# StellaOps Production Environment
# Copy to .env in repository root: cp etc/env/prod.env.sample .env
#
# Layout: one KEY=value per line. Comments stay on their own lines because
# many dotenv loaders treat text after the value as part of the value.
#
# SECURITY: In production, prefer injecting secrets via:
#   - Kubernetes secrets
#   - Vault/external secret manager
#   - Environment variables from CI/CD
# DO NOT commit production secrets to version control
#
# The copied .env lives in the repository root: confirm it is covered by
# .gitignore before filling in any value, and keep it readable only by the
# deploying account. Every secret in this sample (POSTGRES_PASSWORD,
# VALKEY_PASSWORD, NATS_TOKEN, ADVISORY_AI_REMOTE_APIKEY) is left commented
# out and empty on purpose; supply them at runtime instead of editing them in.

# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=prod
STELLAOPS_LOG_LEVEL=Information

# ============================================================================
# POSTGRES DATABASE
# ============================================================================
# Use environment injection or secret manager for credentials
# NOTE(review): no TLS/sslmode setting for the database connection appears in
# this sample; confirm how transport encryption to postgres.internal is set.
POSTGRES_HOST=postgres.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
# POSTGRES_PASSWORD=
POSTGRES_DB=stellaops_platform

# Connection pool settings
# NOTE(review): COMMAND_TIMEOUT is presumably in seconds; confirm the unit.
POSTGRES_MAX_POOL_SIZE=100
POSTGRES_MIN_POOL_SIZE=10
POSTGRES_COMMAND_TIMEOUT=60

# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
# NOTE(review): with VALKEY_PASSWORD left unset the client presumably connects
# unauthenticated; confirm the server enforces authentication and that the
# port is reachable only from the service network.
VALKEY_HOST=valkey.internal
VALKEY_PORT=6379
# VALKEY_PASSWORD=

# ============================================================================
# NATS MESSAGING
# ============================================================================
# NATS_CLIENT_PORT repeats the port embedded in NATS_URL; change both together.
# NOTE(review): no TLS or credential setting is active here; confirm the NATS
# server requires TLS and authentication (NATS_TOKEN is injected at runtime).
NATS_URL=nats://nats.internal:4222
NATS_CLIENT_PORT=4222
# NATS_TOKEN=

# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
# RUSTFS_HTTP_PORT repeats the port embedded in RUSTFS_ENDPOINT.
# NOTE(review): the endpoint is plain http:// and no credential variable is
# shown in this sample; confirm artifact storage is protected in transit
# (TLS or an encrypted mesh) and that access to it is authenticated.
RUSTFS_ENDPOINT=http://rustfs.internal:8080
RUSTFS_HTTP_PORT=8080

# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
# auth.yourdomain.com is a placeholder; replace it before deploying.
# NOTE(review): presumably the token issuer URL that services validate
# against; keep it https:// and identical to what the authority publishes.
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://auth.yourdomain.com

# ============================================================================
# SIGNER SERVICE
# ============================================================================
# The introspection URL uses the same placeholder host as AUTHORITY_ISSUER;
# update both together so the signer does not query a different authority.
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://auth.yourdomain.com/connect/introspect

# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442

# ============================================================================
# SCANNER SERVICE
# ============================================================================
# SCANNER_EVENTS_DSN repeats VALKEY_HOST:VALKEY_PORT and carries no
# credentials; keep it in sync with the VALKEY section above.
# NOTE(review): confirm how the events driver authenticates once the cache
# has a password set.
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey.internal:6379
SCANNER_EVENTS_STREAM=stella.events
SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
SCANNER_EVENTS_MAX_STREAM_LENGTH=100000

# Offline kit (enable if operating in restricted network)
# NOTE(review): REQUIREDSSE and REKOROFFLINEMODE look like signature-envelope
# and transparency-log verification controls for offline bundles; confirm
# their semantics in the scanner documentation before relaxing either one.
SCANNER_OFFLINEKIT_ENABLED=false
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=false

# ============================================================================
# CONCELIER SERVICE
# ============================================================================
CONCELIER_PORT=8445

# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446

# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=false

# ============================================================================
# ADVISORY AI SERVICE
# ============================================================================
# Inference mode is Remote, but the base address and API key below are
# commented out, so both must be supplied at deploy time.
# NOTE(review): Remote mode presumably sends advisory/finding context to the
# configured endpoint; review what data leaves the environment and restrict
# egress to that host. Inject the API key from the secret manager only.
ADVISORY_AI_WEB_PORT=8448
ADVISORY_AI_INFERENCE_MODE=Remote
# ADVISORY_AI_REMOTE_BASEADDRESS=https://api.anthropic.com
# ADVISORY_AI_REMOTE_APIKEY=

# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
# Port 8444 matches SCANNER_WEB_PORT above; change both together.
# NOTE(review): plain http:// between scheduler and scanner; confirm this hop
# is covered by STELLAOPS_TLS_ENABLED or by network-level encryption.
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444

# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443

# ============================================================================
# CRYPTO PROFILE
# ============================================================================
# Select regional crypto profile based on compliance requirements:
#   - us-fips: FIPS 140-3 (US federal)
#   - eu: eIDAS qualified signatures
#   - ru: GOST R 34.10/34.11/34.12
#   - cn: GM/T SM2/SM3/SM4
#   - kr: KCMVP
STELLAOPS_CRYPTO_PROFILE=us-fips

# ============================================================================
# TELEMETRY
# ============================================================================
# NOTE(review): the collector endpoint is plain http://; traces and logs can
# carry sensitive request data, so confirm this hop is encrypted or confined
# to a trusted network segment.
# STELLAOPS_TELEMETRY_SERVICE_VERSION relies on shell-style ${VAR:-default}
# expansion. Not every dotenv loader expands it; verify the loader in use
# does, otherwise the literal text is reported as the version.
STELLAOPS_TELEMETRY_ENABLED=true
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
STELLAOPS_TELEMETRY_SERVICE_NAME=stellaops
STELLAOPS_TELEMETRY_SERVICE_VERSION=${STELLAOPS_RELEASE_VERSION:-2025.10.0}

# ============================================================================
# TLS CONFIGURATION
# ============================================================================
# TLS is enabled, but the certificate and key paths are commented out, so
# they must be provided at deploy time.
# NOTE(review): behaviour when TLS is enabled without these paths is not
# visible here; confirm services fail closed rather than fall back to
# plaintext. The private key file should be readable only by the service
# account.
STELLAOPS_TLS_ENABLED=true
# STELLAOPS_TLS_CERT_PATH=/etc/ssl/certs/stellaops/server.crt
# STELLAOPS_TLS_KEY_PATH=/etc/ssl/private/stellaops/server.key

# ============================================================================
# RATE LIMITING
# ============================================================================
# NOTE(review): the scope of the limit (per client, per IP or global) is not
# stated in this sample; confirm it before relying on it for abuse protection.
STELLAOPS_RATELIMIT_ENABLED=true
STELLAOPS_RATELIMIT_REQUESTS_PER_MINUTE=1000