StellaOps Bot 5146204f1b feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00

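# StellaOps Air-Gap Controller configuration template.
# Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
# Task: SEAL-019 - Staleness policy configuration
#
# Copy to airgap.yaml and adjust values to fit your environment.
# Environment variables prefixed with STELLAOPS_AIRGAP_ override these values.
# NOTE(review): how nested keys map onto STELLAOPS_AIRGAP_* names (separator,
# casing) is not documented here - confirm against the controller's loader.
#
# Enumeration-like string values are quoted throughout so that no YAML loader
# retypes them; real booleans stay bare true/false on purpose.
---
schemaVersion: 1

# Staleness policy configuration
# Controls how long knowledge snapshots remain valid before requiring refresh.
staleness:
  # Maximum age before snapshot is rejected (default: 168 hours = 7 days)
  maxAgeHours: 168
  # Age at which warnings are emitted (default: 72 hours = 3 days).
  # Keep this below maxAgeHours, otherwise a snapshot is rejected before any
  # warning is ever emitted.
  warnAgeHours: 72
  # Whether to require a valid time anchor for import.
  # With this off, snapshot age can only be judged against the local clock of
  # the sealed host, which an operator (or attacker) with host access controls.
  requireTimeAnchor: true
  # Action when snapshot is stale: "warn", "block".
  # "warn" lets stale knowledge through; keep "block" for sealed environments.
  staleAction: "block"
  # Per-content staleness budgets (overrides default)
  # NOTE(review): policy.breachSeconds (30 days) exceeds maxAgeHours (7 days);
  # which limit wins for policy content is not stated here - confirm before
  # relying on either value.
  contentBudgets:
    advisories:
      warningSeconds: 86400  # 24 hours
      breachSeconds: 259200  # 72 hours (3 days)
    vex:
      warningSeconds: 86400  # 24 hours
      breachSeconds: 604800  # 168 hours (7 days)
    policy:
      warningSeconds: 604800  # 7 days
      breachSeconds: 2592000  # 30 days

# Snapshot export configuration
export:
  # Default output directory for exported snapshots.
  # A relative path depends on the process working directory; prefer an
  # absolute path in production deployments.
  outputDirectory: "./snapshots"
  # Compression level (0-9, default: 6)
  compressionLevel: 6
  # Whether to include trust roots in export
  includeTrustRoots: true
  # Default feeds to include (empty = all)
  defaultFeeds: []
  # Default ecosystems to include (empty = all)
  defaultEcosystems: []

# Snapshot import configuration
import:
  # Directory for quarantined failed imports.
  # Anything here failed verification - treat it as untrusted data and keep
  # it outside any directory the controller reads snapshots from.
  quarantineDirectory: "./quarantine"
  # Quarantine TTL in hours (default: 168 = 7 days)
  quarantineTtlHours: 168
  # Maximum quarantine size in MB (default: 1024 = 1GB)
  quarantineMaxSizeMb: 1024
  # The three checks below form the import integrity gate; leave all of them
  # enabled in sealed environments.
  # Whether to verify signature on import (authenticity of the snapshot)
  verifySignature: true
  # Whether to verify merkle root on import (content integrity)
  verifyMerkleRoot: true
  # Whether to enforce version monotonicity (prevent rollback to an older,
  # possibly vulnerable, snapshot)
  enforceMonotonicity: true

# Trust store configuration
trustStore:
  # Path to trust roots bundle.
  # Signature verification chains to this file, so protect it like a root CA
  # bundle: owned by the service account, read-only, changes reviewed.
  rootBundlePath: "/etc/stellaops/trust-roots.pem"
  # Allowed signature algorithms.
  # Trim this list to the algorithms your signing keys actually use; a shorter
  # list reduces the algorithm-confusion surface.
  allowedAlgorithms:
    - "ES256"
    - "ES384"
    - "Ed25519"
    - "RS256"
    - "RS384"
  # Key rotation settings
  rotation:
    # Require approval for key rotation
    requireApproval: true
    # Pending key timeout in hours
    pendingTimeoutHours: 24

# Time anchor configuration
timeAnchor:
  # Default time anchor source: "roughtime", "rfc3161", "local".
  # "local" is the host clock and provides no external anchor; it is the weakest
  # choice when staleness.requireTimeAnchor is true.
  defaultSource: "roughtime"
  # Roughtime server endpoints
  roughtimeServers:
    - "roughtime.cloudflare.com:2003"
    - "roughtime.google.com:2003"
  # RFC 3161 TSA endpoints.
  # RFC 3161 tokens are signed by the TSA, so plain-HTTP transport is
  # conventional; the TSA signing certificate must still be validated.
  # NOTE(review): which trust store validates TSA certificates is not
  # configured here - confirm.
  rfc3161Servers:
    - "http://timestamp.digicert.com"
    - "http://timestamp.comodoca.com"
  # Maximum allowed clock drift in seconds between the anchor and local clock
  maxClockDriftSeconds: 60

# Egress policy (network access control in sealed mode)
egressPolicy:
  # Policy mode: "allowlist", "denylist".
  # "allowlist" is fail-closed (only listed hosts are reachable);
  # "denylist" is fail-open (everything not listed is reachable). Keep
  # "allowlist" for sealed deployments.
  mode: "allowlist"
  # Allowed hosts when sealed (allowlist mode). Empty = no outbound hosts.
  # NOTE(review): with an empty allowlist the timeAnchor endpoints above are
  # presumably unreachable in sealed mode - confirm whether anchor lookups
  # bypass this policy or must be listed here.
  allowedHosts: []
  # Denied hosts (denylist mode)
  deniedHosts: []
  # Allow localhost traffic when sealed.
  # Loopback is exempt from the policy above, so every service listening on
  # the host is reachable from the controller.
  allowLocalhost: true

# Logging and telemetry
telemetry:
  # Log staleness warnings
  logStalenessWarnings: true
  # Emit metrics for staleness tracking
  emitStalenessMetrics: true
  # Activity source name for tracing
  activitySourceName: "StellaOps.AirGap"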