feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
This commit is contained in:
master
33
docs/key-features.md
Normal file
33
docs/key-features.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# Key Features – Capability Cards
|
||||
|
||||
Each card is a fast read pairing the headline capability with the evidence that backs it and why it matters day to day.
|
||||
|
||||
## 1. Delta SBOM Engine
|
||||
- **What it is:** Layer-aware ingestion keeps the SBOM catalog content-addressed; rescans only fetch new layers and update dependency/vulnerability cartographs.
|
||||
- **Evidence:** Deterministic Replay Manifest (SRM) captures the exact analyzer inputs/outputs per layer.
|
||||
- **Why it matters:** Warm scans drop below one second, so CI/CD pipelines stay fast even under the free-tier quota.
|
||||
|
||||
## 2. Lattice Policy + OpenVEX
|
||||
- **What it is:** Policy engine merges SBOM, advisories, VEX, and waivers through lattice logic that prioritises exploitability.
|
||||
- **Evidence:** OpenVEX is treated as first-class input; the policy UI renders explain traces, while custom rule packs let teams automate muting, expirations, and non-VEX alert logic.
|
||||
- **Why it matters:** Teams can distinguish exploitable risk from noise, tune the experience beyond VEX statements, and prove why a deployment was blocked or allowed.
|
||||
|
||||
## 3. Sovereign Crypto Profiles
|
||||
- **What it is:** Bring-your-own trust bundles that switch signing algorithms (FIPS, eIDAS, GOST, SM) without code changes.
|
||||
- **Evidence:** Crypto profiles travel with Offline Update Kits and post-quantum trust packs, keeping signatures verifiable in regulated sectors.
|
||||
- **Why it matters:** You meet regional crypto requirements while keeping provenance attestations consistent across tenants.
|
||||
|
||||
## 4. Deterministic Replay & Evidence Bundles
|
||||
- **What it is:** Every scan produces a DSSE + SRM bundle that can be replayed with `stella replay`.
|
||||
- **Evidence:** Replay manifests capture analyzer versions, lattice state, and attestations in content-addressed storage for audit trails.
|
||||
- **Why it matters:** Auditors and incident responders can re-run a historical scan and trust the findings were not tampered with.
|
||||
|
||||
## 5. Transparent Quotas & Offline Operations
|
||||
- **What it is:** Redis-backed counters surface `{{ quota_token }}` scans/day via headers, UI banners, and `/quota` API; Offline Update Kits mirror feeds.
|
||||
- **Evidence:** Quota tokens verify locally using bundled public keys, and Offline Update Kits include mirrored advisories, SBOM feeds, and VEX sources.
|
||||
- **Why it matters:** You stay within predictable limits, avoid surprise throttling, and operate entirely offline when needed.
|
||||
|
||||
### Explore Further
|
||||
- Walk the first deployment in [quickstart.md](quickstart.md).
|
||||
- Dive into architectural flows in [high-level-architecture.md](high-level-architecture.md).
|
||||
- Need detailed matrices? The legacy [feature matrix](04_FEATURE_MATRIX.md) and [vision](03_VISION.md) remain available for deep dives.
|
||||
Reference in New Issue
Block a user