Add Canonical JSON serialization library with tests and documentation

- Implemented CanonJson class for deterministic JSON serialization and hashing. - Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters. - Created project files for the Canonical JSON library and its tests, including necessary package references. - Added README.md for library usage and API reference. - Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.
2025-12-19 15:35:00 +02:00
parent 43882078a4
commit 951a38d561
192 changed files with 27550 additions and 2611 deletions
--- a/docs/moat.md
+++ b/docs/moat.md
@@ -427,6 +427,51 @@ stella zastava schedule --query 'env=prod' --interval 6h

 ---

+## Competitive Landscape (Dec 2025)
+
+Based on analysis of Trivy, Syft/Grype, Snyk, Prisma, Aqua, and Anchore:
+
+### Structural Gaps We Exploit
+
+| Capability | Industry Status | Stella Ops Advantage |
+|------------|-----------------|---------------------|
+| **SBOM Fidelity** | Static artifact, no lineage | Stateful ledger with build provenance |
+| **VEX Handling** | Annotation/suppression | Formal lattice reasoning with conflict resolution |
+| **Explainability** | UI hints, remediation text | Proof-linked evidence with falsification conditions |
+| **Smart-Diff** | File-level/hash comparison | Semantic security meaning diff |
+| **Reachability** | "Runtime context" (coarse) | Three-layer call-path proofs |
+| **Scoring** | CVSS + proprietary heuristics | Deterministic, attestable, reproducible |
+| **Unknowns** | Hidden/suppressed | First-class state with risk implications |
+| **Offline** | Operational capability | Epistemic completeness (bound knowledge state) |
+
+### Why Competitors Plateau
+
+1. **Trivy/Syft** grew from package scanners — no forensic reproducibility design
+2. **Snyk** grew from developer UX — no attestation/proof infrastructure
+3. **Prisma/Aqua** grew from policy/compliance — no deterministic replay
+
+None were designed around **forensic reproducibility or trust algebra**.
+
+### Where We're Stronger
+
+- Deterministic replayable scans
+- Formal VEX reasoning
+- Reachability-backed exploitability
+- Semantic smart-diff
+- Evidence-first explainability
+- Unknowns modeling
+- Jurisdiction-ready offline trust
+
+### Where Competitors Remain Ahead (for now)
+
+- Mass-market UX polish
+- SaaS onboarding friction
+- Marketplace integrations
+
+See `docs/benchmarks/competitive-implementation-milestones.md` for implementation roadmap.
+
+---
+
 ## 90‑Day Moat‑First Milestones

 1. **SRM v0.1**: schema, deterministic executor, CLI replay, golden tests.