# Module Landscape Overview

The Stella Ops Suite comprises existing modules (vulnerability scanning) and new modules (release orchestration). Modules are organized into **themes** (functional areas).

## Architecture Diagram

```
┌─────────────────────────────────────────────────────────────────────────────────────┐
│                                  STELLA OPS SUITE                                   │
│                                                                                     │
│  ┌───────────────────────────────────────────────────────────────────────────────┐  │
│  │                        EXISTING THEMES (Vulnerability)                        │  │
│  │                                                                               │  │
│  │  INGEST         VEXOPS         REASON         SCANENG        EVIDENCE         │  │
│  │  ├─concelier    ├─excititor    ├─policy       ├─scanner      ├─locker         │  │
│  │  └─advisory-ai  └─linksets     └─opa-runtime  ├─sbom-gen     ├─export         │  │
│  │                                               └─reachability └─timeline       │  │
│  │                                                                               │  │
│  │  RUNTIME        JOBCTRL        OBSERVE        REPLAY         DEVEXP           │  │
│  │  ├─signals      ├─scheduler    ├─notifier     └─replay-core  ├─cli            │  │
│  │  ├─graph        ├─orchestrator └─telemetry                   ├─web-ui         │  │
│  │  └─zastava      └─task-runner                                └─sdk            │  │
│  └───────────────────────────────────────────────────────────────────────────────┘  │
│                                                                                     │
│  ┌───────────────────────────────────────────────────────────────────────────────┐  │
│  │                      NEW THEMES (Release Orchestration)                       │  │
│  │                                                                               │  │
│  │  INTHUB (Integration Hub)                                                     │  │
│  │  ├─integration-manager   Central registry of configured integrations          │  │
│  │  ├─connection-profiles   Default settings + credential management             │  │
│  │  ├─connector-runtime     Plugin connector execution environment               │  │
│  │  └─doctor-checks         Integration health diagnostics                       │  │
│  │                                                                               │  │
│  │  ENVMGR (Environment & Inventory)                                             │  │
│  │  ├─environment-manager   Environment CRUD, ordering, config                   │  │
│  │  ├─target-registry       Deployment targets (hosts/services)                  │  │
│  │  ├─agent-manager         Agent registration, health, capabilities             │  │
│  │  └─inventory-sync        Drift detection, state reconciliation                │  │
│  │                                                                               │  │
│  │  RELMAN (Release Management)                                                  │  │
│  │  ├─component-registry    Image repos → components mapping                     │  │
│  │  ├─version-manager       Tag/digest → semver mapping                          │  │
│  │  ├─release-manager       Release bundle lifecycle                             │  │
│  │  └─release-catalog       Release history, search, compare                     │  │
│  │                                                                               │  │
│  │  WORKFL (Workflow Engine)                                                     │  │
│  │  ├─workflow-designer     Template creation, step graph editor                 │  │
│  │  ├─workflow-engine       DAG execution, state machine                         │  │
│  │  ├─step-executor         Step dispatch, retry, timeout                        │  │
│  │  └─step-registry         Built-in + plugin-provided steps                     │  │
│  │                                                                               │  │
│  │  PROMOT (Promotion & Approval)                                                │  │
│  │  ├─promotion-manager     Promotion request lifecycle                          │  │
│  │  ├─approval-gateway      Approval collection, SoD enforcement                 │  │
│  │  ├─decision-engine       Gate evaluation, policy integration                  │  │
│  │  └─gate-registry         Built-in + custom gates                              │  │
│  │                                                                               │  │
│  │  DEPLOY (Deployment Execution)                                                │  │
│  │  ├─deploy-orchestrator   Deployment job coordination                          │  │
│  │  ├─target-executor       Target-specific deployment logic                     │  │
│  │  ├─runner-executor       Script/hook execution sandbox                        │  │
│  │  ├─artifact-generator    Compose/script artifact generation                   │  │
│  │  └─rollback-manager      Rollback orchestration                               │  │
│  │                                                                               │  │
│  │  AGENTS (Deployment Agents)                                                   │  │
│  │  ├─agent-core            Shared agent runtime                                 │  │
│  │  ├─agent-docker          Docker host agent                                    │  │
│  │  ├─agent-compose         Docker Compose agent                                 │  │
│  │  ├─agent-ssh             SSH remote executor                                  │  │
│  │  ├─agent-winrm           WinRM remote executor                                │  │
│  │  ├─agent-ecs             AWS ECS agent                                        │  │
│  │  └─agent-nomad           HashiCorp Nomad agent                                │  │
│  │                                                                               │  │
│  │  PROGDL (Progressive Delivery)                                                │  │
│  │  ├─ab-manager            A/B release coordination                             │  │
│  │  ├─traffic-router        Router plugin orchestration                          │  │
│  │  ├─canary-controller     Canary ramp automation                               │  │
│  │  └─rollout-strategy      Strategy templates                                   │  │
│  │                                                                               │  │
│  │  RELEVI (Release Evidence)                                                    │  │
│  │  ├─evidence-collector    Evidence aggregation                                 │  │
│  │  ├─evidence-signer       Cryptographic signing                                │  │
│  │  ├─sticker-writer        Version sticker generation                           │  │
│  │  └─audit-exporter        Compliance report generation                         │  │
│  │                                                                               │  │
│  │  PLUGIN (Plugin Infrastructure)                                               │  │
│  │  ├─plugin-registry       Plugin discovery, versioning                         │  │
│  │  ├─plugin-loader         Plugin lifecycle management                          │  │
│  │  ├─plugin-sandbox        Isolation, resource limits                           │  │
│  │  └─plugin-sdk            SDK for plugin development                           │  │
│  └───────────────────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────────────┘
```

## Theme Summary

### Existing Themes (Vulnerability Scanning)

| Theme | Purpose | Key Modules |
|-------|---------|-------------|
| **INGEST** | Advisory ingestion | concelier, advisory-ai |
| **VEXOPS** | VEX document handling | excititor, linksets |
| **REASON** | Policy and decisioning | policy, opa-runtime |
| **SCANENG** | Scanning and SBOM | scanner, sbom-gen, reachability |
| **EVIDENCE** | Evidence and attestation | locker, export, timeline |
| **RUNTIME** | Runtime signals | signals, graph, zastava |
| **JOBCTRL** | Job orchestration | scheduler, orchestrator, task-runner |
| **OBSERVE** | Observability | notifier, telemetry |
| **REPLAY** | Deterministic replay | replay-core |
| **DEVEXP** | Developer experience | cli, web-ui, sdk |

### New Themes (Release Orchestration)

| Theme | Purpose | Key Modules | Documentation |
|-------|---------|-------------|---------------|
| **INTHUB** | Integration hub | integration-manager, connection-profiles, connector-runtime, doctor-checks | [Details](integration-hub.md) |
| **ENVMGR** | Environment & inventory | environment-manager, target-registry, agent-manager, inventory-sync | [Details](environment-manager.md) |
| **RELMAN** | Release management | component-registry, version-manager, release-manager, release-catalog | [Details](release-manager.md) |
| **WORKFL** | Workflow engine | workflow-designer, workflow-engine, step-executor, step-registry | [Details](workflow-engine.md) |
| **PROMOT** | Promotion & approval | promotion-manager, approval-gateway, decision-engine, gate-registry | [Details](promotion-manager.md) |
| **DEPLOY** | Deployment execution | deploy-orchestrator, target-executor, runner-executor, artifact-generator, rollback-manager | [Details](deploy-orchestrator.md) |
| **AGENTS** | Deployment agents | agent-core, agent-docker, agent-compose, agent-ssh, agent-winrm, agent-ecs, agent-nomad | [Details](agents.md) |
| **PROGDL** | Progressive delivery | ab-manager, traffic-router, canary-controller, rollout-strategy | [Details](progressive-delivery.md) |
| **RELEVI** | Release evidence | evidence-collector, evidence-signer, sticker-writer, audit-exporter | [Details](evidence.md) |
| **PLUGIN** | Plugin infrastructure | plugin-registry, plugin-loader, plugin-sandbox, plugin-sdk | [Details](plugin-system.md) |

## Module Dependencies

```
                   ┌──────────────┐
                   │  AUTHORITY   │
                   └───────┬──────┘
                           │
        ┌──────────────────┼──────────────────┐
        │                  │                  │
        ▼                  ▼                  ▼
┌───────────────┐  ┌───────────────┐  ┌───────────────┐
│    INTHUB     │  │    ENVMGR     │  │    PLUGIN     │
│ (Integrations)│  │ (Environments)│  │   (Plugins)   │
└───────┬───────┘  └───────┬───────┘  └───────┬───────┘
        │                  │                  │
        └──────────────────┼──────────────────┘
                           │
                           ▼
                   ┌───────────────┐
                   │    RELMAN     │
                   │  (Releases)   │
                   └───────┬───────┘
                           │
                           ▼
                   ┌───────────────┐
                   │    WORKFL     │
                   │  (Workflows)  │
                   └───────┬───────┘
                           │
        ┌──────────────────┴──────────────────┐
        │                                     │
        ▼                                     ▼
┌───────────────┐                     ┌───────────────┐
│    PROMOT     │                     │    DEPLOY     │
│  (Promotion)  │                     │ (Deployment)  │
└───────┬───────┘                     └───────┬───────┘
        │                                     │
        │                                     ▼
        │                             ┌───────────────┐
        │                             │    AGENTS     │
        │                             │   (Agents)    │
        │                             └───────┬───────┘
        │                                     │
        └──────────────────┬──────────────────┘
                           │
                           ▼
                   ┌───────────────┐
                   │    RELEVI     │
                   │  (Evidence)   │
                   └───────────────┘
```

## Communication Patterns

| Pattern | Usage |
|---------|-------|
| **Synchronous API** | User-initiated operations (CRUD, queries) |
| **Event Bus** | Cross-module notifications (domain events) |
| **Task Queue** | Long-running operations (deployments, syncs) |
| **WebSocket/SSE** | Real-time UI updates |
| **gRPC Streams** | Agent communication |

## Database Schema Organization

Each theme owns a PostgreSQL schema:

| Schema | Owner Theme |
|--------|-------------|
| `release.integrations` | INTHUB |
| `release.environments` | ENVMGR |
| `release.components` | RELMAN |
| `release.workflows` | WORKFL |
| `release.promotions` | PROMOT |
| `release.deployments` | DEPLOY |
| `release.agents` | AGENTS |
| `release.evidence` | RELEVI |
| `release.plugins` | PLUGIN |