feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
This commit is contained in: master
2025-10-31 14:33:05 +02:00
parent 240e8ff25d
commit 9e5e958d42
312 changed files with 6399 additions and 3319 deletions


@@ -1,157 +1,38 @@
# Stella Ops
# StellaOps
> **Selfhosted, SBOMfirst DevSecOps platform offlinefriendly, AGPL3.0, free up to {{ quota_token }} scans per UTC day (soft delay only, never blocks).**
> StellaOps is the sovereign, SBOMfirst security platform that proves every container decision with deterministic scans, explainable policy verdicts, and offlineready provenance.
StellaOps lets you discover container vulnerabilities in **<5s** without sending a single byte outside your network.
Everything here is opensource and versioned when you check out a git tag, the docs match the code you are running.
- **Sovereign by design** bring your own trust roots, vulnerability advisory sources, VEX sources, regional crypto, and Offline Update Kits that never phone home.
- **Deterministic + replayable** every scan can be reproduced bitforbit with DSSE + OpenVEX evidence.
- **Actionable signal** lattice logic ranks exploitability, and the policy engine lets you tailor VEX handling, muting, and expiration rules for your environment.
---
**Proof points:** SBOM dependency and vulnerability dependency cartographing work, deterministic replay manifests, lattice policy UI with OpenVEX, and postquantum trust packs ready for regulated sectors.
## 🚀 Start here (first 60minutes)
## Choose Your Path
| Step | What you will learn | Doc |
|------|--------------------|-----|
| 1 | 90second elevator pitch & pillars | **[What IsStellaOps?](01_WHAT_IS_IT.md)** |
| 2 | Pain points it solves | **[Why DoesItExist?](02_WHY.md)** |
| 3 | Install & run a scan in 10min | **[Install Guide](21_INSTALL_GUIDE.md)** |
| 4 | Components & dataflow | **[HighLevel Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)** |
| 5 | Integrate the CLI / REST API | **[API&CLI Reference](09_API_CLI_REFERENCE.md)** |
| 6 | Vocabulary used throughout the docs | **[Glossary](14_GLOSSARY_OF_TERMS.md)** |
| If you want to… | Open this | Read time |
|-----------------|-----------|-----------|
| Understand the promise and pain we solve | `overview.md` | ≈2min |
| Run a first scan and see the CLI | `quickstart.md` | ≈5min |
| Browse key capabilities at a glance | `key-features.md` | ≈3min |
| Check architecture, road to production, or evaluate fit | See “Dig deeper” below | ≤30min curated set |
---
## Explore the Essentials
## 📚 Complete Table of Contents
1. **Value in context** [Overview](overview.md) compresses the “Why” + “What” stories and shows how StellaOps stands apart.
2. **Try it fast** [Quickstart](quickstart.md) walks through fetching the signed bundles, configuring `.env`, and verifying the first scan.
3. **Feature confidence** [Key Features](key-features.md) gives five capability cards covering Delta SBOM, VEXfirst policy, Sovereign crypto, Deterministic replay, and Transparent quotas.
4. **Upnext checkpoints** [Evaluation checklist](evaluate/checklist.md) helps teams plan Day0 to Day30 adoption milestones.
<details>
<summary>Click to expand the full docs index</summary>
## Dig Deeper (curated reading)
### Overview
- **01[What IsStellaOps?](01_WHAT_IS_IT.md)**
- **02[Why DoesItExist?](02_WHY.md)**
- **03[Vision & Roadmap](03_VISION.md)**
- **04[Feature Matrix](04_FEATURE_MATRIX.md)**
- **Install & operations:** [Installation guide](21_INSTALL_GUIDE.md), [Offline Update Kit](24_OFFLINE_KIT.md), [Security hardening](17_SECURITY_HARDENING_GUIDE.md).
- **Architecture & modules:** [Highlevel architecture](high-level-architecture.md), [Module dossiers](modules/platform/architecture-overview.md), [Strategic differentiators](moat.md).
- **Policy & governance:** [Policy templates](60_POLICY_TEMPLATES.md), [Legal & quota FAQ](29_LEGAL_FAQ_QUOTA.md), [Governance charter](11_GOVERNANCE.md).
- **UI & glossary:** [Console guide](15_UI_GUIDE.md), [Accessibility](accessibility.md), [Glossary](14_GLOSSARY_OF_TERMS.md).
- **Technical documentation:** [Full technical index](technical/README.md) for architecture, APIs, module dossiers, and operations playbooks.
- **FAQs & readiness:** [FAQ matrix](23_FAQ_MATRIX.md), [Roadmap (external)](https://stella-ops.org/roadmap/), [Release engineering playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md).
### Reference & concepts
- **05[System Requirements Specification](05_SYSTEM_REQUIREMENTS_SPEC.md)**
- **07[HighLevel Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)**
- **08[Architecture Decision Records](adr/index.md)**
- **08Module Architecture Dossiers**
- [Architecture Overview](modules/platform/architecture-overview.md)
- [Scanner](modules/scanner/architecture.md)
- [Concelier](modules/concelier/architecture.md)
- [Excititor](modules/excititor/architecture.md)
- [Excititor Mirrors](modules/excititor/mirrors.md)
- [Signer](modules/signer/architecture.md)
- [Attestor](modules/attestor/architecture.md)
- [Authority](modules/authority/architecture.md)
- [Policy Engine](modules/policy/architecture.md)
- [Notify](modules/notify/architecture.md)
- [Scheduler](modules/scheduler/architecture.md)
- [CLI](modules/cli/architecture.md)
- [WebUI](modules/ui/architecture.md)
- [Zastava Runtime](modules/zastava/architecture.md)
- [Release & Operations](modules/devops/architecture.md)
- **09[API&CLI Reference](09_API_CLI_REFERENCE.md)**
- **10[Plugin SDK Guide](10_PLUGIN_SDK_GUIDE.md)**
- **10[Concelier CLI Quickstart](10_CONCELIER_CLI_QUICKSTART.md)**
- **10[BuildX Generator Quickstart](dev/BUILDX_PLUGIN_QUICKSTART.md)**
- **10[Scanner Cache Configuration](dev/SCANNER_CACHE_CONFIGURATION.md)**
- **30[Excititor Connector Packaging Guide](dev/30_EXCITITOR_CONNECTOR_GUIDE.md)**
- **31[Aggregation-Only Contract Reference](ingestion/aggregation-only-contract.md)**
- **31[Advisory Observations & Linksets](advisories/aggregation.md)**
- **31[VEX Observations & Linksets](vex/aggregation.md)**
- **32[Entry-Point Detection Playbook](modules/scanner/operations/entrypoint.md)**
- **30Developer Templates**
- [Excititor Connector Skeleton](dev/templates/excititor-connector/)
- **11[Authority Service](11_AUTHORITY.md)**
- **11[Data Schemas](11_DATA_SCHEMAS.md)**
- **12[Performance Workbook](12_PERFORMANCE_WORKBOOK.md)**
- **13[ReleaseEngineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md)**
- **20[CLI AOC Commands Reference](modules/cli/guides/cli-reference.md)**
- **20[Console CLI Parity Matrix](cli-vs-ui-parity.md)**
- **60[Policy Engine Overview](policy/overview.md)**
- **61[Policy DSL Grammar](policy/dsl.md)**
- **62[Policy Lifecycle & Approvals](policy/lifecycle.md)**
- **63[Policy Runs & Orchestration](policy/runs.md)**
- **64[Policy Exception Effects](policy/exception-effects.md)**
- **65[Policy Engine REST API](api/policy.md)**
- **66[Policy CLI Guide](modules/cli/guides/policy.md)**
- **67[Policy Editor Workspace](ui/policy-editor.md)**
- **68[Policy Observability](observability/policy.md)**
- **69[Console Observability](observability/ui-telemetry.md)**
- **70[Policy Governance & Least Privilege](security/policy-governance.md)**
- **70a[Policy Gateway](policy/gateway.md)**
- **71[Policy Examples](examples/policies/README.md)**
- **72[Policy FAQ](faq/policy-faq.md)**
- **73[Policy Run DTOs](../src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md)**
- **30[Fixture Maintenance](dev/fixtures.md)**
- **74[Export Center Overview](modules/export-center/overview.md)**
- **75[Export Center Architecture](modules/export-center/architecture.md)**
- **76[Export Center Profiles](modules/export-center/profiles.md)**
- **77[Export Center API Reference](modules/export-center/api.md)**
- **78[Export Center CLI Guide](modules/export-center/cli.md)**
- **79[Export Center Trivy Adapters](modules/export-center/trivy-adapter.md)**
- **80[Export Center Mirror Bundles](modules/export-center/mirror-bundles.md)**
- **81[Export Center Provenance & Signing](modules/export-center/provenance-and-signing.md)**
Need more? The full documentation tree ADRs, permodule operations, schemas, developer references stays untouched under the existing directories (`modules/`, `api/`, `dev/`, `ops/`), ready when you are.
### User & operator guides
- **14[Glossary](14_GLOSSARY_OF_TERMS.md)**
- **15[UI Guide](15_UI_GUIDE.md)**
- **16[Console AOC Dashboard](ui/console.md)**
- **16[Console Accessibility Guide](accessibility.md)**
- **17[Security Hardening Guide](17_SECURITY_HARDENING_GUIDE.md)**
- **17[Console Security Posture](security/console-security.md)**
- **18[Coding Standards](18_CODING_STANDARDS.md)**
- **19[TestSuite Overview](19_TEST_SUITE_OVERVIEW.md)**
- **21[Install Guide](21_INSTALL_GUIDE.md)**
- **21[Docker Install Recipes](install/docker.md)**
- **22[CI/CD Recipes Library](ci/20_CI_RECIPES.md)**
- **23[FAQ](23_FAQ_MATRIX.md)**
- **24[Offline Update Kit Admin Guide](24_OFFLINE_KIT.md)**
- **25[Mirror Operations Runbook](ops/concelier-mirror-operations.md)**
- **26[Concelier Apple Connector Operations](ops/concelier-apple-operations.md)**
- **27[Authority Key Rotation Playbook](ops/authority-key-rotation.md)**
- **28[Concelier CCCS Connector Operations](ops/concelier-cccs-operations.md)**
- **29[Concelier CISA ICS Connector Operations](ops/concelier-icscisa-operations.md)**
- **30[Concelier CERT-Bund Connector Operations](ops/concelier-certbund-operations.md)**
- **31[Concelier MSRC Connector AAD Onboarding](ops/concelier-msrc-operations.md)**
- **32[Scanner Analyzer Bench Operations](ops/scanner-analyzers-operations.md)**
- **33[Scanner Artifact Store Migration](ops/scanner-rustfs-migration.md)**
- **34[Zastava Runtime Operations Runbook](ops/zastava-runtime-operations.md)**
- **35[Launch Readiness Checklist](ops/launch-readiness.md)**
- **36[Launch Cutover Runbook](ops/launch-cutover.md)**
- **37[Registry Token Service](ops/registry-token-service.md)**
- **37[Deployment Upgrade & Rollback Runbook](ops/deployment-upgrade-runbook.md)**
- **38[Policy Schema Export Automation](devops/policy-schema-export.md)**
- **40[Observability Guide (AOC)](observability/observability.md)**
- **41[Telemetry Collector Deployment](ops/telemetry-collector.md)**
- **42[Telemetry Storage Deployment](ops/telemetry-storage.md)**
- **43[Authority Scopes & Tenancy](security/authority-scopes.md)**
- **44[Container Deployment (AOC)](deploy/containers.md)**
- **45[Export Center Operations Runbook](operations/export-runbook.md)**
### Notifications Studio
- **81[Notifications Overview](notifications/overview.md)**
- **82[Notifications Architecture](notifications/architecture.md)**
- **83[Notifications Rules](notifications/rules.md)**
- **84[Notifications Templates](notifications/templates.md)**
- **85[Notifications Digests](notifications/digests.md)**
### Legal & licence
- **32[Legal & Quota FAQ](29_LEGAL_FAQ_QUOTA.md)**
</details>
---
## 🧹 Backlog hygiene
> Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
- **Aggregation-Only Contract (AOC).** Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review [`implplan/AGENTS.md`](implplan/AGENTS.md) and the AOC guardrails in [`aoc/aoc-guardrails.md`](aoc/aoc-guardrails.md).
- **Cartographer owns graphs.** SBOM Service emits projections/events; Cartographer (`CARTO-GRAPH-21-00x`) builds graph storage, overlays, and tiles. See `modules/concelier/architecture.md` (Cartographer handshake section) for handoff boundaries.
- **Notifier replaces legacy Notify.** Sprint15 `StellaOps.Notify.*` tasks are frozen; use the Notifications Studio/Notifier backlogs (`NOTIFY-SVC-38..40`, `WEB-NOTIFY-3x-00x`, `CLI-NOTIFY-3x-00x`).
- **Dedicated services for Vuln & Policy.** Vuln Explorer work flows through `src/VulnExplorer/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays.
- **Cleanup log.** The backlog consolidation summary lives in [`backlog/2025-10-cleanup.md`](backlog/2025-10-cleanup.md).
© 2025 StellaOps contributors licensed AGPL3.0orlater
© 2025 StellaOps contributors AGPL3.0orlater
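Review bot: the Docs CI lint-and-preview run for this push was cancelled, so none of the link targets the rewritten README introduces (`overview.md`, `quickstart.md`, `key-features.md`, `evaluate/checklist.md`, `high-level-architecture.md`, `moat.md`, `technical/README.md`) have been link-checked; please re-run the docs job before merging, since the index this replaces pointed at different paths (`07_HIGH_LEVEL_ARCHITECTURE.md`, `modules/platform/architecture-overview.md`) and a stale target would ship silently. Two smaller points on the same hunk: the "Need more?" sentence says the full tree stays under `modules/`, `api/`, `dev/`, `ops/`, but the removed index also linked into `security/`, `policy/`, `observability/`, `notifications/`, `ingestion/`, `deploy/` and `operations/`, so either list those too or just route readers to `technical/README.md`; and the curated "Install & operations" bullet keeps `17_SECURITY_HARDENING_GUIDE.md` but drops the README's only pointers to `ops/authority-key-rotation.md`, `security/authority-scopes.md` and `security/console-security.md`, so operators looking for key-rotation or tenancy guidance now have no entry point from the landing page; a "Security & identity" bullet beside the hardening link would close that gap. If the tagline that retains `{{ quota_token }}` is the one that survives, the docs template step must substitute it, which the cancelled lint would otherwise have caught.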