Add Decision Capsules, hybrid reachability, and evidence-linked VEX docs
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Introduces new marketing bridge documents for Decision Capsules, Hybrid Reachability, and Evidence-Linked VEX. Updates product vision, README, key features, moat, reachability, and VEX consensus docs to reflect four differentiating capabilities: signed reachability (hybrid static/runtime), deterministic replay, explainable policy with evidence-linked VEX, and sovereign/offline operation. All scan decisions are now described as sealed, reproducible, and audit-grade, with explicit handling of 'Unknown' states and hybrid reachability evidence.
This commit is contained in:
Vladimir Moushkov
16
docs/moat.md
16
docs/moat.md
@@ -1,13 +1,23 @@
|
||||
# StellaOps Moat Track — Spec Outline v0.3
|
||||
# StellaOps Moat Track — Spec Outline v0.4
|
||||
|
||||
> Stella Ops isn't just another scanner—it's a different product category: **deterministic, evidence-linked vulnerability decisions** that survive auditors, regulators, and supply-chain propagation.
|
||||
|
||||
<!-- TODO: Review for separate approval - updated moat introduction -->
|
||||
**Four capabilities no competitor offers together:**
|
||||
|
||||
1. **Signed Reachability** – Every reachability graph is sealed with DSSE; optional edge-bundle attestations for runtime/init/contested paths. Both static call-graph edges and runtime-derived edges can be attested—true hybrid reachability.
|
||||
2. **Deterministic Replay** – Scans run bit-for-bit identical from frozen feeds and analyzer manifests. Decision Capsules seal all evidence for audit-grade reproducibility.
|
||||
3. **Explainable Policy (Lattice VEX)** – The lattice engine merges SBOM data, advisories, VEX statements, and waivers into a single verdict with human-readable justifications. Evidence-linked VEX decisions with explicit "Unknown" state handling.
|
||||
4. **Sovereign + Offline Operation** – FIPS, eIDAS, GOST, SM, or PQC profiles are first-class toggles. Offline Kits and regional crypto profiles keep every decision inside your perimeter.
|
||||
|
||||
**Scope of this doc:**
|
||||
(1) Deterministic Replayable Scans (SRM), (2) Policy Engine & Lattice UI, (3) Sovereign Readiness (CryptoProfile + RootPack), (4) Attestation Observability Graph (AOG), (5) Procurement‑Grade Trust Statement, (6) Third‑Party Proof Channel, (7) Zastava differential SBOM + AI scheduler.
|
||||
(1) Decision Capsules, (2) Deterministic Replayable Scans (SRM), (3) Policy Engine & Lattice UI, (4) Sovereign Readiness (CryptoProfile + RootPack), (5) Attestation Observability Graph (AOG), (6) Procurement‑Grade Trust Statement, (7) Third‑Party Proof Channel, (8) Zastava differential SBOM + AI scheduler.
|
||||
|
||||
Cross‑cutting principles: offline‑first, cryptographic determinism, evidence‑bound decisions, regional crypto compliance, minimal operational friction.
|
||||
|
||||
---
|
||||
|
||||
## 0) Shared Concepts (applies to all 7)
|
||||
## 0) Shared Concepts (applies to all 8)
|
||||
|
||||
* **Artifact identity:** digest-first (OCI image digest, file sha256).
|
||||
* **Canonicalization:** all structured payloads (SBOM, SRM, Trust Statement JSON, VEX) are normalized via Canonical JSON (RFC‑8785‑like) prior to hashing/signing.
|
||||
|
||||
Reference in New Issue
Block a user