From b19e38729d34015f89773d040c1af99a8a8b3d60 Mon Sep 17 00:00:00 2001 From: master Date: Thu, 15 Jan 2026 21:07:50 +0200 Subject: [PATCH] add offer and pricing details for Stella Ops Suite (On-Prem) --- .../{stella_ops_offer_pricing.md => OFFER.md} | 0 docs/product/moat.md | 549 ------------------ 2 files changed, 549 deletions(-) rename docs/product/{stella_ops_offer_pricing.md => OFFER.md} (100%) delete mode 100644 docs/product/moat.md diff --git a/docs/product/stella_ops_offer_pricing.md b/docs/product/OFFER.md similarity index 100% rename from docs/product/stella_ops_offer_pricing.md rename to docs/product/OFFER.md diff --git a/docs/product/moat.md b/docs/product/moat.md deleted file mode 100644 index 268fd17e0..000000000 --- a/docs/product/moat.md +++ /dev/null @@ -1,549 +0,0 @@ -# StellaOps Moat Track — Spec Outline v0.5 - -> **Core Thesis:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation. - ---- - -## The Category Difference - -Traditional scanners output findings: "CVE-2024-1234 exists in package X." - -Stella Ops outputs decisions: "CVE-2024-1234 is reachable via this call path, vendor VEX says not_affected but runtime disagrees (creating a conflict the policy must resolve), and here's the signed proof chain." - -This isn't a feature gap—it's a category difference. - ---- - -## Why Competitors Can't Easily Catch Up - -| Origin | Representatives | What They Optimized For | Architectural Constraint | -|--------|----------------|------------------------|--------------------------| -| **Package Scanners** | Trivy, Syft/Grype | Fast CLI, broad coverage | No forensic reproducibility; VEX is boolean; no DSSE for reachability | -| **Developer UX** | Snyk | IDE integration, fix PRs | SaaS-only; no attestation infrastructure; offline impossible | -| **Policy/Compliance** | Prisma, Aqua | Runtime protection, CNAPP | No deterministic replay; no cryptographic provenance | -| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX; no signed reachability; no regional crypto | - -Retrofitting our capabilities requires fundamental rearchitecture—not just features. - ---- - -## Four Capabilities No Competitor Offers Together - -| # | Capability | What It Is | Why It's Hard to Copy | -|---|-----------|-----------|----------------------| -| 1 | **Signed Reachability** | Every reachability graph sealed with DSSE; optional edge-bundle attestations for runtime/init/contested paths. Hybrid static + runtime. | Requires three-layer instrumentation + cryptographic binding to call paths | -| 2 | **Deterministic Replay** | Scans run bit-for-bit identical from frozen feeds and analyzer manifests. Decision Capsules seal all evidence. | Requires content-addressed evidence model + feed snapshotting + deterministic ordering | -| 3 | **Explainable Policy (K4 Lattice VEX)** | Belnap K4 logic (Unknown/True/False/Conflict) merges SBOM, advisories, VEX, waivers into single verdict with proof links. | Requires rethinking VEX from suppression to logical claims | -| 4 | **Sovereign + Offline Operation** | FIPS/eIDAS/GOST/SM/PQC profiles as config toggles. Sealed knowledge snapshots for air-gap parity. | Requires pluggable crypto + offline trust roots + regional compliance | - -**Scope of this doc:** -(1) Decision Capsules, (2) Deterministic Replayable Scans (SRM), (3) Policy Engine & Lattice UI, (4) Sovereign Readiness (CryptoProfile + RootPack), (5) Attestation Observability Graph (AOG), (6) Procurement‑Grade Trust Statement, (7) Third‑Party Proof Channel, (8) Zastava differential SBOM + AI scheduler. - -Cross‑cutting principles: offline‑first, cryptographic determinism, evidence‑bound decisions, regional crypto compliance, minimal operational friction. - ---- - -## 0) Shared Concepts (applies to all 8) - -* **Artifact identity:** digest-first (OCI image digest, file sha256). -* **Canonicalization:** all structured payloads (SBOM, SRM, Trust Statement JSON, VEX) are normalized via Canonical JSON (RFC‑8785‑like) prior to hashing/signing. -* **Signatures:** DSSE envelopes; **dual‑signing** supported (e.g., FIPS ECDSA + GOST R 34.10; or ECDSA + SM2). -* **Attestation chain:** each decision (scan, VEX merge, policy evaluation) yields a signed, replayable record. -* **Profiles & Packs:** **CryptoProfile** (algorithm + root policy) and **RootPack** (trust anchors + OCSP/CRL/TSA mirrors) are versioned and importable. -* **Policy Unit Tests:** any policy/lattice bundle ships with fixtures expected to pass during CI. - ---- - -## 1) Deterministic Replayable Scans — SRM - -### Objective - -Make every scan a **provable, re‑executable fact**. Auditors can replay; results are bit‑for‑bit reproducible. - -### Deliverables - -* **SRM v0.1** schema (YAML/JSON) -* Deterministic executor + `stella replay` -* Replay diffing and result hashing - -### SRM (Stella Replay Manifest) — schema (abridged) - -```yaml -apiVersion: srm.stellaops.dev/v0.1 -scan: - id: uuid - timestamp: ISO8601 - engine: { name: "stella-scan", version: "1.7.3", build_sha: "" } -environment: - os_image: - kernel: { uname: "...", cgroups: "v2" } - cpu_features: [avx2, sse4.2] -inputs: - image: { name: "reg/app:1.9.2", digest: "", layers: ["", ...] } - sbom: { type: "cyclonedx@1.5", digest: "" } - vex_set: [{ type: "openvex", digest: "" }] - lattice_policy: { id: "corp-policy@2025-08-15", digest: "" } -rules_and_feeds: - rulesets: [{ name: "vuln-core", version: "2025.08.30", digest: "" }] - feeds: - - { name: "nvd", snapshot_date: "2025-08-30", archive_digest: "" } -execution: - mode: deterministic - random_seed: 314159 - ordering: lexical - heuristics: { binary_scan: true, secrets: false } -evidence: - files_hashed: 12873 - samples: [{ path: "/usr/lib/libssl.so.3", sha256: "" }] -outputs: - report_digest: "" # canonical JSON root hash - artifacts: - - { name: "findings.json", sha256: "" } -signatures: - - { scheme: "DSSE", CryptoProfile: "FIPS-140-3", signer: "build-ca@corp" } - - { scheme: "DSSE", CryptoProfile: "GOST-2012", signer: "ru-ca@corp" } -rekor: { entries: ["", ...] } # optional (offline allowed) -``` - -### CLI & API - -* `stella scan --image reg/app@sha256:... --srm-out srm.yaml --findings findings.json` -* `stella replay srm.yaml --out replay.json --assert-digest ` -* `POST /v1/srm/replay` → returns `ok`, `replay_report_digest`, `diff` (if any). - -### Determinism Rules - -* Single thread or ordered parallel with stable scheduling; sorted inputs; fixed random seed; pinned rules/feeds/policies from SRM; identical canonicalization routines. - -### Acceptance Criteria - -* Replaying SRM on a different host returns identical `report_digest`. -* If any feed archive differs by 1 bit, replay fails with a precise diff. -* SRM size ≤ 25 MB for a typical microservice image (excludes large feed archives, which may be referenced by digest and bundled as a side‑car tar). - ---- - -## 2) Policy Engine & Lattice UI - -### Objective - -Turn VEX merging and severity logic into **programmable, testable algebra** with explainability. - -### Trust Algebra Foundation (Implemented 2025-12) - -The lattice engine uses **Belnap K4 four-valued logic** to aggregate heterogeneous security claims: - -* **K4 Values**: Unknown (⊥), True (T), False (F), Conflict (⊤) -* **Security Atoms**: Six orthogonal propositions per Subject: - - PRESENT: component instance exists in artifact - - APPLIES: vulnerability applies to component (version match) - - REACHABLE: vulnerable code reachable from entrypoint - - MITIGATED: controls prevent exploitation - - FIXED: remediation applied - - MISATTRIBUTED: false positive indicator - -* **Claim Resolution**: Multiple VEX sources (CycloneDX, OpenVEX, CSAF) normalized to atoms, aggregated with conflict detection, then disposition selected via priority rules. -* **Implementation**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/` (110 tests passing) - -### Model - -* **Domain:** partial order over vulnerability states: - `unknown < under_investigation < affected || not_affected < fixed`. - Cross‑product with *scope*: `{runtime_path, build_path, optional_path}` and *confidence*: `{low, med, high}`. -* **Merge semantics:** monotonic lattice joins; conflict resolution rules prioritized by signed source trust and policy precedence. - -### DSL (sketch) - -```hocon -policy "corp-runtime" version "2025.08.15" { - sources { - trust_order = ["vendor:redhat", "internal:appsec", "public:nvd"] - require_signatures = true - } - - rules { - when vex.statement == "not_affected" - and evidence.entrypoint_exposes == false - then state := not_affected with confidence := high; - - when package.is_dev_dependency == true - then scope := optional_path; - - when cvss >= 9.0 and reachable == true - then priority := "block"; - } - - guards { - forbid unsigned_sources; - forbid downgrade_of_state_below previous_state; - } -} -``` - -### UI (“Trust Algebra Studio”) - -* Drag‑and‑drop rule blocks, precedence editor, **simulation mode** on sample SBOM/VEX; **policy unit tests**. -* Export **signed** `.lattice.json`; importable into CI. - -### CLI & API - -* `stella policy lint corp-runtime.lattice.json` -* `stella policy test --fixtures fixtures/` -* `POST /v1/policy/evaluate` → normalized decision + proof trail. - -### Acceptance Criteria - -* Given same inputs, policy evaluation yields identical decision + proof trail hash. -* UI can round‑trip DSL ⇄ JSON with no semantic drift. -* Policy pack signature required to run in “enforced” mode. - ---- - -## 3) Sovereign Readiness — CryptoProfile + RootPack - -### Objective - -**Drop‑in regional cryptography** (Russia/China/EU/US) with offline operation. - -### CryptoProfile (attached to every signature/attestation) - -```json -{ - "id": "GOST-2012@v1", - "algorithms": {"sign":"GOST R 34.10-2012","hash":"GOST R 34.11-2012","cipher":"GOST 34.12-2015"}, - "key_policy": {"curve":"id-tc26-gost-3410-2012-256","hsm_required": true}, - "time_stamping": {"tsa": "rootpack://ru/tsa1"}, - "roots": ["rootpack://ru/trustanchors/gost-ca1"] -} -``` - -### RootPack - -* Tarball containing: trust anchors, intermediate CAs, OCSP/CRL snapshots, TSA profiles, policy constraints (e.g., no cross‑sign with foreign roots), and region metadata. -* Installed via: `stella rootpack import rootpack_ru_v1.tar.gz`. - -### Dual‑Signing & Guardrails - -* Policy flags like `allow_dual_signing FIPS+GOST`, `forbid_sm2_for_us_exports` (example only). -* Enforcement happens at signing time and verification time. - -### Acceptance Criteria - -* Offline verification using RootPack succeeds; online OCSP disabled per policy. -* Mis‑profiled signatures are rejected with explicit reason codes. -* Dual‑signed DSSE verifies under both profiles when allowed. - ---- - -## 4) Attestation Observability Graph (AOG) - -### Objective - -Make trust **observable**. Expose SLIs/SLOs for cryptographic posture & policy compliance. - -### Data Model - -* Nodes: `{artifact, sbom, policy, vex, srm, signature, rootpack, runtime_instance}` -* Edges: `derived_from`, `signed_by`, `evaluated_by`, `replayed_by`, `runs_as` - -### Metrics (OpenTelemetry/Prometheus) - -* `stella_trust_sli{service,env}` = fraction of running pods whose image has a valid SRM‑backed attestation chain under the active policy. -* `stella_attestation_latency_seconds` (P50/P95) from build to verified‑ready. -* `stella_policy_drift_events_total` (increment when running policy != signed policy). -* `stella_exception_without_proof_total` (must be 0). -* `stella_replay_success_ratio` (per week). - -**SLO Example** - -* **Trust SLO ≥ 99.9%** measured hourly; error budget resets monthly. - -### Interfaces - -* `stella aog export --format otlp` -* `GET /v1/aog/graph?artifactDigest=...` → subgraph JSON (with signed edge proofs). -* Grafana dashboards (packaged). - -### Acceptance Criteria - -* AOG can reconstruct the full trust lineage for any running pod in ≤ 2s (p95) on a 1k‑service cluster. -* Metrics cardinality bounded (service/env/policy only). - ---- - -## 5) Procurement‑Grade “Trust Statement” - -### Objective - -One **board‑ready** artifact that unifies security posture across vendors; machine‑readable twin for ERP/GRC. - -### Outputs - -* **PDF** (human): signed, watermark, controlled fields for vendor name/version/date, summary graphs, SLOs, exceptions with PCE (proof‑carrying exceptions). -* **JSON** (machine): normalized schema below; DSSE‑signed; includes SRM and policy references. - -```json -{ - "schema": "trust-statement.stellaops.dev/v1", - "vendor": {"name": "Acme","product":"Payments API","version":"1.9.2"}, - "build": {"image_digest":"sha256:...","srm_digest":"sha256:..."}, - "policy": {"id":"corp-runtime@2025-08-15","digest":"sha256:..."}, - "summary": { - "trust_sli": 0.9992, - "exceptions": 1, - "open_findings": {"critical":0,"high":2,"medium":4,"low":12} - }, - "exceptions": [{ - "id":"EXC-2025-0912", - "reason":"not_affected-via-vex", - "proof_digest":"sha256:...", - "expiry":"2026-01-15" - }], - "signatures": [{ "CryptoProfile":"FIPS-140-3" }] -} -``` - -### Integrations - -* Push connectors: **SAP Ariba, ServiceNow, Archer, Jira** (webhooks or SFTP in offline flows). -* CLI: `stella trust-statement generate --srm srm.yaml --policy corp-runtime.lattice.json --out acme-1.9.2.trust.json --pdf`. - -### Acceptance Criteria - -* JSON validates against schema; PDF and JSON hashes match the DSSE statement. -* ERP ingest POC: Ariba/ServiceNow field mapping validated. - ---- - -## 6) Third‑Party Proof Channel - -### Objective - -Create a **publisher ecosystem** for upstream proofs: SBOM, VEX, and **VDR (Vulnerability Derivation Reason)**. - -### Publisher Model - -* **Identity:** publishers obtain a **Publisher Certificate** (could be verified via RootPack‑anchored CA or cross‑signed). -* **Submission:** `stella ledger publish --type {sbom|vex|vdr} --artifact --file proof.json --sign`. -* **Moderation & Revocation:** CRL‑like **Proof Revocation List (PRL)** with signed reasons. - -### VDR (schema sketch) - -```json -{ - "schema":"vdr.stellaops.dev/v1", - "artifact":"sha256:...", - "cve":"CVE-2025-12345", - "claim":"not_affected", - "method":"entrypoint_unreachable|abi_mismatch|dead_code", - "evidence_refs":[{"type":"symbol_map","digest":"sha256:..."}], - "publisher":"redhat://rhel", - "signatures":[...] -} -``` - -### Consumption - -* Policies can **prioritize** publisher channels by trust level. -* AOG shows which proofs originated from which publishers. - -### Acceptance Criteria - -* At least one upstream (e.g., base image vendor) can publish and your policy can consume & rank it. -* PRL revokes a proof and AOG reflects the change within 5 minutes. - ---- - -## 7) Zastava — differential SBOM + AI enrichment scheduler - -### Objective - -Produce **entrypoint‑aware differential SBOMs** and continually **re‑enrich** new/old SBOMs with AI context and exposure‑aware prioritization. - -### Concepts - -* **dSBOM:** SBOM that reflects effective dependency set for a specific `ENTRYPOINT/CMD` and runtime flags (e.g., `--server.urls`, `DOTNET_...`). -* **Scheduler:** rescans **old SBOMs** when: (a) new CVE feeds arrive, (b) new VEX/VDR appear, (c) policy changes, or (d) AI models learn new exploitability signals. - -### Pipeline - -1. **Static slice:** infer reachable packages from entrypoint (e.g., `.NET Kestrel` vs CLI tool). -2. **Runtime slice (optional):** collect process tree, open sockets, and imported modules at startup in a **shadow run** or mirrored traffic. -3. **Diff:** `dSBOM = SBOM ∩ (static_reachable ∪ runtime_observed)`. -4. **AI Enrichment:** Zastava annotates each finding with *context weights* (exposed/not exposed, network scope, RBAC, secrets proximity). -5. **Plan:** produce PRs (Dockerfile base bump, package pin, k8s Service change). -6. **Scheduler:** - - * `stella zastava schedule --query 'service=payments AND env=prod' --interval 6h` - * Triggers re‑evaluation and emits updated SRM + Trust deltas. - -### dSBOM format (addon) - -```json -{ - "schema":"cyclonedx+stella-diff@1.0", - "base_sbom":"sha256:...", - "entrypoint": ["/app/bin/Release/net10.0/app.dll"], - "cmd": ["--urls","http://127.0.0.1:8080"], - "static_reachable": ["pkg:nuget/Kestrel@*", "pkg:nuget/System.Data@*"], - "runtime_observed": ["pkg:rpm/openssl@3.0.9"], - "excluded_paths": ["/usr/share/docs/**"], - "digest":"sha256:..." -} -``` - -### Kestrel example (priority logic) - -* If Kestrel present but Service is `ClusterIP` and no Ingress, **deprioritize**; if `LoadBalancer`/`NodePort` with 0‑RTT TLS disabled, **prioritize**. -* Zastava produces an **explainable card**: “Priority lowered due to non‑exposed runtime path; evidence: `kubectl get svc`, `netstat`, policy rule #42.” - -### Acceptance Criteria - -* Changing `ENTRYPOINT` produces a different, signed dSBOM and updated priorities. -* Scheduler updates stale SBOMs and issues signed deltas without network access (when RootPacks + feed mirrors are available). - ---- - -## Cross‑Cutting Security & Compliance - -* **Sanctions & Guardrails:** per‑profile constraints (e.g., forbid dual‑signing across certain jurisdictions). Policy‑enforced at sign/verify time. -* **HSM Integrations:** PKCS#11 providers for each profile (FIPS, GOST, SM2). -* **Data handling:** SRMs and Trust Statements may contain paths and hashes; optional redaction profiles for vendor sharing. - ---- - -## Interfaces Summary (CLI) - -```bash -# Scans / Replay -stella scan --image --srm-out srm.yaml -stella replay srm.yaml --assert-digest - -# Policy & Lattice -stella policy lint corp.lattice.json -stella policy test --fixtures fixtures/ -stella policy sign --profile FIPS-140-3 - -# Crypto Sovereign -stella rootpack import rootpack_ru_v1.tar.gz -stella attest sign --profile GOST-2012 --in srm.yaml -stella attest verify --profiles GOST-2012,FIPS-140-3 - -# AOG -stella aog export --format otlp -stella aog graph --artifact - -# Trust Statement -stella trust-statement generate --srm srm.yaml --policy corp.lattice.json --pdf out.pdf --json out.json - -# Third-Party Proof Channel -stella ledger publish --type vdr --artifact --file vdr.json --sign -stella ledger revoke --id --reason "superseded" - -# Zastava -stella zastava diff-sbom --image --entrypoint "" --out dsbom.json -stella zastava enrich --sbom dsbom.json --findings findings.json -stella zastava schedule --query 'env=prod' --interval 6h -``` - ---- - -## Success Metrics (per pillar) - -* **SRM:** ≥ 99% of production images have SRM attached; **Replay Success Ratio** ≥ 0.99 weekly. -* **Policy/Lattice:** 100% of exceptions carry proof; policy test coverage ≥ 90% on top CVE classes. -* **Sovereign:** RootPacks for RU/CN/EU/US verified; dual‑signing working in CI; offline verification median < 200 ms. -* **AOG:** Trust SLO ≥ 99.9%; lineage lookup p95 ≤ 2s. -* **Trust Statement:** Accepted by at least one ERP (pilot); generation time ≤ 15s. -* **Third‑Party Channel:** ≥ 3 upstream publishers integrated; PRL revocations flow to AOG within 5 minutes. -* **Zastava:** dSBOM reduces non‑reachable high/critical findings by ≥ 35% without raising exposure incidents. - ---- - -## Risks & Mitigations - -* **Crypto complexity:** profile misuse → strict guardrails + default safe profiles, strong linting. -* **Cardinality/telemetry blow‑ups:** AOG label hygiene + sampling. -* **Vendor adoption (Proof Channel):** seed with your own base images and internal frameworks; provide SDKs and reference publishers. -* **Determinism regressions:** CI runs replay tests on golden SRMs; any drift fails the build. - ---- - -## Competitive Landscape (Jan 2026) - -Based on source-code audit of Trivy v0.55, Grype v0.80, Snyk CLI v1.1292, plus documentation review of Prisma, Aqua, and Anchore. - -### The Nine Structural Gaps We Exploit - -| # | Capability | Industry Status | Stella Ops Advantage | Module(s) | -|---|-----------|-----------------|---------------------|-----------| -| 1 | **SBOM Fidelity** | Static artifact, order-dependent, varies per run | Deterministic per-layer digests + Build-ID mapping; binary crosswalk | `Scanner`, `SbomService`, `BinaryIndex` | -| 2 | **VEX Handling** | Boolean suppression or absent | K4 lattice (Unknown/True/False/Conflict) with trust weighting | `VexLens`, `TrustLatticeEngine`, `Excititor` | -| 3 | **Reachability** | "Runtime context" badge (coarse) | Three-layer call-path proofs (static + binary + runtime) with DSSE | `ReachGraph`, `PathWitnessBuilder` | -| 4 | **Backport Detection** | Version string checks | Four-tier: distro feeds → changelog → patches → binary fingerprints | `Feedser`, `SourceIntel`, `BinaryIndex` | -| 5 | **Smart-Diff** | File-level/hash comparison | Semantic risk deltas ("exploitability dropped 41%") | `MaterialRiskChangeDetector` | -| 6 | **Triage UX** | Loud lists, duplicated root causes | Quiet queue + one finding per root cause + evidence panel | UI + canonical finding keys | -| 7 | **Unknowns** | Hidden/suppressed | First-class state with bands, decay, policy budgets | `UnknownStateLedger`, `Policy` | -| 8 | **Attestations** | Cosign-only or absent | in-toto/DSSE chain for scans, VEX, reachability, fixes | `Attestor`, `Signer` | -| 9 | **Offline** | Partial cache, degraded signals | Full parity with sealed snapshots + regional crypto | `AirGap.Controller`, `CryptoProfile` | - -### Why Competitors Plateau (Architectural) - -| Competitor Class | Origin | Why They Can't Easily Catch Up | -|-----------------|--------|-------------------------------| -| **Trivy/Syft/Grype** | Package scanners | No forensic reproducibility in architecture; evidence model is row-based, not content-addressed; VEX is filter, not logic | -| **Snyk** | Developer UX | SaaS-only means offline impossible; no attestation infrastructure; reachability is language-limited | -| **Prisma/Aqua** | Policy/compliance | No deterministic replay; no cryptographic provenance; verdicts aren't portable | -| **Anchore** | SBOM operations | No lattice VEX; no signed reachability graphs; no regional crypto profiles | - -### Capability Gap Matrix - -| Capability | Trivy | Grype | Snyk | Prisma | Aqua | Anchore | **Stella** | -|-----------|-------|-------|------|--------|------|---------|------------| -| Deterministic replay | No | No | No | No | No | No | **Yes** | -| VEX lattice (K4) | Boolean | Boolean | None | None | Limited | Limited | **Full** | -| Signed reachability | No | No | No | No | No | No | **DSSE** | -| Binary backport detection | No | No | No | No | No | No | **Tier 1-4** | -| Semantic risk diff | No | No | No | No | No | No | **Yes** | -| Unknowns as state | Hidden | Hidden | Hidden | Hidden | Hidden | Hidden | **First-class** | -| Regional crypto | No | No | No | No | No | No | **Yes** | -| Offline parity | Medium | Medium | No | Strong | Medium | Good | **Full** | - -### Where We're Ahead (Unique) - -1. **Deterministic replay** — Bit-for-bit reproducibility with `stella replay` -2. **K4 lattice VEX** — Conflict detection, not suppression -3. **Signed reachability** — DSSE graphs + edge bundles -4. **Smart-Diff** — Semantic risk deltas -5. **Unknowns modeling** — Bands, decay, policy budgets -6. **Regional crypto** — FIPS/eIDAS/GOST/SM/PQC as config - -### Where Competitors Lead (For Now) - -| Area | Leader | Our Response | -|------|--------|--------------| -| Mass-market UX | Snyk | Focus on power users who need proofs | -| SaaS onboarding | Snyk, Prisma | Offer both SaaS and self-hosted | -| Ecosystem breadth | Trivy | Depth over breadth; evidence quality over coverage | -| Marketplace integrations | All | Prioritize based on customer demand | - -### References - -- **Competitive Landscape**: `docs/product/competitive-landscape.md` -- **Claims Index**: `docs/product/claims-citation-index.md` -- **Moat Strategy**: `docs/product/moat-strategy-summary.md` -- **Proof Architecture**: `docs/modules/platform/proof-driven-moats-architecture.md` - ---- - -## 90‑Day Moat‑First Milestones - -1. **SRM v0.1**: schema, deterministic executor, CLI replay, golden tests. -2. **Policy Engine MVP**: DSL + evaluator + UI simulation; policy unit tests; signed policy packs. -3. **CryptoProfile/RootPack MVP**: FIPS + GOST working; dual‑signing; offline verify. -4. **AOG MVP**: lineage service + OTLP exporter + Grafana pack; Trust SLI. -5. **Trust Statement MVP**: JSON + PDF; ServiceNow ingest POC. -6. **Proof Channel alpha**: publisher identity + VDR schema + local ledger; PRL. -7. **Zastava α**: `diff-sbom` + exposure heuristics for `.NET Kestrel`; scheduler with offline mirrors. - ----