git.stella-ops.org/etc/packs-registry.yaml.sample

# StellaOps Packs Registry configuration template.
# Copy to ../etc/packs-registry.yaml (relative to the Packs Registry content root)
# and adjust values as needed. Environment variables prefixed with
# STELLAOPS_PACKSREGISTRY_ override these settings at runtime.

schemaVersion: 1

telemetry:
  enabled: true
  serviceName: "stellaops-packs-registry"
  exportConsole: true
  minimumLogLevel: "Information"
  otlpEndpoint: ""
  resourceAttributes:
    deployment.environment: "local"

authority:
  issuer: "https://authority.stella-ops.local"
  metadataAddress: ""
  requireHttpsMetadata: true
  audiences:
    - "api://packs-registry"
  tenant: "tenant-default"
  # Client credentials for publishing packs into the registry.
  publishClient:
    clientId: "packs-registry"
    clientSecret: ""
    clientSecretFile: "../secrets/packs-registry.secret"
    scopes:
      - "packs.write"
      - "packs.read"
  # Optional read-only client for mirrors or offline tooling.
  readerClient:
    clientId: "packs-reader"
    clientSecret: ""
    clientSecretFile: "../secrets/packs-reader.secret"
    scopes:
      - "packs.read"

storage:
  # PostgreSQL database storing pack metadata and provenance (MongoDB removed in Sprint 4400).
  driver: "postgres"
  connectionString: "Host=postgres;Port=5432;Database=stellaops_platform;Username=stellaops;Password=change-me"
  schema: "packs"
  # Object storage bucket/container for pack bundles and signatures.
  bundleStore: "s3://stellaops-packs"

signing:
  # Trusted keys (PEM paths or Fulcio issuer URLs) used to validate inbound packs.
  trustedKeys:
    - "../certificates/packs-signing.pem"
  # Enforce DSSE attestations for published packs.
  requireDsse: true

mirroring:
  enabled: false
  # Remote registry or file share used to seed mirrors in offline deployments.
  source: ""
  schedule: "00:30:00"

offlineKit:
  enabled: true
  exportDirectory: "out/offline/packs"
  provenanceManifest: "out/offline/packs/provenance.json"