CD/CD consolidation

devops/compose/env/airgap.env.example

@@ -0,0 +1,91 @@
+# Substitutions for docker-compose.airgap.yaml
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=airgap-postgres-password
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=25432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=26379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.airgap.local
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:45:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=file:///offline/poe/introspect.json
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Scanner
+SCANNER_WEB_PORT=8444
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface.Env configuration
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=file
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+
+# Scheduler
+SCHEDULER_QUEUE_KIND=Valkey
+SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# Notify
+NOTIFY_WEB_PORT=9446
+
+# Advisory AI
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# Web UI
+UI_PORT=9443
+
+# NATS
+NATS_CLIENT_PORT=24222

devops/compose/env/cas.env.example

@@ -0,0 +1,118 @@
+# CAS (Content Addressable Storage) Environment Configuration
+# Copy to .env and customize for your deployment
+#
+# Aligned with best-in-class vulnerability scanner retention policies:
+# - Trivy: 7 days vulnerability DB
+# - Grype: 5 days DB, configurable
+# - Anchore Enterprise: 90-365 days typical
+# - Snyk Enterprise: 365 days
+
+# =============================================================================
+# DATA PATHS (ensure directories exist with proper permissions)
+# =============================================================================
+CAS_DATA_PATH=/var/lib/stellaops/cas
+CAS_EVIDENCE_PATH=/var/lib/stellaops/evidence
+CAS_ATTESTATION_PATH=/var/lib/stellaops/attestations
+
+# =============================================================================
+# RUSTFS CONFIGURATION
+# =============================================================================
+RUSTFS_LOG_LEVEL=info
+RUSTFS_COMPRESSION=zstd
+RUSTFS_COMPRESSION_LEVEL=3
+
+# =============================================================================
+# PORTS
+# =============================================================================
+RUSTFS_CAS_PORT=8180
+RUSTFS_EVIDENCE_PORT=8181
+RUSTFS_ATTESTATION_PORT=8182
+
+# =============================================================================
+# ACCESS CONTROL - API KEYS
+# IMPORTANT: Change these in production!
+# =============================================================================
+
+# CAS Storage (mutable, lifecycle-managed)
+RUSTFS_CAS_API_KEY=cas-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_CAS_READONLY_KEY=cas-readonly-key-CHANGE-IN-PRODUCTION
+
+# Evidence Storage (immutable)
+RUSTFS_EVIDENCE_API_KEY=evidence-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_EVIDENCE_READONLY_KEY=evidence-readonly-key-CHANGE-IN-PRODUCTION
+
+# Attestation Storage (immutable)
+RUSTFS_ATTESTATION_API_KEY=attestation-api-key-CHANGE-IN-PRODUCTION
+RUSTFS_ATTESTATION_READONLY_KEY=attestation-readonly-key-CHANGE-IN-PRODUCTION
+
+# =============================================================================
+# SERVICE ACCOUNT KEYS
+# Each service has its own key for fine-grained access control
+# IMPORTANT: Generate unique keys per environment!
+# =============================================================================
+
+# Scanner service - access to scanner artifacts, surface cache, runtime facts
+RUSTFS_SCANNER_KEY=scanner-svc-key-GENERATE-UNIQUE
+# Bucket access: scanner-artifacts (rw), surface-cache (rw), runtime-facts (rw)
+
+# Signals service - access to runtime facts, signals data, provenance feed
+RUSTFS_SIGNALS_KEY=signals-svc-key-GENERATE-UNIQUE
+# Bucket access: runtime-facts (rw), signals-data (rw), provenance-feed (rw)
+
+# Replay service - access to replay bundles, inputs lock files
+RUSTFS_REPLAY_KEY=replay-svc-key-GENERATE-UNIQUE
+# Bucket access: replay-bundles (rw), inputs-lock (rw)
+
+# Ledger service - access to evidence bundles, merkle roots, hash chains
+RUSTFS_LEDGER_KEY=ledger-svc-key-GENERATE-UNIQUE
+# Bucket access: evidence-bundles (rw), merkle-roots (rw), hash-chains (rw)
+
+# Exporter service - read-only access to evidence bundles
+RUSTFS_EXPORTER_KEY=exporter-svc-key-GENERATE-UNIQUE
+# Bucket access: evidence-bundles (r)
+
+# Attestor service - access to attestations, DSSE envelopes, Rekor receipts
+RUSTFS_ATTESTOR_KEY=attestor-svc-key-GENERATE-UNIQUE
+# Bucket access: attestations (rw), dsse-envelopes (rw), rekor-receipts (rw)
+
+# Verifier service - read-only access to attestations
+RUSTFS_VERIFIER_KEY=verifier-svc-key-GENERATE-UNIQUE
+# Bucket access: attestations (r), dsse-envelopes (r), rekor-receipts (r)
+
+# Global read-only key (for debugging/auditing)
+RUSTFS_READONLY_KEY=readonly-global-key-GENERATE-UNIQUE
+# Bucket access: * (r)
+
+# =============================================================================
+# LIFECYCLE MANAGEMENT
+# =============================================================================
+# Cron schedule for retention policy enforcement (default: 3 AM daily)
+LIFECYCLE_CRON=0 3 * * *
+LIFECYCLE_TELEMETRY=true
+
+# =============================================================================
+# RETENTION POLICIES (days, 0 = indefinite)
+# Aligned with enterprise vulnerability scanner best practices
+# =============================================================================
+# Vulnerability DB: 7 days (matches Trivy default, Grype uses 5)
+CAS_RETENTION_VULNERABILITY_DB_DAYS=7
+
+# SBOM artifacts: 365 days (audit compliance - SOC2, ISO27001, FedRAMP)
+CAS_RETENTION_SBOM_ARTIFACTS_DAYS=365
+
+# Scan results: 90 days (common compliance window)
+CAS_RETENTION_SCAN_RESULTS_DAYS=90
+
+# Evidence bundles: indefinite (content-addressed, immutable, audit trail)
+CAS_RETENTION_EVIDENCE_BUNDLES_DAYS=0
+
+# Attestations: indefinite (signed, immutable, verifiable)
+CAS_RETENTION_ATTESTATIONS_DAYS=0
+
+# Temporary artifacts: 1 day (work-in-progress, intermediate files)
+CAS_RETENTION_TEMP_ARTIFACTS_DAYS=1
+
+# =============================================================================
+# TELEMETRY (optional)
+# =============================================================================
+OTLP_ENDPOINT=

devops/compose/env/dev.env.example

@@ -0,0 +1,78 @@
+# Substitutions for docker-compose.dev.yaml
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=dev-postgres-password
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.localtest.me
+AUTHORITY_PORT=8440
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=https://licensing.svc.local/introspect
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Scanner
+SCANNER_WEB_PORT=8444
+SCANNER_QUEUE_BROKER=nats://nats:4222
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface.Env defaults keep worker/web service aligned with local RustFS and inline secrets
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_SECRETS_PROVIDER=inline
+SCANNER_SURFACE_SECRETS_ROOT=
+
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+ZASTAVA_SURFACE_SECRETS_PROVIDER=${SCANNER_SURFACE_SECRETS_PROVIDER}
+ZASTAVA_SURFACE_SECRETS_ROOT=${SCANNER_SURFACE_SECRETS_ROOT}
+
+# Scheduler
+SCHEDULER_QUEUE_KIND=Nats
+SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Advisory AI
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# Web UI
+UI_PORT=8443
+
+# NATS
+NATS_CLIENT_PORT=4222
+
+# CryptoPro (optional)
+CRYPTOPRO_PORT=18080
+CRYPTOPRO_ACCEPT_EULA=0

devops/compose/env/mirror.env.example

@@ -0,0 +1,64 @@
+# Managed mirror profile substitutions
+
+# Core infrastructure credentials
+MONGO_INITDB_ROOT_USERNAME=stellaops_mirror
+MONGO_INITDB_ROOT_PASSWORD=mirror-password
+MINIO_ROOT_USER=stellaops-mirror
+MINIO_ROOT_PASSWORD=mirror-minio-secret
+RUSTFS_HTTP_PORT=8080
+
+# Scanner surface integration
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080/api/v1
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_SECRETS_PROVIDER=file
+SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
+
+# Mirror HTTP listeners
+MIRROR_GATEWAY_HTTP_PORT=8080
+MIRROR_GATEWAY_HTTPS_PORT=9443
+
+# Concelier mirror configuration
+CONCELIER_MIRROR_LATEST_SEGMENT=latest
+CONCELIER_MIRROR_DIRECTORY_SEGMENT=mirror
+CONCELIER_MIRROR_REQUIRE_AUTH=true
+CONCELIER_MIRROR_INDEX_BUDGET=600
+CONCELIER_MIRROR_DOMAIN_PRIMARY_ID=primary
+CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH=true
+CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=3600
+CONCELIER_MIRROR_DOMAIN_SECONDARY_ID=community
+CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH=false
+CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=1800
+
+# Authority integration (tokens issued by production Authority)
+CONCELIER_AUTHORITY_ENABLED=true
+CONCELIER_AUTHORITY_ALLOW_ANON=false
+CONCELIER_AUTHORITY_ISSUER=https://authority.stella-ops.org
+CONCELIER_AUTHORITY_METADATA=
+CONCELIER_AUTHORITY_CLIENT_ID=stellaops-concelier-mirror
+CONCELIER_AUTHORITY_SCOPE=concelier.mirror.read
+CONCELIER_AUTHORITY_AUDIENCE=api://concelier.mirror
+
+# Excititor mirror configuration
+EXCITITOR_MONGO_DATABASE=excititor
+EXCITITOR_FILESYSTEM_OVERWRITE=false
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID=primary
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH=true
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET=300
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=2400
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY=consensus-json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT=json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW=consensus
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY=consensus-openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT=openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW=consensus
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID=community
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH=false
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET=120
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=600
+EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY=community-consensus
+EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT=json
+EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW=consensus

devops/compose/env/mock.env.example

@@ -0,0 +1,12 @@
+# Dev-only overlay env for docker-compose.mock.yaml
+# Use together with dev.env.example:
+#   docker compose --env-file env/dev.env.example --env-file env/mock.env.example -f docker-compose.dev.yaml -f docker-compose.mock.yaml config
+
+# Optional: override ports if you expose mock services
+ORCHESTRATOR_PORT=8450
+POLICY_REGISTRY_PORT=8451
+VEX_LENS_PORT=8452
+FINDINGS_LEDGER_PORT=8453
+VULN_EXPLORER_API_PORT=8454
+PACKS_REGISTRY_PORT=8455
+TASK_RUNNER_PORT=8456

devops/compose/env/prod.env.example

@@ -0,0 +1,96 @@
+# Substitutions for docker-compose.prod.yaml
+# WARNING: Replace all placeholder secrets with values sourced from your secret manager.
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops-prod
+POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.prod.stella-ops.org
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=https://licensing.prod.stella-ops.org/introspect
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Scanner
+SCANNER_WEB_PORT=8444
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
+# `true` enables signed scanner events for Notify ingestion.
+SCANNER_EVENTS_ENABLED=true
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface.Env configuration
+SCANNER_SURFACE_FS_ENDPOINT=https://surfacefs.prod.stella-ops.org/api/v1
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+
+# Scheduler
+SCHEDULER_QUEUE_KIND=Valkey
+SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Advisory AI
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# Web UI
+UI_PORT=8443
+
+# NATS
+NATS_CLIENT_PORT=4222
+
+# External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
+FRONTDOOR_NETWORK=stellaops_frontdoor

devops/compose/env/stage.env.example

@@ -0,0 +1,91 @@
+# Substitutions for docker-compose.stage.yaml
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=stage-postgres-password
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.stage.stella-ops.internal
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=https://licensing.stage.stella-ops.internal/introspect
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Scanner
+SCANNER_WEB_PORT=8444
+SCANNER_QUEUE_BROKER=valkey://valkey:6379
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface.Env configuration
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=kubernetes
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=stellaops/scanner
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# Zastava inherits Scanner defaults; override if Observer/Webhook diverge
+ZASTAVA_SURFACE_FS_ENDPOINT=${SCANNER_SURFACE_FS_ENDPOINT}
+ZASTAVA_SURFACE_CACHE_ROOT=${SCANNER_SURFACE_CACHE_ROOT}
+
+# Scheduler
+SCHEDULER_QUEUE_KIND=Valkey
+SCHEDULER_QUEUE_VALKEY_URL=valkey:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Advisory AI
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# Web UI
+UI_PORT=8443
+
+# NATS
+NATS_CLIENT_PORT=4222