Feature/scitt scrapi lifecycle

.env.example

@@ -12,3 +12,12 @@ LOGGING_CONFIG_FILE=server/logging_dev.conf
 
 # Groq API key for Whisper transcription
 GROQ_API_KEY=your_groq_api_key_here
+
+# OpenTelemetry (used when running with docker-compose.signoz.yml)
+# conserver and api send traces/metrics to signoz-otel-collector when the SignOz stack is enabled
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://signoz-otel-collector:4318
+# OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf
+# OTEL_TRACES_EXPORTER=otlp
+# OTEL_METRICS_EXPORTER=otlp
+# OTEL_LOGS_EXPORTER=otlp
+# OTEL_SERVICE_NAME=conserver

README.md

@@ -688,6 +688,61 @@ The system is designed to scale horizontally. The conserver service can be scale
 docker compose up --scale conserver=4 -d
 ```
 
+## SCITT Lifecycle Registration
+
+The `links.scitt` module registers vCon lifecycle events on a [SCRAPI](https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/)-compatible transparency service, creating an immutable audit trail per [draft-howe-vcon-lifecycle](https://www.ietf.org/archive/id/draft-howe-vcon-lifecycle-00.html).
+
+Each registration creates a COSE Sign1 signed statement from the vCon's SHA-256 hash and registers it via `POST /entries`. The receipt is stored as a `scitt_receipt` analysis entry on the vCon.
+
+### Configuration
+
+```yaml
+links:
+  scitt_created:
+    module: links.scitt
+    options:
+      scrapi_url: http://scittles:8000   # SCRAPI service URL
+      signing_key_path: /etc/scitt/signing-key.pem  # EC P-256 key
+      issuer: conserver                   # CWT issuer claim
+      key_id: conserver-key-1             # COSE key ID
+      vcon_operation: vcon_created        # Lifecycle event type
+
+  scitt_enhanced:
+    module: links.scitt
+    options:
+      scrapi_url: http://scittles:8000
+      signing_key_path: /etc/scitt/signing-key.pem
+      issuer: conserver
+      key_id: conserver-key-1
+      vcon_operation: vcon_enhanced
+```
+
+Use two instances in a chain to capture the vCon hash before and after transcription:
+
+```yaml
+chains:
+  transcription_chain:
+    links:
+      - tag
+      - scitt_created       # Hash before transcription
+      - wtf_transcribe
+      - keyword_tagger
+      - scitt_enhanced      # Hash after transcription
+      - expire_vcon
+```
+
+### Signing Key
+
+Generate an EC P-256 signing key:
+
+```bash
+openssl ecparam -name prime256v1 -genkey -noout -out scitt-signing-key.pem
+```
+
+### Transparency Service
+
+The link is compatible with any SCRAPI service. [SCITTLEs](https://github.com/vcon-dev/scittles) is a lightweight, self-hosted option using SQLite.
+
 ## Storage Modules
 
 ### PostgreSQL Storage

docker-compose.signoz.yml

@@ -0,0 +1,158 @@
+# SigNoz Observability Stack
+# Usage: docker compose -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.signoz.yml up -d
+#
+# After first run, execute schema migrations:
+#   docker run --rm --network conserver signoz/signoz-schema-migrator:latest sync --dsn='tcp://signoz-clickhouse:9000'
+#
+# Access UI at: http://localhost:3301
+
+networks:
+  conserver:
+    external: true
+
+volumes:
+  signoz_clickhouse_data:
+  signoz_zookeeper_data:
+  signoz_zookeeper_log:
+  signoz_data:
+
+services:
+  signoz-zookeeper:
+    image: zookeeper:3.9
+    container_name: signoz-zookeeper
+    hostname: signoz-zookeeper
+    environment:
+      - ZOO_AUTOPURGE_PURGEINTERVAL=1
+      - ZOO_4LW_COMMANDS_WHITELIST=mntr,ruok,stat
+    volumes:
+      - signoz_zookeeper_data:/data
+      - signoz_zookeeper_log:/datalog
+    networks:
+      - conserver
+    healthcheck:
+      test: ["CMD-SHELL", "echo ruok | nc localhost 2181 | grep imok"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  signoz-clickhouse:
+    image: clickhouse/clickhouse-server:24.1.2-alpine
+    container_name: signoz-clickhouse
+    hostname: signoz-clickhouse
+    tty: true
+    depends_on:
+      signoz-zookeeper:
+        condition: service_healthy
+    volumes:
+      - signoz_clickhouse_data:/var/lib/clickhouse
+      - ./signoz/zz-clickhouse-config.xml:/etc/clickhouse-server/config.d/zz-clickhouse-config.xml:ro
+      - ./signoz/clickhouse-users.xml:/etc/clickhouse-server/users.d/users.xml:ro
+    environment:
+      - CLICKHOUSE_DB=signoz_traces
+      - CLICKHOUSE_USER=default
+      - CLICKHOUSE_PASSWORD=
+    ulimits:
+      nofile:
+        soft: 262144
+        hard: 262144
+    networks:
+      - conserver
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8123/ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  signoz-otel-collector:
+    image: signoz/signoz-otel-collector:latest
+    container_name: signoz-otel-collector
+    hostname: signoz-otel-collector
+    command:
+      - "--config=/etc/otel-collector-config.yaml"
+    depends_on:
+      signoz-clickhouse:
+        condition: service_healthy
+    environment:
+      - OTEL_RESOURCE_ATTRIBUTES=host.name=signoz-host,os.type=linux
+    volumes:
+      - ./signoz/otel-collector-config.yaml:/etc/otel-collector-config.yaml:ro
+    ports:
+      - "4317:4317"   # OTLP gRPC receiver
+      - "4318:4318"   # OTLP HTTP receiver
+    networks:
+      - conserver
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:13133/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  signoz:
+    image: signoz/query-service:latest
+    container_name: signoz
+    hostname: signoz
+    depends_on:
+      signoz-clickhouse:
+        condition: service_healthy
+    environment:
+      - ClickHouseUrl=tcp://signoz-clickhouse:9000
+      - SIGNOZ_LOCAL_DB_PATH=/var/lib/signoz/signoz.db
+      - DASHBOARDS_PATH=/root/config/dashboards
+      - STORAGE=clickhouse
+      - GODEBUG=netdns=go
+      - TELEMETRY_ENABLED=true
+      - DEPLOYMENT_TYPE=docker-standalone
+    volumes:
+      - signoz_data:/var/lib/signoz
+      - ./signoz/dashboards:/root/config/dashboards
+    ports:
+      - "3301:8080"   # Web UI
+    networks:
+      - conserver
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8080/api/v1/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  # Override conserver and api to send traces/metrics to SignOz (OTLP HTTP)
+  conserver:
+    command: "opentelemetry-instrument python ./server/main.py"
+    environment:
+      OTEL_EXPORTER_OTLP_ENDPOINT: http://signoz-otel-collector:4318
+      OTEL_EXPORTER_OTLP_PROTOCOL: http/protobuf
+      OTEL_TRACES_EXPORTER: otlp
+      OTEL_METRICS_EXPORTER: otlp
+      OTEL_LOGS_EXPORTER: otlp
+      OTEL_SERVICE_NAME: conserver
+    depends_on:
+      signoz-otel-collector:
+        condition: service_healthy
+
+  api:
+    command: /bin/bash -c "opentelemetry-instrument uvicorn server.api:app --host 0.0.0.0 --port 8000"
+    environment:
+      OTEL_EXPORTER_OTLP_ENDPOINT: http://signoz-otel-collector:4318
+      OTEL_EXPORTER_OTLP_PROTOCOL: http/protobuf
+      OTEL_TRACES_EXPORTER: otlp
+      OTEL_METRICS_EXPORTER: otlp
+      OTEL_LOGS_EXPORTER: otlp
+      OTEL_SERVICE_NAME: conserver.api
+    depends_on:
+      signoz-otel-collector:
+        condition: service_healthy
+
+  logspout-signoz:
+      image: pavanputhra/logspout-signoz
+      container_name: logspout-signoz
+      restart: unless-stopped
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+      environment:
+        SIGNOZ_LOG_ENDPOINT: http://172.17.0.1:8082
+        ENV: prod
+      command: signoz://172.17.0.1:8082

docker/Dockerfile

@@ -10,6 +10,9 @@ ENV VCON_SERVER_VERSION=${VCON_SERVER_VERSION}
 ENV VCON_SERVER_GIT_COMMIT=${VCON_SERVER_GIT_COMMIT}
 ENV VCON_SERVER_BUILD_TIME=${VCON_SERVER_BUILD_TIME}
 
+# Configure apt to use HTTPS sources (required when HTTP port 80 is blocked)
+RUN sed -i 's|http://deb.debian.org|https://deb.debian.org|g' /etc/apt/sources.list.d/debian.sources
+
 RUN apt-get update && \
     apt-get install -y libavdevice-dev ffmpeg