stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

Browse Source
This commit is contained in:
master
2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
docs/README.md
View File

@@ -1,21 +1,50 @@
# Stella Ops Suite Documentation
**Stella Ops Suite** is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
**Stella Ops Suite** is a centralized, auditable release control plane for **nonKubernetes** container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
The platform combines:
- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking
- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system
- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay
- **Release orchestration** — UI-driven promotion (Dev -> Stage -> Prod), approvals, policy gates, rollbacks, and step-graph execution (sequential/parallel) with per-step logs
- **Security decisioning as a gate** — scan on build, evaluate on release, re-evaluate on vulnerability intel updates
- **OCI-digest-first releases** — immutable digest-based release identity with authoritative "what is deployed where" tracking
- **Toolchain-agnostic integrations** — plug into any SCM, CI, registry, secrets system, and host access method via plugins
- **Auditability + standards** — evidence packets, SBOM/VEX/attestation support, deterministic replay and explainable decisions
---
## Verified vs Unverified Releases
Stella supports two operational modes:
- **Verified releases (recommended):** promotions require Stella evidence for each new digest (SBOM + reachability + policy decision record + approvals where configured). Intended for certifiable security and audit-grade releases.
- **Unverified releases (CD-only):** orchestration is allowed with evidence gates bypassed. Still tracked and logged, but not intended for security certification.
This documentation emphasizes the **verified release** path as the primary product value.
---
## Licensing model (documentation-level summary)
Stella Ops Suite uses **no feature gating** across plans. Licensing limits apply only to:
- **Environments**
- **New digests deep-scanned per month** (evidence-grade analysis of previously unseen OCI digests)
**Deployment targets are not licensed** (unlimited targets; fair use may apply only under abusive automation patterns).
(See your offer/pricing document if present in the repo; commonly stored under `docs/product/`.)
---
## Two Levels of Documentation
- **High-level (canonical):** the curated guides in `docs/*.md`.
- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). The entry point is `docs/technical/README.md`.
- **High-level (canonical):** curated guides in `docs/*.md`.
- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). Entry point: `docs/technical/README.md`.
This documentation set is internal and does not keep compatibility stubs for old paths. Content is consolidated to reduce duplication and outdated pages.
---
## Start Here
### Product Understanding
@@ -27,14 +56,18 @@ This documentation set is internal and does not keep compatibility stubs for old
| Feature matrix | [FEATURE_MATRIX.md](FEATURE_MATRIX.md) |
| Product vision | [product/VISION.md](product/VISION.md) |
| Roadmap (priorities + definition of "done") | [ROADMAP.md](ROADMAP.md) |
| Verified release model (concepts + evidence) | [VERIFIED_RELEASES.md](VERIFIED_RELEASES.md) |
### Getting Started
| Goal | Open this |
| --- | --- |
| First run (minimal install) | [quickstart.md](quickstart.md) |
| Run a first scan (CLI) | [quickstart.md](quickstart.md) |
| Run a first verified promotion (Dev -> Stage -> Prod) | [RELEASE_PROCESS.md](releases/RELEASE_PROCESS.md) |
| Ingest advisories (Concelier + CLI) | [CONCELIER_CLI_QUICKSTART.md](CONCELIER_CLI_QUICKSTART.md) |
| Console (Web UI) operator guide | [UI_GUIDE.md](UI_GUIDE.md) |
| Doctor / self-service diagnostics | [DOCTOR_GUIDE.md](doctor/README.md) |
| Offline / air-gap operations | [OFFLINE_KIT.md](OFFLINE_KIT.md) |
### Architecture
@@ -48,16 +81,21 @@ This documentation set is internal and does not keep compatibility stubs for old
| Architecture: data flows | [technical/architecture/data-flows.md](technical/architecture/data-flows.md) |
| Architecture: schema mapping | [technical/architecture/schema-mapping.md](technical/architecture/schema-mapping.md) |
| Release Orchestrator architecture | [modules/release-orchestrator/architecture.md](modules/release-orchestrator/architecture.md) |
| Evidence and attestations | [modules/evidence/README.md](modules/evidence/README.md) |
### Development & Operations
| Goal | Open this |
| --- | --- |
| Engineering rules (determinism, security, docs discipline) | [code-of-conduct/CODE_OF_CONDUCT.md](code-of-conduct/CODE_OF_CONDUCT.md) |
| Testing standards and evidence expectations | [code-of-conduct/TESTING_PRACTICES.md](code-of-conduct/TESTING_PRACTICES.md) |
| Develop plugins/connectors | [PLUGIN_SDK_GUIDE.md](PLUGIN_SDK_GUIDE.md) |
| Security deployment hardening | [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md) |
| VEX consensus and issuer trust | [VEX_CONSENSUS_GUIDE.md](VEX_CONSENSUS_GUIDE.md) |
| Vulnerability Explorer guide | [VULNERABILITY_EXPLORER_GUIDE.md](VULNERABILITY_EXPLORER_GUIDE.md) |
---
## Detailed Indexes
- **Technical index (everything):** [docs/technical/README.md](/docs/technical/)
@@ -71,45 +109,13 @@ This documentation set is internal and does not keep compatibility stubs for old
- **Benchmarks and fixtures:** [docs/benchmarks/](/docs/benchmarks/), [docs/assets/](/docs/assets/)
- **Product advisories:** [docs/product/advisories/](/docs/product/advisories/)
## Platform Themes
Stella Ops Suite organizes capabilities into themes:
### Existing Themes (Operational)
| Theme | Purpose | Key Modules |
|-------|---------|-------------|
| **INGEST** | Advisory ingestion | Concelier, Advisory-AI |
| **VEXOPS** | VEX document handling | Excititor, VEX Lens, VEX Hub |
| **REASON** | Policy and decisioning | Policy Engine, OPA Runtime |
| **SCANENG** | Scanning and SBOM | Scanner, SBOM Service, Reachability |
| **EVIDENCE** | Evidence and attestation | Evidence Locker, Attestor, Export Center |
| **RUNTIME** | Runtime signals | Signals, Graph, Zastava |
| **JOBCTRL** | Job orchestration | Scheduler, Orchestrator, TaskRunner |
| **OBSERVE** | Observability | Notifier, Telemetry |
| **REPLAY** | Deterministic replay | Replay Engine |
| **DEVEXP** | Developer experience | CLI, Web UI, SDK |
### Planned Themes (Release Orchestration)
| Theme | Purpose | Key Modules |
|-------|---------|-------------|
| **INTHUB** | Integration hub | Integration Manager, Connection Profiles, Connector Runtime |
| **ENVMGR** | Environment management | Environment Manager, Target Registry, Agent Manager |
| **RELMAN** | Release management | Component Registry, Version Manager, Release Manager |
| **WORKFL** | Workflow engine | Workflow Designer, Workflow Engine, Step Executor |
| **PROMOT** | Promotion and approval | Promotion Manager, Approval Gateway, Decision Engine |
| **DEPLOY** | Deployment execution | Deploy Orchestrator, Target Executor, Artifact Generator |
| **AGENTS** | Deployment agents | Agent Core, Docker/Compose/ECS/Nomad agents |
| **PROGDL** | Progressive delivery | A/B Manager, Traffic Router, Canary Controller |
| **RELEVI** | Release evidence | Evidence Collector, Sticker Writer, Audit Exporter |
| **PLUGIN** | Plugin infrastructure | Plugin Registry, Plugin Loader, Plugin SDK |
---
## Design Principles
- **Offline-first**: All core operations work in air-gapped environments
- **Deterministic replay**: Same inputs yield same outputs (stable ordering, canonical hashing)
- **Evidence-linked decisions**: Every decision links to concrete evidence artifacts
- **Digest-first release identity**: Releases are immutable OCI digests, not mutable tags
- **Pluggable everything**: Integrations are plugins; core orchestration is stable
- **No feature gating**: All plans include all features; limits are environments + new digests/day
- **Offline-first**: core operations work in air-gapped environments
- **Deterministic replay**: same inputs yield same outputs (stable ordering, canonical hashing)
- **Evidence-linked decisions**: every verified release decision links to concrete evidence artifacts
- **Digest-first release identity**: releases are immutable OCI digests, not mutable tags
- **Pluggable everything**: integrations are plugins; core orchestration is stable
- **No feature gating**: all plans include all features; licensing limits are environments + new digests deep-scanned per month; deployment targets are not licensed