git.stella-ops.org/docs/quickstart.md
master f98cea3bcf Add Authority Advisory AI and API Lifecycle Configuration
- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
2025-11-02 13:50:25 +02:00


Quickstart: First Scan in Five Minutes

Status: public α image ships late 2025 (registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha). Commands below are ready the moment the tag lands.

0. Prerequisites (1 min)

| Requirement | Minimum | Notes |
|---|---|---|
| OS | Ubuntu 22.04 LTS / Alma 9 | x86-64 or arm64 |
| Docker | Engine 25 + Compose v2 | docker -v |
| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace /certs before production |

Keep Redis and MongoDB bundled unless you already operate managed instances.

1. Download the signed bundles (1 min)

curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.infrastructure.yml.sig \
  docker-compose.infrastructure.yml

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.stella-ops.yml.sig \
  docker-compose.stella-ops.yml

Air-gapped? The Offline Update Kit ships these files plus feeds and plug-ins.

2. Configure .env (1 min)

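Create .env with the essentials. Docker Compose reads .env literally and does not execute $(...), so replace each $(openssl rand -base64 18) below with the output of that command: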

STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)
MONGO_URL=mongodb
REDIS_PASSWORD=$(openssl rand -base64 18)
REDIS_URL=redis

Use existing Redis/Mongo endpoints by setting MONGO_URL and REDIS_URL. Keep credentials scoped to StellaOps; Redis counters enforce the transparent quota ({{ quota_token }} scans/day).
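
An added example, not StellaOps project code: a POSIX shell helper that writes this .env with the two openssl secrets expanded by the shell (Compose does not execute $(...) in .env files) and the file created owner-only. The names write_env and check_env, the single-quoted values and the 12-character password floor are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not project code): write the quickstart's .env with the
# secrets generated by the shell, since Compose will not expand $(...).
set -eu

# 18 random bytes, base64-encoded (24 characters), as in the quickstart.
rand_secret() {
  openssl rand -base64 18 2>/dev/null || head -c 18 /dev/urandom | base64
}

# write_env OUT COMPANY ADMIN_USER ADMIN_PASSWORD  (hypothetical helper)
write_env() (
  out=$1 company=$2 admin_user=$3 admin_pass=$4
  nl='
'
  # Refuse the quickstart placeholder; the 12-character floor is an assumption.
  if [ "$admin_pass" = "change-me!" ] || [ "${#admin_pass}" -lt 12 ]; then
    echo "refusing placeholder or short admin password" >&2; exit 1
  fi
  # Values are written single-quoted, which Compose reads literally, so a
  # quote or newline inside a value would break out of the quoting.
  case "$company$admin_user$admin_pass" in
    *"'"*|*"$nl"*) echo "quote or newline in value" >&2; exit 1 ;;
  esac
  mongo_pass=$(rand_secret)
  redis_pass=$(rand_secret)
  umask 077      # new file is created 0600, before any secret is written
  rm -f "$out"   # an existing file would keep its old, possibly wider, mode
  cat > "$out" <<EOF
STELLA_OPS_COMPANY_NAME='$company'
STELLA_OPS_DEFAULT_ADMIN_USERNAME='$admin_user'
STELLA_OPS_DEFAULT_ADMIN_PASSWORD='$admin_pass'
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD='$mongo_pass'
MONGO_URL=mongodb
REDIS_PASSWORD='$redis_pass'
REDIS_URL=redis
EOF
)

# check_env FILE: succeed only if no unexpanded $( and no placeholder remain.
check_env() {
  ! grep -q -e '\$(' -e 'change-me!' "$1"
}
```

Call write_env with your own values, then run check_env on the result before starting the stack; check_env also flags a hand-written .env that still contains the literal $(openssl ...) text.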

3. Launch services (1 min)

docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
  • StellaOps.Authority issues short-lived OpToks for CLI/UI.
  • StellaOps.Scanner hosts /scan, queues work to Workers.
  • StellaOps.Policy.Engine and StellaOps.Concelier start with seeded policies; feeds sync in the background.

4. Run your first scan (1 min)

stella auth login \
  --device-code \
  --audiences scanner,attestor \
  --scopes attestor.verify,attestor.read
stella scan image \
  --image registry.stella-ops.org/demo/juice-shop:latest \
  --sbom-type cyclonedx-json
  • Expect <5s warm scans once the Delta SBOM cache is primed.
  • CLI exits non-zero if lattice policy blocks the image; use stella policy explain --last for context.
  • Headers X-Stella-Quota-Remaining and the UI banner keep quota usage transparent.

Need to inspect attestations only? Swap attestor.verify for attestor.read. Submission endpoints still need attestor.write.

5. Verify & explore (1 min)

  • Check the Console (https://localhost:8443) to view findings, VEX evidence, and deterministic replay manifests.
  • Export the DSSE bundle: stella export run --format dsse.
  • Capture evidence for audit: stella attest bundle --output demo.dsse.json.

Sovereign mode in one click

  • Import the Offline Update Kit (stella offline-kit import ./stella-ouk-2025-alpha.tar.gz) to replace every external feed.
  • Apply a CryptoProfile (stella authority crypto apply ./profiles/fips.yaml) to swap signing algorithms without rebuilding.

Next steps