Refactor code structure and optimize performance across multiple modules

etc/env/airgap.env.sample

@@ -0,0 +1,161 @@
+# StellaOps Air-Gapped Environment
+# Copy to .env in repository root: cp etc/env/airgap.env.sample .env
+#
+# This profile is for fully offline/air-gapped deployments with no external
+# network connectivity. All feeds, models, and packages must be pre-loaded.
+
+# ============================================================================
+# PROFILE IDENTIFICATION
+# ============================================================================
+STELLAOPS_PROFILE=airgap
+STELLAOPS_LOG_LEVEL=Information
+
+# ============================================================================
+# NETWORK ISOLATION
+# ============================================================================
+# Block all outbound connections (enforced at application level)
+STELLAOPS_NETWORK_ISOLATION=strict
+STELLAOPS_ALLOWED_HOSTS=localhost,*.internal
+
+# ============================================================================
+# POSTGRES DATABASE
+# ============================================================================
+POSTGRES_HOST=postgres.internal
+POSTGRES_PORT=5432
+POSTGRES_USER=stellaops
+# POSTGRES_PASSWORD=<inject-from-secure-storage>
+POSTGRES_DB=stellaops_platform
+
+# ============================================================================
+# VALKEY (REDIS-COMPATIBLE CACHE)
+# ============================================================================
+VALKEY_HOST=valkey.internal
+VALKEY_PORT=6379
+
+# ============================================================================
+# NATS MESSAGING
+# ============================================================================
+NATS_URL=nats://nats.internal:4222
+NATS_CLIENT_PORT=4222
+
+# ============================================================================
+# RUSTFS ARTIFACT STORAGE
+# ============================================================================
+RUSTFS_ENDPOINT=http://rustfs.internal:8080
+RUSTFS_HTTP_PORT=8080
+
+# ============================================================================
+# AUTHORITY SERVICE
+# ============================================================================
+AUTHORITY_PORT=8440
+AUTHORITY_ISSUER=https://auth.internal:8440
+
+# ============================================================================
+# SIGNER SERVICE (OFFLINE MODE)
+# ============================================================================
+SIGNER_PORT=8441
+SIGNER_POE_INTROSPECT_URL=https://auth.internal:8440/connect/introspect
+# Disable Rekor transparency log (requires internet)
+SIGNER_REKOR_ENABLED=false
+
+# ============================================================================
+# ATTESTOR SERVICE
+# ============================================================================
+ATTESTOR_PORT=8442
+
+# ============================================================================
+# SCANNER SERVICE (OFFLINE MODE)
+# ============================================================================
+SCANNER_WEB_PORT=8444
+SCANNER_EVENTS_ENABLED=true
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey.internal:6379
+SCANNER_EVENTS_STREAM=stella.events
+
+# CRITICAL: Enable offline kit for air-gapped operation
+SCANNER_OFFLINEKIT_ENABLED=true
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=/opt/stellaops/offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=/opt/stellaops/offline/rekor-snapshot
+
+# ============================================================================
+# CONCELIER SERVICE (OFFLINE FEEDS)
+# ============================================================================
+CONCELIER_PORT=8445
+# Use pre-loaded vulnerability feeds
+CONCELIER_FEED_MODE=offline
+CONCELIER_FEED_DIRECTORY=/var/lib/stellaops/feeds
+
+# ============================================================================
+# NOTIFY SERVICE
+# ============================================================================
+NOTIFY_WEB_PORT=8446
+# Disable external notification channels
+NOTIFY_SLACK_ENABLED=false
+NOTIFY_TEAMS_ENABLED=false
+NOTIFY_WEBHOOK_ENABLED=false
+# Only internal email relay if available
+NOTIFY_EMAIL_ENABLED=true
+NOTIFY_EMAIL_SMTP_HOST=smtp.internal
+
+# ============================================================================
+# ISSUER DIRECTORY SERVICE
+# ============================================================================
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=false
+# Pre-loaded issuer registry
+ISSUER_DIRECTORY_OFFLINE_MODE=true
+
+# ============================================================================
+# ADVISORY AI SERVICE (LOCAL INFERENCE)
+# ============================================================================
+ADVISORY_AI_WEB_PORT=8448
+# CRITICAL: Use local inference only (no external API calls)
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_MODEL_BUNDLE_PATH=/opt/stellaops/offline/models
+# Do NOT set remote inference settings
+# ADVISORY_AI_REMOTE_BASEADDRESS=
+# ADVISORY_AI_REMOTE_APIKEY=
+
+# ============================================================================
+# SCHEDULER SERVICE
+# ============================================================================
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444
+
+# ============================================================================
+# WEB UI
+# ============================================================================
+UI_PORT=8443
+
+# ============================================================================
+# CRYPTO PROFILE
+# ============================================================================
+# Select based on organizational requirements
+# Note: Some providers may require additional offline packages
+STELLAOPS_CRYPTO_PROFILE=us-fips
+
+# For Russian GOST (requires CryptoPro offline package):
+# STELLAOPS_CRYPTO_PROFILE=ru
+# CRYPTOPRO_ACCEPT_EULA=1
+
+# ============================================================================
+# TELEMETRY (LOCAL COLLECTOR ONLY)
+# ============================================================================
+STELLAOPS_TELEMETRY_ENABLED=true
+STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
+# Disable cloud exporters
+STELLAOPS_TELEMETRY_CLOUD_EXPORT=false
+
+# ============================================================================
+# OFFLINE PACKAGE PATHS
+# ============================================================================
+# Pre-loaded package caches for language ecosystems
+STELLAOPS_OFFLINE_NPM_REGISTRY=/opt/stellaops/offline/npm
+STELLAOPS_OFFLINE_PYPI_INDEX=/opt/stellaops/offline/pypi
+STELLAOPS_OFFLINE_MAVEN_REPO=/opt/stellaops/offline/maven
+STELLAOPS_OFFLINE_NUGET_FEED=/opt/stellaops/offline/nuget
+STELLAOPS_OFFLINE_CRATES_INDEX=/opt/stellaops/offline/crates
+STELLAOPS_OFFLINE_GO_PROXY=/opt/stellaops/offline/goproxy

etc/env/dev.env.sample

@@ -0,0 +1,125 @@
+# StellaOps Development Environment
+# Copy to .env in repository root: cp etc/env/dev.env.sample .env
+
+# ============================================================================
+# PROFILE IDENTIFICATION
+# ============================================================================
+STELLAOPS_PROFILE=dev
+STELLAOPS_LOG_LEVEL=Debug
+
+# ============================================================================
+# POSTGRES DATABASE
+# ============================================================================
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=stellaops
+POSTGRES_DB=stellaops_platform
+
+# ============================================================================
+# VALKEY (REDIS-COMPATIBLE CACHE)
+# ============================================================================
+VALKEY_PORT=6379
+
+# ============================================================================
+# NATS MESSAGING
+# ============================================================================
+NATS_CLIENT_PORT=4222
+
+# ============================================================================
+# RUSTFS ARTIFACT STORAGE
+# ============================================================================
+RUSTFS_HTTP_PORT=8080
+
+# ============================================================================
+# AUTHORITY SERVICE
+# ============================================================================
+AUTHORITY_PORT=8440
+AUTHORITY_ISSUER=https://localhost:8440
+
+# ============================================================================
+# SIGNER SERVICE
+# ============================================================================
+SIGNER_PORT=8441
+SIGNER_POE_INTROSPECT_URL=https://authority:8440/connect/introspect
+
+# ============================================================================
+# ATTESTOR SERVICE
+# ============================================================================
+ATTESTOR_PORT=8442
+
+# ============================================================================
+# SCANNER SERVICE
+# ============================================================================
+SCANNER_WEB_PORT=8444
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Offline kit (disabled for development)
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+
+# ============================================================================
+# CONCELIER SERVICE
+# ============================================================================
+CONCELIER_PORT=8445
+
+# ============================================================================
+# NOTIFY SERVICE
+# ============================================================================
+NOTIFY_WEB_PORT=8446
+
+# ============================================================================
+# ISSUER DIRECTORY SERVICE
+# ============================================================================
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# ============================================================================
+# ADVISORY AI SERVICE
+# ============================================================================
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_INFERENCE_MODE=Local
+# For remote inference (Claude, OpenAI):
+# ADVISORY_AI_INFERENCE_MODE=Remote
+# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
+# ADVISORY_AI_REMOTE_APIKEY=sk-...
+
+# ============================================================================
+# SCHEDULER SERVICE
+# ============================================================================
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# ============================================================================
+# WEB UI
+# ============================================================================
+UI_PORT=8443
+
+# ============================================================================
+# CRYPTOPRO (OPTIONAL - GOST CRYPTO)
+# ============================================================================
+# Set to 1 to accept CryptoPro EULA (required for GOST support)
+CRYPTOPRO_ACCEPT_EULA=0
+CRYPTOPRO_PORT=18080
+
+# ============================================================================
+# CRYPTO PROFILE (OPTIONAL)
+# ============================================================================
+# Select regional crypto profile:
+# - us-fips: FIPS 140-3 (default for US federal)
+# - eu: eIDAS qualified signatures
+# - ru: GOST R 34.10/34.11/34.12
+# - cn: GM/T SM2/SM3/SM4
+# - kr: KCMVP
+# STELLAOPS_CRYPTO_PROFILE=us-fips
+
+# ============================================================================
+# TELEMETRY (OPTIONAL)
+# ============================================================================
+STELLAOPS_TELEMETRY_ENABLED=true
+STELLAOPS_TELEMETRY_ENDPOINT=http://localhost:4317

etc/env/prod.env.sample

@@ -0,0 +1,148 @@
+# StellaOps Production Environment
+# Copy to .env in repository root: cp etc/env/prod.env.sample .env
+#
+# SECURITY: In production, prefer injecting secrets via:
+# - Kubernetes secrets
+# - Vault/external secret manager
+# - Environment variables from CI/CD
+# DO NOT commit production secrets to version control
+
+# ============================================================================
+# PROFILE IDENTIFICATION
+# ============================================================================
+STELLAOPS_PROFILE=prod
+STELLAOPS_LOG_LEVEL=Information
+
+# ============================================================================
+# POSTGRES DATABASE
+# ============================================================================
+# Use environment injection or secret manager for credentials
+POSTGRES_HOST=postgres.internal
+POSTGRES_PORT=5432
+POSTGRES_USER=stellaops
+# POSTGRES_PASSWORD=<inject-from-secret-manager>
+POSTGRES_DB=stellaops_platform
+
+# Connection pool settings
+POSTGRES_MAX_POOL_SIZE=100
+POSTGRES_MIN_POOL_SIZE=10
+POSTGRES_COMMAND_TIMEOUT=60
+
+# ============================================================================
+# VALKEY (REDIS-COMPATIBLE CACHE)
+# ============================================================================
+VALKEY_HOST=valkey.internal
+VALKEY_PORT=6379
+# VALKEY_PASSWORD=<inject-from-secret-manager>
+
+# ============================================================================
+# NATS MESSAGING
+# ============================================================================
+NATS_URL=nats://nats.internal:4222
+NATS_CLIENT_PORT=4222
+# NATS_TOKEN=<inject-from-secret-manager>
+
+# ============================================================================
+# RUSTFS ARTIFACT STORAGE
+# ============================================================================
+RUSTFS_ENDPOINT=http://rustfs.internal:8080
+RUSTFS_HTTP_PORT=8080
+
+# ============================================================================
+# AUTHORITY SERVICE
+# ============================================================================
+AUTHORITY_PORT=8440
+AUTHORITY_ISSUER=https://auth.yourdomain.com
+
+# ============================================================================
+# SIGNER SERVICE
+# ============================================================================
+SIGNER_PORT=8441
+SIGNER_POE_INTROSPECT_URL=https://auth.yourdomain.com/connect/introspect
+
+# ============================================================================
+# ATTESTOR SERVICE
+# ============================================================================
+ATTESTOR_PORT=8442
+
+# ============================================================================
+# SCANNER SERVICE
+# ============================================================================
+SCANNER_WEB_PORT=8444
+SCANNER_EVENTS_ENABLED=true
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey.internal:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=100000
+
+# Offline kit (enable if operating in restricted network)
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=false
+
+# ============================================================================
+# CONCELIER SERVICE
+# ============================================================================
+CONCELIER_PORT=8445
+
+# ============================================================================
+# NOTIFY SERVICE
+# ============================================================================
+NOTIFY_WEB_PORT=8446
+
+# ============================================================================
+# ISSUER DIRECTORY SERVICE
+# ============================================================================
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=false
+
+# ============================================================================
+# ADVISORY AI SERVICE
+# ============================================================================
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_INFERENCE_MODE=Remote
+# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
+# ADVISORY_AI_REMOTE_APIKEY=<inject-from-secret-manager>
+
+# ============================================================================
+# SCHEDULER SERVICE
+# ============================================================================
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444
+
+# ============================================================================
+# WEB UI
+# ============================================================================
+UI_PORT=8443
+
+# ============================================================================
+# CRYPTO PROFILE
+# ============================================================================
+# Select regional crypto profile based on compliance requirements:
+# - us-fips: FIPS 140-3 (US federal)
+# - eu: eIDAS qualified signatures
+# - ru: GOST R 34.10/34.11/34.12
+# - cn: GM/T SM2/SM3/SM4
+# - kr: KCMVP
+STELLAOPS_CRYPTO_PROFILE=us-fips
+
+# ============================================================================
+# TELEMETRY
+# ============================================================================
+STELLAOPS_TELEMETRY_ENABLED=true
+STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
+STELLAOPS_TELEMETRY_SERVICE_NAME=stellaops
+STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0}
+
+# ============================================================================
+# TLS CONFIGURATION
+# ============================================================================
+STELLAOPS_TLS_ENABLED=true
+# STELLAOPS_TLS_CERT_PATH=/etc/ssl/certs/stellaops/server.crt
+# STELLAOPS_TLS_KEY_PATH=/etc/ssl/private/stellaops/server.key
+
+# ============================================================================
+# RATE LIMITING
+# ============================================================================
+STELLAOPS_RATELIMIT_ENABLED=true
+STELLAOPS_RATELIMIT_REQUESTS_PER_MINUTE=1000

etc/env/stage.env.sample

@@ -0,0 +1,130 @@
+# StellaOps Staging Environment
+# Copy to .env in repository root: cp etc/env/stage.env.sample .env
+#
+# Staging environment mirrors production settings but with:
+# - More verbose logging
+# - Relaxed rate limits
+# - Test data integration enabled
+
+# ============================================================================
+# PROFILE IDENTIFICATION
+# ============================================================================
+STELLAOPS_PROFILE=stage
+STELLAOPS_LOG_LEVEL=Debug
+
+# ============================================================================
+# POSTGRES DATABASE
+# ============================================================================
+POSTGRES_HOST=postgres-stage.internal
+POSTGRES_PORT=5432
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=stellaops-stage
+POSTGRES_DB=stellaops_stage
+
+# ============================================================================
+# VALKEY (REDIS-COMPATIBLE CACHE)
+# ============================================================================
+VALKEY_HOST=valkey-stage.internal
+VALKEY_PORT=6379
+
+# ============================================================================
+# NATS MESSAGING
+# ============================================================================
+NATS_URL=nats://nats-stage.internal:4222
+NATS_CLIENT_PORT=4222
+
+# ============================================================================
+# RUSTFS ARTIFACT STORAGE
+# ============================================================================
+RUSTFS_ENDPOINT=http://rustfs-stage.internal:8080
+RUSTFS_HTTP_PORT=8080
+
+# ============================================================================
+# AUTHORITY SERVICE
+# ============================================================================
+AUTHORITY_PORT=8440
+AUTHORITY_ISSUER=https://auth-stage.yourdomain.com
+
+# ============================================================================
+# SIGNER SERVICE
+# ============================================================================
+SIGNER_PORT=8441
+SIGNER_POE_INTROSPECT_URL=https://auth-stage.yourdomain.com/connect/introspect
+
+# ============================================================================
+# ATTESTOR SERVICE
+# ============================================================================
+ATTESTOR_PORT=8442
+
+# ============================================================================
+# SCANNER SERVICE
+# ============================================================================
+SCANNER_WEB_PORT=8444
+SCANNER_EVENTS_ENABLED=true
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey-stage.internal:6379
+SCANNER_EVENTS_STREAM=stella.events.stage
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=50000
+
+# Offline kit (optional for staging)
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=false
+
+# ============================================================================
+# CONCELIER SERVICE
+# ============================================================================
+CONCELIER_PORT=8445
+
+# ============================================================================
+# NOTIFY SERVICE
+# ============================================================================
+NOTIFY_WEB_PORT=8446
+# Use test channels for staging
+NOTIFY_SLACK_CHANNEL=#stellaops-stage-alerts
+NOTIFY_EMAIL_TO=stage-alerts@yourdomain.com
+
+# ============================================================================
+# ISSUER DIRECTORY SERVICE
+# ============================================================================
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# ============================================================================
+# ADVISORY AI SERVICE
+# ============================================================================
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_INFERENCE_MODE=Remote
+# Use staging/test API keys
+# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
+# ADVISORY_AI_REMOTE_APIKEY=<staging-api-key>
+
+# ============================================================================
+# SCHEDULER SERVICE
+# ============================================================================
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web-stage.internal:8444
+
+# ============================================================================
+# WEB UI
+# ============================================================================
+UI_PORT=8443
+
+# ============================================================================
+# CRYPTO PROFILE
+# ============================================================================
+STELLAOPS_CRYPTO_PROFILE=us-fips
+
+# ============================================================================
+# TELEMETRY
+# ============================================================================
+STELLAOPS_TELEMETRY_ENABLED=true
+STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector-stage.internal:4317
+STELLAOPS_TELEMETRY_SERVICE_NAME=stellaops-stage
+STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0-stage}
+
+# ============================================================================
+# RATE LIMITING (RELAXED FOR TESTING)
+# ============================================================================
+STELLAOPS_RATELIMIT_ENABLED=true
+STELLAOPS_RATELIMIT_REQUESTS_PER_MINUTE=5000