consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in: master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions


@@ -24,43 +24,36 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Authority](./authority/) | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP |
| [Gateway](./gateway/) | `src/Gateway/` | API gateway with routing and transport abstraction |
| [Router](./router/) | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Note: also contains a `StellaOps.Gateway.WebService` for binary protocol bridging, separate from `src/Gateway/`. |
| [Authority](./authority/) | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP. Includes IssuerDirectory (Sprint 216). |
| [Router](./router/) | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Also contains `StellaOps.Gateway.WebService` for HTTP ingress and binary protocol bridging. |
| [Platform](./platform/) | `src/Platform/` | Platform architecture and Platform Service aggregation APIs |
### Data Ingestion
| Module | Path | Description |
|--------|------|-------------|
| [Concelier](./concelier/) | `src/Concelier/` | Vulnerability advisory ingestion and merge engine |
| [Excititor](./excititor/) | `src/Excititor/` | VEX document ingestion and export |
| [Concelier](./concelier/) | `src/Concelier/` | Vulnerability advisory ingestion and merge engine. Includes Feedser and Excititor (Sprint 203). |
| [VexLens](./vex-lens/) | `src/VexLens/` | VEX consensus computation across issuers |
| [VexHub](./vex-hub/) | `src/VexHub/` | VEX distribution and exchange hub |
| [IssuerDirectory](./issuer-directory/) | `src/IssuerDirectory/` | Issuer trust registry (CSAF publishers) |
| [Feedser](./feedser/) | `src/Feedser/` | Evidence collection library for backport detection |
| [Mirror](./mirror/) | `src/Mirror/` | Vulnerability feed mirror and distribution |
### Scanning & Analysis
| Module | Path | Description |
|--------|------|-------------|
| [Scanner](./scanner/) | `src/Scanner/` | Container scanning with SBOM generation |
| [BinaryIndex](./binary-index/) | `src/BinaryIndex/` | Binary identity extraction and fingerprinting |
| [AdvisoryAI](./advisory-ai/) | `src/AdvisoryAI/` | AI-assisted advisory analysis |
| [Symbols](./symbols/) | `src/Symbols/` | Symbol resolution and debug information |
| [Scanner](./scanner/) | `src/Scanner/` | Container scanning with SBOM generation. Includes Cartographer (Sprint 201). |
| [BinaryIndex](./binary-index/) | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). |
| [AdvisoryAI](./advisory-ai/) | `src/AdvisoryAI/` | AI-assisted advisory analysis. Includes OpsMemory (Sprint 213). |
| [ReachGraph](./reach-graph/) | `src/ReachGraph/` | Reachability graph service |
### Artifacts & Evidence
| Module | Path | Description |
|--------|------|-------------|
| [Attestor](./attestor/) | `src/Attestor/` | in-toto/DSSE attestation generation |
| [Signer](./signer/) | `src/Signer/` | Cryptographic signing operations |
| [Attestor](./attestor/) | `src/Attestor/` | in-toto/DSSE attestation generation. Includes Signer and Provenance (Sprint 204). |
| [SbomService](./sbom-service/) | `src/SbomService/` | SBOM storage, versioning, and lineage ledger |
| [EvidenceLocker](./evidence-locker/) | `src/EvidenceLocker/` | Sealed evidence storage and export |
| [ExportCenter](./export-center/) | `src/ExportCenter/` | Batch export and report generation |
| [Provenance](./provenance/) | `src/Provenance/` | SLSA/DSSE attestation tooling |
| [Provcache](./prov-cache/) | Library | Production provenance cache shared library family |
### Policy & Risk
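Review bot: the Data Ingestion table loses its only pointer to where issuer trust now lives. The IssuerDirectory row is dropped and the Authority row in the first table says only "Includes IssuerDirectory (Sprint 216)", so a reader looking for the CSAF publisher trust registry in the ingestion section finds nothing. Suggest a one-line cross-reference in the Concelier or VexLens description (e.g. "issuer trust weights come from Authority/IssuerDirectory"). The same applies to the Attestor row, which now hides the Signer boundary behind "Includes Signer and Provenance (Sprint 204)"; a short note that signing remains a separate DbContext/service inside Attestor would keep that boundary visible in the index.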
@@ -68,20 +61,15 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Policy](./policy/) | `src/Policy/` | Policy engine with K4 lattice logic |
| [RiskEngine](./risk-engine/) | `src/RiskEngine/` | Risk scoring runtime |
| [VulnExplorer](./vuln-explorer/) | `src/VulnExplorer/` | Vulnerability exploration and triage |
| [Unknowns](./unknowns/) | `src/Unknowns/` | Unknown component tracking registry |
| [Findings](./findings-ledger/) | `src/Findings/` | Centralized findings aggregation and evidence graphs |
| [Unknowns](./unknowns/) | `src/Unknowns/` | Unknown component tracking registry (boundary preserved, Sprint 206) |
| [Findings](./findings-ledger/) | `src/Findings/` | Centralized findings aggregation and evidence graphs. Includes RiskEngine and VulnExplorer (Sprint 207). |
### Release & Orchestration
| Module | Path | Description |
|--------|------|-------------|
| [ReleaseOrchestrator](./release-orchestrator/) | `src/ReleaseOrchestrator/` | Central release control plane (active development) |
| [Orchestrator](./orchestrator/) | `src/Orchestrator/` | Workflow orchestration and task coordination |
| [Scheduler](./scheduler/) | `src/Scheduler/` | Job scheduling and queue management |
| [TaskRunner](./taskrunner/) | `src/TaskRunner/` | Task pack execution engine |
| [PacksRegistry](./packs-registry/) | `src/PacksRegistry/` | Task packs registry |
| [ReleaseOrchestrator](./release-jobengine/) | `src/ReleaseOrchestrator/` | Central release control plane (active development) |
| [JobEngine](./jobengine/) | `src/JobEngine/` | Workflow orchestration, job scheduling, task execution, and pack registry. Includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). |
| [Remediation](./remediation/) | `src/Remediation/` | Fix template marketplace for CVE remediation |
### Operations & Observability
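Review bot: the ReleaseOrchestrator row changes its docs link from `./release-orchestrator/` to `./release-jobengine/` while the module name and `src/ReleaseOrchestrator/` path are unchanged, which looks like an over-broad Orchestrator-to-JobEngine search-and-replace rather than an intentional move. Confirm the docs directory was actually renamed; if not, keep `[ReleaseOrchestrator](./release-orchestrator/)`.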
@@ -89,11 +77,9 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Doctor](./doctor/) | `src/Doctor/` | Diagnostic framework for system health validation |
| [Notify](./notify/) | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) |
| [Notifier](./notifier/) | `src/Notifier/` | Notifications Studio host |
| [OpsMemory](./opsmemory/) | `src/OpsMemory/` | Decision ledger with similarity-based suggestions |
| [Timeline](./timeline/) | `src/Timeline/` | Timeline query service for event browsing |
| [TimelineIndexer](./timeline-indexer/) | `src/TimelineIndexer/` | Timeline event indexing |
| [Notify](./notify/) | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks). Boundary preserved with Notifier (Sprint 209). |
| [Notifier](./notifier/) | `src/Notifier/` | Notifications Studio host. Boundary preserved with Notify (Sprint 209). |
| [Timeline](./timeline/) | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). |
| [Replay](./replay/) | `src/Replay/` | Deterministic replay engine |
### Integration & Clients
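Review bot: the new Timeline description ("Timeline query, event indexing, and replay") overlaps with the separate Replay row ("Deterministic replay engine") directly below it, so the table now reads as if two modules own replay. Suggest "replay endpoints" or "replay browsing" in the Timeline row to make clear that the deterministic replay engine remains the Replay module.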
@@ -105,10 +91,7 @@ This directory contains architecture documentation for all StellaOps modules.
| [Web/UI](./ui/) | `src/Web/` | Angular 21 frontend SPA |
| [API](./api/) | `src/Api/` | OpenAPI contracts and governance |
| [Registry](./registry/) | `src/Registry/` | Container registry integration |
| [Integrations](./integrations/) | `src/Integrations/` | Integration hub for external systems (SCM, CI, registries, secrets) |
| [Extensions](./extensions/) | `src/Extensions/` | IDE extensions for JetBrains and VS Code |
| [Sdk](./sdk/) | `src/Sdk/` | Client SDK generator and release SDK |
| [DevPortal](./devportal/) | `src/DevPortal/` | Developer portal static site |
| [Integrations](./integrations/) | `src/Integrations/` | Integration hub for external systems (SCM, CI, registries, secrets). Includes IDE extensions (VS Code, JetBrains) under `__Extensions/` (Sprint 214). |
### Infrastructure & Libraries
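Review bot: the Sdk and DevPortal rows are removed from Integration & Clients with no forwarding note, and their new home is the Tools row under Testing & Benchmarks. Both are client-facing deliverables, so add a short cross-reference in this section (e.g. in the API or Integrations description: "client SDK generator and developer portal now under Tools") so integrators are not sent to the benchmarks section to find them.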
@@ -123,7 +106,6 @@ This directory contains architecture documentation for all StellaOps modules.
| [AOC](./aoc/) | `src/Aoc/` | Append-Only Contract enforcement |
| [Plugin](./plugin/) | `src/Plugin/` | Plugin SDK, registry, sandbox, and host framework |
| [RuntimeInstrumentation](./runtime-instrumentation/) | `src/RuntimeInstrumentation/` | Tetragon-based eBPF runtime instrumentation |
| [Cartographer](./cartographer/) | `src/Cartographer/` | Infrastructure topology discovery |
| [Facet](./facet/) | Library | Production cross-module faceting library (Scanner + Policy) |
### Testing & Benchmarks
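Review bot: dropping the Cartographer row removes the only mention of infrastructure topology discovery from the index; the absorbing Scanner row says just "Includes Cartographer (Sprint 201)", which is not searchable by capability. Suggest carrying "infrastructure topology discovery" into the Scanner row's description.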
@@ -131,9 +113,7 @@ This directory contains architecture documentation for all StellaOps modules.
| Module | Path | Description |
|--------|------|-------------|
| [Benchmark](./benchmark/) | Scanner library | Competitive benchmarking (accuracy comparison) |
| [Bench](./bench/) | `src/Bench/` | Performance benchmarks |
| [Tools](./tools/) | `src/Tools/` | Developer utility tools (fixtures, golden pairs, smoke tests) |
| [Verifier](./verifier/) | `src/Verifier/` | Standalone evidence bundle verification CLI |
| [Tools](./tools/) | `src/Tools/` | Developer utility tools, benchmarks, SDK generator, verifier, dev portal. Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). |
### Cross-Cutting Concepts
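Review bot: the Verifier row ("Standalone evidence bundle verification CLI") is folded into a Tools row described as "Developer utility tools", which buries the one component an auditor uses to independently check evidence bundles under developer conveniences. Suggest keeping "standalone evidence bundle verification CLI" verbatim in the Tools description, or keeping Verifier as its own row, so the independent-verification entry point stays discoverable.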
@@ -231,14 +211,14 @@ On-premises OIDC/OAuth2 identity service issuing short-lived, sender-constrained
---
### Bench
- **Source**: `src/Bench/`
- **Docs**: [`docs/modules/bench/`](./bench/)
### Bench (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Bench/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Tool
- **Database**: None
- **Endpoints**: None
Performance benchmark harnesses (BenchmarkDotNet) for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Results establish performance baselines and detect regressions.
Performance benchmark harnesses for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (standalone benchmarks).
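Review bot: the rewritten description drops the "(BenchmarkDotNet)" harness mention from the original sentence. Unless the harness changed with the move to `src/Tools/StellaOps.Bench/`, keep it; the archive note can be appended without removing that detail.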
@@ -257,14 +237,14 @@ Vulnerable binaries database enabling detection of vulnerable code at the binary
---
### Cartographer
- **Source**: `src/Cartographer/`
- **Docs**: [`docs/modules/cartographer/`](./cartographer/)
### Cartographer (absorbed into Scanner -- Sprint 201)
- **Source**: `src/Scanner/StellaOps.Scanner.Cartographer/` (moved from `src/Cartographer/`)
- **Docs**: Historical doc archived at `docs-archived/modules/cartographer/README.md`; active contract is [`docs/modules/scanner/`](./scanner/)
- **Type**: Service
- **Database**: None
- **Endpoints**: Defined in Program.cs
- **Endpoints**: Defined in Scanner Program.cs
Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator.
Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator. Consolidated into Scanner per Sprint 201.
**Dependencies**: Graph, Scanner.
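Review bot: `**Dependencies**: Graph, Scanner.` is now a self-reference, since the source path is `src/Scanner/StellaOps.Scanner.Cartographer/`. Suggest "Graph (consumer); internal to Scanner". Also, the archived docs path `docs-archived/modules/cartographer/README.md` is bare text while every other Docs entry in this file is a markdown link; make it a link for consistency.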
@@ -309,14 +289,14 @@ Pluggable cryptographic primitives supporting regional standards (eIDAS, FIPS, G
---
### DevPortal
- **Source**: `src/DevPortal/`
- **Docs**: [`docs/modules/devportal/`](./devportal/)
### DevPortal (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.DevPortal.Site/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Static Site
- **Database**: None
- **Endpoints**: None
Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Aggregates OpenAPI specifications from all services for third-party developers and integrators.
Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (static site).
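Review bot: the new description loses "Aggregates OpenAPI specifications from all services for third-party developers and integrators", which is the functional content of the section; the archive note should be appended to that sentence rather than replace it.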
@@ -344,20 +324,20 @@ Diagnostic framework for validating system health, configuration, integration co
Tamper-proof, immutable evidence storage for vulnerability scan evidence, audit logs, and compliance artifacts with cryptographic sealing. Evidence is content-addressable. Once sealed, evidence cannot be modified. Supports threads, verdicts, bundle packaging, and portable bundles for offline compliance audits.
**Dependencies**: Signer, Attestor, Authority, object storage.
**Dependencies**: Attestor, Authority, object storage.
---
### Excititor
- **Source**: `src/Excititor/`
- **Docs**: [`docs/modules/excititor/`](./excititor/)
### Excititor (absorbed into Concelier -- Sprint 203)
- **Source**: `src/Concelier/` (moved from `src/Excititor/`)
- **Docs**: [`docs/modules/excititor/`](./excititor/) (historical reference; see [`docs/modules/concelier/`](./concelier/))
- **Type**: Service
- **Database**: PostgreSQL (10 SQL migrations)
- **Database**: PostgreSQL (10 SQL migrations, separate ExcititorDbContext)
- **Endpoints**: 11 (attestation, evidence, ingest, linkset, mirror, mirror registration, observation, policy, Rekor attestation, resolve, risk feed)
VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged.
VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged. Consolidated into Concelier per Sprint 203; DbContext remains separate.
**Dependencies**: Policy Engine, Concelier, Attestor / Signer, Graph.
**Dependencies**: Policy Engine, Concelier, Attestor, Graph.
---
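Review bot: the Excititor Endpoints line still lists 11 endpoints but says nothing about which host serves them after the merge into Concelier. State whether the Concelier WebService exposes them at the same routes, since external consumers depend on that. Also the Docs entry keeps `docs/modules/excititor/` as "historical reference" whereas the Bench, DevPortal and Gateway sections in this same change point to `docs-archived/`; pick one convention for absorbed modules.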
@@ -370,31 +350,31 @@ VEX ingestion and consensus pipeline converting heterogeneous VEX statements (Op
Evidence and policy overlay packaging service producing reproducible, deterministic export bundles in multiple formats (JSON, SARIF, offline kit). Enforces AOC guardrails and produces deterministic manifests with optional signing and distribution to OCI registries or object storage.
**Dependencies**: Findings Ledger, Policy Engine, Orchestrator, Authority, Signer, object storage.
**Dependencies**: Findings Ledger, Policy Engine, JobEngine, Authority, Attestor, object storage.
---
### Extensions
- **Source**: `src/Extensions/`
- **Docs**: [`docs/modules/extensions/`](./extensions/)
- **Type**: IDE Extensions
### Extensions (absorbed into Integrations -- Sprint 214)
- **Source**: `src/Integrations/__Extensions/` (moved from `src/Extensions/`)
- **Docs**: See [Integrations architecture](./integrations/architecture.md#ide-extensions-vs-code-jetbrains)
- **Type**: IDE Extensions (non-.NET: TypeScript/Kotlin)
- **Database**: None
- **Endpoints**: None
IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment.
IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment. Now lives under the Integrations module.
**Dependencies**: Platform API.
**Dependencies**: Platform API, JobEngine API, Authority.
---
### Feedser
- **Source**: `src/Feedser/`
- **Docs**: [`docs/modules/feedser/`](./feedser/)
### Feedser (absorbed into Concelier -- Sprint 203)
- **Source**: `src/Concelier/` (moved from `src/Feedser/`)
- **Docs**: [`docs/modules/feedser/`](./feedser/) (historical reference; see [`docs/modules/concelier/`](./concelier/))
- **Type**: Library
- **Database**: None
- **Endpoints**: None
Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization.
Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization. Consolidated into Concelier per Sprint 203.
**Dependencies**: None (consumed as a library by Concelier).
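Review bot: the Extensions dependency line grows from "Platform API" to "Platform API, JobEngine API, Authority" with no corresponding change in the description. If the IDE extensions now call JobEngine directly instead of going through the Platform API, say so in the description, since that widens the client surface Authority must authorize and readers of this index will otherwise assume the Platform API is the only entry point.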
@@ -413,16 +393,16 @@ Centralized findings aggregation service providing backport tracking, evidence g
---
### Gateway
- **Source**: `src/Gateway/`
- **Docs**: [`docs/modules/gateway/`](./gateway/)
- **Type**: Service
- **Database**: None (stateless)
- **Endpoints**: None (reverse proxy)
### Gateway (deleted -- Sprint 200)
- **Source**: _(deleted)_ -- Gateway WebService now lives under `src/Router/StellaOps.Gateway.WebService/`
- **Docs**: [`docs-archived/modules/gateway/`](../docs-archived/modules/gateway/) (historical reference)
- **Type**: _(deleted)_
- **Database**: None
- **Endpoints**: None
Single HTTP ingress point for all external traffic providing authentication, routing, OpenAPI aggregation, health monitoring, rate limiting, and tenant propagation. A separate `StellaOps.Gateway.WebService` also exists under `src/Router/` which serves as the transport-layer gateway for the Router's binary protocol.
The standalone `src/Gateway/` module was deleted in Sprint 200. The canonical Gateway WebService (`StellaOps.Gateway.WebService`) now lives under `src/Router/`. The Router module owns HTTP ingress, binary protocol bridging, routing, and transport abstraction.
**Dependencies**: Authority, Router, all microservices (proxied requests).
**Dependencies**: See Router.
---
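Review bot: the deleted Gateway description listed authentication, OpenAPI aggregation, health monitoring, rate limiting, and tenant propagation; the replacement text says Router owns "HTTP ingress, binary protocol bridging, routing, and transport abstraction" and drops the rest. State explicitly where authentication, rate limiting and tenant propagation now live (presumably the Router-hosted `StellaOps.Gateway.WebService`), because a reader of this file can no longer find who enforces them. Also, the Docs link uses `../docs-archived/...` while the RiskEngine section in this change uses `../../docs-archived/...`; only one can be correct relative to `docs/modules/`.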
@@ -452,14 +432,14 @@ Integration hub managing connections to external systems (SCM, CI, registries, s
---
### IssuerDirectory
- **Source**: `src/IssuerDirectory/`
- **Docs**: [`docs/modules/issuer-directory/`](./issuer-directory/)
### IssuerDirectory (absorbed into Authority -- Sprint 216)
- **Source**: `src/Authority/` (moved from `src/IssuerDirectory/`)
- **Docs**: [`docs/modules/issuer-directory/`](./issuer-directory/) (historical reference; see [`docs/modules/authority/`](./authority/))
- **Type**: Service
- **Database**: PostgreSQL (1 SQL migration)
- **Database**: PostgreSQL (1 SQL migration, separate IssuerDirectoryDbContext)
- **Endpoints**: 3 (issuer, issuer key, issuer trust)
Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant.
Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant. Consolidated into Authority per Sprint 216; DbContext remains separate for security isolation.
**Dependencies**: Authority.
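Review bot: `**Dependencies**: Authority.` is now a self-reference, since the source moved to `src/Authority/`. Either drop it or restate it as the internal boundary the text already describes (separate `IssuerDirectoryDbContext`, no shared tables with the auth schema), so the security-isolation claim in the description has something concrete to point at.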
@@ -504,42 +484,43 @@ Rules-driven, tenant-aware notification engine providing event consumption, oper
---
### OpsMemory
- **Source**: `src/OpsMemory/`
- **Docs**: [`docs/modules/opsmemory/`](./opsmemory/)
### OpsMemory (consolidated into AdvisoryAI)
- **Source**: `src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/` (library), `src/AdvisoryAI/StellaOps.OpsMemory.WebService/` (service)
- **Docs**: [`docs/modules/advisory-ai/architecture.md` section 15](./advisory-ai/architecture.md#15-opsmemory-operational-memory-and-rag)
- **Archived docs**: `docs-archived/modules/opsmemory/`
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure, schema managed programmatically)
- **Endpoints**: 1 (OpsMemoryEndpoints)
Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation.
Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation. Consolidated from standalone `src/OpsMemory/` module into `src/AdvisoryAI/` per Sprint 213.
**Dependencies**: AdvisoryAI, Authority.
**Dependencies**: AdvisoryAI, Authority, Findings Ledger.
---
### Orchestrator
- **Source**: `src/Orchestrator/`
- **Docs**: [`docs/modules/orchestrator/`](./orchestrator/)
### JobEngine (formerly Orchestrator)
- **Source**: `src/JobEngine/`
- **Docs**: [`docs/modules/jobengine/`](./jobengine/)
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure)
- **Endpoints**: 25 (approvals, audit, circuit breakers, DAG, dead letter, export jobs, first signal, health, jobs, KPIs, ledger, OpenAPI, pack registry, pack runs, quotas, governance, release control v2, release dashboard, releases, runs, scale, SLOs, sources, streams, workers)
Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers.
Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers. Renamed from Orchestrator (Sprint 221). Now includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208).
**Dependencies**: TaskRunner, Concelier / Excititor / Scheduler / ExportCenter / Policy (job producers), Valkey or NATS, Authority.
**Dependencies**: Concelier / Excititor / ExportCenter / Policy (job producers), Valkey or NATS, Authority.
---
### PacksRegistry
- **Source**: `src/PacksRegistry/`
- **Docs**: [`docs/modules/packs-registry/`](./packs-registry/)
### PacksRegistry (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/PacksRegistry/`)
- **Docs**: [`docs/modules/packs-registry/`](./packs-registry/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (`PacksRegistryDbContext`, EF Core managed)
- **Endpoints**: Defined in WebService Program.cs
- **Database**: PostgreSQL (`PacksRegistryDbContext`, EF Core managed, stub)
- **Endpoints**: Defined in JobEngine Program.cs
Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Pack execution is handled by TaskRunner.
Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Consolidated into JobEngine per Sprint 208.
**Dependencies**: TaskRunner, object storage, Authority.
**Dependencies**: JobEngine, object storage, Authority.
---
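Review bot: the PacksRegistry Database line now says `EF Core managed, stub` while the description still promises "integrity verification" and "content-addressed" packs; say whether verification is implemented or also stubbed, because a stubbed registry that claims integrity checks is a misleading statement in an architecture index. Two smaller points in the same hunk: the JobEngine dependency list still names "Concelier / Excititor / ExportCenter / Policy (job producers)" although this change marks Excititor as absorbed into Concelier, and the OpsMemory dependency line gains "Findings Ledger" with no explanation in the description.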
@@ -582,16 +563,16 @@ Deterministic policy evaluation engine and gateway service compiling stella-dsl
---
### Provenance
- **Source**: `src/Provenance/`
- **Docs**: [`docs/modules/provenance/`](./provenance/)
### Provenance (absorbed into Attestor -- Sprint 204)
- **Source**: `src/Attestor/` (moved from `src/Provenance/`)
- **Docs**: [`docs/modules/provenance/`](./provenance/) (historical reference; see [`docs/modules/attestor/`](./attestor/))
- **Type**: Library / Tool
- **Database**: None
- **Endpoints**: None
Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at `src/__Libraries/StellaOps.Provcache.Postgres/`.
Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at `src/__Libraries/StellaOps.Provcache.Postgres/`. Consolidated into Attestor per Sprint 204.
**Dependencies**: Signer, Attestor.
**Dependencies**: Attestor.
---
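Review bot: `**Source**: `src/Attestor/`` is too coarse for a Library / Tool entry. Other absorbed sections in this change give the subproject path (e.g. `src/Scanner/StellaOps.Scanner.Cartographer/`); give the exact subfolder for the provenance CLI so people who verify attestations can locate the tool. `**Dependencies**: Attestor.` is also a self-reference now.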
@@ -623,7 +604,7 @@ Docker registry bearer token service issuing short-lived tokens for private or m
### ReleaseOrchestrator
- **Source**: `src/ReleaseOrchestrator/`
- **Docs**: [`docs/modules/release-orchestrator/`](./release-orchestrator/)
- **Docs**: [`docs/modules/release-jobengine/`](./release-jobengine/)
- **Type**: Service (Active Development)
- **Database**: PostgreSQL (planned, via Platform migrations)
- **Endpoints**: 1
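Review bot: the Docs link changes to `docs/modules/release-jobengine/` while the heading, Source path and module name remain ReleaseOrchestrator; this matches the table-row change earlier in the patch and looks like a blanket Orchestrator-to-JobEngine rename. Confirm the directory really moved, otherwise revert to `release-orchestrator`.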
@@ -661,8 +642,8 @@ Deterministic replay engine ensuring vulnerability assessments can be reproduced
---
### RiskEngine
- **Source**: `src/RiskEngine/`
- **Docs**: [`docs/modules/risk-engine/`](./risk-engine/)
- **Source**: `src/Findings/StellaOps.RiskEngine.*` (consolidated into Findings, Sprint 207)
- **Docs**: [`docs-archived/modules/risk-engine/`](../../docs-archived/modules/risk-engine/)
- **Type**: Service
- **Database**: PostgreSQL (via shared infrastructure)
- **Endpoints**: 1 (exploit maturity)
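Review bot: the heading stays `### RiskEngine` with no "(absorbed into Findings -- Sprint 207)" suffix, unlike every other consolidated section in this patch; add it so the archive status is visible in the table of contents. The Docs link `../../docs-archived/...` also disagrees with the `../docs-archived/...` used for Gateway; resolve which relative path is correct from `docs/modules/`.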
@@ -680,9 +661,9 @@ Risk scoring runtime computing deterministic, explainable risk scores by aggrega
- **Database**: None
- **Endpoints**: 4
Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The Router's `StellaOps.Gateway.WebService` bridges binary protocol connections to HTTP; this is separate from `src/Gateway/` which is the HTTP ingress gateway.
Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The `StellaOps.Gateway.WebService` under Router serves as both the HTTP ingress gateway and binary protocol bridge (the standalone `src/Gateway/` was deleted in Sprint 200).
**Dependencies**: Gateway, all microservices, Valkey.
**Dependencies**: Authority, all microservices, Valkey.
---
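Review bot: swapping the dependency from Gateway to Authority implies the Router-hosted `StellaOps.Gateway.WebService` now performs the token validation the deleted Gateway used to; the description should say that explicitly rather than leave it to be inferred. The `Endpoints: 4` line is untouched even though the service now also provides HTTP ingress; re-check the count.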
@@ -725,27 +706,27 @@ Deterministic SBOM generation and vulnerability scanning engine for container im
---
### Scheduler
- **Source**: `src/Scheduler/`
- **Docs**: [`docs/modules/scheduler/`](./scheduler/)
### Scheduler (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/Scheduler/`)
- **Docs**: [`docs/modules/scheduler/`](./scheduler/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (11 SQL migrations)
- **Database**: PostgreSQL (11 SQL migrations, separate SchedulerDbContext)
- **Endpoints**: 8 (event webhook, failure signature, graph job, policy run, policy simulation, run, schedule, resolver job)
Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs.
Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs. Consolidated into JobEngine per Sprint 208; DbContext remains separate.
**Dependencies**: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, Orchestrator.
**Dependencies**: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, JobEngine.
---
### Sdk
- **Source**: `src/Sdk/`
- **Docs**: [`docs/modules/sdk/`](./sdk/)
### Sdk (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Sdk.Generator/`, `src/Tools/StellaOps.Sdk.Release/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: Library / Code Generator
- **Database**: None
- **Endpoints**: None
Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Includes `StellaOps.Sdk.Generator` (code generator) and `StellaOps.Sdk.Release` (publishing SDK).
Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: Gateway / OpenAPI specs.
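Review bot: `**Dependencies**: Gateway / OpenAPI specs.` for Sdk is left unchanged although this same patch deletes the Gateway module (Sprint 200); update to the Router-hosted Gateway WebService or the API module's OpenAPI contracts. Scheduler's `**Dependencies**: ... JobEngine.` is also a self-reference now that it lives in `src/JobEngine/`.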
@@ -764,14 +745,14 @@ Unified evidence-weighted scoring system aggregating reachability, runtime obser
---
### Signer
- **Source**: `src/Signer/`
- **Docs**: [`docs/modules/signer/`](./signer/)
### Signer (absorbed into Attestor -- Sprint 204)
- **Source**: `src/Attestor/` (moved from `src/Signer/`)
- **Docs**: [`docs/modules/signer/`](./signer/) (historical reference; see [`docs/modules/attestor/`](./attestor/))
- **Type**: Service
- **Database**: PostgreSQL (`KeyManagementDbContext`, 2 SQL migrations)
- **Database**: PostgreSQL (`KeyManagementDbContext`, 2 SQL migrations, separate DbContext)
- **Endpoints**: 3 (ceremony, key rotation, signer)
The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM).
The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM). Consolidated into Attestor per Sprint 204; DbContext remains separate for security isolation.
**Dependencies**: Authority, Cryptography library, KMS/HSM.
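Review bot: the description still says Signer is "the only service permitted to produce Stella Ops-verified DSSE signatures" and "Does not push to Rekor (Attestor does)", but the section now places it inside Attestor with only "DbContext remains separate for security isolation" as the boundary. A separate DbContext does not isolate key material; state whether Signer still runs as its own process/host with exclusive KMS/HSM access or is in-process with Attestor, because the "only service" guarantee depends on that.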
@@ -790,29 +771,29 @@ Remote service for Chinese SM2/SM3/SM4 cryptographic operations enabling soverei
---
### Symbols
- **Source**: `src/Symbols/`
- **Docs**: [`docs/modules/symbols/`](./symbols/)
### Symbols (absorbed into BinaryIndex -- Sprint 202)
- **Source**: `src/BinaryIndex/StellaOps.Symbols.*` (moved from `src/Symbols/`)
- **Docs**: [`docs/modules/binary-index/architecture.md`](./binary-index/architecture.md) (Symbols section)
- **Type**: Service
- **Database**: None (content-addressed storage)
- **Endpoints**: 1 (symbol source)
Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores.
Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores. Consolidated into BinaryIndex per Sprint 202.
**Dependencies**: Scanner, BinaryIndex.
---
### TaskRunner
- **Source**: `src/TaskRunner/`
- **Docs**: [`docs/modules/taskrunner/`](./taskrunner/)
### TaskRunner (absorbed into JobEngine -- Sprint 208)
- **Source**: `src/JobEngine/` (moved from `src/TaskRunner/`)
- **Docs**: [`docs/modules/taskrunner/`](./taskrunner/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/))
- **Type**: Service
- **Database**: PostgreSQL (via infrastructure layer)
- **Endpoints**: Defined in WebService/Worker Program.cs
- **Database**: PostgreSQL (via infrastructure layer, stub DbContext)
- **Endpoints**: Defined in JobEngine Program.cs
Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped.
Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped. Consolidated into JobEngine per Sprint 208.
**Dependencies**: Orchestrator, PacksRegistry, Authority, Signer / Attestor, object storage.
**Dependencies**: JobEngine, Authority, Attestor, object storage.
---
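Review bot: the Symbols entry now describes a component that lives under `src/BinaryIndex/` but the unchanged `**Dependencies**: Scanner, BinaryIndex.` line makes it depend on its own host module, and `**Type**: Service` / `**Endpoints**: 1 (symbol source)` still describe a standalone service; either drop the self-dependency and state that the symbol-source endpoint is now served by BinaryIndex, or say explicitly that Symbols remains a separately deployed service that merely moved directories. For TaskRunner, the new `**Dependencies**: JobEngine, Authority, Attestor, object storage.` removes PacksRegistry and Orchestrator, yet the description still calls this a "task pack execution engine" with approvals and a verified plan hash; say where packs are now resolved from and who owns the approval flow, otherwise the provenance chain the paragraph promises (plan hash verification, DSSE attestation of every run) has no stated source for the pack being attested. "stub DbContext" should also be clarified, as a stub implies no migrations yet while the line still claims PostgreSQL persistence.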
@@ -838,20 +819,7 @@ Observability library providing OpenTelemetry-based metrics, traces, and logs wi
Timeline query service providing export, replay, and timeline browsing endpoints for vulnerability history and event streams. Uses shared libraries from `StellaOps.Eventing` for event envelope schemas and `StellaOps.Timeline.Core` for core logic including critical path view.
**Dependencies**: All services (event sources), TimelineIndexer.
---
### TimelineIndexer
- **Source**: `src/TimelineIndexer/`
- **Docs**: [`docs/modules/timeline-indexer/`](./timeline-indexer/)
- **Type**: Service
- **Database**: PostgreSQL (1 SQL migration)
- **Endpoints**: Defined in WebService Program.cs
Timeline event indexing and query service providing fast indexed access to events across all StellaOps services. Receives events from NATS/Valkey streams, indexes them, and provides efficient time-range queries with filtering. Enables vulnerability history browsing, scan timeline analysis, and policy evaluation trail inspection.
**Dependencies**: NATS / Valkey, Timeline.
**Dependencies**: All services (event sources). TimelineIndexer is now consolidated into the Timeline module (`src/Timeline/`).
---
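Review bot: deleting the whole TimelineIndexer section loses the only statements of how timeline events enter the system ("Receives events from NATS/Valkey streams") and what the indexer persists ("PostgreSQL (1 SQL migration)"); the surviving Timeline entry now names no database and no message transport. Carry those facts into the Timeline entry, for example `**Dependencies**: All services (event sources), NATS / Valkey.` plus a database line, rather than leaving only the consolidation remark. The consolidation note is also placed inside the `**Dependencies**` line and gives no sprint number, whereas every other merged entry in this commit uses a heading of the form `### X (absorbed into Y -- Sprint N)`; follow that convention here so readers scanning headings can tell the module was folded in.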
@@ -881,14 +849,14 @@ Structured registry for tracking unresolved components, symbols, and incomplete
---
### Verifier
- **Source**: `src/Verifier/`
- **Docs**: [`docs/modules/verifier/`](./verifier/)
### Verifier (archived -- absorbed into Tools)
- **Source**: `src/Tools/StellaOps.Verifier/`
- **Docs**: [`docs/modules/tools/`](./tools/)
- **Type**: CLI Tool
- **Database**: None
- **Endpoints**: None
Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Validates DSSE envelope signatures, Merkle inclusion proofs, and bundle manifest checksums. Designed for operators and auditors who need independent verification without a full StellaOps installation.
Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Absorbed into `src/Tools/` as of Sprint 212.
**Dependencies**: None (standalone verification).
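Review bot: the shortened Verifier description drops the sentences that actually define the tool's security contract, namely that it "Validates DSSE envelope signatures, Merkle inclusion proofs, and bundle manifest checksums" and is meant for "operators and auditors who need independent verification without a full StellaOps installation"; those are the properties an auditor reads this page for, so keep them after "produced by the platform." and append the Sprint 212 move as a final sentence. The heading is also inconsistent with the body: "archived -- absorbed into Tools" suggests the code is retired, but `**Source**: `src/Tools/StellaOps.Verifier/`` points at a live location and `**Type**: CLI Tool` is retained; pick either "archived" or "absorbed" and, if it still ships, say so plainly, since a verifier that readers believe is archived will not be run.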
@@ -921,8 +889,8 @@ VEX consensus viewer and analysis service providing issuer-aware VEX statement e
---
### VulnExplorer
- **Source**: `src/VulnExplorer/`
- **Docs**: [`docs/modules/vuln-explorer/`](./vuln-explorer/)
- **Source**: `src/Findings/StellaOps.VulnExplorer.*` (consolidated into Findings, Sprint 207)
- **Docs**: [`docs-archived/modules/vuln-explorer/`](../../docs-archived/modules/vuln-explorer/)
- **Type**: Service
- **Database**: None (reads from other modules' databases)
- **Endpoints**: Defined in Program.cs
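Review bot: with VulnExplorer moved under `src/Findings/`, the unchanged `**Database**: None (reads from other modules' databases)` line needs revisiting: if the explorer now runs inside Findings it should state whether it queries through Findings' own DbContext or still reads other modules' databases directly, because the latter is a cross-module data-access path that the consolidation was presumably meant to remove. `**Endpoints**: Defined in Program.cs` is likewise ambiguous now that there is no VulnExplorer `Program.cs`; name the host (Findings WebService) as the TaskRunner entry does with "JobEngine Program.cs". Finally, the heading stays `### VulnExplorer` while the other merged modules in this commit carry "(absorbed into X -- Sprint N)" in the heading; apply the same convention and check that the `../../docs-archived/modules/vuln-explorer/` relative link resolves from `docs/modules/`.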