git.stella-ops.org/devops
master c5cc11c28f feat(authority): wire auto-migration + idempotent schema (AGENTS.md §2.7)
Brings Authority into §2.7 compliance. Previously AutoMigrate=true was set
in Program.cs but no runner was wired; 001_initial_schema.sql was
non-idempotent so wiring AddStartupMigrations against a pre-bootstrapped
DB crash-looped. Discovered during DEPRECATE-003 when the new drop
migration couldn't apply via Authority's own startup path.

Idempotency fixes in 001_initial_schema.sql:
- CREATE INDEX → CREATE INDEX IF NOT EXISTS (27 indexes)
- CREATE TRIGGER → DROP TRIGGER IF EXISTS + CREATE TRIGGER (3 triggers)
- CREATE POLICY → DROP POLICY IF EXISTS + CREATE POLICY (12 policies)
- CREATE TABLE / FUNCTION (OR REPLACE) / RLS ENABLE / role DO blocks were
  already idempotent — left unchanged

Wiring:
- AddStartupMigrations("authority", "Authority", typeof(AuthorityDataSource)
  .Assembly) called inside RegisterAuthorityServices (canonical
  Signals/Scanner pattern).
- Stale options.AutoMigrate = true + options.MigrationsPath removed from
  Program.cs.
- Migrations\_archived\** excluded from the EmbeddedResource glob.

Init script cleanup (migrations own schema authority now):
- 04-authority-schema.sql: 569 lines → 60 lines (schema shells + guarded
  default-tenant seed fallback only; all DDL removed)
- 04b-authority-dedicated-schema.sql: same reduction for dedicated DB

Verification sequence — all PASS:
1. Green-field replay: 001 runs twice with zero semantic drift (pg_dump
   diff shows only session restrict nonce).
2. Wire against pre-migrated volume: runner applies 001+002 in 209ms, no
   crash-loop.
3. Wire + fresh schema: migrates 20 tables from empty in 395ms.
4. Idempotent restart: "Database is up to date", pure no-op.

Sprint SPRINT_20260422_003_Authority_auto_migration_compliance created
and archived in the same pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:03:43 +03:00
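The three rewrites the commit describes (index, trigger, policy), shown as an added example that is not the repository's 001_initial_schema.sql; the schema, table, index, function, trigger and policy names, and the app.tenant_id session setting, are assumptions:

```sql
-- Added illustration of the idempotency rewrites described in the commit.
-- All object names under authority_demo.* are hypothetical, not from the repo.
CREATE SCHEMA IF NOT EXISTS authority_demo;

-- CREATE TABLE IF NOT EXISTS was already idempotent and needs no change.
CREATE TABLE IF NOT EXISTS authority_demo.tokens (
    token_id   uuid PRIMARY KEY,
    tenant_id  text NOT NULL,
    updated_at timestamptz NOT NULL DEFAULT now()
);

-- Before: plain CREATE INDEX fails on a second run ("relation already exists").
-- After:  IF NOT EXISTS turns the statement into a no-op once the index exists.
CREATE INDEX IF NOT EXISTS ix_tokens_tenant ON authority_demo.tokens (tenant_id);

-- CREATE OR REPLACE FUNCTION was already idempotent and is left as-is.
CREATE OR REPLACE FUNCTION authority_demo.touch_updated_at()
RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    NEW.updated_at := now();
    RETURN NEW;
END;
$$;

-- Before: CREATE TRIGGER has no IF NOT EXISTS form, so a re-run errors out.
-- After:  drop it if present, then recreate; the pair leaves the same trigger.
-- (PostgreSQL 14+ also accepts CREATE OR REPLACE TRIGGER as an alternative.)
DROP TRIGGER IF EXISTS trg_tokens_touch ON authority_demo.tokens;
CREATE TRIGGER trg_tokens_touch
    BEFORE UPDATE ON authority_demo.tokens
    FOR EACH ROW EXECUTE FUNCTION authority_demo.touch_updated_at();

-- ENABLE ROW LEVEL SECURITY may be repeated freely; it was already idempotent.
ALTER TABLE authority_demo.tokens ENABLE ROW LEVEL SECURITY;

-- Before: CREATE POLICY likewise has no IF NOT EXISTS and fails on re-run;
--         any such failure on startup is what crash-loops a migration runner
--         pointed at a database the init scripts already bootstrapped.
-- After:  DROP POLICY IF EXISTS + CREATE POLICY, re-runnable at every start.
DROP POLICY IF EXISTS tokens_tenant_isolation ON authority_demo.tokens;
CREATE POLICY tokens_tenant_isolation ON authority_demo.tokens
    USING (tenant_id = current_setting('app.tenant_id', true));
```

Applying this file twice to the same database must raise no errors; the commit's green-field check does exactly that and diffs the two pg_dump outputs to confirm no semantic drift.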

DevOps

Deployment infrastructure for StellaOps.

Stack

Component      Technology
Database       PostgreSQL 18.1
Cache/Queue    Valkey 9.0.1
Storage        RustFS
Transparency   Rekor v2

Structure

devops/
├── compose/           # Docker Compose files
├── helm/              # Kubernetes Helm chart
├── docker/            # Dockerfiles
├── runtime-assets/    # Runtime data assets (ML models, JDK, Ghidra, certs)
├── database/          # PostgreSQL migrations
├── scripts/           # Operational scripts
├── offline/           # Air-gap support
├── telemetry/         # Alerts & dashboards
├── logging/           # Log config templates
├── release/           # Release tools
├── releases/          # Release manifests
├── secrets/           # Secret templates
└── tools/             # Validation scripts

Runtime Data Assets

Services require certain files at runtime that are not produced by dotnet publish or npm run build: ML model weights, JDK/Ghidra for binary analysis, certificates, and more. Before building Docker images or creating offline bundles, run:

./devops/runtime-assets/acquire.sh --all      # download and verify
./devops/runtime-assets/acquire.sh --verify   # check existing assets
./devops/runtime-assets/acquire.sh --package  # create air-gap tarball

See devops/runtime-assets/README.md for the full inventory and provisioning guide.

Quick Start

# Local stack
docker compose -f devops/compose/docker-compose.stella-ops.yml up -d

# With telemetry
docker compose -f devops/compose/docker-compose.stella-ops.yml \
               -f devops/compose/docker-compose.telemetry.yml up -d

# Kubernetes
helm install stellaops devops/helm/stellaops \
  -f devops/helm/stellaops/values-prod.yaml \
  -n stellaops --create-namespace

Compose Files

File                   Purpose
stella-ops.yml         Main stack
telemetry.yml          Observability
testing.yml            CI infrastructure
compliance-china.yml   SM2/SM3/SM4
compliance-russia.yml  GOST
compliance-eu.yml      eIDAS