release orchestrator pivot, architecture and planning

2026-01-10 22:37:22 +02:00
parent c84f421e2f
commit d509c44411
130 changed files with 70292 additions and 721 deletions


@@ -15,27 +15,20 @@ Unless explicitly told otherwise, assume you are working inside the StellaOps mo
---
### 1) What is StellaOps?
## Project Overview
**StellaOps** is a next-generation, sovereign container-security toolkit built for high-speed, offline operation and released under AGPL-3.0-or-later.
**Stella Ops Suite** is a self-hostable, sovereign release control plane for non-Kubernetes container estates, released under AGPL-3.0-or-later. It orchestrates environment promotions (Dev → Stage → Prod), gates releases using reachability-aware security and policy, and produces verifiable evidence for every release decision.
StellaOps is a self-hostable, sovereign container-security platform that makes proof—not promises—default. It binds every container digest to content-addressed SBOMs (SPDX 3.0.1 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency, then layers deterministic, replayable scanning with entry-trace and VEX-first decisioning.
The platform combines:
- **Release orchestration** — UI-driven promotion, approvals, policy gates, rollbacks; hook-able with scripts
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking
- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system
- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay
“Next-gen” means:
Existing capabilities (operational): Reproducible vulnerability scanning with VEX-first decisioning, SBOM generation (SPDX 2.2/2.3 and CycloneDX 1.7; SPDX 3.0.1 planned), in-toto/DSSE attestations, and optional Sigstore Rekor transparency. The platform is designed for offline/air-gapped operation with regional crypto support (eIDAS/FIPS/GOST/SM).
* Findings are reproducible and explainable.
* Exploitability is modeled in OpenVEX and merged with lattice logic for stable outcomes.
* The same workflow runs online or fully air-gapped.
“Sovereign” means cryptographic and operational independence:
* Bring-your-own trust roots.
* Regional crypto readiness (eIDAS/FIPS/GOST/SM).
* Offline bundles and post-quantum-ready modes.
Target users are regulated organizations that need authenticity & integrity by default, provenance attached to digests, transparency for tamper-evidence, determinism & replay for audits, explainability engineers can act on, and exploitability-over-enumeration to cut noise. We minimize trust and blast radius with short-lived keys, least-privilege, and content-addressed caches; we stay air-gap friendly with mirrored feeds; and we keep governance honest with reviewable OPA/Rego policy gates and VEX-based waivers.
More documentation is in `./docs/*.md`. Start with `docs/README.md` to discover available documentation. When needed, you may request specific documents to be provided (e.g., `docs/modules/scanner/architecture.md`).
Planned capabilities (release orchestration): Environment management, release bundles, promotion workflows, deployment execution (Docker/Compose/ECS/Nomad agents), progressive delivery (A/B, canary), and a three-surface plugin system. See `docs/modules/release-orchestrator/README.md` for the full specification.
---
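Review bot: the rewrite removes the "Sovereign" definition (bring-your-own trust roots, offline bundles, post-quantum-ready modes) and the trust-minimisation sentence (short-lived keys, least-privilege, content-addressed caches, reviewable OPA/Rego policy gates, VEX-based waivers) without carrying them into the new Project Overview, which only keeps "regional crypto support"; since this file is the guidance agents read before working in the repo, suggest preserving that posture as one more bullet under "The platform combines:", e.g. `- **Sovereign trust** — bring-your-own trust roots, short-lived keys, least-privilege, reviewable OPA/Rego policy gates`. Separately, the SBOM format claim changes from "SPDX 3.0.1 and CycloneDX 1.6" to "SPDX 2.2/2.3 and CycloneDX 1.7; SPDX 3.0.1 planned" inside the same hunk; that is a factual correction unrelated to the release-orchestrator pivot and should be called out in the commit message or split into its own commit so the change in stated format support is reviewable on its own.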