active environment file | Git-ignored |
## Quick Start
```bash
# 1. Copy sample to active config
cp etc/scanner/scanner.yaml.sample etc/scanner/scanner.yaml
# 2. Edit for your environment
vi etc/scanner/scanner.yaml
# 3. Copy environment profile
cp etc/env/dev.env.sample etc/env/dev.env
```
## Regional Crypto Profiles
For compliance with regional cryptographic standards:
| Profile | Standard | Use Case |
|---------|----------|----------|
| `us-fips` | FIPS 140-3 | US Federal, DoD |
| `eu` | eIDAS | EU qualified signatures |
| `ru` | GOST R 34.10/11/12 | Russian Federation |
| `cn` | GM/T (SM2/SM3/SM4) | China |
| `kr` | KCMVP | South Korea |
Activate via:
```bash
export STELLAOPS_CRYPTO_PROFILE=us-fips
```
## What Lives Elsewhere
| Directory | Purpose |
|-----------|---------|
| `plugins/` | Compiled plugin binaries (runtime artifacts) |
| `opt/` | Optional vendor packages (CryptoPro, etc.) |
| `offline/` | Air-gap operational state (feeds, packages) |
## Security
- **NEVER commit active configs** (`.yaml` files are git-ignored)
- **Secrets via environment variables** or external secret managers
- **`etc/secrets/`** contains ONLY development/sample keys - never for production
- **Production signing keys** must come from HSM, Vault, or KMS
## Documentation
Full guide: [docs/operations/configuration-guide.md](../docs/operations/configuration-guide.md)
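Review bot: the file-naming table and the Quick Start in this hunk disagree about where the active environment file lives. The table lists the git-ignored pattern as `env.*`, the Quick Start copies `etc/env/dev.env.sample` to `etc/env/dev.env`, and the env samples added in the same commit say to copy to `.env` in the repository root; none of those three targets matches `env.*`, so whichever instruction an operator follows, the active file is not covered by the documented ignore rule and can end up committed with its credentials. Pick one location (the samples' `.env` at the repository root, or `etc/env/*.env`), list that exact pattern in the table, and use the same `cp` target in Quick Start. Separately, the Security section asserts that `*.yaml` files are git-ignored, but no `.gitignore` change is part of this hunk; a one-line pointer to where that rule lives would let a reader verify the claim.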

etc/env/airgap.env.sample vendored Normal file

@@ -0,0 +1,161 @@
# StellaOps Air-Gapped Environment
# Copy to .env in repository root: cp etc/env/airgap.env.sample .env
#
# This profile is for fully offline/air-gapped deployments with no external
# network connectivity. All feeds, models, and packages must be pre-loaded.
# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=airgap
STELLAOPS_LOG_LEVEL=Information
# ============================================================================
# NETWORK ISOLATION
# ============================================================================
# Block all outbound connections (enforced at application level)
STELLAOPS_NETWORK_ISOLATION=strict
STELLAOPS_ALLOWED_HOSTS=localhost,*.internal
# ============================================================================
# POSTGRES DATABASE
# ============================================================================
POSTGRES_HOST=postgres.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
# POSTGRES_PASSWORD=<inject-from-secure-storage>
POSTGRES_DB=stellaops_platform
# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
VALKEY_HOST=valkey.internal
VALKEY_PORT=6379
# ============================================================================
# NATS MESSAGING
# ============================================================================
NATS_URL=nats://nats.internal:4222
NATS_CLIENT_PORT=4222
# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
RUSTFS_ENDPOINT=http://rustfs.internal:8080
RUSTFS_HTTP_PORT=8080
# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://auth.internal:8440
# ============================================================================
# SIGNER SERVICE (OFFLINE MODE)
# ============================================================================
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://auth.internal:8440/connect/introspect
# Disable Rekor transparency log (requires internet)
SIGNER_REKOR_ENABLED=false
# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442
# ============================================================================
# SCANNER SERVICE (OFFLINE MODE)
# ============================================================================
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey.internal:6379
SCANNER_EVENTS_STREAM=stella.events
# CRITICAL: Enable offline kit for air-gapped operation
SCANNER_OFFLINEKIT_ENABLED=true
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=/opt/stellaops/offline/trust-roots
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=/opt/stellaops/offline/rekor-snapshot
# ============================================================================
# CONCELIER SERVICE (OFFLINE FEEDS)
# ============================================================================
CONCELIER_PORT=8445
# Use pre-loaded vulnerability feeds
CONCELIER_FEED_MODE=offline
CONCELIER_FEED_DIRECTORY=/var/lib/stellaops/feeds
# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# Disable external notification channels
NOTIFY_SLACK_ENABLED=false
NOTIFY_TEAMS_ENABLED=false
NOTIFY_WEBHOOK_ENABLED=false
# Only internal email relay if available
NOTIFY_EMAIL_ENABLED=true
NOTIFY_EMAIL_SMTP_HOST=smtp.internal
# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=false
# Pre-loaded issuer registry
ISSUER_DIRECTORY_OFFLINE_MODE=true
# ============================================================================
# ADVISORY AI SERVICE (LOCAL INFERENCE)
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
# CRITICAL: Use local inference only (no external API calls)
ADVISORY_AI_INFERENCE_MODE=Local
ADVISORY_AI_MODEL_BUNDLE_PATH=/opt/stellaops/offline/models
# Do NOT set remote inference settings
# ADVISORY_AI_REMOTE_BASEADDRESS=
# ADVISORY_AI_REMOTE_APIKEY=
# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444
# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443
# ============================================================================
# CRYPTO PROFILE
# ============================================================================
# Select based on organizational requirements
# Note: Some providers may require additional offline packages
STELLAOPS_CRYPTO_PROFILE=us-fips
# For Russian GOST (requires CryptoPro offline package):
# STELLAOPS_CRYPTO_PROFILE=ru
# CRYPTOPRO_ACCEPT_EULA=1
# ============================================================================
# TELEMETRY (LOCAL COLLECTOR ONLY)
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
# Disable cloud exporters
STELLAOPS_TELEMETRY_CLOUD_EXPORT=false
# ============================================================================
# OFFLINE PACKAGE PATHS
# ============================================================================
# Pre-loaded package caches for language ecosystems
STELLAOPS_OFFLINE_NPM_REGISTRY=/opt/stellaops/offline/npm
STELLAOPS_OFFLINE_PYPI_INDEX=/opt/stellaops/offline/pypi
STELLAOPS_OFFLINE_MAVEN_REPO=/opt/stellaops/offline/maven
STELLAOPS_OFFLINE_NUGET_FEED=/opt/stellaops/offline/nuget
STELLAOPS_OFFLINE_CRATES_INDEX=/opt/stellaops/offline/crates
STELLAOPS_OFFLINE_GO_PROXY=/opt/stellaops/offline/goproxy
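Review bot: this profile drops the credential placeholders that the prod profile carries for Valkey and NATS (`# VALKEY_PASSWORD=<inject-from-secret-manager>`, `# NATS_TOKEN=<inject-from-secret-manager>`), leaving `VALKEY_HOST=valkey.internal` and `NATS_URL=nats://nats.internal:4222` with no authentication hint at all; an air gap removes Internet exposure, not lateral movement inside the enclave, so keep the same commented placeholders here. Two smaller points: the comment on `STELLAOPS_NETWORK_ISOLATION=strict` says outbound blocking is "enforced at application level", which should be described as defense in depth rather than the isolation boundary, since a compromised process can bypass its own egress filter and the network must enforce it; and the Signer has Rekor disabled (`SIGNER_REKOR_ENABLED=false`) while the Scanner runs with `SCANNER_OFFLINEKIT_REQUIREDSSE=true` and `SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true` against a Rekor snapshot, so please confirm that attestations signed locally without a Rekor entry are still accepted by the offline verifier, or document that only pre-loaded, already-logged artifacts are expected to verify.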

etc/env/dev.env.sample vendored Normal file

@@ -0,0 +1,125 @@
# StellaOps Development Environment
# Copy to .env in repository root: cp etc/env/dev.env.sample .env
# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=dev
STELLAOPS_LOG_LEVEL=Debug
# ============================================================================
# POSTGRES DATABASE
# ============================================================================
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
POSTGRES_PASSWORD=stellaops
POSTGRES_DB=stellaops_platform
# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
VALKEY_PORT=6379
# ============================================================================
# NATS MESSAGING
# ============================================================================
NATS_CLIENT_PORT=4222
# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
RUSTFS_HTTP_PORT=8080
# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://localhost:8440
# ============================================================================
# SIGNER SERVICE
# ============================================================================
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://authority:8440/connect/introspect
# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442
# ============================================================================
# SCANNER SERVICE
# ============================================================================
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=false
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey:6379
SCANNER_EVENTS_STREAM=stella.events
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
# Offline kit (disabled for development)
SCANNER_OFFLINEKIT_ENABLED=false
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
# ============================================================================
# CONCELIER SERVICE
# ============================================================================
CONCELIER_PORT=8445
# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true
# ============================================================================
# ADVISORY AI SERVICE
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
ADVISORY_AI_INFERENCE_MODE=Local
# For remote inference (Claude, OpenAI):
# ADVISORY_AI_INFERENCE_MODE=Remote
# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
# ADVISORY_AI_REMOTE_APIKEY=sk-...
# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443
# ============================================================================
# CRYPTOPRO (OPTIONAL - GOST CRYPTO)
# ============================================================================
# Set to 1 to accept CryptoPro EULA (required for GOST support)
CRYPTOPRO_ACCEPT_EULA=0
CRYPTOPRO_PORT=18080
# ============================================================================
# CRYPTO PROFILE (OPTIONAL)
# ============================================================================
# Select regional crypto profile:
# - us-fips: FIPS 140-3 (default for US federal)
# - eu: eIDAS qualified signatures
# - ru: GOST R 34.10/34.11/34.12
# - cn: GM/T SM2/SM3/SM4
# - kr: KCMVP
# STELLAOPS_CRYPTO_PROFILE=us-fips
# ============================================================================
# TELEMETRY (OPTIONAL)
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
STELLAOPS_TELEMETRY_ENDPOINT=http://localhost:4317
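Review bot: the hostnames in this profile mix two topologies. `POSTGRES_HOST=localhost`, `AUTHORITY_ISSUER=https://localhost:8440` and `STELLAOPS_TELEMETRY_ENDPOINT=http://localhost:4317` assume services reachable on the developer's host, while `SIGNER_POE_INTROSPECT_URL=https://authority:8440/connect/introspect`, `SCANNER_EVENTS_DSN=valkey:6379` and `SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444` are container-network names; a single deployment cannot resolve both sets unless extra DNS or host mappings exist, so state the intended topology in the header and use one naming scheme throughout. The hardcoded `POSTGRES_PASSWORD=stellaops` is acceptable for a development sample, but the header should say explicitly that these credentials are development-only and that this file must not be reused as the base for stage or prod.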

etc/env/prod.env.sample vendored Normal file

@@ -0,0 +1,148 @@
# StellaOps Production Environment
# Copy to .env in repository root: cp etc/env/prod.env.sample .env
#
# SECURITY: In production, prefer injecting secrets via:
# - Kubernetes secrets
# - Vault/external secret manager
# - Environment variables from CI/CD
# DO NOT commit production secrets to version control
# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=prod
STELLAOPS_LOG_LEVEL=Information
# ============================================================================
# POSTGRES DATABASE
# ============================================================================
# Use environment injection or secret manager for credentials
POSTGRES_HOST=postgres.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
# POSTGRES_PASSWORD=<inject-from-secret-manager>
POSTGRES_DB=stellaops_platform
# Connection pool settings
POSTGRES_MAX_POOL_SIZE=100
POSTGRES_MIN_POOL_SIZE=10
POSTGRES_COMMAND_TIMEOUT=60
# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
VALKEY_HOST=valkey.internal
VALKEY_PORT=6379
# VALKEY_PASSWORD=<inject-from-secret-manager>
# ============================================================================
# NATS MESSAGING
# ============================================================================
NATS_URL=nats://nats.internal:4222
NATS_CLIENT_PORT=4222
# NATS_TOKEN=<inject-from-secret-manager>
# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
RUSTFS_ENDPOINT=http://rustfs.internal:8080
RUSTFS_HTTP_PORT=8080
# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://auth.yourdomain.com
# ============================================================================
# SIGNER SERVICE
# ============================================================================
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://auth.yourdomain.com/connect/introspect
# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442
# ============================================================================
# SCANNER SERVICE
# ============================================================================
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey.internal:6379
SCANNER_EVENTS_STREAM=stella.events
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
SCANNER_EVENTS_MAX_STREAM_LENGTH=100000
# Offline kit (enable if operating in restricted network)
SCANNER_OFFLINEKIT_ENABLED=false
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=false
# ============================================================================
# CONCELIER SERVICE
# ============================================================================
CONCELIER_PORT=8445
# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=false
# ============================================================================
# ADVISORY AI SERVICE
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
ADVISORY_AI_INFERENCE_MODE=Remote
# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
# ADVISORY_AI_REMOTE_APIKEY=<inject-from-secret-manager>
# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444
# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443
# ============================================================================
# CRYPTO PROFILE
# ============================================================================
# Select regional crypto profile based on compliance requirements:
# - us-fips: FIPS 140-3 (US federal)
# - eu: eIDAS qualified signatures
# - ru: GOST R 34.10/34.11/34.12
# - cn: GM/T SM2/SM3/SM4
# - kr: KCMVP
STELLAOPS_CRYPTO_PROFILE=us-fips
# ============================================================================
# TELEMETRY
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
STELLAOPS_TELEMETRY_SERVICE_NAME=stellaops
STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0}
# ============================================================================
# TLS CONFIGURATION
# ============================================================================
STELLAOPS_TLS_ENABLED=true
# STELLAOPS_TLS_CERT_PATH=/etc/ssl/certs/stellaops/server.crt
# STELLAOPS_TLS_KEY_PATH=/etc/ssl/private/stellaops/server.key
# ============================================================================
# RATE LIMITING
# ============================================================================
STELLAOPS_RATELIMIT_ENABLED=true
STELLAOPS_RATELIMIT_REQUESTS_PER_MINUTE=1000
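Review bot: `STELLAOPS_TLS_ENABLED=true` in this hunk only covers the listener, while every service-to-service address in the same file is plaintext: `RUSTFS_ENDPOINT=http://rustfs.internal:8080`, `SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444`, `STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317` and `NATS_URL=nats://nats.internal:4222`. Scan results, artifacts and events would cross the network unencrypted in a production template; either default these to TLS scheme variants with the corresponding CA settings, or add a comment that the sample assumes a service mesh or mTLS sidecar. Also, `ADVISORY_AI_INFERENCE_MODE=Remote` is the production default, which means advisory and SBOM context is sent to an external API unless the operator changes it; defaulting to `Local` as the airgap profile does, or at least a comment on what data leaves the environment, would be the safer default. Finally, `STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0}` relies on `${VAR:-default}` expansion, which dotenv-style loaders do not all implement; confirm that the loader used by every service expands it rather than passing the literal string through.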

etc/env/stage.env.sample vendored Normal file

@@ -0,0 +1,130 @@
# StellaOps Staging Environment
# Copy to .env in repository root: cp etc/env/stage.env.sample .env
#
# Staging environment mirrors production settings but with:
# - More verbose logging
# - Relaxed rate limits
# - Test data integration enabled
# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=stage
STELLAOPS_LOG_LEVEL=Debug
# ============================================================================
# POSTGRES DATABASE
# ============================================================================
POSTGRES_HOST=postgres-stage.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
POSTGRES_PASSWORD=stellaops-stage
POSTGRES_DB=stellaops_stage
# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
VALKEY_HOST=valkey-stage.internal
VALKEY_PORT=6379
# ============================================================================
# NATS MESSAGING
# ============================================================================
NATS_URL=nats://nats-stage.internal:4222
NATS_CLIENT_PORT=4222
# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
RUSTFS_ENDPOINT=http://rustfs-stage.internal:8080
RUSTFS_HTTP_PORT=8080
# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://auth-stage.yourdomain.com
# ============================================================================
# SIGNER SERVICE
# ============================================================================
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://auth-stage.yourdomain.com/connect/introspect
# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442
# ============================================================================
# SCANNER SERVICE
# ============================================================================
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey-stage.internal:6379
SCANNER_EVENTS_STREAM=stella.events.stage
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
SCANNER_EVENTS_MAX_STREAM_LENGTH=50000
# Offline kit (optional for staging)
SCANNER_OFFLINEKIT_ENABLED=false
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=false
# ============================================================================
# CONCELIER SERVICE
# ============================================================================
CONCELIER_PORT=8445
# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# Use test channels for staging
NOTIFY_SLACK_CHANNEL=#stellaops-stage-alerts
NOTIFY_EMAIL_TO=stage-alerts@yourdomain.com
# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=true
# ============================================================================
# ADVISORY AI SERVICE
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
ADVISORY_AI_INFERENCE_MODE=Remote
# Use staging/test API keys
# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
# ADVISORY_AI_REMOTE_APIKEY=<staging-api-key>
# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web-stage.internal:8444
# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443
# ============================================================================
# CRYPTO PROFILE
# ============================================================================
STELLAOPS_CRYPTO_PROFILE=us-fips
# ============================================================================
# TELEMETRY
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector-stage.internal:4317
STELLAOPS_TELEMETRY_SERVICE_NAME=stellaops-stage
STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0-stage}
# ============================================================================
# RATE LIMITING (RELAXED FOR TESTING)
# ============================================================================
STELLAOPS_RATELIMIT_ENABLED=true
STELLAOPS_RATELIMIT_REQUESTS_PER_MINUTE=5000
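Review bot: `POSTGRES_PASSWORD=stellaops-stage` is a real credential committed in a sample for an environment the header says "mirrors production settings", while the prod sample uses a `<inject-from-secret-manager>` placeholder; use the same placeholder here, since a staging database typically holds copies of production scan data and the sample value is the one most likely to end up in use. The same plaintext internal endpoints as in prod apply (`http://rustfs-stage.internal:8080`, `http://scanner-web-stage.internal:8444`, `nats://nats-stage.internal:4222`), and the Valkey and NATS credential placeholders are missing. Smaller: `STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0-stage}` depends on the loader expanding `${VAR:-default}`, so the same caveat as prod applies.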


@@ -0,0 +1,81 @@
# Claude (Anthropic) LLM Provider configuration template
# Copy to claude.yaml (remove .sample extension) and configure.
# Environment variable ANTHROPIC_API_KEY can be used instead of api.apiKey.
# Provider enabled state and priority (lower = higher priority)
enabled: true
priority: 100
# API Configuration
api:
# API key - use environment variable reference or set directly
# Environment variable: ANTHROPIC_API_KEY
apiKey: "${ANTHROPIC_API_KEY}"
# Base URL for API requests
baseUrl: "https://api.anthropic.com"
# API version header
apiVersion: "2023-06-01"
# Model Configuration
model:
# Primary model name
# Options: claude-sonnet-4-20250514, claude-opus-4-20250514, claude-3-5-sonnet-20241022
name: "claude-sonnet-4-20250514"
# Fallback models (tried in order if primary fails)
fallbacks:
- "claude-3-5-sonnet-20241022"
# Inference Parameters
inference:
# Temperature: 0 = deterministic, higher = more creative
# For reproducibility in StellaOps, use 0
temperature: 0.0
# Maximum tokens to generate
maxTokens: 4096
# Nucleus sampling (top-p)
# 1.0 = disabled, lower values = more focused
topP: 1.0
# Top-k sampling (0 = disabled)
# Lower values = more focused
topK: 0
# Extended Thinking (Claude's reasoning feature)
thinking:
# Enable extended thinking for complex reasoning tasks
enabled: false
# Budget tokens for thinking process
budgetTokens: 10000
# Request Configuration
request:
# Request timeout
timeout: "00:02:00"
# Maximum retries on failure
maxRetries: 3
# Logging Configuration
logging:
# Log request/response bodies (WARNING: may contain sensitive data)
logBodies: false
# Log token usage statistics
logUsage: true
# Rate Limiting
rateLimit:
# Requests per minute limit (0 = no limit)
requestsPerMinute: 0
# Tokens per minute limit (0 = no limit)
tokensPerMinute: 0
# Backoff duration when rate limited
backoff: "00:01:00"
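Review bot: the `thinking` block cannot be enabled as written. `thinking.budgetTokens: 10000` is larger than `inference.maxTokens: 4096`, and the Anthropic API requires `budget_tokens` to be smaller than `max_tokens`; extended thinking also does not allow a `temperature` other than 1 or a `top_k` override, which conflicts with the `temperature: 0.0` this sample mandates for reproducibility. Either raise `maxTokens` above the budget and comment that enabling thinking forfeits the deterministic sampling settings, or drop the block. Separately, the header says `ANTHROPIC_API_KEY` "can be used instead of api.apiKey", yet the sample sets `apiKey: "${ANTHROPIC_API_KEY}"`; if the YAML loader does not interpolate `${...}`, the literal string is sent as the key. Leave `apiKey` empty by default and let the provider read the environment variable, or state in the comment that interpolation is performed.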


@@ -0,0 +1,96 @@
# llama.cpp Server LLM Provider configuration template
# This is the PRIMARY provider for OFFLINE/AIRGAP deployments.
# Copy to llama-server.yaml (remove .sample extension) and configure.
# Provider enabled state and priority
# Lower priority number = higher preference (10 = prefer over cloud providers)
enabled: true
priority: 10
# Server Configuration
server:
# Base URL for llama.cpp server
# Start llama.cpp with: llama-server -m model.gguf --host 0.0.0.0 --port 8080
baseUrl: "http://localhost:8080"
# API key if server requires authentication (--api-key flag)
apiKey: ""
# Health check endpoint
healthEndpoint: "/health"
# Model Configuration
model:
# Model name (for logging and identification)
name: "llama3-8b-q4km"
# Path to model file (informational, model is loaded on server)
modelPath: "/models/llama-3-8b-instruct.Q4_K_M.gguf"
# Expected model digest (SHA-256) for verification
# Ensures the correct model is loaded in airgap environments
expectedDigest: ""
# Inference Parameters
inference:
# Temperature: 0 = deterministic (REQUIRED for reproducibility)
temperature: 0.0
# Maximum tokens to generate
maxTokens: 4096
# Random seed for reproducibility (REQUIRED for determinism)
seed: 42
# Nucleus sampling (top-p)
topP: 1.0
# Top-k sampling
topK: 40
# Repeat penalty (1.0 = no penalty)
repeatPenalty: 1.1
# Context length (must match server's -c flag)
contextLength: 4096
# Request Configuration
request:
# Request timeout (longer for local inference)
timeout: "00:05:00"
# Maximum retries on failure
maxRetries: 2
# Model Bundle Configuration (for airgap deployments)
bundle:
# Path to signed model bundle (.stellaops-model directory)
# Created using: stella model bundle --sign
bundlePath: ""
# Verify bundle signature before loading
verifySignature: true
# Cryptographic scheme for verification
# Options: ed25519, ecdsa-p256, gost3410, sm2
cryptoScheme: "ed25519"
# Logging Configuration
logging:
# Log health check results
logHealthChecks: false
# Log token usage statistics
logUsage: true
# Performance Tuning
performance:
# Number of threads for inference (-t flag on server)
# 0 = auto-detect
threads: 0
# Batch size for prompt processing
batchSize: 512
# Context size for parallel requests
parallelContexts: 1
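Review bot: the verification knobs in the `model` and `bundle` sections fail open by default. `expectedDigest: ""` is described as ensuring the correct model is loaded in airgap environments, but with the empty default no digest is checked, and `bundle.verifySignature: true` sits next to `bundlePath: ""`, so it is unclear whether an empty path skips verification silently or rejects startup. State the behaviour for both empty values in the comments, and since this file calls itself the PRIMARY provider for airgap deployments, consider requiring a non-empty `expectedDigest` or `bundlePath` whenever `verifySignature` is true. Also, the `server` section defaults to `http://localhost:8080` with `apiKey: ""`; note in the comment that llama-server performs no authentication unless started with `--api-key`, so any non-loopback `baseUrl` needs the key set on both sides.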


@@ -0,0 +1,87 @@
# Ollama LLM Provider configuration template
# For local inference using Ollama.
# Copy to ollama.yaml (remove .sample extension) and configure.
# Provider enabled state and priority
# Priority 20 = prefer over cloud, but after llama-server (10)
enabled: true
priority: 20
# Server Configuration
server:
# Base URL for Ollama server
# Default Ollama port is 11434
baseUrl: "http://localhost:11434"
# Health check endpoint
healthEndpoint: "/api/tags"
# Model Configuration
model:
# Primary model name
# Use 'ollama list' to see available models
# Common options: llama3:8b, llama3:70b, codellama:13b, mistral:7b
name: "llama3:8b"
# Fallback models (tried in order if primary fails)
fallbacks:
- "llama3:latest"
- "mistral:7b"
# Keep model loaded in memory (prevents unloading between requests)
# Options: "5m", "10m", "1h", "-1" (forever)
keepAlive: "5m"
# Inference Parameters
inference:
# Temperature: 0 = deterministic (REQUIRED for reproducibility)
temperature: 0.0
# Maximum tokens to generate (-1 = use model default)
maxTokens: 4096
# Random seed for reproducibility (REQUIRED for determinism)
seed: 42
# Nucleus sampling (top-p)
topP: 1.0
# Top-k sampling
topK: 40
# Repeat penalty (1.0 = no penalty)
repeatPenalty: 1.1
# Context window size
numCtx: 4096
# Number of tokens to predict (-1 = unlimited, use maxTokens)
numPredict: -1
# GPU Configuration
gpu:
# Number of GPU layers to offload (0 = CPU only)
# -1 = offload all layers to GPU
numGpu: 0
# Request Configuration
request:
# Request timeout (longer for local inference)
timeout: "00:05:00"
# Maximum retries on failure
maxRetries: 2
# Model Management
management:
# Automatically pull model if not found locally
# WARNING: Requires internet access, disable for airgap
autoPull: false
# Verify model integrity after pull
verifyPull: true
# Logging Configuration
logging:
# Log token usage statistics
logUsage: true
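Review bot: the fallback list pins `llama3:latest`, a floating tag whose contents change on every pull, which undercuts the reproducibility that `temperature: 0.0` and `seed: 42` are marked REQUIRED for; pin a versioned tag (or a digest) as the primary `llama3:8b` does. Also `maxTokens: 4096` and `numPredict: -1` ("use maxTokens") both govern output length; document which one wins or drop one, and state what `verifyPull: true` actually checks (manifest digest, signature) so operators know what guarantee it gives.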


@@ -0,0 +1,87 @@
# OpenAI LLM Provider configuration template
# Copy to openai.yaml (remove .sample extension) and configure.
# Environment variable OPENAI_API_KEY can be used instead of api.apiKey.
# Provider enabled state and priority (lower = higher priority)
enabled: true
priority: 100
# API Configuration
api:
# API key - use environment variable reference or set directly
# Environment variable: OPENAI_API_KEY
apiKey: "${OPENAI_API_KEY}"
# Base URL for API requests
# Default: https://api.openai.com/v1
# For Azure OpenAI: https://{resource}.openai.azure.com/openai/deployments/{deployment}
baseUrl: "https://api.openai.com/v1"
# Organization ID (optional, for multi-org accounts)
organizationId: ""
# API version (required for Azure OpenAI, e.g., "2024-02-15-preview")
apiVersion: ""
# Model Configuration
model:
# Primary model name
# Options: gpt-4o, gpt-4o-mini, gpt-4-turbo, gpt-4, gpt-3.5-turbo
# For Azure: use your deployment name
name: "gpt-4o"
# Fallback models (tried in order if primary fails)
fallbacks:
- "gpt-4o-mini"
- "gpt-3.5-turbo"
# Inference Parameters
inference:
# Temperature: 0 = deterministic, higher = more creative
# For reproducibility in StellaOps, use 0
temperature: 0.0
# Maximum tokens to generate
maxTokens: 4096
# Random seed for reproducibility (when temperature=0)
seed: 42
# Nucleus sampling (top-p)
# 1.0 = disabled, lower values = more focused
topP: 1.0
# Frequency penalty (-2.0 to 2.0)
# Positive = reduce repetition of tokens already used
frequencyPenalty: 0.0
# Presence penalty (-2.0 to 2.0)
# Positive = encourage new topics
presencePenalty: 0.0
# Request Configuration
request:
# Request timeout
timeout: "00:02:00"
# Maximum retries on failure
maxRetries: 3
# Logging Configuration
logging:
# Log request/response bodies (WARNING: may contain sensitive data)
logBodies: false
# Log token usage statistics
logUsage: true
# Rate Limiting
rateLimit:
# Requests per minute limit (0 = no limit)
requestsPerMinute: 0
# Tokens per minute limit (0 = no limit)
tokensPerMinute: 0
# Backoff duration when rate limited
backoff: "00:01:00"
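Review bot: the sample ships with `enabled: true` for a remote provider, so copying it to `openai.yaml` activates outbound API calls with `${OPENAI_API_KEY}` before anyone opts in, contradicting the registry's "Explicitly enable providers" default; set `enabled: false` in the sample. Also the Azure guidance under `baseUrl` and `apiVersion` exists only as comments; say what happens when `baseUrl` points at an Azure deployment but `apiVersion` stays empty (failing fast at startup is preferable to a runtime 4xx).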


@@ -0,0 +1,92 @@
# LLM Provider Registry
# AI/LLM provider configurations for Advisory AI
version: "1.0"
category: llm-providers
# Global LLM settings
defaults:
enabled: false # Explicitly enable providers
timeout: "00:02:00"
maxRetries: 3
# ============================================================================
# LLM PROVIDERS
# ============================================================================
providers:
# Cloud providers
claude:
enabled: false
priority: 100
config: claude.yaml
description: "Anthropic Claude (Claude 3.5/4)"
mode: remote
openai:
enabled: false
priority: 90
config: openai.yaml
description: "OpenAI GPT-4/4o"
mode: remote
azure-openai:
enabled: false
priority: 90
config: azure-openai.yaml
description: "Azure OpenAI Service"
mode: remote
# Local providers (for air-gap)
ollama:
enabled: false
priority: 80
config: ollama.yaml
description: "Ollama local inference"
mode: local
llama-server:
enabled: false
priority: 80
config: llama-server.yaml
description: "llama.cpp HTTP server"
mode: local
vllm:
enabled: false
priority: 80
config: vllm.yaml
description: "vLLM inference server"
mode: local
# ============================================================================
# INFERENCE SETTINGS
# ============================================================================
inference:
# Mode: remote, local, hybrid
mode: "${ADVISORY_AI_INFERENCE_MODE:-local}"
# Fallback chain
fallbackChain:
- claude
- openai
- ollama
# Model selection
modelSelection:
# Task-specific model overrides
explanation: "" # Use default
remediation: "" # Use default
classification: "" # Use default
# ============================================================================
# OFFLINE/AIR-GAP SETTINGS
# ============================================================================
offline:
# Signed model bundle path
modelBundlePath: "${ADVISORY_AI_MODEL_BUNDLE_PATH:-/opt/stellaops/offline/models}"
# Verify bundle signatures
verifySignatures: true
# Public key for signature verification
publicKeyPath: "${ADVISORY_AI_MODEL_PUBKEY:-/etc/stellaops/model-signing-pubkey.pem}"
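Review bot: priority direction is undefined here and conflicts with the provider samples: this registry gives claude 100, openai 90 and the local providers 80, while the Ollama sample says "Priority 20 = prefer over cloud, but after llama-server (10)" and the OpenAI sample says lower = higher priority with 100. State the direction once and reconcile the numbers. Also `fallbackChain` is claude, openai, ollama while `mode` defaults to `local`; say whether remote providers are skipped in local mode, otherwise an air-gapped deployment with a lingering API key will try cloud endpoints first.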


@@ -0,0 +1,218 @@
# SCM Connector configuration template for StellaOps deployments.
# Copy to ../etc/scm-connectors.yaml (relative to the web service content root)
# and adjust the values to match your environment. Environment variables
# (prefixed with STELLAOPS_SCM_) override these settings at runtime.
# Global settings for all SCM connectors
scmConnectors:
# Default timeout for API requests (in seconds)
timeoutSeconds: 30
# User agent string for HTTP requests
userAgent: "StellaOps.AdvisoryAI.Remediation/1.0 (+https://stella-ops.org)"
# Enable/disable specific connector plugins
enabledPlugins:
- github
- gitlab
- azuredevops
- gitea
# GitHub Connector Configuration
# Supports: github.com, GitHub Enterprise Server
github:
enabled: true
# Base URL for GitHub API (leave empty for github.com)
baseUrl: "" # Default: https://api.github.com
# Authentication token (Personal Access Token or GitHub App token)
# Environment variable: STELLAOPS_SCM_GITHUB_TOKEN
apiToken: "${GITHUB_PAT}"
# Alternative: Path to file containing the token
apiTokenFile: ""
# Required scopes: repo, workflow (for PR creation and CI status)
# For GitHub Apps: contents:write, pull_requests:write, checks:read
# Rate limiting
rateLimitWarningThreshold: 500
rateLimitBackoff: "00:01:00"
# Retry configuration
retry:
enabled: true
maxAttempts: 3
delays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# GitLab Connector Configuration
# Supports: gitlab.com, self-hosted GitLab instances
gitlab:
enabled: true
# Base URL for GitLab API (leave empty for gitlab.com)
baseUrl: "" # Default: https://gitlab.com/api/v4
# Personal Access Token or Project Access Token
# Environment variable: STELLAOPS_SCM_GITLAB_TOKEN
apiToken: "${GITLAB_PAT}"
apiTokenFile: ""
# Required scopes: api, read_repository, write_repository
# Rate limiting (GitLab defaults: 300 requests per minute for authenticated)
rateLimitWarningThreshold: 100
rateLimitBackoff: "00:01:00"
retry:
enabled: true
maxAttempts: 3
delays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Azure DevOps Connector Configuration
# Supports: Azure DevOps Services, Azure DevOps Server
azuredevops:
enabled: true
# Base URL (leave empty for Azure DevOps Services)
baseUrl: "" # Default: https://dev.azure.com
# Personal Access Token (PAT)
# Environment variable: STELLAOPS_SCM_AZUREDEVOPS_TOKEN
apiToken: "${AZURE_DEVOPS_PAT}"
apiTokenFile: ""
# Required scopes: Code (Read & Write), Pull Request Contribute, Build (Read)
# Azure DevOps API version
apiVersion: "7.1"
# Organization name (required for Azure DevOps Services)
# Can be overridden per-repository in options
defaultOrganization: ""
retry:
enabled: true
maxAttempts: 3
delays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Gitea Connector Configuration
# Supports: Gitea, Forgejo, Codeberg
gitea:
enabled: true
# Base URL (REQUIRED for Gitea - no default)
# Examples:
# - https://gitea.example.com
# - https://codeberg.org
# - https://forgejo.example.com
baseUrl: "https://git.example.com"
# API Token (generated from Gitea Settings > Applications)
# Environment variable: STELLAOPS_SCM_GITEA_TOKEN
apiToken: "${GITEA_TOKEN}"
apiTokenFile: ""
# Required scopes: repo (for full repository access)
retry:
enabled: true
maxAttempts: 3
delays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Repository-specific overrides
# Use this section to configure different credentials per repository
repositories:
# Example: Override GitHub token for a specific org
# - pattern: "github.com/my-org/*"
# connector: github
# apiToken: "${GITHUB_PAT_MY_ORG}"
# Example: Use self-hosted GitLab for internal repos
# - pattern: "gitlab.internal.company.com/*"
# connector: gitlab
# baseUrl: "https://gitlab.internal.company.com/api/v4"
# apiToken: "${GITLAB_INTERNAL_TOKEN}"
# Example: Azure DevOps with specific organization
# - pattern: "dev.azure.com/mycompany/*"
# connector: azuredevops
# apiToken: "${AZURE_DEVOPS_PAT_MYCOMPANY}"
# PR Generation Settings
pullRequests:
# Default branch name prefix for remediation PRs
branchPrefix: "stellaops/remediation/"
# Include timestamp in branch name
includeBranchTimestamp: true
# Maximum length for branch names
maxBranchNameLength: 100
# Commit message settings
commit:
# Sign commits (requires GPG key configured)
signCommits: false
# Include StellaOps footer in commit messages
includeFooter: true
footerTemplate: |
---
StellaOps Remediation
Finding: ${findingId}
Plan: ${planId}
# PR body settings
body:
# Include SBOM delta summary
includeDelta: true
# Include risk assessment
includeRiskAssessment: true
# Include attestation reference
includeAttestation: true
# Maximum body length (characters)
maxBodyLength: 65535
# CI Status Polling
ciStatus:
# Enable CI status monitoring
enabled: true
# Polling interval for CI status checks
pollInterval: "00:00:30"
# Maximum time to wait for CI to complete
maxWaitTime: "01:00:00"
# Consider PR successful if no CI is configured
allowNoCi: false
# Required check names (if empty, all checks must pass)
requiredChecks: []
# Checks to ignore (useful for non-blocking status checks)
ignoredChecks:
- "codecov/*"
- "license/*"
# Security Settings
security:
# Verify TLS certificates (disable only for testing)
verifySsl: true
# Allow insecure HTTP connections (not recommended)
allowHttp: false
# Proxy settings (if required)
proxy:
enabled: false
url: ""
username: ""
password: ""
noProxy:
- "localhost"
- "127.0.0.1"
# Telemetry for SCM operations
telemetry:
# Log SCM API calls
logApiCalls: true
# Include response timing
logTiming: true
# Redact sensitive data in logs
redactSensitiveData: true
# Patterns to redact
redactionPatterns:
- "token"
- "password"
- "secret"
- "pat"
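Review bot: the token placeholders and the documented override variables disagree: `apiToken: "${GITHUB_PAT}"` sits under a comment naming `STELLAOPS_SCM_GITHUB_TOKEN`, and the same split recurs for GitLab, Azure DevOps and Gitea; use one variable name per connector and say whether `apiTokenFile` takes precedence over `apiToken` when both are set. Also `proxy.password: ""` is the only credential in the file not written as an environment reference, and the `redactionPatterns` entry `"pat"` will, if matched as a substring, also redact `path` and `pattern`; define whether patterns match key names or values.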


@@ -0,0 +1,83 @@
# GitHub SCM Connector
# GitHub.com and GitHub Enterprise Server integration
id: stellaops.scm.connector.github
name: GitHub Connector
version: 1.0.0
description: |
Integrates with GitHub for remediation automation.
Supports PR creation, status checks, and security alerts.
assembly: StellaOps.AdvisoryAI.ScmConnector.GitHub.dll
capabilities:
- pull-request
- status-check
- security-advisories
- dependabot
- code-scanning
- branch-protection
requirements:
runtime: net10.0
platforms: [linux-x64, linux-arm64, win-x64, osx-arm64]
enabled: false
priority: 100
config:
# GitHub API settings
api:
# Base URL (empty = github.com)
baseUrl: "${GITHUB_BASE_URL:-}"
# API version
apiVersion: "2022-11-28"
# Authentication
auth:
# Authentication type: pat, app, oauth
type: pat
# Personal Access Token
token: "${GITHUB_TOKEN:-}"
# GitHub App credentials (for app type)
appId: "${GITHUB_APP_ID:-}"
privateKeyPath: "${GITHUB_APP_PRIVATE_KEY_PATH:-}"
installationId: "${GITHUB_APP_INSTALLATION_ID:-}"
# Pull request settings
pullRequest:
# Create draft PRs
draft: false
# Request reviewers
requestReviewers: true
defaultReviewers: []
# Labels
labels: ["security", "dependencies", "stellaops"]
# Body template
bodyTemplate: |
## Security Remediation
This PR was automatically created by StellaOps to address:
{{#each vulnerabilities}}
- **{{this.id}}**: {{this.summary}}
{{/each}}
### Changes
{{changes}}
---
🤖 Generated by [StellaOps](https://stellaops.io)
# Status checks
statusCheck:
# Create commit status
enabled: true
# Context name
context: "stellaops/security-gate"
# Rate limiting
rateLimit:
# Respect GitHub rate limits
respectLimits: true
# Retry on rate limit
retryOnLimit: true
maxWaitSeconds: 3600
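Review bot: `bodyTemplate` interpolates `{{this.id}}`, `{{this.summary}}` and `{{changes}}` into a PR body, and summaries originate in upstream advisory text; document that the renderer escapes Markdown/HTML (or that the template engine's `{{ }}` form does) so advisory content cannot alter the PR body or add links. Also `requestReviewers: true` with `defaultReviewers: []` needs a note on what is requested when the list is empty, and the footer links to https://stellaops.io while the user agent in scm-connectors.yaml.sample uses https://stella-ops.org.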


@@ -0,0 +1,82 @@
# GitLab SCM Connector
# GitLab.com and self-hosted GitLab integration
id: stellaops.scm.connector.gitlab
name: GitLab Connector
version: 1.0.0
description: |
Integrates with GitLab for remediation automation.
Supports MR creation, pipeline triggers, and security dashboards.
assembly: StellaOps.AdvisoryAI.ScmConnector.GitLab.dll
capabilities:
- merge-request
- pipeline-trigger
- security-dashboard
- dependency-scanning
- container-scanning
requirements:
runtime: net10.0
platforms: [linux-x64, linux-arm64, win-x64, osx-arm64]
enabled: false
priority: 100
config:
# GitLab API settings
api:
# Base URL (empty = gitlab.com)
baseUrl: "${GITLAB_BASE_URL:-}"
# API version
apiVersion: "v4"
# Authentication
auth:
# Authentication type: token, oauth
type: token
# Personal Access Token or Project Token
token: "${GITLAB_TOKEN:-}"
# OAuth credentials (for oauth type)
clientId: "${GITLAB_OAUTH_CLIENT_ID:-}"
clientSecret: "${GITLAB_OAUTH_CLIENT_SECRET:-}"
# Merge request settings
mergeRequest:
# Create as draft
draft: false
# Remove source branch on merge
removeSourceBranch: true
# Squash commits
squash: true
# Assignees
assignees: []
# Labels
labels: ["security", "dependencies", "stellaops"]
# Description template
descriptionTemplate: |
## Security Remediation
This MR was automatically created by StellaOps.
### Vulnerabilities Addressed
{{#each vulnerabilities}}
- **{{this.id}}**: {{this.summary}}
{{/each}}
### Changes
{{changes}}
/label ~security ~dependencies
# Pipeline settings
pipeline:
# Trigger pipeline on MR creation
triggerPipeline: true
# Wait for pipeline
waitForPipeline: false
# Rate limiting
rateLimit:
requestsPerSecond: 10
burstSize: 20
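Review bot: the `/label ~security ~dependencies` quick action at the end of `descriptionTemplate` duplicates the `labels` list above it and the two will drift when one is edited; keep labels in `labels` only. Also `triggerPipeline: true` with `waitForPipeline: false` means a failed pipeline never blocks the MR; say how this relates to the `ciStatus` polling enabled in scm-connectors.yaml.sample, and note next to `clientId`/`clientSecret` that they are only read when `auth.type` is `oauth`.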


@@ -0,0 +1,79 @@
# SCM (Source Control Management) Connector Registry
# Source control integrations for remediation automation
version: "1.0"
category: scm
# Global SCM settings
defaults:
enabled: false # Explicitly enable connectors
timeout: "00:01:00"
retry:
maxRetries: 3
backoffMs: 1000
# ============================================================================
# SCM CONNECTORS
# ============================================================================
connectors:
github:
enabled: false
priority: 100
config: github.yaml
description: "GitHub.com and GitHub Enterprise Server"
gitlab:
enabled: false
priority: 100
config: gitlab.yaml
description: "GitLab.com and self-hosted GitLab"
azure-devops:
enabled: false
priority: 100
config: azure-devops.yaml
description: "Azure DevOps Services and Server"
bitbucket:
enabled: false
priority: 100
config: bitbucket.yaml
description: "Bitbucket Cloud and Data Center"
gitea:
enabled: false
priority: 90
config: gitea.yaml
description: "Gitea, Forgejo, Codeberg"
# ============================================================================
# COMMON SCM SETTINGS
# ============================================================================
common:
# PR/MR creation
pullRequest:
# Default branch for PRs
defaultBaseBranch: main
# PR title prefix
titlePrefix: "[StellaOps]"
# Auto-merge if checks pass
autoMerge: false
# Delete branch after merge
deleteBranchOnMerge: true
# Commit settings
commit:
# Commit message prefix
messagePrefix: "fix:"
# Sign commits
signCommits: true
# Commit author
authorName: "StellaOps Bot"
authorEmail: "bot@stellaops.example.com"
# Branch naming
branch:
# Branch name pattern
pattern: "stellaops/remediate-{vuln-id}"
# Max branch name length
maxLength: 100
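Review bot: `signCommits: true` here conflicts with `signCommits: false` in scm-connectors.yaml.sample, whose comment says signing requires a configured GPG key, and this registry names no key or signer; pick one default and point to where the key is configured. Also the `bitbucket` connector references `bitbucket.yaml` but no Bitbucket section or plugin appears in the connectors sample, and `branch.pattern: "stellaops/remediate-{vuln-id}"` differs from that sample's `branchPrefix: "stellaops/remediation/"`; reconcile them or state which file is authoritative.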