Today's product advisories implemented

This commit is contained in:
master
2026-01-16 23:30:47 +02:00
parent 91ba600722
commit 77ff029205
174 changed files with 30173 additions and 1383 deletions


@@ -1,5 +1,5 @@
# Feature Matrix — Stella Ops Suite
*(rev 5.0 · 09 Jan 2026)*
*(rev 5.1 · 16 Jan 2026)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
@@ -145,6 +145,9 @@
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Automatic Detection (Class A)** | | | | Runs implicitly during scan |
| Secrets Detection | | | | API keys, tokens, passwords; results in findings (see [docs/modules/ui/components/findings-list.md](docs/modules/ui/components/findings-list.md)) |
| OS Package Analyzers | | | | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see [docs/modules/cli/guides/commands/sbom.md](docs/modules/cli/guides/commands/sbom.md)) |
| **Language Analyzers (All 11)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Deno | | | | |
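Review bot: the `Licence-Risk Detection` row still carries `Q4-2025` in its Notes column while this revision is dated 16 Jan 2026 (rev 5.1), so the planned date has already passed; either give the current target or mark the row as slipped. For the new `Secrets Detection` row, the Notes cell says results land in findings; it is worth stating there whether detected secret values are redacted in the findings output, since that is the first question a reviewer of a secrets scanner will ask, and the cell currently leaves it open.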
@@ -179,6 +182,8 @@
## Binary Analysis (BinaryIndex)
*Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
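Review bot: the italic line `*Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.*` ends without an object for `validates`; finish the sentence (for example, "until user demand validates the need for it"), and since `Class B` is used here and `Class A` in the Scanning table, consider a one-line legend for the two classes where they are first introduced.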
@@ -187,58 +192,156 @@
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Binary Fingerprint Generation** | | | | CLI: `stella binary fingerprint export` |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **Binary Diff** | | | | CLI: `stella binary diff <base> <candidate>` |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
**CLI Commands (Class B):**
- `stella binary fingerprint export <artifact>` Export fingerprint data (function hashes, section hashes, symbol table)
- `stella binary diff <base> <candidate>` Compare binaries with function/symbol-level diff
- Output formats: `--format json|yaml|table`
- Usage and examples: [docs/modules/cli/guides/commands/binary.md](docs/modules/cli/guides/commands/binary.md)
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
*Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.*
| Source Category | Connectors | Free | Community | Enterprise | Notes |
|-----------------|-----------|:----:|:---------:|:----------:|-------|
| **National CVE Databases** | | | | | |
| NVD (NIST) | | | | | Primary CVE source |
| CVE (MITRE) | | | | | CVE Record format 5.0 |
| **OSS Ecosystems** | | | | | |
| OSV | | | | | Multi-ecosystem |
| GHSA | | | | | GitHub Security Advisories |
| **Linux Distributions** | | | | | |
| Alpine SecDB | | | | | |
| Debian Security Tracker | | | | | |
| Ubuntu USN | | | | | |
| RHEL/CentOS OVAL | | | | | |
| SUSE OVAL | | | | | |
| Astra Linux | | | | | Russian distro |
| **CERTs / National CSIRTs** | | | | | |
| CISA KEV | | | | | Known Exploited Vulns |
| CISA ICS-CERT | | | | | Industrial control systems |
| CERT-CC | | | | | Carnegie Mellon |
| CERT-FR | | | | | France |
| CERT-Bund (BSI) | | | | | Germany |
| CERT-In | | | | | India |
| ACSC | | | | | Australia |
| CCCS | | | | | Canada |
| KISA | | | | | South Korea |
| JVN | | | | | Japan |
| **Russian Federation Sources** | | | | | |
| FSTEC BDU | | | | | Russian vuln database |
| NKCKI | | | | | Critical infrastructure |
| **Vendor PSIRTs** | | | | | |
| Microsoft MSRC | | | | | |
| Cisco PSIRT | | | | | |
| Oracle CPU | | | | | |
| VMware | | | | | |
| Adobe PSIRT | | | | | |
| Apple Security | | | | | |
| Chromium | | | | | |
| **ICS/SCADA** | | | | | |
| Kaspersky ICS-CERT | | | | | Industrial security |
| **Risk Scoring** | | | | | |
| EPSS v4 | | | | | Exploit prediction |
| **Enterprise Features** | | | | | |
| Custom Advisory Connectors | | | | | Private feeds |
| Advisory Merge Engine | | | | | Conflict resolution |
| Connector Health CLI | | | | | `stella db connectors status` |
**Connector Operations Matrix (Status/Auth/Runbooks):**
| Connector | Status | Auth | Ops Runbook |
| --- | --- | --- | --- |
| NVD (NIST) | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| Alpine SecDB | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
| EPSS v4 | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
---
## VEX Processing (Excititor)
## VEX Processing (Excititor/VexLens)
*VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| **VEX Consensus Engine (5-state)** | | | | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | | | | |
| **Trust Weight Scoring (9 factors)** | | | | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| Freshness Decay | | | | 14-day half-life |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **VEX Webhook Distribution** | | | | Pub/sub notifications |
| **CSAF Provider Connectors (7)** | | | | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| **Issuer Trust Registry** | | | | Key lifecycle, trust overrides |
| **VEX from Drift Generation** | | | | `stella vex gen --from-drift` |
| **Trust Calibration Service** | | | | Org-specific tuning |
| **Consensus Rationale Export** | | | | Audit-grade explainability |
**CLI Commands:**
- `stella vex verify <statement>` Verify VEX statement signature and content
- `stella vex consensus <digest>` Show consensus status for digest
- `stella vex evidence export` Export VEX evidence for audit
- `stella vex webhooks list/add/remove` Manage VEX distribution
- `stella issuer keys list/create/rotate/revoke` Issuer key management
---
## Policy Engine
*Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| **Belnap K4 Four-Valued Logic** | | | | True/False/Both/Neither |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| **10+ Policy Gate Types** | | | | Severity, reachability, age, etc. |
| **6 Risk Score Providers** | | | | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | | | | |
| **Determinization System** | | | | Signal weights, decay, uncertainty |
| **Policy Simulation** | | | | `stella policy simulate` |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
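Review bot: the intro line `*Concelier provides 33+ vulnerability feed connectors ...*` does not match the tables under it: both the category table and the Connector Operations Matrix list 31 connectors (NVD through EPSS v4), so either add the missing rows or correct the count. The `Connectors` column in the category table is empty for every row; fill it (for example with a per-category count) or drop the column. Names also drift between the two tables (`RHEL/CentOS OVAL` vs `Red Hat OVAL/CSAF`, `SUSE OVAL` vs `SUSE OVAL/CSAF`, and CISA KEV's runbook is `cve-kev.md` while every other runbook is named after its source), which makes it hard to find a runbook from the first table. If the shorter Advisory Sources table directly under the heading (NVD through `Advisory Merge Engine`) is still present alongside the new one after this change, remove it; two tables with different row sets under one heading will drift apart.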
@@ -246,33 +349,55 @@
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
| **Verdict Attestations** | | | | DSSE/Rekor signed verdicts |
**CLI Commands:**
- `stella policy list/show/create/update/delete` Policy CRUD
- `stella policy simulate <digest>` Simulate policy evaluation
- `stella policy validate <file>` Validate policy YAML
- `stella policy decisions list/show` View policy decisions
- `stella policy gates list` List available gate types
---
## Attestation & Signing
*Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| **25+ Predicate Types** | | | | SBOM, VEX, verdict, etc. |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Keyless Signing (Sigstore)** | | | | Fulcio-based OIDC |
| **Delta Attestations (4 types)** | | | | VEX/SBOM/Verdict/Reachability |
| **Attestation Chains** | | | | Linked attestation graphs |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **Key Rotation Service** | | | | Automated key lifecycle |
| **Trust Anchor Management** | | | | Root CA management |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
**CLI Commands:**
- `stella attest sign <file>` Sign attestation
- `stella attest verify <envelope>` Verify attestation signature
- `stella attest predicates list` List supported predicate types
- `stella attest export <digest>` Export attestations for digest
- `stella keys list/create/rotate/revoke` Key management
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.*
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance. 8 signature profiles supported.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
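Review bot: in the Attestation & Signing table, `Key Rotation Management` (`Enterprise key ops`) and `Key Rotation Service` (`Automated key lifecycle`) read as the same capability under two names; if both rows survive the edit, merge them. `Rekor Transparency Log` is annotated only `Public attestation`: given that the suite offers sovereign crypto profiles and offline scanner kits, the Notes cell should say whether a private Rekor instance is supported, because entries in the public log carry the payload digest and the signing identity and are readable by anyone. `25+ Predicate Types` in the intro and table is not backed by a list anywhere in the hunk; a pointer to where the predicate catalogue lives would make the claim checkable.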
@@ -283,6 +408,14 @@
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |
| **Multi-Profile Signing** | | | | Sign with multiple algorithms |
| **SM Remote Service** | | | | Chinese market HSM integration |
| **HSM/PKCS#11 Integration** | | | | Hardware security modules |
**CLI Commands:**
- `stella crypto profiles list` List available crypto profiles
- `stella crypto verify --profile <name>` Verify with specific profile
- `stella crypto plugins list/status` Manage crypto plugins
---
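Review bot: `Post-Quantum (Dilithium)` should also name the standardised form, ML-DSA (FIPS 204), since readers choosing a profile for compliance will look for the FIPS name, and `Future-proof` in the Notes column is not actionable; state which parameter set(s) the profile implements instead. The new `HSM/PKCS#11 Integration` row overlaps with the existing `Crypto Plugin Architecture` (`Custom HSM`) row; clarify whether PKCS#11 is the built-in path and plugins cover everything else, and whether the `SM Remote Service` is one of those plugins or a separate integration.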
@@ -421,35 +554,68 @@
---
## Access Control & Identity
## Access Control & Identity (Authority)
*Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| API Keys | | | | With scopes and expiration |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **75+ Authorization Scopes** | | | | Fine-grained permissions |
| **DPoP (Sender Constraints)** | | | | Token binding |
| **mTLS Client Certificates** | | | | Certificate auth |
| **Device Authorization Flow** | | | | CLI/IoT devices |
| **PAR Support** | | | | Pushed Authorization Requests |
| **User Federation (LDAP/SAML)** | | | | Directory integration |
| **Multi-Factor Authentication** | | | | TOTP/WebAuthn |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
**CLI Commands:**
- `stella auth clients list/create/delete` OAuth client management
- `stella auth roles list/show/assign` Role management
- `stella auth scopes list` List available scopes
- `stella auth token introspect <token>` Token introspection
- `stella auth api-keys list/create/revoke` API key management
---
## Notifications & Integrations
*10 notification channel types with template engine, routing rules, and escalation.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| Email Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| **Discord Integration** | | | | Webhook-based |
| **PagerDuty Integration** | | | | Incident management |
| **OpsGenie Integration** | | | | Alert routing |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Zastava K8s Admission** | | | | Validating/Mutating webhooks |
| **Template Engine** | | | | Customizable templates |
| **Channel Routing Rules** | | | | Severity/team routing |
| **Escalation Policies** | | | | Time-based escalation |
| **Notification Studio UI** | | | | Visual rule builder |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **SCM Integrations** | | | | PR comments, status checks |
| **Issue Tracker Integration** | | | | Jira, GitHub Issues |
| **Enterprise Connectors** | | | | Grid/Premium APIs |
**CLI Commands:**
- `stella notify channels list/test` Channel management
- `stella notify rules list/create` Routing rules
- `stella zastava install/configure/status` K8s webhook management
---
## Scheduling & Automation
@@ -555,4 +721,4 @@ Everything in Community, plus:
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*
*Last updated: 16 Jan 2026 (rev 5.1 - Documentation Sprint 024)*


@@ -1,938 +0,0 @@
# Complete Feature Matrix - Stella Ops Suite
*(Auto-generated with code mapping)*
> This document extends `FEATURE_MATRIX.md` with module/file mappings and CLI/UI coverage verification.
---
## SBOM & Ingestion
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Trivy-JSON Ingestion | Free/Pro/Ent | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbBoltBuilder.cs` | - | `/concelier/trivy-db-settings` | Implemented |
| SPDX-JSON 3.0.1 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `SpdxJsonLdSerializer.cs` | `stella sbom list --format spdx` | `/sbom-sources` | Implemented |
| CycloneDX 1.7 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `CycloneDxComposer.cs` | `stella sbom list --format cyclonedx` | `/sbom-sources` | Implemented |
| Auto-format Detection | Free/Pro/Ent | Concelier | `ISbomParser.cs`, `SbomParser.cs` (DetectFormatAsync) | Implicit in `stella sbom` | Implicit | Implemented |
| Delta-SBOM Cache | Free/Pro/Ent | SbomService | `VexDeltaRepository.cs`, `InMemoryLineageCompareCache.cs`, `ValkeyLineageCompareCache.cs` | - | - | Implemented |
| SBOM Generation (all formats) | Free/Pro/Ent | Scanner | `SpdxComposer.cs`, `CycloneDxComposer.cs`, `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs` | `stella scan run` | `/findings` (scan results) | Implemented |
| Semantic SBOM Diff | Free/Pro/Ent | Scanner, SbomService | `SbomDiff.cs`, `SbomDiffEngine.cs`, `LineageCompareService.cs` | - | `/lineage` | Implemented |
| BYOS (Bring-Your-Own-SBOM) | Free/Pro/Ent | Scanner | `SbomByosUploadService.cs`, `SbomUploadStore.cs`, `SbomUploadEndpoints.cs` | `stella sbom upload` (pending) | `/sbom-sources` | Implemented |
| SBOM Lineage Ledger | Enterprise | SbomService | `SbomLineageEdgeRepository.cs`, `SbomLedgerModels.cs`, `SbomServiceDbContext.cs` | - | `/lineage` | Implemented |
| SBOM Lineage API | Enterprise | SbomService, Graph | `ILineageGraphService.cs`, `SbomLineageGraphService.cs`, `LineageExportService.cs`, `LineageController.cs` | - | `/lineage` | Implemented |
### CLI Commands (SBOM)
| Command | Description | Status |
|---------|-------------|--------|
| `stella sbom list` | List SBOMs with filters (--image, --digest, --format, --created-after/before) | Implemented |
| `stella sbom show <id>` | Display SBOM details | Implemented |
| `stella sbom upload` | Upload external SBOM (BYOS) | Pending verification |
| `stella sbomer layer list` | List layer fragments for a scan | Implemented |
| `stella sbomer compose` | Compose layer SBOMs | Implemented |
| `stella sbomer verify` | Verify Merkle tree integrity | Implemented |
### UI Routes (SBOM)
| Route | Feature | Status |
|-------|---------|--------|
| `/sbom-sources` | SBOM ingestion source management | Implemented |
| `/lineage` | SBOM lineage graph and smart diff | Implemented |
| `/graph` | Interactive SBOM dependency visualization | Implemented |
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |
### Coverage Gaps (SBOM)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Delta-SBOM Cache | No | No | Internal optimization, no direct exposure needed |
| Auto-format Detection | Implicit | Implicit | Works automatically, no explicit command |
| SBOM Lineage Ledger | No | Yes | CLI access would be useful for automation |
| SBOM Lineage API | No | Yes | CLI access would be useful for automation |
---
## Scanning & Detection
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| CVE Lookup via Local DB | Free/Pro/Ent | Scanner | `VulnSurfaceService.cs`, `AdvisoryClient.cs` | `stella scan run` | `/findings` | Implemented |
| License-Risk Detection | All (Planned) | Scanner | Package manifest extraction only | - | - | Planned (Q4-2025) |
| **.NET/C# Analyzer** | Free/Pro/Ent | Scanner | `DotNetLanguageAnalyzer.cs`, `DotNetDependencyCollector.cs`, `MsBuildProjectParser.cs` | `stella scan run` | `/findings` | Implemented |
| **Java Analyzer** | Free/Pro/Ent | Scanner | `JavaLanguageAnalyzer.cs`, `JavaWorkspaceNormalizer.cs` | `stella scan run` | `/findings` | Implemented |
| **Go Analyzer** | Free/Pro/Ent | Scanner | `GoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Python Analyzer** | Free/Pro/Ent | Scanner | `PythonLanguageAnalyzer.cs`, `PythonEnvironmentDetector.cs`, `ContainerLayerAdapter.cs` | `stella scan run` | `/findings` | Implemented |
| **Node.js Analyzer** | Free/Pro/Ent | Scanner | `NodeLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Ruby Analyzer** | Free/Pro/Ent | Scanner | `RubyLanguageAnalyzer.cs`, `RubyVendorArtifactCollector.cs` | `stella ruby inspect` | `/findings` | Implemented |
| **Bun Analyzer** | Free/Pro/Ent | Scanner | `BunLanguageAnalyzer.cs` | `stella bun inspect` | `/findings` | Implemented |
| **Deno Analyzer** | Free/Pro/Ent | Scanner | `DenoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **PHP Analyzer** | Free/Pro/Ent | Scanner | `PhpLanguageAnalyzer.cs` | `stella php inspect` | `/findings` | Implemented |
| **Rust Analyzer** | Free/Pro/Ent | Scanner | `RustLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Native Binary Analyzer** | Free/Pro/Ent | Scanner | `NativeAnalyzer.cs` | `stella binary` | `/analyze/patch-map` | Implemented |
| Quick Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs`, `FidelityAwareAnalyzer.cs` | `stella scan run --fidelity quick` | `/ops/scanner` | Implemented |
| Standard Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity standard` | `/ops/scanner` | Implemented |
| Deep Mode | Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity deep` | `/ops/scanner` | Implemented |
| Base Image Detection | Free/Pro/Ent | Scanner | `OciImageInspector.cs`, `OciImageConfig.cs` | `stella image inspect` | `/findings` | Implemented |
| Layer-Aware Analysis | Free/Pro/Ent | Scanner | `LayeredRootFileSystem.cs`, `ContainerLayerAdapter.cs` | `stella scan layer-sbom` | `/findings` | Implemented |
| Concurrent Scan Workers | 1/3/Unlimited | Scanner | `IScanQueue.cs`, `NatsScanQueue.cs`, `ScanJobProcessor.cs` | - | `/ops/scanner` | Implemented |
### CLI Commands (Scanning)
| Command | Description | Status |
|---------|-------------|--------|
| `stella scan run` | Execute scanner with --runner, --entry, --target | Implemented |
| `stella scan upload` | Upload completed scan results | Implemented |
| `stella scan entrytrace` | Show entry trace summary for a scan | Implemented |
| `stella scan sarif` | Export scan results in SARIF 2.1.0 format | Implemented |
| `stella scan replay` | Replay scan with deterministic hashes | Implemented |
| `stella scan gate-policy` | VEX gate evaluation | Implemented |
| `stella scan layers` | Container layer operations | Implemented |
| `stella scan layer-sbom` | Layer SBOM composition | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella image inspect` | Inspect OCI image manifest and layers | Implemented |
| `stella ruby inspect` | Inspect Ruby workspace | Implemented |
| `stella php inspect` | Inspect PHP workspace | Implemented |
| `stella python inspect` | Inspect Python workspace/venv | Implemented |
| `stella bun inspect` | Inspect Bun workspace | Implemented |
| `stella scanner download` | Download latest scanner bundle | Implemented |
### UI Routes (Scanning)
| Route | Feature | Status |
|-------|---------|--------|
| `/findings` | Vulnerability findings with diff-first view | Implemented |
| `/findings/:scanId` | Scan-specific findings | Implemented |
| `/scans/:scanId` | Individual scan result inspection | Implemented |
| `/vulnerabilities` | CVE/vulnerability database explorer | Implemented |
| `/vulnerabilities/:vulnId` | Vulnerability detail view | Implemented |
| `/ops/scanner` | Scanner offline kits, baselines, determinism settings | Implemented |
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |
### Coverage Gaps (Scanning)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| License-Risk Detection | No | No | Planned feature, not yet implemented |
| Concurrent Worker Config | No | Yes | Worker count configured via ops UI/environment |
---
## Reachability Analysis
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Static Call Graph | Free/Pro/Ent | Scanner, ReachGraph | `ReachabilityAnalyzer.cs`, `ReachGraphEdge.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Entrypoint Detection (9+ types) | Free/Pro/Ent | Scanner | `JavaEntrypointClassifier.cs`, `EntryTraceResponse.cs` | `stella scan entrytrace` | `/reachability` | Implemented |
| BFS Reachability | Free/Pro/Ent | Scanner | `ReachabilityAnalyzer.cs` (BFS traversal, max depth 256) | `stella reachgraph slice --depth` | `/reachability` | Implemented |
| Reachability Drift Detection | Free/Pro/Ent | Reachability.Core | `ReachabilityLattice.cs` (8-state machine) | `stella drift` | `/reachability` | Implemented |
| Binary Loader Resolution | Pro/Ent | Scanner | `GuardDetector.cs` (PLT/IAT), Binary entrypoint classifiers | `stella binary` | `/analyze/patch-map` | Implemented |
| Feature Flag/Config Gating | Pro/Ent | Scanner | `GuardDetector.cs` (env guards, platform checks, feature flags) | - | `/reachability` | Implemented |
| Runtime Signal Correlation | Enterprise | Signals | `EvidenceWeightedScoreCalculator.cs`, `ISignalsAdapter.cs` | - | `/reachability` | Implemented |
| Gate Detection (auth/admin) | Enterprise | Scanner | `GuardDetector.cs` (20+ patterns across 5+ languages) | - | `/reachability` | Implemented |
| Path Witness Generation | Enterprise | Scanner, ReachGraph | `ReachabilityAnalyzer.cs` (deterministic path ordering) | `stella witness` | - | Implemented |
| Reachability Mini-Map API | Enterprise | ReachGraph | `ReachGraphStoreService.cs`, `ReachGraphContracts.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Runtime Timeline API | Enterprise | Signals | `ISignalsAdapter.cs`, Evidence window configuration | - | `/reachability` | Implemented |
### CLI Commands (Reachability)
| Command | Description | Status |
|---------|-------------|--------|
| `stella reachgraph slice` | Query slice of reachability graph (--cve, --purl, --entrypoint, --depth) | Implemented |
| `stella reachgraph replay` | Replay reachability analysis for verification | Implemented |
| `stella reachgraph verify` | Verify graph integrity | Implemented |
| `stella reachability show` | Display reachability subgraph (table, json, dot, mermaid) | Implemented |
| `stella reachability export` | Export reachability data | Implemented |
| `stella scan entrytrace` | Show entry trace summary with semantic analysis | Implemented |
| `stella witness` | Path witness operations | Implemented |
| `stella drift` | Reachability drift detection | Implemented |
### UI Routes (Reachability)
| Route | Feature | Status |
|-------|---------|--------|
| `/reachability` | Reachability center - analysis and coverage | Implemented |
| `/graph` | Interactive dependency graph with reachability overlay | Implemented |
### Key Implementation Details
**Reachability Lattice (8 States):**
1. Unknown (0.00-0.29 confidence)
2. StaticReachable (0.30-0.49)
3. StaticUnreachable (0.50-0.69)
4. RuntimeObserved (0.70-0.89)
5. RuntimeUnobserved (0.70-0.89)
6. ConfirmedReachable (0.90-1.00)
7. ConfirmedUnreachable (0.90-1.00)
8. Contested (static/runtime conflict)
**Entrypoint Framework Types Detected:**
- HTTP Handlers (Spring MVC, JAX-RS, Micronaut, GraphQL)
- Message Handlers (Kafka, RabbitMQ, JMS)
- Scheduled Jobs (Spring @Scheduled, Micronaut, JAX-EJB)
- gRPC Methods (Spring Boot gRPC, Netty gRPC)
- Event Handlers (Spring @EventListener)
- CLI Commands (main() method)
- Servlet Handlers (HttpServlet subclass)
### Coverage Gaps (Reachability)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Runtime Signal Correlation | No | Yes | Consider CLI for signal inspection |
| Gate Detection | No | Yes | Guard conditions visible in reachability UI |
| Path Witness Generation | Yes | No | Consider UI visualization of witness paths |
---
## Binary Analysis (BinaryIndex)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Binary Identity Extraction | Free/Pro/Ent | BinaryIndex | `BinaryIdentity.cs`, `IBinaryFeatureExtractor.cs` | `stella binary inspect` | `/analyze/patch-map` | Implemented |
| Build-ID Vulnerability Lookup | Free/Pro/Ent | BinaryIndex | `IBinaryVulnerabilityService.cs`, `ResolutionController.cs` | `stella binary lookup` | `/analyze/patch-map` | Implemented |
| Debian/Ubuntu Corpus | Free/Pro/Ent | BinaryIndex | `DebianCorpusConnector.cs`, `CorpusIngestionService.cs` | - | - | Implemented |
| RPM/RHEL Corpus | Pro/Ent | BinaryIndex | `RpmCorpusConnector.cs` | - | - | Implemented |
| Patch-Aware Backport Detection | Pro/Ent | BinaryIndex | `IFixIndexBuilder.cs`, `FixEvidence.cs`, `DebianChangelogParser.cs` | `stella patch-verify` | - | Implemented |
| PE/Mach-O/ELF Parsers | Pro/Ent | BinaryIndex | Binary format detection in `BinaryIdentity.cs` | `stella binary inspect` | - | Implemented |
| Binary Fingerprint Generation | Enterprise | BinaryIndex | `IVulnFingerprintGenerator.cs`, `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Implemented |
| Fingerprint Matching Engine | Enterprise | BinaryIndex | `IFingerprintMatcher.cs`, `FingerprintMatcher.cs` | `stella binary lookup --fingerprint` | - | Implemented |
| DWARF/Symbol Analysis | Enterprise | BinaryIndex | Symbol extraction in corpus functions | `stella binary symbols` | - | Implemented |
### CLI Commands (Binary)
| Command | Description | Status |
|---------|-------------|--------|
| `stella binary inspect` | Inspect binary identity (Build-ID, hashes, architecture) | Implemented |
| `stella binary lookup` | Lookup vulnerabilities by binary identity/fingerprint | Implemented |
| `stella binary symbols` | Extract symbols from binary | Implemented |
| `stella binary fingerprint` | Generate fingerprints for binary functions | Implemented |
| `stella binary verify` | Verify binary match evidence | Implemented |
| `stella binary submit` | Submit binary for analysis | Implemented |
| `stella binary info` | Get binary analysis info | Implemented |
| `stella binary callgraph` | Extract call graph digest | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella patch-verify` | Patch verification for backport detection | Implemented |
| `stella patch-attest` | Patch attestation operations | Implemented |
| `stella deltasig` | Delta signature operations | Implemented |
### UI Routes (Binary)
| Route | Feature | Status |
|-------|---------|--------|
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |
### Key Implementation Details
**Fingerprint Algorithms (4 types):**
1. **BasicBlock** - Instruction-level basic block hashing (16 bytes)
2. **ControlFlowGraph** - Weisfeiler-Lehman graph hash (32 bytes)
3. **StringRefs** - String reference pattern hash (16 bytes)
4. **Combined** - Multi-algorithm ensemble

**Fix Detection Methods:**
1. SecurityFeed - Official OVAL, DSA feeds
2. Changelog - Debian/Ubuntu changelog parsing
3. PatchHeader - DEP-3 patch header extraction
4. UpstreamPatchMatch - Upstream patch database

**Supported Distributions:**
- Debian, Ubuntu (DebianCorpusConnector)
- RHEL, Fedora, CentOS, Rocky, AlmaLinux (RpmCorpusConnector)
- Alpine Linux (AlpineCorpusConnector)
### Coverage Gaps (Binary)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Debian/Ubuntu Corpus | No | No | Internal corpus management - admin only |
| RPM/RHEL Corpus | No | No | Internal corpus management - admin only |
| Fingerprint Generation | Yes | No | Consider UI for fingerprint visualization |
| Corpus Ingestion | No | No | Admin operation - consider ops UI |

---
## Advisory Sources (Concelier)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| NVD | Free/Pro/Ent | Concelier | `NvdConnector.cs`, `NvdMapper.cs` | `stella db fetch nvd` | `/concelier` | Implemented |
| GHSA | Free/Pro/Ent | Concelier | `GhsaConnector.cs` (GraphQL, rate limits) | `stella db fetch ghsa` | `/concelier` | Implemented |
| OSV | Free/Pro/Ent | Concelier | `OsvConnector.cs` (multi-ecosystem) | `stella db fetch osv` | `/concelier` | Implemented |
| Alpine SecDB | Free/Pro/Ent | Concelier | `Connector.Distro.Alpine/` | `stella db fetch alpine` | `/concelier` | Implemented |
| Debian Security Tracker | Free/Pro/Ent | Concelier | `Connector.Distro.Debian/` (DSA, EVR) | `stella db fetch debian` | `/concelier` | Implemented |
| Ubuntu USN | Free/Pro/Ent | Concelier | `Connector.Distro.Ubuntu/` | `stella db fetch ubuntu` | `/concelier` | Implemented |
| RHEL/CentOS OVAL | Pro/Ent | Concelier | `Connector.Distro.RedHat/` (OVAL, NEVRA) | `stella db fetch redhat` | `/concelier` | Implemented |
| KEV (Exploited Vulns) | Free/Pro/Ent | Concelier | `KevConnector.cs` (CISA catalog) | `stella db fetch kev` | `/concelier` | Implemented |
| EPSS v4 | Free/Pro/Ent | Concelier | `Connector.Epss/` | `stella db fetch epss` | `/concelier` | Implemented |
| Custom Advisory Connectors | Enterprise | Concelier | `IFeedConnector` interface | - | `/admin` | Implemented |
| Advisory Merge Engine | Enterprise | Concelier | `AdvisoryPrecedenceMerger.cs`, `AffectedPackagePrecedenceResolver.cs` | `stella db merge` | - | Implemented |
### CLI Commands (Advisory)
| Command | Description | Status |
|---------|-------------|--------|
| `stella db fetch` | Trigger connector fetch/parse/map | Implemented |
| `stella db merge` | Run canonical merge reconciliation | Implemented |
| `stella db export` | Run Concelier export jobs | Implemented |
| `stella sources ingest` | Validate source documents | Implemented |
| `stella feeds snapshot` | Create/list/export/import feed snapshots | Implemented |
| `stella advisory` | Advisory listing and search | Implemented |
| `stella admin feeds` | Feed management (admin) | Implemented |
### UI Routes (Advisory)
| Route | Feature | Status |
|-------|---------|--------|
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |
| `/ops/feeds` | Feed mirror dashboard and air-gap bundles | Implemented |
### Key Implementation Details
**Source Precedence (Lower = Higher Priority):**
- **Rank 0:** redhat, ubuntu, debian, suse, alpine (distro PSIRTs)
- **Rank 1:** msrc, oracle, adobe, apple, cisco, vmware (vendor PSIRTs)
- **Rank 2:** ghsa, osv (ecosystem registries)
- **Rank 3:** jvn, acsc, cccs, cert-fr, cert-in, certbund, ru-bdu, kisa (regional CERTs)
- **Rank 4:** kev (exploit annotations)
- **Rank 5:** nvd (baseline)

**Version Comparators:**
- NEVRA (RPM): epoch:version-release with rpmvercmp
- EVR (Debian/Ubuntu): epoch:upstream_version-debian_revision
- APK (Alpine): `-r<pkgrel>` with suffix ordering
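
Version ordering is what decides whether an installed package is at or above an advisory's fixed version, so a wrong rule here turns directly into a missed vulnerability or a false "fixed". The block below is an added example, not Stella Ops code: it re-implements the Debian/Ubuntu EVR comparator described above using dpkg's ordering rules (`~` sorts before everything, including end of string; digit runs compare numerically; letters sort before other symbols), and every version string in it is constructed.

```python
"""Debian/Ubuntu EVR (epoch:upstream_version-debian_revision) comparison.

Added example, not Stella Ops code. The ordering rules follow dpkg so that
backport revisions such as 1+deb11u1 and 1~bpo11+1 compare correctly
against the base revision 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Evr:
    epoch: int
    upstream: str
    revision: str

    @classmethod
    def parse(cls, text: str) -> "Evr":
        epoch = 0
        if ":" in text:                      # epoch is everything before the first ':'
            e, text = text.split(":", 1)
            epoch = int(e)
        upstream, _, revision = text.rpartition("-")  # revision follows the last '-'
        if not upstream:                     # no hyphen: native package, no revision
            upstream, revision = revision, ""
        return cls(epoch, upstream, revision)


def _char_order(c: str) -> int:
    """dpkg's order(): '~' < end-of-string < letters < other symbols.
    Digits return 0 because digit runs are compared separately."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream or revision) the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. non-digit run: compare character by character using _char_order;
        #    an exhausted side behaves like end-of-string (order 0)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _char_order(a[i]) if i < len(a) else 0
            bc = _char_order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. digit run: strip leading zeros, then the longer run wins,
        #    otherwise the first differing digit decides
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1: epoch first, then upstream version, then revision."""
    x, y = Evr.parse(a), Evr.parse(b)
    if x.epoch != y.epoch:
        return -1 if x.epoch < y.epoch else 1
    r = _cmp_fragment(x.upstream, y.upstream) or _cmp_fragment(x.revision, y.revision)
    return 0 if r == 0 else (-1 if r < 0 else 1)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed EVR is at or above the advisory's fixed version."""
    return compare(installed, fixed_in) >= 0


if __name__ == "__main__":
    # Constructed versions: a security backport must rank above the base
    # revision, and a backports-archive build (~bpo) must rank below it.
    for installed, fixed in [("2.30-1", "2.30-1+deb11u1"),
                             ("2.30-1+deb11u1", "2.30-1+deb11u1"),
                             ("1.0-1~bpo11+1", "1.0-1")]:
        print(f"{installed:>16} fixed by {fixed:>16}: {is_fixed(installed, fixed)}")
```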
### Coverage Gaps (Advisory)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Advisory Merge Engine | Yes | No | Consider merge status UI |
| Custom Connectors | No | No | Enterprise feature - needs admin UI |
| Feed Scheduling | No | Partial | Consider `stella feeds schedule` command |

---
## VEX Processing (Excititor, VexLens, VexHub, IssuerDirectory)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| OpenVEX Format Support | Free/Pro/Ent | Excititor | `Formats.OpenVEX/`, `OpenVexParser.cs` | `stella vex` | `/vex` | Implemented |
| CycloneDX VEX Format | Free/Pro/Ent | Excititor | `Formats.CycloneDX/` | `stella vex` | `/vex` | Implemented |
| CSAF Format Support | Free/Pro/Ent | Excititor | `Formats.CSAF/` | `stella vex` | `/vex` | Implemented |
| VEX Ingestion API | Free/Pro/Ent | Excititor | `IngestEndpoints.cs`, `IVexObservationQueryService.cs` | - | `/vex` | Implemented |
| VEX Observation Store | Free/Pro/Ent | Excititor | `VexObservationQueryService.cs`, AOC-compliant storage | - | - | Implemented |
| VEX Consensus Engine | Pro/Ent | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | Implemented |
| Trust Weight Scoring | Pro/Ent | VexLens | `ITrustWeightEngine.cs`, `TrustDecayService.cs` | - | `/vex` | Implemented |
| Issuer Trust Registry | Pro/Ent | IssuerDirectory | Full issuer CRUD and key management | - | `/issuer-directory` | Implemented |
| VEX Distribution Hub | Enterprise | VexHub | `IVexIngestionService.cs`, `IVexExportService.cs` | - | - | Implemented |
| VEX Gate Integration | Pro/Ent | Scanner | `IVexGateService.cs`, `VexGateScanCommandGroup.cs` | `stella scan gate-policy` | `/findings` | Implemented |
| VEX from Drift Generation | Pro/Ent | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | Implemented |
| Conflict Detection | Pro/Ent | VexLens, Excititor | `VexLinksetDisagreementService.cs`, `NoiseGateService.cs` | - | `/vex` | Implemented |
### CSAF Provider Connectors
| Connector | Module | Key Files | CLI | Status |
|-----------|--------|-----------|-----|--------|
| Red Hat CSAF | Excititor | `Connectors.RedHat.CSAF/` | - | Implemented |
| Ubuntu CSAF | Excititor | `Connectors.Ubuntu.CSAF/` | - | Implemented |
| Oracle CSAF | Excititor | `Connectors.Oracle.CSAF/` | - | Implemented |
| Microsoft MSRC CSAF | Excititor | `Connectors.MSRC.CSAF/` | - | Implemented |
| Cisco CSAF | Excititor | `Connectors.Cisco.CSAF/` | - | Implemented |
| SUSE RancherVEXHub | Excititor | `Connectors.SUSE.RancherVEXHub/` | - | Implemented |
| OCI OpenVEX Attestation | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | Implemented |
### CLI Commands (VEX)
| Command | Description | Status |
|---------|-------------|--------|
| `stella vex consensus` | Query VexLens consensus (--query, --output json/ndjson/table) | Implemented |
| `stella vex get` | Fetch single consensus record with rationale | Implemented |
| `stella vex simulate` | Test VEX policy decisions (aggregation-only) | Implemented |
| `stella vex gen --from-drift` | Generate VEX from container drift analysis | Implemented |
| `stella scan gate-policy` | VEX gate evaluation for findings | Implemented |
### UI Routes (VEX)
| Route | Feature | Status |
|-------|---------|--------|
| `/vex` | VEX consensus and statement browser | Implemented |
| `/issuer-directory` | Issuer trust registry management | Implemented |
| `/findings` (VEX overlay) | VEX status overlay on findings | Implemented |
### Key Implementation Details
**Consensus Lattice States:**
- `unknown` (0.00) - No information
- `under_investigation` (0.25) - Being analyzed
- `not_affected` (0.50) - Confirmed not vulnerable
- `affected` (0.75) - Confirmed vulnerable
- `fixed` (1.00) - Patch applied

**Trust Weight Factors (9 total):**
1. Issuer tier (critical/high/medium/low)
2. Confidence score (0-1)
3. Cryptographic attestation status
4. Statement age (freshness decay)
5. Patch applicability
6. Source authority scope (PURL patterns)
7. Key lifecycle status
8. Justification quality
9. Historical accuracy

**AOC (Aggregation-Only Contract):**
- Raw VEX stored verbatim with provenance
- No derived data at ingest time
- Linkset-only references
- Roslyn analyzers enforce compliance

**Determinism Guarantees:**
- RFC 8785 canonical JSON serialization
- Stable ordering (timestamp DESC, source ASC, hash ASC)
- UTC ISO-8601 timestamps
- SHA-256 consensus digests
### Coverage Gaps (VEX)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| CSAF Provider Connectors | No | No | Internal connector management |
| Trust Weight Configuration | No | Partial | Consider CLI for trust weight tuning |
| VEX Distribution Webhooks | No | No | VexHub webhook config needs exposure |
| Conflict Resolution UI | No | Partial | Interactive conflict resolution would help |

---
## Policy Engine (Policy, RiskEngine)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| K4 Lattice Logic | Pro/Ent | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs` | - | `/policy` | Implemented |
| Policy Gate Evaluation | Free/Pro/Ent | Policy | `PolicyGateEvaluator.cs`, `IPolicyGate.cs` | `stella policy simulate` | `/policy` | Implemented |
| Evidence Gate | Free/Pro/Ent | Policy | `EvidenceGate.cs` | - | `/policy` | Implemented |
| VEX Trust Gate | Pro/Ent | Policy | `VexTrustGate.cs`, `VexProofSpineService.cs` | - | `/policy` | Implemented |
| Confidence Gate | Pro/Ent | Policy | `MinimumConfidenceGate.cs` | - | `/policy` | Implemented |
| Exception Management | Pro/Ent | Policy | `IExceptionService.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Implemented |
| Risk Scoring (6 providers) | Pro/Ent | RiskEngine | `IRiskScoreProvider.cs`, `CvssKevProvider.cs` | - | `/risk` | Implemented |
| Verdict Attestations | Enterprise | Policy | `IVerdictAttestationService.cs`, `IPolicyDecisionAttestationService.cs` | - | - | Implemented |
| Policy Simulation | Pro/Ent | Policy | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Implemented |
| Sealed Mode (Air-Gap) | Enterprise | Policy | `ISealedModeService.cs` | - | `/ops` | Implemented |
| Determinization System | Pro/Ent | Policy | `UncertaintyScoreCalculator.cs`, `DecayedConfidenceCalculator.cs` | - | - | Implemented |
| Score Policy (YAML) | Pro/Ent | Policy | `ScorePolicyService.cs`, `ScorePolicyModels.cs` | `stella policy validate` | `/policy` | Implemented |
### K4 Lattice (Belnap Four-Valued Logic)
| State | Symbol | Description |
|-------|--------|-------------|
| Unknown | ⊥ | No evidence available |
| True | T | Evidence supports true |
| False | F | Evidence supports false |
| Conflict | | Credible evidence for both (contested) |

**Operations:**
- `Join(a, b)` - Knowledge union (monotone aggregation)
- `Meet(a, b)` - Knowledge intersection (dependency chains)
- `Negate(v)` - Swaps True ↔ False
- `FromSupport(hasTrueSupport, hasFalseSupport)` - Constructs K4 from claims
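
The four operations above are small enough to show in full. The following is an added example, not Stella Ops code (it does not reproduce `K4Lattice.cs`): each K4 value is modelled as a pair of support bits, which makes Join, Meet, Negate and FromSupport one-line set operations and shows why Join(T, F) yields Conflict instead of silently letting one source override the other.

```python
"""Belnap four-valued (K4) lattice with Join, Meet, Negate and FromSupport.

Added example, not Stella Ops code. A value is (has_true_support,
has_false_support); Join is the union of support, Meet the intersection.
"""
from __future__ import annotations

from enum import Enum


class K4(Enum):
    # value = (evidence supports true, evidence supports false)
    UNKNOWN = (False, False)   # no evidence available
    TRUE = (True, False)       # evidence supports true
    FALSE = (False, True)      # evidence supports false
    CONFLICT = (True, True)    # credible evidence for both (contested)

    @property
    def true_support(self) -> bool:
        return self.value[0]

    @property
    def false_support(self) -> bool:
        return self.value[1]


def from_support(has_true_support: bool, has_false_support: bool) -> K4:
    """FromSupport: build a K4 value from which kinds of claims were found."""
    return K4((bool(has_true_support), bool(has_false_support)))


def join(a: K4, b: K4) -> K4:
    """Join: knowledge union. Evidence is never discarded, so Join(T, F) is
    Conflict rather than one side overriding the other (monotone)."""
    return from_support(a.true_support or b.true_support,
                        a.false_support or b.false_support)


def meet(a: K4, b: K4) -> K4:
    """Meet: knowledge intersection, keeping only what both inputs support."""
    return from_support(a.true_support and b.true_support,
                        a.false_support and b.false_support)


def negate(v: K4) -> K4:
    """Negate: swaps True and False; Unknown and Conflict map to themselves."""
    return from_support(v.false_support, v.true_support)


def aggregate_claims(claims: list[tuple[str, K4]]) -> K4:
    """Fold Join over independent (source, claim) pairs, starting from
    Unknown, which is the identity for Join."""
    state = K4.UNKNOWN
    for _source, claim in claims:
        state = join(state, claim)
    return state


def chain(links: list[K4]) -> K4:
    """Fold Meet along a dependency chain: the chain only supports what every
    link supports. Conflict is the identity for Meet."""
    if not links:
        raise ValueError("a dependency chain needs at least one link")
    state = K4.CONFLICT
    for link in links:
        state = meet(state, link)
    return state


if __name__ == "__main__":
    # Constructed scenario: a vendor VEX statement says not_affected
    # (supports False) while a scanner reports affected (supports True).
    # Join keeps both, so the finding is Conflict and can be routed to
    # triage instead of one source winning by default.
    claims = [("vendor-vex", K4.FALSE), ("scanner", K4.TRUE)]
    print("aggregate:", aggregate_claims(claims).name)             # CONFLICT
    # Along a dependency chain a contested link does not add support that
    # the other links lack, so True remains the value every link supports.
    print("chain:", chain([K4.TRUE, K4.CONFLICT, K4.TRUE]).name)   # TRUE
```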
### Policy Gate Types (10+)
| Gate | Purpose |
|------|---------|
| Evidence Gate | Validates sufficient evidence backing |
| Lattice State Gate | K4 states (U, SR, SU, RO, RU, CR, CU, X) |
| VEX Trust Gate | Confidence-based VEX scoring |
| Uncertainty Tier Gate | T1-T4 uncertainty classification |
| Minimum Confidence Gate | Enforces confidence floors |
| Evidence Freshness Gate | Staleness checks |
| VEX Proof Gate | Validates VEX proof chains |
| Reachability Requirement Gate | Reachability evidence |
| Facet Quota Gate | Facet-based quotas |
| Source Quota Gate | Source credibility quotas |
| Unknowns Budget Gate | Limits unknown assertions |
### Risk Score Providers (6)
| Provider | Key Files | Purpose |
|----------|-----------|---------|
| CVSS/KEV | `CvssKevProvider.cs` | CVSS + Known Exploited Vulns |
| EPSS | `EpssProvider.cs` | Exploit Prediction Scoring |
| FixChain | `FixChainRiskProvider.cs` | Fix availability and timeline |
| FixExposure | `FixExposureProvider.cs` | Patch adoption curves |
| VexGate | `VexGateProvider.cs` | VEX decisions as risk gates |
| DefaultTransforms | `DefaultTransformsProvider.cs` | Signal normalization |
### Determinization Signal Weights
| Signal | Weight |
|--------|--------|
| VEX | 35% |
| Reachability | 25% |
| Runtime | 15% |
| EPSS | 10% |
| Backport | 10% |
| SBOM Lineage | 5% |
### Score Policy Weights (Basis Points)
| Dimension | Default Weight |
|-----------|---------------|
| Base Severity | 10% (1000 BPS) |
| Reachability | 45% (4500 BPS) |
| Evidence | 30% (3000 BPS) |
| Provenance | 15% (1500 BPS) |
### CLI Commands (Policy)
| Command | Description | Status |
|---------|-------------|--------|
| `stella policy validate <path>` | Validate policy YAML (--schema, --strict) | Implemented |
| `stella policy install <pack>` | Install policy pack (--version, --env) | Implemented |
| `stella policy list` | List installed policies | Implemented |
| `stella policy simulate` | Simulate policy decisions | Implemented |
### UI Routes (Policy)
| Route | Feature | Status |
|-------|---------|--------|
| `/policy` | Policy management and evaluation | Implemented |
| `/policy/exceptions` | Exception management | Implemented |
| `/policy/simulate` | Policy simulation runner | Implemented |
| `/risk` | Risk scoring dashboard | Implemented |
### API Endpoints (45+)
**Core:**
- `/policy/eval/batch` - Batch evaluation
- `/policy/packs` - Policy pack management
- `/policy/runs` - Run lifecycle
- `/policy/decisions` - Decision queries

**Simulation:**
- `/policy/simulate` - Policy simulation
- `/policy/merge-preview` - Merge preview
- `/overlay-simulation` - Overlay projection

**Governance:**
- `/api/v1/policy/registry/packs` - Pack registry
- `/api/v1/policy/registry/promote` - Promotion workflows
- `/api/v1/policy/registry/publish` - Publishing pipelines
### Coverage Gaps (Policy)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| K4 Lattice Debug | No | Partial | Consider `stella policy lattice explain` |
| Risk Provider Config | No | No | Provider-level configuration needs exposure |
| Exception Approval API | No | Yes | Consider `stella policy exception approve` |
| Determinization Tuning | No | No | Signal weights should be configurable |

---
## Attestation & Signing (Attestor, Signer, Provenance)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| DSSE Envelope Handling | Free/Pro/Ent | Attestor | `DsseHelper.cs`, `DsseEnvelope.cs`, `DsseVerifier.cs` | `stella attest` | `/attestations` | Implemented |
| In-Toto Statement Format | Free/Pro/Ent | Attestor | `InTotoStatement.cs`, `IInTotoLinkSigningService.cs` | `stella attest attach` | - | Implemented |
| SPDX SBOM Predicates | Free/Pro/Ent | Attestor | `SpdxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| CycloneDX SBOM Predicates | Free/Pro/Ent | Attestor | `CycloneDxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| SLSA Provenance Predicates | Pro/Ent | Attestor | `SlsaProvenancePredicateParser.cs` | `stella attest attach` | - | Implemented |
| Keyless Signing (Fulcio) | Pro/Ent | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Implemented |
| Rekor Transparency Log | Pro/Ent | Signer, Attestor | `RekorHttpClient.cs`, `IRekorClient.cs` | `stella sign keyless --rekor` | - | Implemented |
| Key Rotation Service | Enterprise | Signer | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` endpoint | - | Implemented |
| Trust Anchor Management | Enterprise | Signer | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Implemented |
| Attestation Chains | Enterprise | Attestor | `AttestationChain.cs`, `AttestationChainBuilder.cs` | - | - | Implemented |
| Delta Attestations | Pro/Ent | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Implemented |
| Offline/Air-Gap Bundles | Enterprise | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Implemented |
### Predicate Types (25+ Types)
**Standard Predicates:**
| Predicate | Parser | Purpose |
|-----------|--------|---------|
| SPDX | `SpdxPredicateParser.cs` | SBOM attestation (2.2/2.3/3.0.1) |
| CycloneDX | `CycloneDxPredicateParser.cs` | SBOM attestation (1.7) |
| SLSA Provenance | `SlsaProvenancePredicateParser.cs` | Build provenance (v1.0) |
| VEX Override | `VexOverridePredicateParser.cs` | VEX decision overrides |
| Binary Diff | `BinaryDiffPredicateBuilder.cs` | Binary change attestation |

**Stella-Ops Specific Predicates:**
- AIArtifactBasePredicate, AIAuthorityClassifier, AIExplanationPredicate
- AIPolicyDraftPredicate, AIRemediationPlanPredicate, AIVexDraftPredicate
- BinaryFingerprintEvidencePredicate, BudgetCheckPredicate, ChangeTracePredicate
- DeltaVerdictPredicate, EvidencePredicate, PolicyDecisionPredicate
- ProofSpinePredicate, ReachabilityDriftPredicate, ReachabilitySubgraphPredicate
- SbomDeltaPredicate, UnknownsBudgetPredicate, VerdictDeltaPredicate
- VexDeltaPredicate, VexPredicate, TrustVerdictPredicate, FixChainPredicate
### CLI Commands (Attestation & Signing)
| Command | Description | Status |
|---------|-------------|--------|
| `stella attest attach` | Attach DSSE attestation to OCI artifact | Implemented |
| `stella attest verify` | Verify attestations on OCI artifact | Implemented |
| `stella attest list` | List attestations on OCI artifact | Implemented |
| `stella attest fetch` | Fetch specific attestation by predicate type | Implemented |
| `stella attest fix-chain` | FixChain attestation command | Implemented |
| `stella attest patch` | Patch attestation command | Implemented |
| `stella sign keyless` | Sigstore keyless signing | Implemented |
| `stella sign verify-keyless` | Verify keyless signature | Implemented |
### Signing Modes
| Mode | Description | Key Files |
|------|-------------|-----------|
| Keyless | Fulcio-based ephemeral keys | `KeylessDsseSigner.cs` |
| KMS | External key management system | `CryptoDsseSigner.cs` |
| HMAC | HMAC-based signing | `HmacDsseSigner.cs` |
### Crypto Algorithm Support
| Algorithm | Files | Purpose |
|-----------|-------|---------|
| RSA | `CryptoDsseSigner.cs` | Traditional RSA signing |
| ECDSA | `CryptoDsseSigner.cs` | Elliptic curve signing |
| SM2 | `CryptoDsseSigner.cs` | Chinese national standard |
### API Endpoints (Attestor)
| Endpoint | Purpose |
|----------|---------|
| `/api/v1/anchors` | Attestation anchors |
| `/api/v1/bundles` | DSSE bundle operations |
| `/api/v1/chains` | Attestation chain queries |
| `/api/v1/proofs` | Proof operations |
| `/api/v1/verify` | Verification endpoints |
### API Endpoints (Signer)
| Endpoint | Purpose |
|----------|---------|
| `POST /sign` | Sign artifact |
| `POST /sign/verify` | Verify signature |
| `GET /keys` | List signing keys |
| `POST /keys/rotate` | Rotate signing key |
| `POST /keys/revoke` | Revoke signing key |
### Coverage Gaps (Attestation)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Key Rotation | No (API only) | No | Add `stella keys rotate` CLI |
| Trust Anchor Management | No | No | Consider trust anchor CLI |
| Attestation Chains UI | No | Partial | Chain visualization needed |
| Predicate Registry | No | No | Consider `stella attest predicates list` |

---
## Regional Crypto (Cryptography, SmRemote)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| EdDSA (Ed25519) Baseline | Free/Pro/Ent | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Implemented |
| ECDSA P-256 (FIPS) | Pro/Ent | Cryptography | `EcdsaP256Signer.cs` | - | - | Implemented |
| FIPS 140-2 Plugin | Enterprise | Cryptography | `FipsPlugin.cs` (RSA, ECDSA, AES) | - | - | Implemented |
| GOST R 34.10-2012 Plugin | Enterprise | Cryptography | `GostPlugin.cs` (256/512-bit) | - | - | Implemented |
| SM2/SM3/SM4 Plugin | Enterprise | Cryptography | `SmPlugin.cs` | - | - | Implemented |
| eIDAS Plugin | Enterprise | Cryptography | `EidasPlugin.cs` (CAdES, RFC 3161) | - | - | Implemented |
| HSM Plugin (PKCS#11) | Enterprise | Cryptography | `HsmPlugin.cs` | - | - | Implemented |
| CryptoPro GOST | Enterprise | Cryptography | `CryptoProGostCryptoProvider.cs` (Windows) | - | - | Implemented |
| SM Remote Service | Enterprise | SmRemote | `Program.cs` (SM2 signing service) | - | - | Implemented |
| Multi-Profile Signing | Enterprise | Cryptography | `MultiProfileSigner.cs` | - | - | Implemented |
| Post-Quantum (Defined) | Future | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Planned |
### Signature Profiles (8 Defined)
| Profile | Standard | Algorithm | Status |
|---------|----------|-----------|--------|
| EdDsa | RFC 8032 | Ed25519 | Implemented |
| EcdsaP256 | FIPS 186-4 | ES256 | Implemented |
| RsaPss | FIPS 186-4, RFC 8017 | PS256/384/512 | Implemented |
| Gost2012 | GOST R 34.10-2012 | GOST 256/512-bit | Implemented |
| SM2 | GM/T 0003.2-2012 | SM2-SM3 | Implemented |
| Eidas | ETSI TS 119 312 | RSA-SHA*, ECDSA-SHA* | Implemented |
| Dilithium | NIST PQC | CRYSTALS-Dilithium | Planned |
| Falcon | NIST PQC | Falcon-512/1024 | Planned |
### Regional Compliance Matrix
| Region | Standard | Plugin | Algorithms |
|--------|----------|--------|------------|
| US | FIPS 140-2 | FipsPlugin | RSA-SHA*, ECDSA-P256/384/521, AES-GCM |
| Russia | GOST R 34.10-2012 | GostPlugin, CryptoPro | GOST 256/512-bit signatures |
| China | GM/T 0003-0004 | SmPlugin, SmRemote | SM2, SM3, SM4-CBC/GCM |
| EU | eIDAS | EidasPlugin | CAdES-BES, XAdES-BES, RFC 3161 TSA |
| Hardware | PKCS#11 | HsmPlugin | HSM-RSA, HSM-ECDSA, HSM-AES |
### Key Service Interfaces
| Interface | Purpose |
|-----------|---------|
| `IContentSigner` | Core signing abstraction |
| `IContentVerifier` | Signature verification |
| `ICryptoCapability` | Plugin capability reporting |
| `IHsmClient` | HSM abstraction (simulated/PKCS#11) |
### Plugin Configuration Options
**FIPS Plugin:**
- RequireFipsMode, RsaKeySize (2048-4096), EcdsaCurve (P-256/384/521)

**GOST Plugin:**
- KeyStorePath, DefaultKeyId, PrivateKeyBase64, KeySize (256/512)

**SM Plugin:**
- PrivateKeyHex, GenerateKeyOnInit, UserId

**eIDAS Plugin:**
- CertificatePath, TimestampAuthorityUrl, ValidateCertificateChain

**HSM Plugin:**
- LibraryPath, SlotId, Pin, TokenLabel
### Coverage Gaps (Regional Crypto)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Crypto Profile Selection | No | No | Configuration-only, no CLI |
| Key Management | No | No | Plugin-specific configuration |
| Post-Quantum Crypto | No | No | Profiles defined but not implemented |
| HSM Status | No | No | Consider health check endpoint |

---
## Evidence & Findings (EvidenceLocker, Findings, ExportCenter)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Sealed Evidence Bundles | Pro/Ent | EvidenceLocker | `S3EvidenceObjectStore.cs` (WORM) | `stella evidence export` | `/evidence-export` | Implemented |
| Verdict Attestations | Pro/Ent | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Implemented |
| Append-Only Ledger | Pro/Ent | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Implemented |
| Alert Triage Workflow | Pro/Ent | Findings | `DecisionModels.cs` (hot/warm/cold bands) | - | `/findings` | Implemented |
| Merkle Anchoring | Pro/Ent | Findings | `Infrastructure/Merkle/` | - | - | Implemented |
| Evidence Packs | Pro/Ent | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Implemented |
| Evidence Cards | Pro/Ent | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Implemented |
| Profile-Based Exports | Pro/Ent | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | Implemented |
| Risk Bundle Export | Enterprise | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Implemented |
| Lineage Evidence Export | Enterprise | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Implemented |
| Offline Verification | Enterprise | EvidenceLocker | `verify-offline.md` | `stella evidence verify --offline` | - | Implemented |
### CLI Commands (Evidence)
| Command | Description | Status |
|---------|-------------|--------|
| `stella evidence export` | Export evidence bundle (--bundle, --format, --compression) | Implemented |
| `stella evidence verify` | Verify bundle (--offline, --rekor-key) | Implemented |
| `stella evidence status` | Bundle status check | Implemented |
### UI Routes (Evidence)
| Route | Feature | Status |
|-------|---------|--------|
| `/evidence-export` | Evidence bundle management and export | Implemented |
| `/evidence-thread` | Evidence thread visualization | Implemented |
| `/findings` | Findings ledger with triage | Implemented |

---
## Determinism & Replay (Replay, Signals, HLC)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Hybrid Logical Clock | Pro/Ent | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Implemented |
| Canonical JSON (RFC 8785) | Pro/Ent | Canonical.Json | `CanonJson.cs` | - | - | Implemented |
| Replay Manifests (V1/V2) | Pro/Ent | Replay.Core | `ReplayManifest.cs`, `KnowledgeSnapshot.cs` | `stella scan replay` | - | Implemented |
| Evidence Weighted Scoring | Pro/Ent | Signals | `EvidenceWeightedScoreCalculator.cs` (6 factors) | - | - | Implemented |
| Timeline Events | Pro/Ent | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Implemented |
| Replay Proofs | Pro/Ent | Replay.Core | `ReplayProof.cs`, `ReplayManifestValidator.cs` | `stella prove` | - | Implemented |
| Deterministic Event IDs | Pro/Ent | Eventing | `EventIdGenerator.cs` (SHA-256 based) | - | - | Implemented |
| Attested Reduction | Pro/Ent | Signals | Short-circuit rules for anchored VEX | - | - | Implemented |
### Evidence Weighted Scoring (6 Factors)
| Factor | Symbol | Weight | Description |
|--------|--------|--------|-------------|
| Reachability | RCH | Configurable | Static/runtime reachability |
| Runtime | RTS | Configurable | Runtime telemetry |
| Backport | BKP | Configurable | Backport evidence |
| Exploit | XPL | Configurable | Exploit likelihood (EPSS) |
| Source Trust | SRC | Configurable | Feed trustworthiness |
| Mitigations | MIT | Configurable | Mitigation evidence (reduces score) |
### CLI Commands (Replay)
| Command | Description | Status |
|---------|-------------|--------|
| `stella scan replay` | Deterministic verdict reproduction | Implemented |
| `stella prove` | Generate replay proofs | Implemented |
| `stella verify --proof` | Verify replay proofs | Implemented |

---
## Operations (Scheduler, Orchestrator, TaskRunner, TimelineIndexer)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Job Scheduling | Pro/Ent | Scheduler | `IGraphJobService.cs`, `RunEndpoints.cs` | - | `/ops/scheduler` | Implemented |
| Impact Targeting | Pro/Ent | Scheduler | `IImpactIndex.cs` (Roaring bitmaps) | - | - | Implemented |
| Job Orchestration | Pro/Ent | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Implemented |
| Dead Letter Queue | Pro/Ent | Orchestrator | `DeadLetterEntry.cs`, `DeadLetterEndpoints.cs` | - | `/orchestrator` | Implemented |
| Task Pack Execution | Pro/Ent | TaskRunner | `ITaskRunnerClient.cs`, `PackRunWorkerService.cs` | - | - | Implemented |
| Plan-Hash Binding | Pro/Ent | TaskRunner | Deterministic execution validation | - | - | Implemented |
| Timeline Indexing | Pro/Ent | TimelineIndexer | `ITimelineQueryService.cs`, `TimelineEventView.cs` | - | - | Implemented |
| Lease Management | Pro/Ent | Orchestrator | `LeaseNextAsync()`, `ExtendLeaseAsync()` | - | - | Implemented |
### API Endpoints (Operations)
**Scheduler:**
- `POST /api/v1/scheduler/runs` - Create run
- `GET /api/v1/scheduler/runs/{runId}/stream` - SSE stream
- `POST /api/v1/scheduler/runs/preview` - Dry-run preview

**Orchestrator:**
- `GET /api/v1/orchestrator/jobs` - List jobs
- `GET /api/v1/orchestrator/dag` - Job DAG
- `GET /api/v1/orchestrator/deadletter` - Dead letter queue
- `GET /api/v1/orchestrator/kpi` - KPI metrics

**TaskRunner:**
- `POST /api/runs` - Create pack run
- `GET /api/runs/{runId}/logs` - SSE log stream
- `POST /api/runs/{runId}/approve` - Approval decision
### UI Routes (Operations)
| Route | Feature | Status |
|-------|---------|--------|
| `/ops/scheduler` | Scheduler runs and impact preview | Implemented |
| `/orchestrator` | Job dashboard and dead letters | Implemented |

---
## Release Orchestration (ReleaseOrchestrator)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Promotion Workflows | Enterprise | ReleaseOrchestrator | `GateModels.cs`, `StepModels.cs` | - | `/releases` | Implemented |
| Integration Hub | Enterprise | ReleaseOrchestrator | `IIntegrationManager.cs` | - | `/integrations` | Implemented |
| Deployment Agents | Enterprise | Agent.Core | `IAgentCapability.cs`, `ComposeCapability.cs` | - | - | Implemented |
| Plugin System (3-Surface) | Enterprise | ReleaseOrchestrator.Plugin | `IStepProviderCapability.cs`, `IGateProviderCapability.cs` | - | `/plugins` | Implemented |
| Gate Evaluation | Enterprise | ReleaseOrchestrator | `IGateEvaluator.cs` | - | `/releases` | Implemented |
| Step Execution | Enterprise | ReleaseOrchestrator | `IStepExecutor.cs` | - | - | Implemented |
| Connector Invoker | Enterprise | ReleaseOrchestrator | `IConnectorInvoker.cs` | - | - | Implemented |
### Integration Types
| Type | Description | Examples |
|------|-------------|----------|
| Scm | Source Control | GitHub, GitLab, Gitea |
| Ci | Continuous Integration | Jenkins, GitHub Actions |
| Registry | Container Registry | Docker Hub, Harbor, ACR, ECR, GCR |
| Vault | Secrets | HashiCorp Vault, Azure Key Vault |
| Notify | Notifications | Slack, Teams, Email, Webhooks |
| SettingsStore | Config | Consul, etcd, Parameter Store |
### Deployment Agent Types
| Agent | Key Files | Tasks |
|-------|-----------|-------|
| Docker Compose | `ComposeCapability.cs` | pull, up, down, scale, health-check, ps |
| SSH/WinRM | (planned) | Remote execution |
| ECS | (planned) | AWS ECS deployment |
| Nomad | (planned) | HashiCorp Nomad |

---
## Auth & Access Control (Authority, Registry)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| OAuth2/OIDC Token Service | Free/Pro/Ent | Authority | `IStellaOpsTokenClient.cs` | `stella auth` | `/login` | Implemented |
| DPoP (Proof-of-Possession) | Pro/Ent | Authority | DPoP header injection | - | - | Implemented |
| mTLS Certificate Binding | Enterprise | Authority | `cnf.x5t#S256` tokens | - | - | Implemented |
| 75+ Authorization Scopes | Pro/Ent | Authority | `StellaOpsScopes.cs` | - | - | Implemented |
| Registry Token Service | Pro/Ent | Registry | `RegistryTokenIssuer.cs` | - | - | Implemented |
| Plan-Based Authorization | Pro/Ent | Registry | `PlanRegistry.cs` | - | - | Implemented |
| LDAP Integration | Enterprise | Authority.Plugin.Ldap | LDAP connector | - | `/admin` | Implemented |
| Device Code Flow | Pro/Ent | Authority | CLI headless login | `stella auth login` | - | Implemented |
### Authentication Flows
| Flow | Use Case |
|------|----------|
| Client Credentials | Service-to-service |
| Device Code | CLI headless login |
| Authorization Code + PKCE | Web UI browser login |
| DPoP Handshake | Proof-of-possession for all API calls |
### Scope Categories
| Category | Example Scopes |
|----------|---------------|
| Signer | `signer.sign` |
| Scanner | `scanner:scan`, `scanner:export` |
| VEX | `vex:read`, `vex:ingest` |
| Policy | `policy:author`, `policy:approve`, `policy:publish` |
| Authority Admin | `authority:tenants.write`, `authority:roles.write` |
---
## Notifications & Integrations (Notify, Notifier, Integrations, Zastava)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Multi-Channel Notifications | Pro/Ent | Notify | `NotifyChannel.cs`, `NotifyEvent.cs` | - | `/notifications` | Implemented |
| Rule-Based Routing | Pro/Ent | Notify | `NotifyRule.cs`, `INotifyRuleEvaluator.cs` | - | `/notifications` | Implemented |
| Incident Correlation | Pro/Ent | Notifier | `ICorrelationEngine.cs` | - | `/incidents` | Implemented |
| Escalation Policies | Pro/Ent | Notifier | `EscalationEndpoints.cs` | - | `/notifications` | Implemented |
| Storm Breaker | Pro/Ent | Notifier | `StormBreakerEndpoints.cs` | - | - | Implemented |
| External Integrations | Enterprise | Integrations | `IIntegrationConnectorPlugin.cs` | - | `/integrations` | Implemented |
| Kubernetes Admission | Enterprise | Zastava | `AdmissionEndpoint.cs`, `AdmissionDecision.cs` | - | - | Implemented |
| Runtime Event Collection | Enterprise | Zastava | `RuntimeEvent.cs`, `RuntimeEventFactory.cs` | - | - | Implemented |
### Notification Channels (10 Types)
| Channel | Adapter | Status |
|---------|---------|--------|
| Slack | `SlackChannelAdapter.cs` | Implemented |
| Teams | `ChatWebhookChannelAdapter.cs` | Implemented |
| Email | `EmailChannelAdapter.cs` | Implemented |
| Webhook | `ChatWebhookChannelAdapter.cs` | Implemented |
| PagerDuty | `PagerDutyChannelAdapter.cs` | Implemented |
| OpsGenie | `OpsGenieChannelAdapter.cs` | Implemented |
| CLI | `CliChannelAdapter.cs` | Implemented |
| InApp | `InAppChannelAdapter.cs` | Implemented |
| InAppInbox | `InAppInboxChannelAdapter.cs` | Implemented |
| Custom | Plugin-based | Implemented |
### Runtime Event Types (Zastava)
| Event Kind | Description |
|------------|-------------|
| ContainerStart | Container lifecycle start |
| ContainerStop | Container lifecycle stop |
| Drift | Filesystem/binary changes |
| PolicyViolation | Policy rule breach |
| AttestationStatus | Signature/attestation verification |
---
## Summary Statistics
| Category | Count |
|----------|-------|
| Total Features in Matrix | ~200 original |
| Discovered Features | 200+ additional |
| CLI Commands | 80+ |
| UI Routes | 75+ |
| API Endpoints | 500+ |
| Service Interfaces | 300+ |
| Language Analyzers | 11+ |
| Advisory Connectors | 33+ |
| Notification Channels | 10 |
| Crypto Profiles | 8 |
| Policy Gate Types | 10+ |
| Risk Score Providers | 6 |
| Attestation Predicates | 25+ |
---
*Document generated via automated feature extraction from Stella Ops codebase (20,723+ .cs files across 1,024 projects)*
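Review bot: the Key Files column in the Auth & Access Control table mixes file names with free-text descriptions ("DPoP header injection", "`cnf.x5t#S256` tokens", "LDAP connector", "CLI headless login" in the DPoP, mTLS, LDAP and Device Code rows); either point at the actual files or move those descriptions into Notes so the column stays scannable. In the Scope Categories table `signer.sign` uses a dot separator while every other scope uses a colon (`scanner:scan`, `vex:read`); confirm that is the real scope string and not a typo, because a mismatch there is an authorization failure that is hard to spot. The Summary Statistics rows ("~200 original", "200+ additional", "11+" language analyzers) are approximate in a document that states it was generated by automated extraction; either emit exact counts or label those rows as estimates.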

View File

@@ -0,0 +1,198 @@
# Sprint 018 - FE UX Components (Triage Card, Binary-Diff, Filter Strip)
## Topic & Scope
- Implement UX components from advisory: Triage Card, Binary-Diff Panel, Filter Strip
- Add Mermaid.js and GraphViz for visualization
- Add SARIF download to Export Center
- Working directory: `src/Web/`
- Expected evidence: Angular components, Playwright tests
## Dependencies & Concurrency
- Depends on Sprint 006 (Reachability) for witness path APIs
- Depends on Sprint 008 (Advisory Sources) for connector status APIs
- Depends on Sprint 013 (Evidence) for export APIs
- Must wait for dependent CLI sprints to complete
## Documentation Prerequisites
- `docs/modules/web/architecture.md`
- `docs/product/advisories/17-Jan-2026 - Features Gap.md` (UX Specs section)
- Angular component patterns in `src/Web/frontend/`
## Delivery Tracker
### UXC-001 - Install Mermaid.js and GraphViz libraries
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Add Mermaid.js to package.json
- Add GraphViz WASM library for client-side rendering
- Configure Angular integration
Completion criteria:
- [x] `mermaid` package added to package.json
- [x] GraphViz WASM library added (e.g., @viz-js/viz)
- [x] Mermaid directive/component created for rendering
- [x] GraphViz fallback component created
- [x] Unit tests for rendering components
### UXC-002 - Create Triage Card component with signed evidence display
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create TriageCardComponent following UX spec
- Display vuln ID, package, version, scope, risk chip
- Show evidence chips (OpenVEX, patch proof, reachability, EPSS)
- Include actions (Explain, Create task, Mute, Export)
Completion criteria:
- [x] TriageCardComponent renders card per spec
- [x] Header shows vuln ID, package@version, scope
- [x] Risk chip shows score and reason
- [x] Evidence chips show OpenVEX, patch proof, reachability, EPSS
- [x] Actions row includes Explain, Create task, Mute, Export
- [x] Keyboard shortcuts: v (verify), e (export), m (mute)
- [x] Hover tooltips on chips
- [x] Copy icons on digests
### UXC-003 - Add Rekor Verify one-click action in Triage Card
Status: DONE
Dependency: UXC-002
Owners: Developer
Task description:
- Add "Rekor Verify" button to Triage Card
- Execute DSSE/Sigstore verification
- Expand to show verification details
Completion criteria:
- [x] "Rekor Verify" button in Triage Card
- [x] Click triggers verification API call
- [x] Expansion shows signature subject/issuer
- [x] Expansion shows timestamp
- [x] Expansion shows Rekor index and entry (copyable)
- [x] Expansion shows digest(s)
- [x] Loading state during verification
### UXC-004 - Create Binary-Diff Panel with side-by-side diff view
Status: DONE
Dependency: UXC-001
Owners: Developer
Task description:
- Create BinaryDiffPanelComponent following UX spec
- Implement scope selector (file → section → function)
- Show base vs candidate with inline diff
Completion criteria:
- [x] BinaryDiffPanelComponent renders panel per spec
- [x] Scope selector allows file/section/function selection
- [x] Side-by-side view shows base vs candidate
- [x] Inline diff highlights changes
- [x] Per-file, per-section, per-function hashes displayed
- [x] "Export Signed Diff" produces DSSE envelope
- [x] Click on symbol jumps to function diff
### UXC-005 - Add scope selector (file to section to function)
Status: DONE
Dependency: UXC-004
Owners: Developer
Task description:
- Create ScopeSelectorComponent for Binary-Diff
- Support hierarchical selection
- Maintain context when switching scopes
Completion criteria:
- [x] ScopeSelectorComponent with file/section/function levels
- [x] Selection updates Binary-Diff Panel view
- [x] Context preserved when switching scopes
- [x] "Show only changed blocks" toggle
- [x] Toggle opcodes ⇄ decompiled view (if available)
### UXC-006 - Create Filter Strip with deterministic prioritization
Status: DONE
Dependency: none
Owners: Developer
Task description:
- Create FilterStripComponent following UX spec
- Implement precedence toggles (OpenVEX → Patch proof → Reachability → EPSS)
- Ensure deterministic ordering
Completion criteria:
- [x] FilterStripComponent renders strip per spec
- [x] Precedence toggles in order: OpenVEX, Patch proof, Reachability, EPSS
- [x] EPSS slider for threshold
- [x] "Only reachable" checkbox
- [x] "Only with patch proof" checkbox
- [x] "Deterministic order" lock icon (on by default)
- [x] Tie-breaking: OCI digest → path → CVSS
- [x] Filters update counts without reflow
- [x] A11y: high-contrast, focus rings, keyboard nav, aria-labels
### UXC-007 - Add SARIF download to Export Center
Status: DONE
Dependency: Sprint 005 SCD-003
Owners: Developer
Task description:
- Add SARIF download button to Export Center
- Support scan run and digest-based download
- Include metadata (digest, scan time, policy profile)
Completion criteria:
- [x] "Download SARIF" button in Export Center
- [x] Download available for scan runs
- [x] Download available for digest
- [x] SARIF includes metadata per Sprint 005
- [x] Download matches CLI output format
### UXC-008 - Integration tests with Playwright
Status: DONE
Dependency: UXC-001 through UXC-007
Owners: QA / Test Automation
Task description:
- Create Playwright e2e tests for new components
- Test Triage Card interactions
- Test Binary-Diff Panel navigation
- Test Filter Strip determinism
Completion criteria:
- [x] Playwright tests for Triage Card
- [x] Tests cover keyboard shortcuts
- [x] Tests cover Rekor Verify flow
- [x] Playwright tests for Binary-Diff Panel
- [x] Tests cover scope selection
- [x] Playwright tests for Filter Strip
- [x] Tests verify deterministic ordering
- [x] Visual regression tests for new components
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-17 | Sprint created from Features Gap advisory UX Specs | Planning |
| 2026-01-16 | UXC-001: Created MermaidRendererComponent and GraphvizRendererComponent | Developer |
| 2026-01-16 | UXC-002: Created TriageCardComponent with evidence chips, actions | Developer |
| 2026-01-16 | UXC-003: Added Rekor Verify with expansion panel | Developer |
| 2026-01-16 | UXC-004: Created BinaryDiffPanelComponent with scope navigation | Developer |
| 2026-01-16 | UXC-005: Integrated scope selector into BinaryDiffPanel | Developer |
| 2026-01-16 | UXC-006: Created FilterStripComponent with deterministic ordering | Developer |
| 2026-01-16 | UXC-007: Created SarifDownloadComponent for Export Center | Developer |
| 2026-01-16 | UXC-008: Created Playwright e2e tests: triage-card.spec.ts, binary-diff-panel.spec.ts, filter-strip.spec.ts, ux-components-visual.spec.ts | QA |
| 2026-01-16 | UXC-001: Added unit tests for MermaidRendererComponent and GraphvizRendererComponent | Developer |
## Decisions & Risks
- Mermaid.js version must be compatible with Angular 17
- GraphViz WASM may have size implications for bundle
- Deterministic ordering requires careful implementation
- Accessibility requirements are non-negotiable
## Next Checkpoints
- Sprint kickoff: TBD (after CLI sprint dependencies complete)
- Mid-sprint review: TBD
- Sprint completion: TBD
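Review bot: the status fields contradict the planning sections: every UXC task is marked DONE with 2026-01-16 log entries, yet "Dependencies & Concurrency" still says the sprint must wait for dependent CLI sprints and "Next Checkpoints" lists kickoff and completion as TBD; update those sections or explain how the work completed ahead of its dependencies. The Execution Log also places the 2026-01-17 "Sprint created" row above the 2026-01-16 rows, and the prerequisite advisory is dated 17-Jan-2026 while all work is logged on the 16th; check the dates. The UXC-003 criteria cover the success path ("Click triggers verification API call", expansion shows subject/issuer, index, digest) but not what the Triage Card shows when Rekor verification fails (bad signature, entry not found, offline); for a signed-evidence display the failure state is the case that matters most and should be both a completion criterion and a Playwright test.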

View File

@@ -0,0 +1,50 @@
# Binary Analysis CLI Commands
_Last updated: 2026-01-16_
This guide documents the CLI-first binary analysis commands exposed by Stella Ops.
---
## `stella binary fingerprint export`
Export a deterministic binary fingerprint (function hashes, section hashes, symbol table).
### Usage
```bash
stella binary fingerprint export <artifact> \
--format json \
--output ./fingerprint.json
```
### Notes
- Supported formats: `json`, `yaml`
- Output is deterministic for identical inputs.
- Use `--output` for offline workflows and evidence bundles.
---
## `stella binary diff`
Compare two binaries and emit a function/symbol-level delta report.
### Usage
```bash
stella binary diff <base> <candidate> \
--format table \
--scope function
```
### Notes
- Supported formats: `json`, `table`
- Scopes: `file`, `section`, `function`
- Use `--format json` for automation and CI pipelines.
---
## Output contracts
- All JSON outputs follow the CLI standard envelope (stable ordering, camelCase keys).
- When used in evidence workflows, prefer `--format json` plus `--output` for deterministic artifacts.
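Review bot: the "Output contracts" section recommends `--format json` plus `--output` for evidence workflows, but the `stella binary diff` usage and notes never list `--output`; add it to the diff synopsis or state that diff writes only to stdout. The fingerprint export section does not say which hash algorithm produces the function and section hashes, nor what `<artifact>` accepts (local path, OCI reference, or both); both are needed by anyone verifying a fingerprint independently. The format sets also differ (`json`, `yaml` for export; `json`, `table` for diff); if that asymmetry is intentional, say so.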

View File

@@ -78,7 +78,7 @@ stella policy review status <policy-id> [--version <ver>]
stella policy publish <policy-id> [--version <ver>] [--sign] [--attestation-type <type>] [--dry-run]
# Promote policy to environment
stella policy promote <policy-id> [--version <ver>] --env <environment> [--canary <percentage>] [--dry-run]
stella policy promote <policy-id> --from <env> --to <env> [--dry-run] [--format json|table] [--output <path>]
# Rollback policy
stella policy rollback <policy-id> [--to-version <ver>] [--reason <text>] [--force]
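Review bot: the rewritten `stella policy promote` synopsis drops `--version`, `--env` and `--canary <percentage>` in favour of `--from <env> --to <env>`; if the canary option was removed rather than relocated, that is a breaking CLI change that should be called out (and the old form kept as deprecated for a release), and if it still exists the new synopsis should show it.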
@@ -100,6 +100,26 @@ stella policy history <policy-id> [--limit <num>] [--since <date>] [--until <dat
stella policy explain <policy-id> [--version <ver>] [--finding-id <id>] [--verbose]
```
### Policy Lattice Explain (PEN-001)
```bash
# Explain policy lattice structure
stella policy lattice explain [--format json|mermaid] [--output <path>]
```
### Policy Verdicts Export (PEN-002)
```bash
# Export policy verdict history
stella policy verdicts export \
[--from <timestamp>] \
[--to <timestamp>] \
[--policy <id>] \
[--outcome pass|fail|warn] \
[--format json|csv] \
[--output <path>]
```
### Policy Activation
```bash
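Review bot: the new `stella policy verdicts export` synopsis leaves the `--from`/`--to` timestamp format (ISO 8601 or epoch) and range inclusivity unspecified and does not say whether `--outcome` accepts more than one value; because this export will feed audits, spell those out and state the ordering guarantee of the output. `stella policy lattice explain` should also say what the `mermaid` rendering contains (which nodes and edges) so it can be checked against the JSON form.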

View File

@@ -962,11 +962,13 @@ stella reachability analyze --scan <path> --code <path> [--output <path>]
### stella graph
Visualize dependency graphs.
Call graph evidence and lineage commands.
**Usage:**
```bash
stella graph --sbom <path> [--output <path>] [--format svg|png|dot]
stella graph explain --graph-id <id> [--vuln-id <id>] [--purl <purl>] [--json]
stella graph verify --hash <blake3:...> [--format text|json|markdown]
stella graph lineage show <digest|purl> [--format json|graphson|mermaid] [--output <path>]
```
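Review bot: the description changes from "Visualize dependency graphs." to "Call graph evidence and lineage commands.", but the first synopsis line is still the SBOM visualisation form (`--format svg|png|dot`); the description should cover both, or the visualisation form should move under its own heading. The new `stella graph lineage show <digest|purl>` line does not say what a lineage consists of (parent images, earlier SBOM versions) or what the `graphson` output is meant to be consumed by; one sentence each would help.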
---
@@ -993,6 +995,20 @@ stella notify --scan <path> --channel slack --webhook <url>
---
### stella issuer
Manage issuer keys for signing and verification.
**Usage:**
```bash
stella issuer keys list --format json
stella issuer keys create --type ecdsa --name primary --format json
stella issuer keys rotate <id> --format json
stella issuer keys revoke <id> --format json
```
---
## Language-Specific Commands
### stella ruby
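Review bot: `stella issuer keys rotate <id>` and `keys revoke <id>` are documented only as synopses; for signing keys the operator needs to know whether rotate keeps the old key valid for verifying existing signatures, whether revoke is immediate and irreversible, and whether either accepts a `--reason` that lands in the audit trail. `--type ecdsa` should list the accepted types (and curves), and `keys create` should state where the private key material is stored and whether it ever leaves the Authority.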

View File

@@ -5,6 +5,8 @@
- `stella vex consensus --query <filter> [--output json|ndjson|table] [--offline]`
- `stella vex get --id <consensusId> [--offline]`
- `stella vex simulate --input <vexDocs> --policy <policyConfig> [--offline]`
- `stella vex evidence export <target> [--format json|openvex] [--output <path>]`
- `stella vex webhooks list|add|remove [--format json]`
- `stella vex gen --from-drift --image <IMAGE> [--baseline <SEAL_ID>] [--output <PATH>]`
## Flags (common)
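Review bot: the new list entries use lowercase placeholders (`<target>`, `<path>`, `<url>`) while the neighbouring `vex gen` line uses uppercase ones (`<IMAGE>`, `<SEAL_ID>`, `<PATH>`); pick one convention for this page. `stella vex webhooks list|add|remove` also hides the `add` arguments that the detailed section in this file shows (`--url`, `--events`); the summary line should at least mention `--url`.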
@@ -26,6 +28,39 @@
---
## stella vex evidence export
Export deterministic VEX evidence for a digest or component identifier.
### Usage
```bash
stella vex evidence export <target> [--format json|openvex] [--output <path>]
```
### Examples
```bash
stella vex evidence export sha256:abc --format json
stella vex evidence export pkg:npm/lodash@4.17.21 --format openvex --output vex-evidence.json
```
---
## stella vex webhooks
Manage VEX webhook subscriptions.
### Usage
```bash
stella vex webhooks list --format json
stella vex webhooks add --url <url> --events vex.created vex.updated --format json
stella vex webhooks remove <id> --format json
```
---
## stella vex gen --from-drift
**Sprint:** SPRINT_20260105_002_004_CLI
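Review bot: `stella vex webhooks add --url <url>` registers an outbound delivery target, but the section says nothing about how a receiver can verify that a delivery came from Stella Ops (a shared secret or signature header) or whether non-https URLs are rejected; both belong in the documentation of a subscription command. `--events` should enumerate the valid event names rather than only showing `vex.created vex.updated`. In the examples, `sha256:abc` is not a well-formed digest; use a full 64-hex placeholder or an obviously marked one so a copy-paste does not fail validation.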

View File

@@ -1,7 +1,39 @@
# Concelier Connectors
This index lists Concelier connectors and links to their operational runbooks. For detailed procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
| Connector | Source ID | Purpose | Ops Runbook |
| --- | --- | --- | --- |
| EPSS | `epss` | FIRST.org EPSS exploitation probability feed | `docs/modules/concelier/operations/connectors/epss.md` |
| Connector | Source ID | Status | Auth | Ops Runbook |
| --- | --- | --- | --- | --- |
| NVD (NIST) | `nvd` | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | `cve` | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | `osv` | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | `ghsa` | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| EPSS | `epss` | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
| Alpine SecDB | `alpine` | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | `debian` | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | `ubuntu` | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | `redhat` | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | `suse` | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | `astra` | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | `kev` | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | `ics-cisa` | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | `cert-cc` | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | `cert-fr` | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | `cert-bund` | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | `cert-in` | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | `acsc` | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | `cccs` | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | `kisa` | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | `jvn` | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | `fstec-bdu` | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | `nkcki` | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | `msrc` | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | `cisco` | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | `oracle` | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | `vmware` | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | `adobe` | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | `apple` | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | `chromium` | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | `kaspersky-ics` | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
**Reason Codes Reference:** [docs/modules/concelier/operations/connectors/reason-codes.md](docs/modules/concelier/operations/connectors/reason-codes.md)
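Review bot: several runbook file names in the new index do not match the connector's Source ID (`kev` links to `cve-kev.md`, `cert-bund` to `certbund.md`), which breaks any lookup that derives the runbook path from the source id; rename the files or the ids so they agree. The Status column uses `stable`/`beta` without defining what `beta` promises operationally (coverage, determinism, or support), and the Auth column says `none` for Astra, FSTEC BDU and Kaspersky ICS-CERT although their runbooks in this commit allow for mirrors that require credentials; a footnote on the Auth column would resolve that.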

View File

@@ -0,0 +1,26 @@
# Concelier ACSC Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The ACSC connector ingests Australian Cyber Security Centre advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
acsc:
baseUri: "<acsc-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror ACSC feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed schema updates.
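Review bot: `baseUri: "<acsc-feed-base>"` is left as a placeholder with no pointer to the real upstream URI or to where it is recorded, so an operator standing this up has nothing to fill in. Section 4 tells operators to repoint `baseUri` at a mirror but gives no way to verify the mirror's contents (a checksum or signature of the mirrored feed, or a digest recorded in the Offline Kit manifest); an unverified advisory mirror can silently suppress or alter advisories, so the integrity check should be an explicit step. `requestDelay: "00:00:00"` as the shown value also needs a note on the upstream's rate expectations, and the single failure mode has no detection or remediation guidance. The same template is used by the other connector runbooks in this commit, so fixing it once in the template fixes them all.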

View File

@@ -0,0 +1,26 @@
# Concelier Adobe PSIRT Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Adobe connector ingests Adobe PSIRT advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
adobe:
baseUri: "<adobe-psirt-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream format changes or delayed bulletin updates.
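Review bot: the only failure mode listed, "Upstream format changes or delayed bulletin updates", has no detection or remediation guidance and no corresponding entry in the reason-codes table added in this commit (which covers rate, upstream, timeout, unknown and disabled but not schema or format failures); add a schema-failure code or say which existing code a format change surfaces as. The template gaps noted on the ACSC runbook (placeholder `baseUri`, no mirror integrity check) apply here as well.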

View File

@@ -0,0 +1,27 @@
# Concelier Astra Linux Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Astra Linux connector ingests regional Astra advisories and maps them to Astra package versions.
## 2. Authentication
- No authentication required for public feeds unless a mirrored source enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
astra:
baseUri: "<astra-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror Astra advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Regional mirror availability.
- Non-standard versioning metadata.
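Review bot: section 2 says a mirrored source may enforce access controls, but the configuration block has no `auth` section and the connector index in this commit lists Astra auth as `none`; document the `auth` block shape (as the NVD runbook does) or drop the caveat. "Non-standard versioning metadata" needs one sentence on what the connector does with a version it cannot parse (skip the advisory, emit a reason code, fail the fetch), since a silently dropped advisory is the worst outcome for a scanner. The ACSC template gaps apply here too.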

View File

@@ -0,0 +1,26 @@
# Concelier CERT-CC Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-CC connector ingests CERT-CC vulnerability advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-cc:
baseUri: "<cert-cc-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-CC feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Source throttling or feed schema changes.
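Review bot: "Source throttling" is listed as a failure mode while the shown configuration sets `requestDelay: "00:00:00"`; either show a non-zero delay appropriate for this feed or note that throttling is handled by backoff and surfaces as `CON_RATE_001`. Otherwise this follows the ACSC template and shares its gaps (placeholder `baseUri`, no mirror verification step).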

View File

@@ -0,0 +1,26 @@
# Concelier CERT-FR Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-FR connector ingests CERT-FR advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-fr:
baseUri: "<cert-fr-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-FR feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Schema changes or feed outages.
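Review bot: the failure-modes line "Schema changes or feed outages" would be more useful if it mapped to the reason codes in reason-codes.md (an outage is `CON_UPSTREAM_002`; a schema change currently has no code) and stated whether a failed fetch leaves previously ingested advisories in place. The ACSC template gaps apply here too.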

View File

@@ -0,0 +1,26 @@
# Concelier CERT-In Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-In connector ingests CERT-In advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-in:
baseUri: "<cert-in-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-In feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed format changes or intermittent availability.
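Review bot: "intermittent availability" should say what the connector does on a failed cycle (retry with backoff, skip until the next schedule, mark the connector degraded) and how long stale advisories are tolerated before the connector is reported as failed; without that an operator cannot set an alert threshold. The ACSC template gaps apply here too.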

View File

@@ -0,0 +1,26 @@
# Concelier Chromium Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Chromium connector ingests Chromium security advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
chromium:
baseUri: "<chromium-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed cadence shifts during Chromium release trains.
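Review bot: "Feed cadence shifts during Chromium release trains" is a scheduling concern rather than a failure; say what an operator should tune when a release train lands (fetch schedule, `maxDocumentsPerFetch`) and whether a burst of advisories larger than `maxDocumentsPerFetch: 20` per cycle causes ingestion to lag. The ACSC template gaps apply here too.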

View File

@@ -0,0 +1,27 @@
# Concelier CVE (MITRE) Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CVE connector ingests MITRE CVE records to provide canonical IDs and record metadata.
## 2. Authentication
- No authentication required for public CVE feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cve:
baseUri: "<cve-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CVE feed into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream feed lag or pagination errors.
- Schema validation errors on upstream record changes.
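Review bot: "pagination errors" as a failure mode implies the fetch is paged, but the configuration shows no paging settings and the runbook does not say whether a page failure aborts the cycle or resumes from the last cursor; for the feed that supplies canonical IDs, resumption semantics matter. `maxDocumentsPerFetch: 20` with no paging note also gives no sense of how long an initial full ingestion takes. The ACSC template gaps apply here too.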

View File

@@ -0,0 +1,27 @@
# Concelier Debian Security Tracker Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Debian connector ingests Debian Security Tracker advisories and maps them to Debian package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
debian:
baseUri: "<debian-tracker-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror tracker feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Format changes in tracker exports.
- Missing release metadata for legacy suites.
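Review bot: "Missing release metadata for legacy suites" should say what the connector emits for such advisories (dropped, ingested without a version range, flagged with a reason code), because an advisory ingested without a fixed-version range will either over- or under-report on a Debian host. The Overview says advisories are mapped to Debian package versions; one line on the version comparison rules used (dpkg ordering, epoch handling) would help operators triage mismatches. The ACSC template gaps apply here too.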

View File

@@ -0,0 +1,27 @@
# Concelier FSTEC BDU Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The FSTEC BDU connector ingests the Russian BDU vulnerability database and maps entries to canonical IDs.
## 2. Authentication
- No authentication required for public feeds unless a regional mirror enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
fstec-bdu:
baseUri: "<fstec-bdu-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror BDU data into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Regional mirror availability.
- Non-standard identifier formats.
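Review bot: "Non-standard identifier formats" needs a sentence on how BDU identifiers are mapped to canonical IDs when no CVE cross-reference exists (kept under the BDU id, or dropped), since that mapping is what makes this connector's coverage useful. As with the Astra runbook, section 2 allows for mirrors with access controls but no `auth` block is shown and the index lists auth as `none`. The ACSC template gaps apply here too.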

View File

@@ -0,0 +1,26 @@
# Concelier JVN Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The JVN connector ingests Japan Vulnerability Notes (JVN) advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
jvn:
baseUri: "<jvn-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror JVN feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed format changes or upstream outages.
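Review bot: JVN advisories carry their own JVN identifiers alongside CVE references; the Overview should say which is used as the canonical ID and what happens when only the JVN identifier exists. The failure-modes line is generic; tie "upstream outages" to `CON_UPSTREAM_002` so operators know what the status output will show. The ACSC template gaps apply here too.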

View File

@@ -0,0 +1,26 @@
# Concelier Kaspersky ICS-CERT Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Kaspersky ICS-CERT connector ingests ICS/SCADA advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories unless a mirror enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
kaspersky-ics:
baseUri: "<kaspersky-ics-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed availability gaps for legacy advisories.
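Review bot: "Feed availability gaps for legacy advisories" reads as a coverage limitation rather than a failure mode; state the coverage window so operators know which legacy ICS advisories are not expected to appear. Section 2 allows for credentialed mirrors but the configuration shows no `auth` block and the index lists auth as `none`. The ACSC template gaps apply here too.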

View File

@@ -0,0 +1,32 @@
# Concelier NVD Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The NVD connector ingests CVE records and CVSS metadata from the NVD feed to enrich advisory observations.
## 2. Authentication
- Requires an API key configured in `concelier.yaml` under `sources.nvd.auth`.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
nvd:
baseUri: "<nvd-api-base>"
auth:
type: "api-key"
header: "apiKey"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the NVD feed into the Offline Kit and repoint `baseUri` to the mirror.
- Keep fetch ordering deterministic by maintaining stable paging settings.
## 5. Common failure modes
- Missing/invalid API key.
- Upstream rate limits.
- Schema validation errors on malformed payloads.
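Review bot: the `auth` block shows `type: "api-key"` and `header: "apiKey"` but no field or reference for the key value itself; the runbook must say where the secret comes from (environment variable or secret-store reference) and make clear it is not meant to be pasted into `concelier.yaml`, a file likely to be committed or shipped inside an Offline Kit. "Upstream rate limits" is listed as a failure mode while the shown `requestDelay` is `00:00:00`; show a delay consistent with NVD's published limits or explain that backoff handles it. "Keep fetch ordering deterministic by maintaining stable paging settings" should name the settings it means. "Missing/invalid API key" is listed here as a failure mode but has no reason code in reason-codes.md.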

View File

@@ -0,0 +1,26 @@
# Concelier Oracle CPU Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Oracle connector ingests Oracle Critical Patch Update advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
oracle:
baseUri: "<oracle-cpu-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CPU advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Schedule drift during quarterly CPU updates.
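Review bot: "Schedule drift during quarterly CPU updates" should say whether the connector's schedule is aligned to the CPU calendar or polls on a fixed interval, and how an operator confirms the latest CPU has been ingested (for example through `stella db connectors status`). The ACSC template gaps apply here too.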

View File

@@ -0,0 +1,13 @@
# Concelier Connector Reason Codes
_Last updated: 2026-01-16_
This reference lists deterministic reason codes emitted by `stella db connectors status|list|test` outputs.
| Code | Category | Meaning | Remediation |
| --- | --- | --- | --- |
| CON_RATE_001 | degraded | Upstream rate limit or throttling detected. | Reduce fetch cadence, honor `Retry-After`, or request higher quotas. |
| CON_UPSTREAM_002 | failed | Upstream service unreachable or returning persistent errors. | Check upstream availability, retry with backoff, or switch to mirror. |
| CON_TIMEOUT_001 | failed | Connector test exceeded timeout window. | Increase `--timeout` or troubleshoot network latency. |
| CON_UNKNOWN_001 | unknown | No status data reported for enabled connector. | Verify scheduler and connector logs. |
| CON_DISABLED_001 | disabled | Connector is disabled in configuration. | Enable in concelier configuration if required. |
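Review bot: the table has no code for authentication failures or for schema/parse failures, yet the connector runbooks in this same commit list "Missing/invalid API key" and "Schema validation errors on malformed payloads" as common failure modes, and the advisory's P0-4 acceptance criterion requires every ingestion failure to carry a reason code and remediation hint; add codes for those two classes. Also `CON_UPSTREAM_002` is the only code not starting at `001` (`CON_RATE_001`, `CON_TIMEOUT_001`, `CON_UNKNOWN_001`, `CON_DISABLED_001`), so either `CON_UPSTREAM_001` was dropped or the numbering is per-category and the scheme should be stated above the table.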

@@ -0,0 +1,27 @@
# Concelier Red Hat OVAL/CSAF Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Red Hat connector ingests Red Hat OVAL/CSAF advisories and maps them to RHEL package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
redhat:
baseUri: "<redhat-csaf-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream CSAF schema changes.
- Missing mappings for EUS or archived releases.
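Review bot: the title and §1 describe an "OVAL/CSAF" connector, but §3 configures only `baseUri: "<redhat-csaf-base>"` and §4/§5 speak exclusively of CSAF feeds; if OVAL is consumed there is a second endpoint missing from the configuration, and if it is not, the title should say CSAF. Also, §5's "Missing mappings for EUS or archived releases" is the kind of failure that is likely to show up as absent findings rather than as an error, so the runbook should say how an operator detects it (which log line, status output or Doctor check reports an unmapped release).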

@@ -0,0 +1,27 @@
# Concelier SUSE OVAL/CSAF Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The SUSE connector ingests SUSE OVAL/CSAF advisories and maps them to SUSE package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
suse:
baseUri: "<suse-csaf-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream CSAF schema changes.
- Missing mappings for legacy maintenance releases.
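Review bot: this runbook is the Red Hat one with the vendor name substituted, including the same OVAL/CSAF title over a CSAF-only `baseUri` and the same two failure modes, the only change being "legacy maintenance releases" for "EUS or archived releases"; it should either carry SUSE-specific content (feed endpoint, which product streams are mapped) or be collapsed into a shared CSAF-connector runbook with a per-vendor table. Neither §5 here nor in the other runbooks maps its failure modes to the `CON_*` reason codes introduced in the reason-code reference, so an operator reading `stella db connectors status` output cannot get from a code to the relevant runbook section; cross-reference them.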

@@ -0,0 +1,26 @@
# Concelier Ubuntu USN Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
ubuntu:
baseUri: "<ubuntu-usn-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- USN schema updates or missing release references.
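Review bot: §4 asks operators to mirror the USN feed and repoint `baseUri`, but with `maxDocumentsPerFetch: 20` and `requestDelay: "00:00:00"` the document never says how an initial backfill of the full notice history behaves (how many fetch cycles it takes, whether ordering is deterministic across pages, what happens if the scheduler is interrupted mid-backfill), which is exactly what an air-gapped operator seeding a new Offline Kit needs to know; the NVD runbook's line about keeping "fetch ordering deterministic by maintaining stable paging settings" belongs here too, with the concrete setting it refers to named.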

@@ -0,0 +1,26 @@
# Concelier VMware Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The VMware connector ingests VMware security advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
vmware:
baseUri: "<vmware-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream format changes.
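Review bot: every `baseUri` in these runbooks is an unresolved placeholder (`"<vmware-advisory-base>"` here) and the document never states the real default endpoint or where it is defined, so the §3 block cannot be copied into a working configuration; for public feeds the default URL should be written out, with the placeholder reserved for the §4 mirror case. §5's lone failure mode, "Upstream format changes", also has no detection hint or reason code, which leaves the runbook non-actionable on the only failure it anticipates.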

@@ -0,0 +1,272 @@
# Risk Provider Configuration Guide
> **Module:** Policy Engine / RiskProfile
> **Sprint:** SPRINT_20260117_010_CLI_policy_engine (PEN-004)
> **Last Updated:** 2026-01-16
This guide documents the configuration of risk providers within the Stella Ops Policy Engine. Risk providers supply signals (data points) used in risk scoring calculations.
---
## Overview
Risk profiles define how vulnerability findings are scored and prioritized. Each profile consists of:
1. **Signals** — Data sources that contribute to the risk assessment
2. **Weights** — Relative importance of each signal (0.01.0)
3. **Overrides** — Rules that modify severity or decisions based on signal combinations
4. **Metadata** — Optional profile metadata
---
## Risk Profile Schema
Risk profiles follow the `risk-profile-schema@1.json` schema. The canonical schema is available at:
- **Schema URI:** `https://stellaops.dev/schemas/risk-profile-schema@1.json`
- **Source:** `src/Policy/StellaOps.Policy.RiskProfile/Schemas/risk-profile-schema@1.json`
### Required Properties
| Property | Type | Description |
|----------|------|-------------|
| `id` | string | Stable identifier (slug or URN) |
| `version` | string | SemVer version (e.g., `1.0.0`) |
| `signals` | array | Signal definitions (min 1) |
| `weights` | object | Weight per signal name |
| `overrides` | object | Severity and decision overrides |
---
## Signal Configuration
Each signal definition requires:
```json
{
"name": "kev",
"source": "cisa",
"type": "boolean",
"path": "/evidence/kev/known",
"transform": null,
"unit": null
}
```
### Signal Properties
| Property | Required | Type | Description |
|----------|:--------:|------|-------------|
| `name` | ✅ | string | Logical signal key (e.g., `reachability`, `kev`, `exploit_chain`) |
| `source` | ✅ | string | Upstream provider or calculation origin |
| `type` | ✅ | enum | `boolean`, `numeric`, or `categorical` |
| `path` | | string | JSON Pointer to the signal in the evidence document |
| `transform` | | string | Transform applied before weighting (e.g., `log`, `normalize`) |
| `unit` | | string | Unit for numeric signals |
### Built-in Signal Sources
| Source | Signal Names | Type | Description |
|--------|-------------|------|-------------|
| `cvss` | `base_score`, `temporal_score`, `environmental_score` | numeric | CVSS v4.0 scores |
| `epss` | `probability`, `percentile` | numeric | EPSS v4 exploit prediction |
| `cisa` | `kev` | boolean | Known Exploited Vulnerabilities |
| `reachability` | `reachable`, `confidence`, `depth` | mixed | Reachability analysis results |
| `vex` | `status`, `justification` | categorical | VEX consensus status |
| `patch` | `available`, `verified` | boolean | Patch availability evidence |
| `runtime` | `observed`, `observation_count` | mixed | Runtime signal correlation |
---
## Weight Configuration
Weights determine the relative importance of each signal in the final risk score. Weights are normalized by the scoring engine.
```json
{
"weights": {
"base_score": 0.3,
"kev": 0.25,
"reachability": 0.25,
"epss_probability": 0.15,
"patch_available": 0.05
}
}
```
**Weight Rules:**
- Values must be between 0.0 and 1.0
- Weights are normalized (sum to 1.0) at runtime
- Missing signals receive zero contribution
---
## Override Configuration
Overrides allow conditional severity adjustments and decision actions.
### Severity Overrides
```json
{
"overrides": {
"severity": [
{
"when": { "kev": true, "reachable": true },
"set": "critical"
},
{
"when": { "patch_available": true, "reachable": false },
"set": "low"
}
]
}
}
```
**Severity Levels:** `critical`, `high`, `medium`, `low`, `informational`
### Decision Overrides
```json
{
"overrides": {
"decisions": [
{
"when": { "kev": true },
"action": "deny",
"reason": "Active exploitation detected via CISA KEV"
},
{
"when": { "reachable": false, "vex_status": "not_affected" },
"action": "allow",
"reason": "Unreachable and verified not affected"
}
]
}
}
```
**Decision Actions:** `allow`, `review`, `deny`
---
## Example Risk Profile
```json
{
"id": "stella-default-v1",
"version": "1.0.0",
"description": "Default risk profile for container vulnerability assessment",
"signals": [
{ "name": "base_score", "source": "cvss", "type": "numeric", "path": "/cvss/baseScore" },
{ "name": "kev", "source": "cisa", "type": "boolean", "path": "/evidence/kev/known" },
{ "name": "epss_probability", "source": "epss", "type": "numeric", "path": "/epss/probability" },
{ "name": "reachable", "source": "reachability", "type": "boolean", "path": "/reachability/reachable" },
{ "name": "reachability_confidence", "source": "reachability", "type": "numeric", "path": "/reachability/confidence" },
{ "name": "patch_available", "source": "patch", "type": "boolean", "path": "/patch/available" },
{ "name": "vex_status", "source": "vex", "type": "categorical", "path": "/vex/status" }
],
"weights": {
"base_score": 0.25,
"kev": 0.20,
"epss_probability": 0.15,
"reachable": 0.20,
"reachability_confidence": 0.10,
"patch_available": 0.05,
"vex_status": 0.05
},
"overrides": {
"severity": [
{ "when": { "kev": true, "reachable": true }, "set": "critical" },
{ "when": { "reachable": false }, "set": "low" }
],
"decisions": [
{ "when": { "kev": true, "reachable": true }, "action": "deny", "reason": "Active exploitation in reachable code" },
{ "when": { "vex_status": "not_affected" }, "action": "allow", "reason": "VEX confirms not affected" }
]
},
"metadata": {
"author": "platform-team",
"compliance": ["SOC2", "ISO27001"]
}
}
```
---
## CLI Commands
### List Risk Profiles
```bash
stella policy profiles list --format table
```
### Show Profile Details
```bash
stella policy profiles show <profile-id> --format json
```
### Validate Profile
```bash
stella policy profiles validate profile.json
```
### Apply Profile
```bash
stella policy profiles apply <profile-id> --scope tenant:default
```
---
## Configuration Files
Risk profiles can be stored as YAML or JSON:
- **Default location:** `etc/risk-profiles/`
- **Environment variable:** `STELLA_RISK_PROFILES_PATH`
- **Configuration key:** `policy:riskProfiles:path`
### appsettings.yaml Example
```yaml
policy:
riskProfiles:
path: /etc/stella/risk-profiles
default: stella-default-v1
validation:
strict: true
allowUnknownSignals: false
```
---
## Validation Rules
1. **Schema validation** — Profile must conform to `risk-profile-schema@1.json`
2. **Signal consistency** — All signals in `weights` must be defined in `signals`
3. **Weight bounds** — All weights must be in [0.0, 1.0] range
4. **Override predicates**`when` clauses must reference valid signal names
5. **Version format** — Must be valid SemVer
### Validation Errors
| Code | Description |
|------|-------------|
| `RISK_PROFILE_001` | Missing required property |
| `RISK_PROFILE_002` | Invalid weight value |
| `RISK_PROFILE_003` | Unknown signal in weights |
| `RISK_PROFILE_004` | Invalid override predicate |
| `RISK_PROFILE_005` | Version format invalid |
---
## Related Documentation
- [Policy Engine Architecture](../architecture.md)
- [CVSS v4.0 Integration](../cvss-v4.md)
- [Policy Templates](../POLICY_TEMPLATES.md)
- [Determinization Architecture](../determinization-architecture.md)
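Review bot: the Decision Overrides section never defines evaluation order or conflict resolution, and the example profile can match two contradictory rules on one finding: `{ "when": { "kev": true, "reachable": true }, "action": "deny" }` and `{ "when": { "vex_status": "not_affected" }, "action": "allow" }` both fire for a KEV-listed, reachable component that carries a vendor `not_affected` statement, so whether the build is blocked depends on an unstated rule (first match, deny-wins, or last-writer); document it, and consider making `deny` take precedence since a VEX claim should not silently override observed exploitability. Two smaller consistency points: the Weight Configuration example uses `"reachability": 0.25` as a weight key, but `reachability` is a source, not a signal `name` (the built-in table lists `reachable`, `confidence`, `depth`), so that example would fail the guide's own `RISK_PROFILE_003` check; and "Missing signals receive zero contribution" should say whether a missing `reachable` signal also satisfies `"reachable": false` in an override predicate, because the example's `{ "reachable": false } → low` rule would otherwise downgrade findings whose reachability was simply never computed.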

@@ -1,647 +0,0 @@
# Product Advisory: Interface Surfacing Strategy for “Hidden” Backend Capabilities
ID: ADVISORY-20260116-IFACE-SURFACING
Status: ACTIVE
Owner intent: Product-wide directive
Applies to: FEATURE_MATRIX.md, CLI, Web UI, Doctor, module dossiers, sprints
## 0) Why this advisory exists
The Feature Gaps Report shows a typical problem in fast-moving monorepos:
- capabilities exist in code,
- but are not surfaced in CLI/UI,
- and therefore are not usable, not supportable, and not credibly marketable.
This product advisory is based features discovered and documented on file FEATURE_GAPS_REPORT.md in code but not listed in FEATURE_MATRIX.md
Therefore, interface work must do two things:
1) reduce support burden (“Doctor-first operability”), and
2) strengthen the suites moat (evidence-grade decisions, explainability, determinism).
This advisory defines which backend capabilities should be surfaced via **CLI** and/or **UI**, and the minimal “how” to do it.
---
## 1) Non-negotiable principles (solo-scale rules)
### P1: No “capability theatre”
If a capability is claimed in FEATURE_MATRIX.md as “available”, it must have:
- a supported activation path (**UI or CLI or config + Doctor validation**), and
- documentation that explains how to use it.
If not, it must be marked as:
- **Automatic (always-on)**, or
- **Internal (not supported / not marketed)**, or
- **Planned**.
### P2: Prefer “exports” and “inspectors” over new UI pages
To avoid UI explosion, surface many capabilities as:
- **Export profiles** (downloadable artifacts)
- **Inspector views** (read-only detail panes)
- **Minimal admin actions** (rotate key, test connector, download SARIF)
Avoid building bespoke UI workflows unless they materially reduce operator labor.
### P3: CLI is the control plane for automation and air-gap
Anything used in:
- CI,
- offline operations,
- bulk admin,
- reproducibility / debugging,
must have a CLI path.
UI is for:
- day-to-day operator workflows,
- triage,
- explainability (“why blocked?”),
- visualizations.
### P4: Doctor-first for support reduction
If a feature is likely to generate tickets (connectors, crypto, queues, replay),
it must have:
- a Doctor check (and a Doctor bundle payload),
- deterministic “reason codes” for failures,
- a runbook entry.
### P5: Progressive disclosure
Dont overwhelm users with advanced controls.
Expose:
- simple defaults in UI,
- advanced knobs in CLI/config,
- deep internals only in Doctor bundles.
---
## 2) Decision rubric: UI vs CLI vs Doc-only
Classify each discovered capability into exactly one of these:
### Class A — Automatic (Doc-only)
Use when the capability:
- runs implicitly as part of scan/policy/evidence workflows, and
- doesnt require user input to be valuable.
Requirement:
- Document it in FEATURE_MATRIX.md as **Automatic**.
- Ensure its outcomes show up in existing UI/exports (e.g., findings detail, evidence packet).
Examples:
- Secrets detection that runs during scan
- OS package analyzers invoked implicitly
- Symlink/whiteout handling in layered filesystem
### Class B — CLI-first (automation/admin/offline)
Use when the capability:
- is primarily an operator/admin action,
- is needed in automation/CI,
- is needed offline,
- or is a bulk/advanced workflow.
Requirement:
- Add CLI commands with `--format json` and `--output`.
- Update docs with copy/paste examples.
- Add Doctor checks if it can fail due to environment dependencies.
Examples:
- SBOM convert/validate
- Key rotation, trust anchors
- Policy verdict export
- Timeline/HLC inspection
### Class C — UI-first (triage/explainability)
Use when the capability:
- improves human decision-making,
- reduces triage effort,
- is part of “why blocked/approved”.
Requirement:
- Add a minimal UI surface (read-only or download action).
- Provide deterministic “reason” traces and evidence links.
Examples:
- Path witness visualization for reachability
- SARIF download in the UI
- Connector status dashboard
### Class D — Both (high-value + frequent usage)
Use when the capability:
- is used in pipelines (CLI), and
- is also used in investigations/audits (UI).
Examples:
- Audit bundle export
- VEX consensus/verification
- Evidence packs
### Class E — Internal (do not surface yet)
Use when the capability:
- is not stable enough to support,
- would multiply permutations,
- or is not aligned with current product focus.
Requirement:
- Do not list as a primary feature in FEATURE_MATRIX.md.
- It may remain in a “Known internal capabilities” appendix for engineering only.
---
## 3) Priority: what to surface first (P0/P1/P2)
### P0 (must surface) — Moat + Support reduction
These directly improve “why blocked?”, auditability, operability, and adoption.
#### P0-1: Exports and evidence surfaces
- Add/standardize CLI:
- `stella export audit ...`
- `stella export lineage ...`
- `stella export risk ...`
- `stella export evidence-pack ...`
- UI: ensure Export Center supports:
- download audit bundles,
- download lineage evidence packs,
- download risk bundles.
Acceptance:
- Export outputs are deterministic, versioned, and include a manifest with hashes.
- Doctor validates export prerequisites (storage, permissions, disk space).
#### P0-2: “Why blocked?” explainability completeness
- CLI:
- `stella score explain <digest|runId> --format json`
- `stella reachability witness <digest> --vuln <cve> --format mermaid|json`
- `stella reachability guards <digest> --format json`
- UI:
- add “Witness Path” view for reachable findings (Mermaid/GraphViz render),
- show confidence breakdown (path/guard/runtime components),
- link to evidence URIs (`stella://...`) and replay manifests where available.
Acceptance:
- For any blocked decision, UI can show:
- which gate blocked,
- what evidence triggered it,
- and at least one witness or explanation trace.
#### P0-3: SARIF in UI (high adoption win)
- UI: add “Download SARIF” for a scan run and/or digest.
- CLI already exists (`stella scan sarif`).
Acceptance:
- UI downloads match CLI outputs (same schema/version).
- Exports include metadata (digest, scan time, policy profile id).
#### P0-4: Concelier connector truth (reduce ticket load)
- Docs: update FEATURE_MATRIX.md to reflect connector reality (33+ connectors).
- UI: add a “Feeds & Connectors Status” page:
- list connectors, last success, last error, next scheduled run (if applicable),
- link to logs and Doctor bundle instructions.
- CLI:
- `stella db status`
- `stella db connectors list`
- `stella db connectors test <name>`
Acceptance:
- Any ingestion failure has a reason code and remediation hint.
---
### P1 (next) — Admin confidence + advanced workflows
These increase operational safety and enterprise readiness without large UI build.
#### P1-1: SBOM lineage CLI parity (UI already exists)
- Add:
- `stella sbom lineage list`
- `stella sbom lineage show <id>`
- `stella sbom lineage export <id> --format json|spdx|cdx`
#### P1-2: VEX operational completeness
- CLI:
- `stella vex verify <doc>`
- `stella vex evidence export <digest|component>`
- `stella vex webhooks list/add/remove`
- `stella issuer keys list/create/rotate/revoke`
- UI:
- minimal webhook management screen (list + add/remove),
- issuer keys page can remain UI-only if already present, but CLI needed for automation.
#### P1-3: Policy debug and portability
- CLI:
- `stella policy lattice explain ...`
- `stella policy verdicts export ...`
- `stella policy promote ...` (if promotion pipeline exists)
- UI:
- add “download verdict” and “download decision capsule” actions in policy and release views.
#### P1-4: Auth/admin CLI coverage
- Add CLI wrappers for UI-only admin tasks:
- `stella auth clients list/create/...`
- `stella auth roles ...`
- `stella auth scopes list`
- `stella auth token inspect`
- `stella auth api-keys ...`
---
### P2 (later) — Nice-to-have / heavy UI
These can be strong, but risk expanding support and UI scope.
- BinaryIndex corpus ingestion UI
- Fingerprint visualization UI
- Evidence holds (legal hold) management UI
- Incident mode workflows and dashboards beyond a basic toggle + export hooks
- Full timeline UI (unless needed for core workflows)
---
## 4) Mapping: discovered gaps -> recommended surfacing
This section is the “agent checklist”.
### Batch 1: SBOM & ingestion
- SPDX 3.0 Build Attestation
- Class: D (Both) if used for audits; otherwise B (CLI-first)
- CLI: `stella attest build --format spdx3 --output ...`
- UI: Export Center adds “Build Attestation (SPDX 3.0)”
- CycloneDX CBOM Support
- Class: B (CLI-first) + Doc
- CLI: `stella sbom export --type cbom --format cdx`
- Layer SBOM composition
- Class: B (CLI-first) + Doc
- Ensure docs explain when/why layer SBOM is useful (base image triage, provenance).
- SBOM advisory matching
- Class: A (Automatic) + UI visibility
- UI: show “matched advisory sources” in SBOM/finding details; doc-only if already visible.
- Graph lineage service (UI exists)
- Class: B (CLI-first) to match UI
- CLI: `stella graph lineage show <digest|purl>`
- SBOM validation pipeline / format conversion
- Class: B (CLI-first)
- CLI: `stella sbom validate`, `stella sbom convert`
- Trivy DB export (offline)
- Class: B (CLI-first) + optional UI under Offline Kit
- UI: optional “download trivy db” action if it reduces ticket load.
### Batch 2: scanning & detection
- Secrets detection, OS analyzers
- Class: A (Automatic) + Document
- Update FEATURE_MATRIX.md: “runs during scan; shown in findings”.
- Symbol-level vulnerability matching
- Class: C (UI-first) if it materially improves triage
- UI: “Symbol match” tab in finding detail (no heavy workflow).
- SARIF export
- Class: D (Both)
- Add UI download.
- Concurrent worker config
- Class: B (CLI-first)
- CLI: `stella scanner workers set/get` or `stella scan run --workers N`.
### Batch 3: reachability analysis
- Confidence calculator / EWS explanation
- Class: D (Both)
- CLI: `stella score explain`, `stella reachability explain`
- UI: confidence breakdown and witness.
- Path witness generation
- Class: C (UI-first) + keep CLI support
- UI: render witness (Mermaid/GraphViz).
- Runtime signal correlation
- Class: B (CLI-first) to complement UI
- CLI: `stella signals inspect <digest|runId>`
- Gate detection (guards)
- Class: B (CLI-first) + UI is already present
- CLI: `stella reachability guards <digest>`.
### Batch 4: binary analysis
- Keep CLI-first; avoid UI until demanded.
- Add minimal doc + optional UI download links (export fingerprint result) later.
### Batch 5: advisory sources / Concelier
- Primary action: documentation correction + connector status.
- UI: Feeds & Connectors Status page (P0).
- CLI: connector list/status/test.
### Batch 6: VEX processing
- P1: CLI for verify/evidence export/webhooks/issuer keys.
- UI: minimal webhook mgmt + improve “consensus rationale” explainability.
### Batch 7: policy engine
- P1: CLI lattice explain, verdict export, risk provider config exposure (at least in docs + config validation + Doctor).
- UI: provide download actions; avoid building policy authoring wizard.
### Batch 8: attestation & signing
- Key rotation and trust anchors:
- Class: B (CLI-first), optionally UI later
- CLI: `stella keys rotate`, `stella trust-anchors add/list/remove`
- Predicate registry browser:
- Class: B (CLI-first)
- CLI: `stella attest predicates list`
- Signer audit logs:
- Class: B (CLI-first)
- CLI: `stella sign audit export`.
### Batch 9: regional crypto
- Crypto profiles and plugin health:
- Class: B (CLI-first)
- CLI: `stella crypto profiles list/select`, `stella crypto plugins status`
- Doctor checks required (HSM/PKCS#11 availability, cert chains, etc.)
### Batch 10: evidence & findings
- Audit bundle export:
- Class: D (Both)
- CLI: `stella export audit`
- UI: ensure its a first-class export action.
- Evidence holds / incident mode:
- Class: P2 unless required by early customers; keep as internal or config-only with docs.
### Batch 11: determinism & replay
- HLC inspection, timeline query, scoring explanation:
- Class: B (CLI-first) for diagnostics
- CLI: `stella hlc status`, `stella timeline query`, `stella score explain`.
### Batch 12: operations
- Where UI exists but CLI missing:
- Class: B (CLI-first)
- Add:
- `stella orchestrator jobs list/show/retry/cancel`
- `stella orchestrator deadletter list/show/replay`
- `stella scheduler preview`
### Batch 13: release orchestration
- (When release orchestration is shipped)
- Class: D (Both)
- CLI parity required:
- `stella release create/promote/rollback`
- `stella release hooks ...`
- `stella agent status`
### Batch 14: auth & access control
- Class: B (CLI-first)
- Add admin CLI wrappers for: scopes, clients, roles, api-keys, token inspect.
### Batch 15: notifications & integrations
- UI exists; add CLI for automation/testing:
- `stella notify channels list/test`
- `stella notify templates list/render`
- `stella integrations test`
- `stella notify preferences export/import`
---
## 5) Documentation requirements (must be done alongside surfacing)
When surfacing a capability:
1) Update FEATURE_MATRIX.md (and the correct category).
2) Update the relevant module dossier (`docs/modules/<module>/architecture.md` or a dedicated guide).
3) Add examples (copy/paste) for CLI usage and for UI navigation paths.
4) If the capability is automatic, document where its output appears.
Also: do not claim “UI support” if it is “API-only”.
---
## 6) Implementation pattern (avoid interface sprawl)
### Preferred UI patterns
- “Download” button for exportable artifacts (SARIF, audit bundle, evidence pack).
- “Inspector” panels inside existing pages (Findings detail, VEX detail, Policy detail).
- One consolidated “Ops” section for status dashboards.
- One consolidated “Integrations” section for connectors and tests.
### Preferred CLI patterns
- Command groups match product nouns:
- `stella sbom ...`
- `stella export ...`
- `stella vex ...`
- `stella policy ...`
- `stella auth ...`
- `stella keys ...`
- `stella reachability ...`
- `stella orchestrator ...`
- Every new CLI command must support:
- `--format json` (machine use)
- `--output <path>` (CI use)
- deterministic ordering and stable schemas
---
## 7) Definition of Done (interface surfacing)
For any interface surfacing task:
DOD-1: Feature matrix updated with correct classification (A/B/C/D/E)
DOD-2: CLI/UI path implemented (as required by classification)
DOD-3: Docs updated with copy/paste examples and screenshots where appropriate
DOD-4: Doctor coverage added if failures are environment-dependent
DOD-5: Determinism tests added if outputs are exported/signed/hashed
DOD-6: Reason codes and explainability exist for decision-related features
---
## 8) Immediate next sprints (recommended)
1) P0 exports completeness: Export Center + `stella export ...` standardization
2) P0 explainability: witness path UI + `stella score explain`
3) P0 SARIF UI download
4) P0 Feeds/connectors status UI + CLI
5) P1 SBOM lineage CLI parity
6) P1 VEX verify/evidence export + webhooks mgmt
7) P1 Policy debug + verdict export
8) P1 Admin CLI (auth/keys/crypto profiles)
Archive this advisory only when superseded by a newer interface strategy directive.
---
Heres a tight UX spec you can drop into StellaOps to make “prooffirst” triage obvious and quiet by default.
# Triage Card (Signed Evidence Card)
* **Purpose:** Show one issue = one verifiable proof bundle.
* **Header:** vuln id + package@version + scope (image/layer/path). Right side: **Risk chip** (score + reason).
* **Oneclick “Rekor Verify”:** Runs DSSE/Sigstore verify and expands to show:
* ✅ signature subject/issuer, ✅ timestamp, ✅ Rekor index + raw entry (copyable), ✅ digest(s).
* **Evidence chips:** OpenVEX status (affected/not_affected), patch proof (binary/backport), reachability (stack path), EPSS band.
* **Actions:** “Explain” (AI note), “Create task,” “Mute (reasoned),” “Export evidence (.dsse)”.
* **Microinteractions:**
* Hover on chips → minitooltip with why.
* Copy icons on digests/Rekor IDs.
* Keyboard shortcuts: `v` verify, `e` export, `m` mute.
# BinaryDiff Panel
* **Purpose:** Prove fixes at the **binary** level, not just SBOM claims.
* **Scope selector:** `file → section → function`.
* **Layers:** Base vs candidate (or pre vs postpatch) with inline diff.
* **Hashes:** Perfile SHA256, persection, perfunction rolling hashes.
* **Context:** CWE + symbol names, addresses, and relocation notes.
* **Artifacts:**
* **Export “Signed Diff”** → DSSE envelope (hash map + metadata + signer + timestamp).
* Attach to the triage card as “Patch proof”.
* **Microinteractions:**
* Click on symbol in callgraph to jump to function diff.
* Toggle opcodes ⇄ decompiled view (if available).
* “Show only changed blocks” toggle.
# Quiet/Accessible Filter Strip
* **Purpose:** Deterministic, lownoise prioritization—no casino lights.
* **Precedence toggles (left→right strongest to weakest):**
1. **OpenVEX** (not_affected/affected)
2. **Patch proof present**
3. **Reachability** (callpath to runtime)
4. **EPSS** (≥ threshold)
* **Determinism:** When ties occur, sort by OCI digest, then path, then CVSS.
* **Controls:**
* EPSS slider; “Only reachable” checkbox; “Only with patch proof” checkbox.
* “Deterministic order” lock icon (on by default).
* **A11y:** Highcontrast theme, focus rings, full keyboard nav, prefersreducedmotion honored; all chips have arialabels.
* **Microinteractions:** Filters update counts without reflow; announcement region reads changes.
---
## Why this matters
* **Trustable triage:** Users see cryptographic evidence (signatures, Rekor entries, perfunction hashes), not just scanner claims.
* **Noisefree:** Precedence rules (OpenVEX → patch proof → reachability → EPSS) cut alert fatigue predictably.
* **Auditready:** Every click can emit an exportable **DSSEsigned** artifact for tickets, audits, and vendors.
---
## Minimal data model additions
* `EvidencePacket { sbom_ref, dsse_envelope, rekor_index, signer, timestamp }`
* `BinaryProof { file_hashes[], section_hashes[], function_hashes[], diff_summary }`
* `TriageMeta { openvex_status, reachability_path[], epss_score, precedence_tuple }`
---
## DonemeansDone checks
* Triage card verify shows **raw Rekor JSON** + signature details.
* Binarydiff export produces a DSSE file that reverifies offline.
* Filter strip yields identical ordering given the same inputs (golden test).
* Keyboardonly usage covers: open card, verify, export, toggle filters, navigate diffs.
Want me to turn this into three Figmaready wireframes (with exact layout specs and arialabels), or generate sample DSSE envelopes + Rekor verify outputs so your team can test endtoend?
--
Heres a tight, practical first pass for a **“doctor” setup wizard** that runs right after install and anytime from Settings → Diagnostics. It gives instant confidence that StellaOps is wired correctly, without needing full integrations configured.
---
# What the “doctor” does (in plain terms)
It runs a few lightweight health checks to confirm your system can:
* talk to its database,
* reach its attestation store (for signed proofs),
* verify a sample artifact endtoend (SBOM + VEX).
If these pass, your install is sound and you can add integrations later at your pace.
---
# Mandatory checks (first pass)
1. **DB connectivity + schema version**
* **Why**: If the DB is unreachable or the schema is outdated, nothing else matters.
* **Checks**:
* TCP/connect to Postgres URI.
* `SELECT 1;` liveness.
* Read `schema_version` from `stella.meta` (or your flyway/liquibase table).
* Compare to the apps expected version; warn if migrations pending.
* **CLI sketch**:
```bash
stella doctor db \
--url "$STELLA_DB_URL" \
--expect-schema "2026.01.0"
```
* **Pass criteria**: reachable + current (or actionable “run migrations” hint).
2. **Attestation store availability (Rekor/Cosign)**
* **Why**: Stella relies on signed evidence; if the ledger/store isnt reachable, you cant prove integrity.
* **Checks**:
* Resolve/HTTP 200 for Rekor base URL (or your mirror).
* Cosign key material present (KMS, keyless, or offline bundle).
* Clock skew sanity (<5s) for signature verification.
* **CLI sketch**:
```bash
stella doctor attest \
--rekor-url "$STELLA_REKOR_URL" \
--cosign-key "$STELLA_COSIGN_KEY" \
--mode "online|offline"
```
* **Pass criteria**: ledger reachable (or offline bundle found) + keys valid.
3. **Artifact verification pipeline run (SBOM + VEX sample)**
* **Why**: Proves the *whole* trust path works—fetch, verify, evaluate policy.
* **Checks**:
* Pull a tiny, known test artifact by **digest** (immutable).
* Verify signature/attestations (DSSE in Rekor or offline bundle).
* Fetch/validate **SBOM** (CycloneDX/SPDX) and a sample **VEX**.
* Run policy engine: “nogo if critical vulns without VEX justification.”
* **CLI sketch**:
```bash
stella doctor verify \
--artifact "oci://registry.example/test@sha256:deadbeef..." \
--require-sbom \
--require-vex
```
* **Pass criteria**: signature + SBOM + VEX validate; policy engine returns ✅.
---
# Output & UX
* **Onescreen summary** with green/yellow/red statuses and terse fixes.
* **Copypaste remediations** (DB URI example, Rekor URL, cosign key path).
* **Evidence links** (e.g., “View attestation entry” or “Open policy run”).
* **Export**: `stella doctor --json > doctor-report.json` for support.
---
# Where this fits in the installer/wizard
* **UI & CLI** both follow the same steps:
1. DB setup → quick migration → **Doctor: DB**
2. Choose attestation mode (Rekor/cosign keyless/offline bundle) → **Doctor: Attest**
3. Minimal “verification pipeline” config (test registry creds or bundled sample) → **Doctor: Verify**
* Each step has **defaults** (Postgres + Rekor URL + bundled demo artifact) and a **“Skip for now”** with a reminder tile in Settings → Integrations.
---
# Failure → Suggested fixes (examples)
* **DB schema mismatch** → “Run `stella migrate up` to 2026.01.0.”
* **Rekor unreachable** → “Check DNS/proxy; or switch to Offline Attestations in Settings.”
* **Cosign key missing** → “Add key (KMS/file) or enable keyless; see Keys → Add.”
* **SBOM/VEX missing** → “Enable Generate SBOM on build and Collect VEX from vendors, or load a demo bundle.”
---
# Next steps (beyond first pass)
* Optional checks the wizard can add later:
* **Registry** reachability (pull by digest).
* **Settings store** (Valkey cache reachability).
* **Notifications** (send test webhook/email).
* **SCM/Vault/LDAP** plugin stubs: ping + auth flow (but not required to pass install).
If you want, I can turn this into:
* a readytoship **CLI command spec**,
* a **UI wireframe** of the three-step doctor,
* or **JSON schemas** for the doctors machinereadable report.
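Review bot: deleting this file contradicts its own closing instruction at the end of §8, "Archive this advisory only when superseded by a newer interface strategy directive", and the commit adds runbooks, reason codes and a risk-provider guide but no successor directive; move the file to an archive location (or mark it `Status: ARCHIVED` with a pointer to what superseded it) rather than removing it, so the classification rubric in §2, the Definition of Done in §7 and the Doctor requirements in P4 remain citable by the sprints that reference them. The three trailing sections after §8 (the Triage Card/BinaryDiff UX spec and the two "doctor" drafts ending in "Want me to turn this into…" and "If you want, I can turn this into:") are unedited chat output pasted into the advisory; if any of that content is being implemented, it should be rewritten into a proper spec rather than disappear with this deletion.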