save checkpoint

This commit is contained in:
master
2026-02-11 01:32:14 +02:00
parent 5593212b41
commit cf5b72974f
2316 changed files with 68799 additions and 3808 deletions


@@ -237,10 +237,12 @@ Fail-closed controls:
- Reject non-canonical paths, JSON ordering, and archive metadata outside policy.
- Require pinned toolchain digests (`@sha256:...`) and deterministic build settings.
- Require DSSE-signed provenance and in-toto link evidence before promotion.
- Apply evidence-based release gates (score thresholds, Rekor freshness, build-link digest binding, and k-of-n DSSE signer requirements) per lane policy.
- Enforce Source Track governance signals in provenance policy (review quorum, no-self-merge, protected branch, status checks, and source policy hash binding).
**Modules:** `Attestor`, `ReleaseOrchestrator`, `EvidenceLocker`, `AirGap`, `Policy`
**Docs:** `docs/modules/attestor/repro-bundle-profile.md`
**Docs:** `docs/modules/attestor/repro-bundle-profile.md`, `docs/modules/release-orchestrator/workflow/evidence-based-release-gates.md`
### 14. Controlled Conversational Advisor
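Review bot: the two new gate bullets (`Apply evidence-based release gates ...` and `Enforce Source Track governance signals ...`) do not say what happens when the evidence is absent rather than failing, which matters under a heading that promises fail-closed behaviour; suggest stating explicitly that a missing Rekor entry, missing build-link digest, missing source policy hash or fewer than k valid DSSE signatures is a rejection, not a skipped check. Two smaller points on the same bullet: "score thresholds" names no score, so either name the score being thresholded or drop it, and "k-of-n DSSE signer requirements" should say that the n signers are a policy-pinned set (k signatures from arbitrary keys would satisfy the count while binding nothing). The Docs line replacement is fine as is.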
@@ -267,6 +269,20 @@ Key controls:
**Docs:** `docs/modules/scanner/operations/ai-code-guard.md`, `docs/modules/policy/guides/ai-code-guard-policy.md`
### 16. SBOM and Attestation Hot Lookup Plane (Planned)
**Keep hot lookups sub-second without turning OLTP into an analytics warehouse.** Stella keeps full SBOM/attestation payloads in CAS/object storage and projects query-critical fields into a partitioned PostgreSQL hot-lookup plane.
Key controls:
- Narrow relational keys for exact matching (`payload_digest`, canonical SBOM hash, insertion time).
- JSONB search slices for component/VEX triage queries with bounded index scope.
- Time partitioning for deterministic retention and cheap partition-drop cleanup.
- Separation of concerns: replay/audit blobs stay in CAS; analytics stays in `analytics.*` and can be exported to external columnar systems when needed.
**Modules:** `Scanner`, `Attestor`, `Policy`, `Analytics`
**Docs:** `docs/modules/scanner/sbom-attestation-hot-lookup-profile.md`
---
## Competitive Moats Summary
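Review bot: the hot-lookup plane as described in section 16 can become an unverified second source of truth. The projected fields (the "query-critical fields" and the "JSONB search slices") should be extracted only from payloads whose attestations have already been verified, and every hot-lookup row should carry the `payload_digest` it was projected from, so that a triage result can be re-verified against the CAS blob rather than trusted from the index; the bullet on narrow relational keys mentions `payload_digest`, but the section never says the projection is derived post-verification or that results are re-checkable. Two consistency points: the heading says "(Planned)" while the body says "Stella keeps full SBOM/attestation payloads ...", so either drop the label or switch to future tense; and "insertion time" is listed under "exact matching" keys, which it is not (it is a range/partition key), so it belongs with the time-partitioning bullet. Also worth a sentence: partition-drop retention must not outrun the audit retention of the CAS blobs those rows point to, otherwise the replay/audit path and the hot path disagree on what exists.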
@@ -299,4 +315,5 @@ Key controls:
- **Competitive Landscape**: [`docs/product/competitive-landscape.md`](product/competitive-landscape.md)
- **Quickstart**: [`docs/quickstart.md`](quickstart.md)
- **Feature Matrix**: [`docs/FEATURE_MATRIX.md`](FEATURE_MATRIX.md)
- **SBOM/Attestation Hot Lookup Profile**: [`docs/modules/scanner/sbom-attestation-hot-lookup-profile.md`](modules/scanner/sbom-attestation-hot-lookup-profile.md)
- **Controlled Conversational Interface Advisory**: [`docs-archived/product/advisories/13-Jan-2026 - Controlled Conversational Interface.md`](../docs-archived/product/advisories/13-Jan-2026%20-%20Controlled%20Conversational%20Interface.md)
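Review bot: the new index entry links `docs/modules/scanner/sbom-attestation-hot-lookup-profile.md` without the "(Planned)" qualifier that the corresponding section 16 carries, so readers of the index will expect an implemented feature; either label the entry the same way or confirm the linked file is actually part of this commit rather than a dangling reference.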