# StellaOps Configuration (`etc/`)

This directory contains all configuration for StellaOps services. It is the **single source of truth** for deployment configuration.

## Directory Structure

```
etc/
├── authority/        # Authentication & authorization service
├── certificates/     # Trust anchors and signing keys
├── concelier/        # Advisory ingestion service
├── crypto/           # Regional cryptographic profiles
├── env/              # Environment-specific profiles (dev/stage/prod/airgap)
├── llm-providers/    # AI/LLM provider configurations
├── notify/           # Notification service & templates
├── plugins/          # Plugin manifests (configuration, not binaries)
├── policy/           # Policy engine configuration & packs
├── router/           # Transport router configuration
├── scanner/          # Container scanning service
├── scheduler/        # Job scheduling service
├── scm-connectors/   # Source control integrations
├── secrets/          # Development secrets only (NEVER for production)
├── signals/          # Runtime signals configuration
└── vex/              # VEX processing services
```

## File Naming Convention

| Pattern | Purpose | Git Status |
|---------|---------|------------|
| `*.yaml.sample` | Documented template with all options | Committed |
| `*.yaml` | Active configuration | Git-ignored |
| `*.env.sample` | Environment variable template | Committed |
| `env.*` | Active environment file | Git-ignored |

## Quick Start

```bash
# 1. Copy sample to active config
cp etc/scanner/scanner.yaml.sample etc/scanner/scanner.yaml

# 2. Edit for your environment
vi etc/scanner/scanner.yaml

# 3. Copy environment profile
cp etc/env/dev.env.sample etc/env/dev.env
```

## Regional Crypto Profiles

For compliance with regional cryptographic standards:

| Profile | Standard | Use Case |
|---------|----------|----------|
| `us-fips` | FIPS 140-3 | US Federal, DoD |
| `eu` | eIDAS | EU qualified signatures |
| `ru` | GOST R 34.10/11/12 | Russian Federation |
| `cn` | GM/T (SM2/SM3/SM4) | China |
| `kr` | KCMVP | South Korea |

Activate via:

```bash
export STELLAOPS_CRYPTO_PROFILE=us-fips
```

## What Lives Elsewhere

| Directory | Purpose |
|-----------|---------|
| `plugins/` | Compiled plugin binaries (runtime artifacts) |
| `opt/` | Optional vendor packages (CryptoPro, etc.) |
| `offline/` | Air-gap operational state (feeds, packages) |

## Security

- **NEVER commit active configs** (`.yaml` files are git-ignored)
- **Secrets via environment variables** or external secret managers
- **`etc/secrets/`** contains ONLY development/sample keys, never for production
- **Production signing keys** must come from HSM, Vault, or KMS

## Documentation

Full guide: [docs/operations/configuration-guide.md](../docs/operations/configuration-guide.md)
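As an added example (not part of the StellaOps repository), a bash check that enforces the naming convention and the profile list above: it flags tracked paths under `etc/` that look like active configs or env files, and validates a `STELLAOPS_CRYPTO_PROFILE` value. The function names `check_tracked_configs`, `check_crypto_profile` and `audit_repo` are chosen here and are not StellaOps APIs.

```bash
#!/usr/bin/env bash
# Added example, not StellaOps code: audit tracked paths against the etc/
# naming convention (templates are committed, active configs are git-ignored).

# Reads one path per line on stdin; prints every path that should never be
# tracked and returns 1 if any were found, 0 otherwise.
check_tracked_configs() {
  local path found=0
  while IFS= read -r path; do
    case "$path" in
      etc/*.sample)
        ;;  # *.yaml.sample and *.env.sample are meant to be committed
      etc/*.yaml|etc/*.yml)
        echo "active config tracked: $path"; found=1 ;;
      etc/*/env.*|etc/*.env)
        echo "active env file tracked: $path"; found=1 ;;
    esac
  done
  return "$found"
}

# Accepts only the regional profiles documented in this README.
check_crypto_profile() {
  case "$1" in
    us-fips|eu|ru|cn|kr) return 0 ;;
    *) echo "unknown STELLAOPS_CRYPTO_PROFILE: $1" >&2; return 1 ;;
  esac
}

# Run both checks against the working tree, e.g. from a pre-commit hook.
# The profile check is skipped when the variable is not exported.
audit_repo() {
  git ls-files -- etc/ | check_tracked_configs || return 1
  [ -z "${STELLAOPS_CRYPTO_PROFILE:-}" ] || check_crypto_profile "$STELLAOPS_CRYPTO_PROFILE"
}
```

Call `audit_repo` from the repository root; a non-zero exit means an active config slipped into git or the exported profile is not one of the documented ones.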