stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Gaps fill up, fixes, ui restructuring

Browse Source
This commit is contained in:
master
2026-02-19 22:10:54 +02:00
parent b5829dce5c
commit 04cacdca8a
331 changed files with 42859 additions and 2174 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
docs/modules/platform/moat-gap-analysis.md
View File

@@ -26,15 +26,22 @@ This document captures the gap analysis between the competitive moat advisory an
| Feature | Moat | Current % | Key Gaps | Sprint Coverage |
|---------|------|-----------|----------|-----------------|
| Signed, replayable risk verdicts | 5 | 70% | OCI push, one-command replay | 4300_0001_* |
| VEX decisioning engine | 4 | 85% | Evidence hooks | Minimal |
| Reachability with proof | 4 | 75% | Standalone artifact | 4400_0001_0002 |
| Smart-Diff semantic delta | 4 | 80% | Signed delta verdict | 4400_0001_0001 |
| Unknowns as first-class state | 4 | 75% | Policy budgets, attestations | 4300_0002_* |
| Air-gapped epistemic mode | 4 | 70% | Sealed snapshot workflow | 4300_0003_0001 |
| SBOM ledger + lineage | 3 | 60% | Historical tracking, BYOS | 4600_0001_* |
| Policy engine with proofs | 3 | 85% | Compilation to artifact | Minimal |
| VEX distribution network | 3-4 | 30% | Hub layer entirely | 4500_0001_* |
| Signed, replayable risk verdicts | 5 | 85% | OCI push polish | 4300_0001_* |
| VEX decisioning engine | 4 | 90% | Evidence hooks polish | Minimal |
| Reachability with proof | 4 | 85% | Standalone artifact polish | 4400_0001_0002 |
| Smart-Diff semantic delta | 4 | 85% | Signed delta verdict | 4400_0001_0001 |
| Unknowns as first-class state | 4 | 80% | Policy budgets, attestations | 4300_0002_* |
| Air-gapped epistemic mode | 4 | 80% | Sealed snapshot workflow | 4300_0003_0001 |
| SBOM ledger + lineage | 3 | 70% | Historical tracking, BYOS | 4600_0001_* |
| Policy engine with proofs | 3 | 90% | Compilation to artifact | Minimal |
| VEX distribution network | 3-4 | 50% | Hub layer refinement | 4500_0001_* |
| Symbolized call-stack proofs | 4 | 95% | Rust/Ruby/PHP language support | Sprint 0401+, 20260220_001-002 (marketplace) |
| Deterministic signed scoring | 5 | 85% | SLO formalization | Existing |
| Rekor size-aware pointer strategy | 4 | 90% | Documentation polish | Existing |
| Signed execution evidence | 3-4 | 40% | Trace-to-DSSE pipeline, policy gate | 20260219_013 |
| Runtime beacon attestations | 3 | 20% | Beacon fact type, attestation pipeline | 20260219_014 |
| Privacy-preserving federated telemetry | 5 | 0% | Full stack: privacy primitives, sync, API, UI | 20260220_005-009 |
| Remediation marketplace (signed-PR fixes) | 4 | 0% | Full stack: registry, webhook, verification, UI | 20260220_010-015 |
---
@@ -209,6 +216,106 @@ This document captures the gap analysis between the competitive moat advisory an
---
### 10. Signed Execution Evidence (Moat 3-4)
> *Added 2026-02-19 from advisory review (rescoped from external "sandbox traces" proposal).*
**What exists:**
- `RuntimeTracesEndpoints` — runtime trace ingestion in Findings module
- `RuntimeSignalIngester` — containment/blast-radius signal ingestion in Unknowns
- `SignalSnapshotBuilder` — signal snapshot composition for replay/audit
- Signals `POST /signals/runtime-facts` — runtime fact ingestion (eBPF/ETW)
- `InMemoryRuntimeInstrumentationServices` — address canonicalization, hot-symbol aggregation
**Gaps:**
| Gap | Sprint |
|-----|--------|
| `executionEvidence@v1` predicate type | 20260219_013 (SEE-01) |
| Trace-to-DSSE pipeline (canonicalize → aggregate → sign) | 20260219_013 (SEE-02) |
| Policy gate: require execution evidence before promotion | 20260219_013 (SEE-03) |
| Execution evidence in audit packs | 20260219_013 (SEE-04) |
**Moat Thesis**: "We don't just claim it ran — we provide signed, replayable proof of execution with deterministic trace summarization."
**Moat Strategy**: Elevates from Level 3 (runtime instrumentation exists elsewhere) to Level 4 when combined with existing proof chain (signed execution evidence + verdict + reachability = attestable decision lifecycle).
---
### 11. Runtime Beacon Attestations (Moat 3)
> *Added 2026-02-19 from advisory review (rescoped from external "canary beacons" proposal).*
**What exists:**
- Signals runtime-facts ingestion pipeline
- Zastava module (planned runtime protection/admission controller)
- Doctor module runtime host capabilities (eBPF, ETW, dyld agents)
**Gaps:**
| Gap | Sprint |
|-----|--------|
| `beacon` fact type in Signals | 20260219_014 (BEA-01) |
| `beaconAttestation@v1` predicate type | 20260219_014 (BEA-01) |
| Beacon ingestion + batched attestation pipeline | 20260219_014 (BEA-02) |
| Beacon verification rate as policy input | 20260219_014 (BEA-03) |
| Beacon attestations in audit packs | 20260219_014 (BEA-04) |
**Moat Thesis**: "Low-volume signed proof that this artifact actually ran in this environment — verifiable offline, no image modification required."
**Moat Strategy**: Level 3 standalone; combined with execution evidence and proof chain, contributes to the "attestable decision lifecycle" story for compliance-oriented customers.
---
### 12. Privacy-Preserving Federated Runtime Telemetry (New L5 — Structural)
> *Added 2026-02-19 from moat-gap advisory.*
**What exists:**
- Signals runtime-facts ingestion pipeline (eBPF/ETW/dyld)
- FederationHub / CrossRegionSync for bundle transport
- DsseEnvelope signing infrastructure
- AirGap egress policy enforcement
**Implementation (Sprints 20260220_005-009):**
| Component | Sprint |
|-----------|--------|
| Privacy primitives (k-anonymity, DP, epsilon budget) | 20260220_005 (FPT-01 → FPT-07) |
| Federation sync + intelligence merger | 20260220_006 (FTS-01 → FTS-06) |
| API endpoints + CLI + Doctor plugin | 20260220_007 (FAC-01 → FAC-05) |
| UI (5 pages under Platform Ops) | 20260220_008 (FUI-01 → FUI-07) |
| Documentation + contracts | 20260220_009 (FDC-01 → FDC-05) |
**Moat Thesis**: "We share exploit intelligence across sites without sharing raw code — privacy-preserving, consent-proven, offline-compatible."
**Moat Strategy**: No competitor has DP + k-anonymity over federated runtime signals with DSSE consent. Network-effect moat: each new participant enriches the shared corpus. Combined with existing proof chain, creates attestable federated intelligence lifecycle.
---
### 13. Developer-Facing Signed-PR Remediation Marketplace (New L4 — Strong)
> *Added 2026-02-19 from moat-gap advisory.*
**What exists:**
- FixChainAttestationService (DSSE-signed fix chain proofs)
- SCM webhook pipeline in Signals
- ReachGraph for reachability delta computation
- Integration Hub plugin framework
**Implementation (Sprints 20260220_010-015):**
| Component | Sprint |
|-----------|--------|
| Registry + persistence + domain models | 20260220_010 (REM-01 → REM-07) |
| Signals webhook handler | 20260220_011 (REM-08 → REM-12) |
| Verification pipeline (scan → delta → attest) | 20260220_012 (REM-13 → REM-17) |
| Matching + marketplace sources + policy | 20260220_013 (REM-18 → REM-22) |
| UI (3 pages + contextual badge) | 20260220_014 (REM-23 → REM-27) |
| Offline bundles + CLI + docs | 20260220_015 (REM-28 → REM-32) |
**Moat Thesis**: "Every remediation PR is verified against reachability proof deltas and cryptographically attested — not just a patch, but proof the fix actually reduces exploitable surface."
**Moat Strategy**: No competitor has PR-level fix attestations verified against reachability proof deltas. Six-module integration depth (Attestor + ReachGraph + Signals + Scanner + Policy + EvidenceLocker) creates deep switching cost.
---
## Sprint Roadmap
### Phase 1: Moat 5 Anchor (P0)
@@ -246,15 +353,46 @@ This document captures the gap analysis between the competitive moat advisory an
└── SBOM becomes historical
```
### Phase 5: Runtime Evidence (P2-P3)
```
20260219_013 (SEE-01 → SEE-04)
└── Execution becomes attestable
20260219_014 (BEA-01 → BEA-04)
└── Presence becomes provable
```
### Phase 6: Moat Expansion — Three New Capabilities (P1)
```
20260220_001 → 20260220_002 → 20260220_003
└── Symbol Marketplace (L4 @ 95%)
20260220_005 → 20260220_006 → 20260220_007 → 20260220_008
└── Federated Telemetry (New L5)
20260220_010 → 20260220_011 → 20260220_012 → 20260220_013 → 20260220_014
└── Remediation Marketplace (New L4)
```
---
## Competitive Positioning Summary
### Where StellaOps Is Strong
1. **VEX decisioning** — Multi-mode consensus engine is ahead of competitors
1. **VEX decisioning** — Multi-mode consensus engine is ahead of all competitors (including Docker Scout, JFrog)
2. **Smart-Diff** — R1-R4 rules with priority scoring is unique
3. **Policy engine** — OPA/Rego with proof output is mature
4. **Attestor** — in-toto/DSSE infrastructure is complete
5. **Symbolized call-stack proofs** — No competitor (Docker Scout, Trivy, JFrog) delivers function-level symbol evidence with demangled names and build-ID binding
6. **Deterministic signed scoring** — JFrog centralizes evidence but can't replay; Stella produces seeded, verifiable scoring envelopes
7. **Rekor size-aware strategy** — Hash pointer in Rekor + full payload in Evidence Locker solves real ~100KB upload constraints
8. **Federated telemetry** — Privacy-preserving cross-site exploit intelligence with DP + k-anonymity + DSSE consent proofs
9. **Remediation marketplace** — Signed-PR fix attestations verified against reachability proof deltas with contributor trust scoring
### Where StellaOps Must Improve
1. **Verdict portability** — OCI push makes verdicts first-class artifacts
@@ -266,6 +404,8 @@ This document captures the gap analysis between the competitive moat advisory an
- **Snyk**: Don't compete on developer UX; compete on proof-carrying reachability
- **Prisma**: Don't compete on CNAPP breadth; compete on decision integrity
- **Anchore**: Don't compete on SBOM storage; compete on semantic diff + VEX reasoning
- **Docker Scout**: Don't compete on registry-native DHI integration; compete on call-stack symbolization, replay, and lattice VEX
- **JFrog**: Don't compete on artifact management breadth; compete on deterministic scoring, replayable verdicts, and function-level proofs
---