Community Edition
This documentation covers STING Community Edition (CE) — the free, open-source deployment. Enterprise features available in STING Hive are noted where relevant but are not included in CE.Overview
STING CE uses a layered data architecture combining relational storage, key-value caching, vector embeddings, and secrets management. Each technology is purpose-selected for its workload.
┌────────────────────────────────────────────────────────────┐
│ Application Services │
└─────┬──────────┬──────────────┬──────────────┬─────────────┘
│ │ │ │
┌─────▼────┐ ┌──▼───┐ ┌──────▼──────┐ ┌────▼────┐
│PostgreSQL│ │Redis │ │ ChromaDB │ │ Vault │
│ 3 DBs │ │Cache │ │ Vectors │ │ Secrets │
│ :5432 │ │:6379 │ │ :8000 │ │ :8200 │
└──────────┘ └──────┘ └─────────────┘ └─────────┘
PostgreSQL 16
A single PostgreSQL 16 instance (container sting-ce-db, internal port 5432, exposed as 5433) hosts three logically separated databases with dedicated users.
Database Separation
| Database | User | Purpose |
|---|---|---|
sting_app | app_user | Main application data — users, conversations, reports, Honey Jars, settings |
kratos_db | kratos_user | Ory Kratos identity and session management |
sting_messaging | messaging_user | Secure messaging conversations and delivery state |
Each user has the minimum permissions required for its service. This limits the blast radius if any single service is compromised.
Extensions
uuid-ossp— UUID generation for primary keyspgcrypto— cryptographic functions for hashing and encryption at the database level
Migrations
Database migrations live in STING/database/migrations/ as sequentially numbered SQL files. Complex schema changes use companion shell scripts for data transformation.
STING/database/migrations/
├── 001_initial_schema.sql
├── 002_add_honey_jar_tables.sql
├── 003_messaging_schema.sql
└── ...
Redis
Redis (container sting-ce-redis, port 6379) provides fast in-memory data operations across four use cases:
| Use Case | Pattern | Example |
|---|---|---|
| Session storage | Key-value with TTL | User session tokens |
| Caching | Cache-aside | API response caching, query results |
| Pub/Sub | Publish-subscribe | Real-time messaging notifications |
| Rate limiting | Sliding window counters | API endpoint throttling |
Redis is configured as an ephemeral cache — persistent data always lives in PostgreSQL.
ChromaDB 0.5.20
ChromaDB (container sting-ce-chroma, port 8000) stores vector embeddings for semantic search within Honey Jars (knowledge bases).
How It Works
- Document ingestion — when a user uploads content to a Honey Jar, the knowledge service extracts text and splits it into chunks.
- Embedding generation — each chunk is converted into a vector embedding using the configured LLM provider.
- Storage — embeddings are stored in ChromaDB, indexed by collection (one per Honey Jar).
- Search — user queries are embedded and compared against stored vectors using cosine similarity.
Integration
The knowledge service (sting-ce-knowledge, port 8090) acts as the intermediary between application services and ChromaDB. No other service communicates with ChromaDB directly.
User query → Knowledge Service → ChromaDB (vector search)
→ PostgreSQL (metadata)
→ Merged ranked results
File Storage
STING CE stores files on local disk within Docker volumes:
| File Type | Handled By | Storage |
|---|---|---|
| Profile photos | Profile service (via Flask app) | Local volume / S3-compatible |
| Honey Jar documents | Knowledge service | Local volume |
| Report PDFs | Report worker | Local volume |
| Backups | msting backup | Configurable path |
Files are referenced by metadata records in PostgreSQL. The actual binary content lives on the filesystem, keeping the database lean.
HashiCorp Vault
Vault (container sting-ce-vault, port 8200) manages all sensitive configuration:
| Secret Type | Vault Path | Example |
|---|---|---|
| API keys | secret/api-keys/* | OpenAI, Anthropic keys |
| Database credentials | secret/db/* | PostgreSQL passwords |
| Encryption keys | secret/encryption-keys/* | Data-at-rest encryption |
| Service tokens | secret/tokens/* | Inter-service auth tokens |
Key Principles
- No hardcoded credentials — all secrets are fetched from Vault at runtime.
- Auto-unseal — Vault is configured for auto-unseal on startup; manual unseal via
sudo msting unsealif needed. - Key management — API keys can be managed with
sudo msting vault-secret listandsudo msting vault-secret <provider> <key>.
Data Flow: Document Upload
A typical document upload to a Honey Jar illustrates how the storage layers work together:
1. User uploads document via frontend
2. Flask API receives file, validates, stores to disk
3. Knowledge service processes document:
a. Extracts text content
b. Splits into chunks
c. Generates vector embeddings (via external-ai-service)
d. Stores embeddings in ChromaDB
e. Stores metadata in PostgreSQL (sting_app)
4. Redis cache is invalidated for affected Honey Jar
5. Document is now searchable via semantic similarity
Backup and Recovery
The msting backup command creates a comprehensive backup including:
- All three PostgreSQL databases (pg_dump)
- Redis snapshot (if persistent)
- ChromaDB data volume
- Configuration files and environment variables
- Vault data (encrypted)
Backups can optionally be encrypted with --encrypt. Restore with sudo msting restore <file>.