release orchestrator pivot, architecture and planning

docs/README.md

@@ -1,6 +1,13 @@
-# StellaOps Documentation
+# Stella Ops Suite Documentation
 
-StellaOps is a deterministic, offline-first container security platform: every verdict links back to concrete evidence (SBOM slices, advisory/VEX observations, reachability proofs, policy explain traces) and can be replayed for audits.
+**Stella Ops Suite** is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
+
+The platform combines:
+- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
+- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
+- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking
+- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system
+- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay
 
 ## Two Levels of Documentation
 
@@ -11,39 +18,98 @@ This documentation set is internal and does not keep compatibility stubs for old
 
 ## Start Here
 
+### Product Understanding
+
 | Goal | Open this |
 | --- | --- |
 | Understand the product in 2 minutes | [overview.md](overview.md) |
-| Run a first scan (CLI) | [quickstart.md](quickstart.md) |
 | Browse capabilities | [key-features.md](key-features.md) |
+| Feature matrix | [FEATURE_MATRIX.md](FEATURE_MATRIX.md) |
+| Product vision | [product/VISION.md](product/VISION.md) |
 | Roadmap (priorities + definition of "done") | [ROADMAP.md](ROADMAP.md) |
+
+### Getting Started
+
+| Goal | Open this |
+| --- | --- |
+| Run a first scan (CLI) | [quickstart.md](quickstart.md) |
+| Ingest advisories (Concelier + CLI) | [CONCELIER_CLI_QUICKSTART.md](CONCELIER_CLI_QUICKSTART.md) |
+| Console (Web UI) operator guide | [UI_GUIDE.md](UI_GUIDE.md) |
+| Offline / air-gap operations | [OFFLINE_KIT.md](OFFLINE_KIT.md) |
+
+### Architecture
+
+| Goal | Open this |
+| --- | --- |
 | Architecture: high-level overview | [ARCHITECTURE_OVERVIEW.md](ARCHITECTURE_OVERVIEW.md) |
 | Architecture: full reference map | [ARCHITECTURE_REFERENCE.md](ARCHITECTURE_REFERENCE.md) |
 | Architecture: user flows (UML) | [technical/architecture/user-flows.md](technical/architecture/user-flows.md) |
-| Architecture: module matrix (46 modules) | [technical/architecture/module-matrix.md](technical/architecture/module-matrix.md) |
+| Architecture: module matrix | [technical/architecture/module-matrix.md](technical/architecture/module-matrix.md) |
 | Architecture: data flows | [technical/architecture/data-flows.md](technical/architecture/data-flows.md) |
 | Architecture: schema mapping | [technical/architecture/schema-mapping.md](technical/architecture/schema-mapping.md) |
-| Offline / air-gap operations | [OFFLINE_KIT.md](OFFLINE_KIT.md) |
-| Security deployment hardening | [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md) |
-| Ingest advisories (Concelier + CLI) | [CONCELIER_CLI_QUICKSTART.md](CONCELIER_CLI_QUICKSTART.md) |
+| Release Orchestrator architecture | [modules/release-orchestrator/architecture.md](modules/release-orchestrator/architecture.md) |
+
+### Development & Operations
+
+| Goal | Open this |
+| --- | --- |
 | Develop plugins/connectors | [PLUGIN_SDK_GUIDE.md](PLUGIN_SDK_GUIDE.md) |
-| Console (Web UI) operator guide | [UI_GUIDE.md](UI_GUIDE.md) |
+| Security deployment hardening | [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md) |
 | VEX consensus and issuer trust | [VEX_CONSENSUS_GUIDE.md](VEX_CONSENSUS_GUIDE.md) |
 | Vulnerability Explorer guide | [VULNERABILITY_EXPLORER_GUIDE.md](VULNERABILITY_EXPLORER_GUIDE.md) |
 
 ## Detailed Indexes
 
 - **Technical index (everything):** [docs/technical/README.md](/docs/technical/)
-- **End-to-end workflow flows:** [docs/flows/](/docs/flows/) (16 detailed flow documents)
+- **End-to-end workflow flows:** [docs/flows/](/docs/flows/)
 - **Module dossiers:** [docs/modules/](/docs/modules/)
 - **API contracts and samples:** [docs/api/](/docs/api/)
 - **Architecture notes / ADRs:** [docs/technical/architecture/](/docs/technical/architecture/), [docs/technical/adr/](/docs/technical/adr/)
-- **Operations and deployment:** [docs/operations/](/docs/operations/), [docs/deploy/](/docs/deploy/), [docs/deployment/](/docs/deployment/)
+- **Operations and deployment:** [docs/operations/](/docs/operations/)
 - **Air-gap workflows:** [docs/modules/airgap/guides/](/docs/modules/airgap/guides/)
 - **Security deep dives:** [docs/security/](/docs/security/)
 - **Benchmarks and fixtures:** [docs/benchmarks/](/docs/benchmarks/), [docs/assets/](/docs/assets/)
+- **Product advisories:** [docs/product/advisories/](/docs/product/advisories/)
 
-## Notes
+## Platform Themes
 
-- The product is **offline-first**: docs and examples should avoid network dependencies and prefer deterministic fixtures.
-- Feature exposure is configuration-driven; module dossiers define authoritative schemas and contracts per component.
+Stella Ops Suite organizes capabilities into themes:
+
+### Existing Themes (Operational)
+
+| Theme | Purpose | Key Modules |
+|-------|---------|-------------|
+| **INGEST** | Advisory ingestion | Concelier, Advisory-AI |
+| **VEXOPS** | VEX document handling | Excititor, VEX Lens, VEX Hub |
+| **REASON** | Policy and decisioning | Policy Engine, OPA Runtime |
+| **SCANENG** | Scanning and SBOM | Scanner, SBOM Service, Reachability |
+| **EVIDENCE** | Evidence and attestation | Evidence Locker, Attestor, Export Center |
+| **RUNTIME** | Runtime signals | Signals, Graph, Zastava |
+| **JOBCTRL** | Job orchestration | Scheduler, Orchestrator, TaskRunner |
+| **OBSERVE** | Observability | Notifier, Telemetry |
+| **REPLAY** | Deterministic replay | Replay Engine |
+| **DEVEXP** | Developer experience | CLI, Web UI, SDK |
+
+### Planned Themes (Release Orchestration)
+
+| Theme | Purpose | Key Modules |
+|-------|---------|-------------|
+| **INTHUB** | Integration hub | Integration Manager, Connection Profiles, Connector Runtime |
+| **ENVMGR** | Environment management | Environment Manager, Target Registry, Agent Manager |
+| **RELMAN** | Release management | Component Registry, Version Manager, Release Manager |
+| **WORKFL** | Workflow engine | Workflow Designer, Workflow Engine, Step Executor |
+| **PROMOT** | Promotion and approval | Promotion Manager, Approval Gateway, Decision Engine |
+| **DEPLOY** | Deployment execution | Deploy Orchestrator, Target Executor, Artifact Generator |
+| **AGENTS** | Deployment agents | Agent Core, Docker/Compose/ECS/Nomad agents |
+| **PROGDL** | Progressive delivery | A/B Manager, Traffic Router, Canary Controller |
+| **RELEVI** | Release evidence | Evidence Collector, Sticker Writer, Audit Exporter |
+| **PLUGIN** | Plugin infrastructure | Plugin Registry, Plugin Loader, Plugin SDK |
+
+## Design Principles
+
+- **Offline-first**: All core operations work in air-gapped environments
+- **Deterministic replay**: Same inputs yield same outputs (stable ordering, canonical hashing)
+- **Evidence-linked decisions**: Every decision links to concrete evidence artifacts
+- **Digest-first release identity**: Releases are immutable OCI digests, not mutable tags
+- **Pluggable everything**: Integrations are plugins; core orchestration is stable
+- **No feature gating**: All plans include all features; limits are environments + new digests/day