System Overview

Community Edition

This documentation covers STING Community Edition (CE) — the free, open-source deployment. Enterprise features available in STING Hive are noted where relevant but are not included in CE.

High-Level Architecture

STING CE is a self-hosted, Docker Compose–orchestrated platform built around a microservices architecture. All services run on a single host within a private Docker bridge network (sting_local), communicating over internal DNS.

┌─────────────────────────────────────────────────────────────────┐
│                         Client (Browser)                        │
└────────────────────────────────┬────────────────────────────────┘
                                 │ HTTPS :8443
┌────────────────────────────────▼────────────────────────────────┐
│               Nginx / React Frontend (frontend)                 │
│         Serves SPA, proxies API requests to backend             │
└──────┬──────────────┬──────────────┬───────────────┬────────────┘
       │              │              │               │
  ┌────▼────┐   ┌─────▼─────┐  ┌────▼─────┐  ┌─────▼──────┐
  │Flask API│   │ Knowledge │  │Messaging │  │ Public Bee │
  │  (app)  │   │  Service  │  │ Service  │  │  Service   │
  │  :5050  │   │   :8090   │  │  :8889   │  │   :8092    │
  └────┬────┘   └─────┬─────┘  └────┬─────┘  └────────────┘
       │              │              │
  ┌────▼──────────────▼──────────────▼────────────────────────┐
  │                      Data Layer                           │
  │  PostgreSQL :5432 │ Redis :6379 │ ChromaDB :8000 │ Vault │
  └───────────────────────────────────────────────────────────┘

Architecture Layers

STING CE is organized into four logical layers:

Layer	Components	Purpose
Client	Browser SPA (React 18)	User interface, passkey/WebAuthn auth
Gateway	Nginx reverse proxy, LLM Gateway Proxy	TLS termination, routing, LLM failover
Application	Flask API, FastAPI services, workers	Business logic, AI orchestration, messaging
Data	PostgreSQL, Redis, ChromaDB, Vault	Persistence, caching, vectors, secrets

Service Inventory

All services run as Docker containers orchestrated by Docker Compose.

Service	Container	Internal Port	Exposed Port	Technology
vault	sting-ce-vault	8200	8200	HashiCorp Vault
utils	sting-ce-utils	—	—	Python init helper
db	sting-ce-db	5432	5433	PostgreSQL 16
kratos	sting-ce-kratos	4433, 4434	4433, 4434	Ory Kratos 1.3
app	sting-ce-app	5050	5050	Flask 2.x + Gunicorn
report-worker	sting-ce-report-worker	—	—	Python (thin proxy → app)
profile-sync-worker	—	—	—	Python background worker
report-bee	—	—	—	Python report quality review
frontend	sting-ce-frontend	80	8443	React 18 + Nginx 1.27
mailpit	sting-ce-mailpit	1025, 8025	1025, 8025	Mailpit (dev only)
chroma	sting-ce-chroma	8000	8000	ChromaDB 0.5.20
searxng	sting-ce-searxng	8080	—	SearXNG metasearch
knowledge	sting-ce-knowledge	8090	8090	FastAPI (Honey Jars)
llm-gateway-proxy	—	8080	8085	Nginx LLM proxy
chatbot	sting-ce-chatbot	8081, 8888	8081, 8888	Python chatbot
messaging	sting-ce-messaging	8889	8889	FastAPI messaging
redis	sting-ce-redis	6379	6379	Redis
external-ai	sting-ce-external-ai	8091	8091	FastAPI LLM gateway
public-bee	sting-ce-public-bee	8092	8092	FastAPI public API
demo-ai	sting-ce-demo-ai	8095	8095	FastAPI mock LLM

Request Flow

Standard API Request

Browser → Nginx (frontend :8443)
       → Flask API (app :5050)
       → Kratos session validation
       → Route handler (Blueprint)
       → PostgreSQL / Redis
       → JSON response

LLM Request Flow

App (or Chatbot)
  → external-ai-service :8091  (FastAPI ProviderRegistry)
  → llm-gateway-proxy :8085   (Nginx reverse proxy)
  → Ollama / OpenAI / Anthropic / LM Studio / vLLM
  → Streamed response back through the chain

The LLM gateway proxy provides upstream failover and streaming support (proxy_buffering off, 300-second timeouts). The external AI service’s singleton ProviderRegistry manages provider configuration and routing.

Knowledge Search Flow

User query
  → knowledge service :8090
  → ChromaDB :8000 (vector similarity search)
  → PostgreSQL (metadata enrichment)
  → Ranked results returned

Docker Compose Orchestration

All services are defined in a single docker-compose.yml and share the sting_local bridge network. Key orchestration patterns:

Health checks — every service defines a HEALTHCHECK in its Dockerfile (30s interval, 10s timeout, 40s start period, 3 retries).
Startup ordering — depends_on with condition: service_healthy ensures services start in the correct order (e.g., db and vault before app).
Environment configuration — each service reads from dedicated .env files in STING/env/.
Resource limits — production deployments use Docker deploy constraints for memory and CPU.

Network Architecture

All containers communicate over a single Docker bridge network:

networks:
  sting_local:
    driver: bridge

No service is exposed to the public internet by default. The Nginx frontend container is the sole entry point, handling TLS termination and proxying requests to internal services.

Design Principles

Principle	Implementation
Microservices	Each service has a single responsibility and its own container
Zero Trust	Every request is authenticated; services validate tokens independently
Data Sovereignty	All data stays on-premises; no external telemetry or cloud dependencies
Graceful Degradation	Services handle dependency failures with retries and fallbacks
Infrastructure as Code	Full stack defined in Docker Compose with environment-driven configuration

Hive-only features: ChatOps connectors (Slack, Teams, Discord), Nectar Worker bot management, and Beeacon observability are available in STING Hive but are not included in Community Edition.

Last updated: March 29, 2026