stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Initial commit (history squashed)
Some checks failed
Build Test Deploy / authority-container (push) Has been cancelled
Details
Build Test Deploy / docs (push) Has been cancelled
Details
Build Test Deploy / deploy (push) Has been cancelled
Details
Build Test Deploy / build-test (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source
This commit is contained in:
master
2025-10-07 10:14:21 +03:00
commit b97fc7685a
1132 changed files with 117842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
docs/40_ARCHITECTURE_OVERVIEW.md Executable file
View File

@@ -0,0 +1,133 @@
# StellaOps — HighLevel Architecture
<!--
Use constants injected at build:
{{ dotnet }} = "10 LTS"
{{ angular }} = "20"
-->
This document offers a birdseye view of how the major components interact,
why the system leans *monolithplusplugins*, and where extension points live.
> For a *timeline* of when features arrive, see the public
> [roadmap](/roadmap/) — no version details are repeated here.
---
## 0·Guiding principles
| Principle | Rationale |
|-----------|-----------|
| **SBOMfirst** | Scan existing CycloneDX/SPDX if present; fall back to layer unpack. |
| **Δprocessing** | Reanalyse only changed layers; reduces P95 warm path to\<5s. |
| **Allmanaged code** | Entire stack is 100% managed (.NET / TypeScript); no `unsafe` blocks or native extensions — eases review and reproducible builds. |
| **Restarttime plugins** | Avoids the attack surface of runtime DLL injection; still allows custom scanners & exporters. |
| **Sovereignbydesign** | No mandatory outbound traffic; Offline Kit distributes feeds. |
---
## 1·Module graph
```mermaid
graph TD
A(API Gateway)
B1(Scanner Core<br/>.NET latest LTS)
B2(Feedser service\n(vuln ingest/merge/export))
B3(Policy Engine OPA)
C1(Redis 7)
C2(MongoDB 7)
D(UI SPA<br/>Angular latest version)
A -->|gRPC| B1
B1 -->|async| B2
B1 -->|OPA| B3
B1 --> C1
B1 --> C2
A -->|REST/WS| D
````
---
## 2·Key components
| Component | Language / tech | Responsibility |
| ---------------------------- | --------------------- | ---------------------------------------------------- |
| **API Gateway** | ASP.NET Minimal API | Auth (JWT), quotas, request routing |
| **Scanner Core** | C# 12, Polly | Layer diffing, SBOM generation, vuln correlation |
| **Feedser (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical MongoDB store and drive JSON / Trivy DB exports |
| **Policy Engine** | OPA (Rego) | admission decisions, custom org rules |
| **Redis 7** | KeyDB compatible | LRU cache, quota counters |
| **MongoDB 7** | WiredTiger | SBOM & findings storage |
| **Angular {{ angular }} UI** | RxJS, Tailwind | Dashboard, reports, admin UX |
---
## 3·Plugin system
* Discovered once at startup from `/opt/stella/plugins/**`.
* Runs under Linux user `stellaplugin` (UID1001).
* Extension points:
* `ISbomMutator`
* `IVulnerabilityProvider`
* `IResultSink`
* Policy files (`*.rego`)
* Each DLL is SHA256 hashed; digest embedded in the run report for provenance.
Hotplugging is deferred until after v1.0 for security review.
---
## 4·Data & control flow
1. **Client** calls `/api/scan` with image reference.
2. **Gateway** enforces quota, forwards to **Scanner Core** via gRPC.
3. **Core**:
* Queries Redis for cached SBOM.
* If miss → pulls layers, generates SBOM.
* Executes plugins (mutators, additional scanners).
4. **Policy Engine** evaluates `scanResult` document.
5. **Findings** stored in MongoDB; WebSocket event notifies UI.
6. **ResultSink plugins** export to Slack, Splunk, JSON file, etc.
---
## 5·Security hardening
| Surface | Mitigation |
| ----------------- | ------------------------------------------------------------ |
| Container runtime | Distroless base, nonroot UID, seccomp + AppArmor |
| Plugin sandbox | Separate UID, SELinux profile, cgroup 1 CPU /256MiB |
| Supply chain | Cosign signatures, intoto SLSA Level3 (target) |
| Secrets | `Docker secrets` or K8s `Secret` mounts; never hardcoded |
| Quota abuse | Redis ratelimit gates (see `30_QUOTA_ENFORCEMENT_FLOW1.md`) |
---
## 6·Build & release pipeline (TL;DR)
* **Git commits** trigger CI → unit / integration / E2E tests.
* Successful merge to `main`:
* Build `.NET {{ dotnet }}` trimmed selfcontained binary.
* `docker build --sbom=spdx-json`.
* Sign image and tarball with Cosign.
* Attach SBOM + provenance; push to registry and download portal.
---
## 7·Future extraction path
Although the default deployment is a single container, each subservice can be
extracted:
* Feedser → standalone cron pod.
* Policy Engine → sidecar (OPA) with gRPC contract.
* ResultSink → queue worker (RabbitMQ or Azure Service Bus).
Interfaces are stable **as of v0.2 β**; extraction requires a recompilation
only, not a fork of the core.
---
*Last updated {{ "now" | date: "%Y%m%d" }} constants autoinjected.*