# StellaOps Module Documentation Index This directory contains architecture documentation for all StellaOps modules. --- ## Platform Statistics | Metric | Count | |--------|-------| | Source modules | 63 | | Documented modules | 79 | | Runnable services (Program.cs) | 47 | | Modules with workers | 19 | | PostgreSQL databases | 30 | | SQL migration files | ~180 | | Total .csproj files | 1,105 | --- ## Module Categories ### Core Platform | Module | Path | Description | |--------|------|-------------| | [Authority](./authority/) | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP. Includes IssuerDirectory (Sprint 216). | | [Router](./router/) | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Also contains `StellaOps.Gateway.WebService` for HTTP ingress and binary protocol bridging. | | [Platform](./platform/) | `src/Platform/` | Platform architecture and Platform Service aggregation APIs | ### Data Ingestion | Module | Path | Description | |--------|------|-------------| | [Concelier](./concelier/) | `src/Concelier/` | Vulnerability advisory ingestion and merge engine. Includes Feedser and Excititor (Sprint 203). | | [VexLens](./vex-lens/) | `src/VexLens/` | VEX consensus computation across issuers | | [VexHub](./vex-hub/) | `src/VexHub/` | VEX distribution and exchange hub | | [Mirror](./mirror/) | `src/Mirror/` | Vulnerability feed mirror and distribution | ### Scanning & Analysis | Module | Path | Description | |--------|------|-------------| | [Scanner](./scanner/) | `src/Scanner/` | Container scanning with SBOM generation. Includes Cartographer (Sprint 201). | | [BinaryIndex](./binary-index/) | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). | | [AdvisoryAI](./advisory-ai/) | `src/AdvisoryAI/` | AI-assisted advisory analysis. Includes OpsMemory (Sprint 213). | | [ReachGraph](./reach-graph/) | `src/ReachGraph/` | Reachability graph service | ### Artifacts & Evidence | Module | Path | Description | |--------|------|-------------| | [Attestor](./attestor/) | `src/Attestor/` | in-toto/DSSE attestation generation. Includes Signer and Provenance (Sprint 204). | | [SbomService](./sbom-service/) | `src/SbomService/` | SBOM storage, versioning, and lineage ledger | | [EvidenceLocker](./evidence-locker/) | `src/EvidenceLocker/` | Sealed evidence storage and export | | [ExportCenter](./export-center/) | `src/ExportCenter/` | Batch export and report generation | | [Provcache](./prov-cache/) | Library | Production provenance cache shared library family | ### Policy & Risk | Module | Path | Description | |--------|------|-------------| | [Policy](./policy/) | `src/Policy/` | Policy engine with K4 lattice logic | | [Unknowns](./unknowns/) | `src/Unknowns/` | Unknown component tracking registry (boundary preserved, Sprint 206) | | [Findings](./findings-ledger/) | `src/Findings/` | Centralized findings aggregation and evidence graphs. Includes RiskEngine and VulnExplorer (Sprint 207). | ### Release & Orchestration | Module | Path | Description | |--------|------|-------------| | [ReleaseOrchestrator](./release-jobengine/) | `src/ReleaseOrchestrator/` | Central release control plane (active development) | | [JobEngine](./jobengine/) | `src/JobEngine/` | Workflow orchestration, job scheduling, task execution, and pack registry. Includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | | [Remediation](./remediation/) | `src/Remediation/` | Fix template marketplace for CVE remediation | ### Operations & Observability | Module | Path | Description | |--------|------|-------------| | [Doctor](./doctor/) | `src/Doctor/` | Diagnostic framework for system health validation | | [Notify](./notify/) | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks). Boundary preserved with Notifier (Sprint 209). | | [Notifier](./notifier/) | `src/Notifier/` | Notifications Studio host. Boundary preserved with Notify (Sprint 209). | | [Timeline](./timeline/) | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | | [Replay](./replay/) | `src/Replay/` | Deterministic replay engine | ### Integration & Clients | Module | Path | Description | |--------|------|-------------| | [CLI](./cli/) | `src/Cli/` | Command-line interface (Native AOT) | | [Zastava](./zastava/) | `src/Zastava/` | Container registry webhook observer | | [Web/UI](./ui/) | `src/Web/` | Angular 21 frontend SPA | | [API](./api/) | `src/Api/` | OpenAPI contracts and governance | | [Registry](./registry/) | `src/Registry/` | Container registry integration | | [Integrations](./integrations/) | `src/Integrations/` | Integration hub for external systems (SCM, CI, registries, secrets). Includes IDE extensions (VS Code, JetBrains) under `__Extensions/` (Sprint 214). | ### Infrastructure & Libraries | Module | Path | Description | |--------|------|-------------| | [Cryptography](./cryptography/) | `src/Cryptography/` | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) | | [SmRemote](./sm-remote/) | `src/SmRemote/` | Remote SM2/SM3/SM4 cryptographic operations | | [Telemetry](./telemetry/) | `src/Telemetry/` | OpenTelemetry traces, metrics, logging | | [Graph](./graph/) | `src/Graph/` | Call graph and reachability data structures | | [Signals](./signals/) | `src/Signals/` | Runtime signal collection and correlation | | [AirGap](./airgap/) | `src/AirGap/` | Air-gapped deployment support | | [AOC](./aoc/) | `src/Aoc/` | Append-Only Contract enforcement | | [Plugin](./plugin/) | `src/Plugin/` | Plugin SDK, registry, sandbox, and host framework | | [RuntimeInstrumentation](./runtime-instrumentation/) | `src/RuntimeInstrumentation/` | Tetragon-based eBPF runtime instrumentation | | [Facet](./facet/) | Library | Production cross-module faceting library (Scanner + Policy) | ### Testing & Benchmarks | Module | Path | Description | |--------|------|-------------| | [Benchmark](./benchmark/) | Scanner library | Competitive benchmarking (accuracy comparison) | | [Tools](./tools/) | `src/Tools/` | Developer utility tools, benchmarks, SDK generator, verifier, dev portal. Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). | ### Cross-Cutting Concepts | Folder | Purpose | |--------|---------| | [Analytics](./analytics/) | Analytics capabilities (embedded in Platform) | | [Evidence](./evidence/) | Unified evidence model specification | | [Eventing](./eventing/) | Event envelope schemas and libraries | | [Snapshot](./snapshot/) | Knowledge snapshot and replay concepts | | [Triage](./triage/) | Vulnerability triage workflows | | [DevOps](./devops/) | DevOps and CI/CD infrastructure | | [CI](./ci/) | CI pipeline documentation | | [Reachability](./reachability/) | Reachability concepts (split between ReachGraph and Scanner) | | [SARIF Export](./sarif-export/) | SARIF export format (capability within ExportCenter) | --- ## Module Catalog ### AdvisoryAI - **Source**: `src/AdvisoryAI/` - **Docs**: [`docs/modules/advisory-ai/`](./advisory-ai/) - **Type**: Service - **Database**: PostgreSQL (2 SQL migrations: chat audit, knowledge search) - **Endpoints**: 7 (attestation, chat, evidence pack, knowledge search, LLM adapter, run, companion explain) AI-powered advisory summarization and knowledge search service using LLM inference to explain vulnerability advisories, VEX evidence, and remediation guidance. Uses retrieval-augmented generation (RAG) over advisories, VEX, and platform documentation with configurable LLM backends (Claude, OpenAI, Ollama, Gemini). Includes chat audit logging, doctor-search controls, and guardrails for determinism and offline operation. **Dependencies**: Concelier, VEX Lens / Excititor, Policy Engine, SBOM Service, LLM providers. --- ### AirGap - **Source**: `src/AirGap/` - **Docs**: [`docs/modules/airgap/`](./airgap/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration) - **Endpoints**: 1 (AirGapEndpoints) Air-gapped deployment controller, importer, and cryptographic time anchor enabling StellaOps operation in fully disconnected environments. Handles bundle import/export, trust verification, and sealed-mode enforcement. Time service provides cryptographic time anchors using Roughtime or RFC3161. **Dependencies**: Authority, Concelier / Excititor, Signer / Attestor. --- ### Aoc - **Source**: `src/Aoc/` - **Docs**: [`docs/modules/aoc/`](./aoc/) - **Type**: CLI / Library - **Database**: None - **Endpoints**: None CLI tool and Roslyn analyzers enforcing the Aggregation-Only Contract (AOC) across the platform. Validates that ingestion services preserve raw upstream data without modification, maintain full provenance chains, and never merge conflicting observations. **Dependencies**: None (standalone validation tool). --- ### Api - **Source**: `src/Api/` - **Docs**: [`docs/modules/api/`](./api/) - **Type**: Library - **Database**: None - **Endpoints**: None Shared API contracts, governance rules, and OpenAPI generation libraries used across all StellaOps services. Includes `StellaOps.Api` (core contracts), `StellaOps.Api.Governance` (validators), and `StellaOps.Api.OpenApi` (specification generation). **Dependencies**: None (consumed as a library). --- ### Attestor - **Source**: `src/Attestor/` - **Docs**: [`docs/modules/attestor/`](./attestor/) - **Type**: Service - **Database**: PostgreSQL (`ProofChainDbContext`, 10 SQL migrations) - **Endpoints**: 6 (verdict, predicate registry, core attestor, watchlist, and more) Transparency-logged attestation service that submits DSSE envelopes to Rekor v2, retrieves inclusion proofs, and exposes verification APIs. Accepts DSSE only from the Signer over mTLS and enforces chain-of-trust to Stella Ops roots. Includes predicate type registry, identity watchlist, and trust verdict storage. **Dependencies**: Signer, Rekor v2, Authority. --- ### Authority - **Source**: `src/Authority/` - **Docs**: [`docs/modules/authority/`](./authority/) - **Type**: Service - **Database**: PostgreSQL (7 SQL migrations) - **Endpoints**: 4+ (authorize, token, JWKS, discovery) On-premises OIDC/OAuth2 identity service issuing short-lived, sender-constrained operational tokens (OpToks) with DPoP and mTLS binding. Supports RBAC scopes, multi-tenant claims with header-based tenant selection, deterministic validation, console admin endpoints, and LDAP/Standard client provisioning plugins. **Dependencies**: Valkey (DPoP nonce store, token caching). --- ### Bench (archived -- absorbed into Tools) - **Source**: `src/Tools/StellaOps.Bench/` - **Docs**: [`docs/modules/tools/`](./tools/) - **Type**: Tool - **Database**: None - **Endpoints**: None Performance benchmark harnesses for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Absorbed into `src/Tools/` as of Sprint 212. **Dependencies**: None (standalone benchmarks). --- ### BinaryIndex - **Source**: `src/BinaryIndex/` - **Docs**: [`docs/modules/binary-index/`](./binary-index/) - **Type**: Service - **Database**: PostgreSQL (`BinaryIndexDbContext`, 5 SQL migrations) - **Endpoints**: Defined in WebService Program.cs Vulnerable binaries database enabling detection of vulnerable code at the binary level, independent of package metadata, using fingerprint claims and delta signatures. Addresses unreliable package version strings (backports, custom builds, stripped metadata). **Dependencies**: Scanner, Concelier. --- ### Cartographer (absorbed into Scanner -- Sprint 201) - **Source**: `src/Scanner/StellaOps.Scanner.Cartographer/` (moved from `src/Cartographer/`) - **Docs**: Historical doc archived at `docs-archived/modules/cartographer/README.md`; active contract is [`docs/modules/scanner/`](./scanner/) - **Type**: Service - **Database**: None - **Endpoints**: Defined in Scanner Program.cs Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator. Consolidated into Scanner per Sprint 201. **Dependencies**: Graph, Scanner. --- ### CLI - **Source**: `src/Cli/` - **Docs**: [`docs/modules/cli/`](./cli/) - **Type**: CLI - **Database**: None - **Endpoints**: None Command-line interface for driving StellaOps workflows including scanning, policy operations, VEX/vulnerability data pulls, verification, offline kit administration, knowledge search, and migration management. Supports build-time SBOM generation via Buildx orchestration and authenticates via Authority DPoP tokens. **Dependencies**: Scanner.WebService, Authority, AdvisoryAI, Policy Engine, Concelier / Excititor, Signer / Attestor, Platform. --- ### Concelier - **Source**: `src/Concelier/` - **Docs**: [`docs/modules/concelier/`](./concelier/) - **Type**: Service - **Database**: PostgreSQL (24 SQL migrations) - **Endpoints**: 9 (advisory source, air-gap, canonical advisory, federation, feed mirror, feed snapshot, interest score, mirror, SBOM) Advisory ingestion and Link-Not-Merge (LNM) observation pipeline producing deterministic raw observations, correlation linksets, and evidence events. Acquires authoritative vulnerability advisories from vendor PSIRTs, distros, OSS ecosystems, and CERTs, persisting them as immutable observations under AOC. **Dependencies**: Policy Engine, Excititor, Graph, AirGap, Feedser. --- ### Cryptography - **Source**: `src/Cryptography/` - **Docs**: [`docs/modules/cryptography/`](./cryptography/) - **Type**: Library - **Database**: None - **Endpoints**: None Pluggable cryptographic primitives supporting regional standards (eIDAS, FIPS, GOST, SM) with algorithm-agile signing operations. Plugins include HSM integration, ECDSA, and EdDSA signing profiles. All operations are deterministic and support offline operation. **Dependencies**: None (consumed as a library by Signer, Attestor, and other services). --- ### DevPortal (archived -- absorbed into Tools) - **Source**: `src/Tools/StellaOps.DevPortal.Site/` - **Docs**: [`docs/modules/tools/`](./tools/) - **Type**: Static Site - **Database**: None - **Endpoints**: None Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Absorbed into `src/Tools/` as of Sprint 212. **Dependencies**: None (static site). --- ### Doctor - **Source**: `src/Doctor/` - **Docs**: [`docs/modules/doctor/`](./doctor/) - **Type**: Service - **Database**: None (uses Valkey for caching) - **Endpoints**: 3 (doctor, scheduler, timestamping) Diagnostic framework for validating system health, configuration, integration connectivity, and OCI registry compatibility. Plugin-based architecture with binary analysis, notification validation, and observability probing. Integrates with AdvisoryAI knowledge search for diagnostic assistance. **Dependencies**: All platform services (health check targets), external registries, AdvisoryAI. --- ### EvidenceLocker - **Source**: `src/EvidenceLocker/` - **Docs**: [`docs/modules/evidence-locker/`](./evidence-locker/) - **Type**: Service - **Database**: PostgreSQL (`EvidenceDbContext`, 5 SQL migrations) - **Endpoints**: 4 (evidence audit, evidence thread, export, verdict) Tamper-proof, immutable evidence storage for vulnerability scan evidence, audit logs, and compliance artifacts with cryptographic sealing. Evidence is content-addressable. Once sealed, evidence cannot be modified. Supports threads, verdicts, bundle packaging, and portable bundles for offline compliance audits. **Dependencies**: Attestor, Authority, object storage. --- ### Excititor (absorbed into Concelier -- Sprint 203) - **Source**: `src/Concelier/` (moved from `src/Excititor/`) - **Docs**: [`docs/modules/excititor/`](./excititor/) (historical reference; see [`docs/modules/concelier/`](./concelier/)) - **Type**: Service - **Database**: PostgreSQL (10 SQL migrations, separate ExcititorDbContext) - **Endpoints**: 11 (attestation, evidence, ingest, linkset, mirror, mirror registration, observation, policy, Rekor attestation, resolve, risk feed) VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged. Consolidated into Concelier per Sprint 203; DbContext remains separate. **Dependencies**: Policy Engine, Concelier, Attestor, Graph. --- ### ExportCenter - **Source**: `src/ExportCenter/` - **Docs**: [`docs/modules/export-center/`](./export-center/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration) - **Endpoints**: 15 (profile management, export runs, distribution, status, download) Evidence and policy overlay packaging service producing reproducible, deterministic export bundles in multiple formats (JSON, SARIF, offline kit). Enforces AOC guardrails and produces deterministic manifests with optional signing and distribution to OCI registries or object storage. **Dependencies**: Findings Ledger, Policy Engine, JobEngine, Authority, Attestor, object storage. --- ### Extensions (absorbed into Integrations -- Sprint 214) - **Source**: `src/Integrations/__Extensions/` (moved from `src/Extensions/`) - **Docs**: See [Integrations architecture](./integrations/architecture.md#ide-extensions-vs-code-jetbrains) - **Type**: IDE Extensions (non-.NET: TypeScript/Kotlin) - **Database**: None - **Endpoints**: None IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment. Now lives under the Integrations module. **Dependencies**: Platform API, JobEngine API, Authority. --- ### Feedser (absorbed into Concelier -- Sprint 203) - **Source**: `src/Concelier/` (moved from `src/Feedser/`) - **Docs**: [`docs/modules/feedser/`](./feedser/) (historical reference; see [`docs/modules/concelier/`](./concelier/)) - **Type**: Library - **Database**: None - **Endpoints**: None Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization. Consolidated into Concelier per Sprint 203. **Dependencies**: None (consumed as a library by Concelier). --- ### Findings - **Source**: `src/Findings/` - **Docs**: [`docs/modules/findings-ledger/`](./findings-ledger/) - **Type**: Service - **Database**: PostgreSQL (via shared libraries) - **Endpoints**: 8 (backport, evidence graph, finding summary, reachability map, runtime timeline, runtime traces, scoring, webhook) Centralized findings aggregation service providing backport tracking, evidence graphs, finding summaries, reachability maps, runtime timelines, scoring, and webhook notifications. Aggregates vulnerability findings from Scanner, Policy, Concelier, and Excititor into a unified query surface. Includes a LedgerReplayHarness tool for deterministic replay testing. **Dependencies**: Scanner, Policy Engine, Concelier / Excititor, Attestor. --- ### Gateway (deleted -- Sprint 200) - **Source**: _(deleted)_ -- Gateway WebService now lives under `src/Router/StellaOps.Gateway.WebService/` - **Docs**: [`docs-archived/modules/gateway/`](../docs-archived/modules/gateway/) (historical reference) - **Type**: _(deleted)_ - **Database**: None - **Endpoints**: None The standalone `src/Gateway/` module was deleted in Sprint 200. The canonical Gateway WebService (`StellaOps.Gateway.WebService`) now lives under `src/Router/`. The Router module owns HTTP ingress, binary protocol bridging, routing, and transport abstraction. **Dependencies**: See Router. --- ### Graph - **Source**: `src/Graph/` - **Docs**: [`docs/modules/graph/`](./graph/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration in Graph Indexer Persistence) - **Endpoints**: 3 (graph query, analytics, overlay) SBOM dependency graph store with a rich node/edge model covering artifacts, SBOMs, components, advisories, VEX statements, and policy versions with reachability overlays. The Graph Indexer processes events from Cartographer/SBOM Service, Concelier/Excititor, and policy runs to maintain the graph. **Dependencies**: Cartographer / SBOM Service, Concelier / Excititor, Policy Engine, Scanner. --- ### Integrations - **Source**: `src/Integrations/` - **Docs**: [`docs/modules/integrations/`](./integrations/) - **Type**: Service - **Database**: PostgreSQL (`IntegrationDbContext`, EF Core managed) - **Endpoints**: 2 Integration hub managing connections to external systems (SCM, CI, registries, secrets vaults) with health monitoring. Stores connection profiles, manages credential references, and monitors integration health. Plugins under `__Plugins` provide specific connector implementations. **Dependencies**: Authority, external SCM/CI/Registry/Vault systems. --- ### IssuerDirectory (absorbed into Authority -- Sprint 216) - **Source**: `src/Authority/` (moved from `src/IssuerDirectory/`) - **Docs**: [`docs/modules/issuer-directory/`](./issuer-directory/) (historical reference; see [`docs/modules/authority/`](./authority/)) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration, separate IssuerDirectoryDbContext) - **Endpoints**: 3 (issuer, issuer key, issuer trust) Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant. Consolidated into Authority per Sprint 216; DbContext remains separate for security isolation. **Dependencies**: Authority. --- ### Mirror - **Source**: `src/Mirror/` - **Docs**: [`docs/modules/mirror/`](./mirror/) - **Type**: Library / Tool - **Database**: None - **Endpoints**: None Vulnerability feed mirror and distribution utility for offline operation and reduced latency. Produces bundles for air-gapped distribution with cryptographic verification. Primary component is `StellaOps.Mirror.Creator` for assembling mirror bundles. **Dependencies**: Upstream vulnerability feeds (NVD, OSV, GHSA), Concelier. --- ### Notifier - **Source**: `src/Notifier/` - **Docs**: [`docs/modules/notifier/`](./notifier/) - **Type**: Service - **Database**: None (uses Notify's persistence layer) - **Endpoints**: 14 (escalation, fallback, incident, localization, observability, operator override, quiet hours, rule, security, simulation, storm breaker, template, throttle, notify API) Notifications Studio host application composing the Notify toolkit libraries into a full-featured notification management service. Provides 73+ routes covering escalation policies, fallback routing, incident tracking, localization, security controls, simulation testing, storm breaking (anti-spam), and more. **Dependencies**: Notify libraries, Authority, Slack/Teams/Email/Webhook channels. --- ### Notify - **Source**: `src/Notify/` - **Docs**: [`docs/modules/notify/`](./notify/) - **Type**: Service / Library - **Database**: PostgreSQL (2 SQL migrations) - **Endpoints**: 2 (via WebService Program.cs) Rules-driven, tenant-aware notification engine providing event consumption, operator-defined routing, channel-specific rendering, and reliable delivery with idempotency, throttling, and digests. Foundation library consumed by the Notifier host application. Secrets for channels are referenced, not stored raw. **Dependencies**: Scanner / Scheduler / Excititor / Concelier / Attestor / Zastava (event sources), Slack/Teams/Email/Webhook, Authority. --- ### OpsMemory (consolidated into AdvisoryAI) - **Source**: `src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/` (library), `src/AdvisoryAI/StellaOps.OpsMemory.WebService/` (service) - **Docs**: [`docs/modules/advisory-ai/architecture.md` section 15](./advisory-ai/architecture.md#15-opsmemory-operational-memory-and-rag) - **Archived docs**: `docs-archived/modules/opsmemory/` - **Type**: Service - **Database**: PostgreSQL (via shared infrastructure, schema managed programmatically) - **Endpoints**: 1 (OpsMemoryEndpoints) Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation. Consolidated from standalone `src/OpsMemory/` module into `src/AdvisoryAI/` per Sprint 213. **Dependencies**: AdvisoryAI, Authority, Findings Ledger. --- ### JobEngine (formerly Orchestrator) - **Source**: `src/JobEngine/` - **Docs**: [`docs/modules/jobengine/`](./jobengine/) - **Type**: Service - **Database**: PostgreSQL (via shared infrastructure) - **Endpoints**: 25 (approvals, audit, circuit breakers, DAG, dead letter, export jobs, first signal, health, jobs, KPIs, ledger, OpenAPI, pack registry, pack runs, quotas, governance, release control v2, release dashboard, releases, runs, scale, SLOs, sources, streams, workers) Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers. Renamed from Orchestrator (Sprint 221). Now includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208). **Dependencies**: Concelier / Excititor / ExportCenter / Policy (job producers), Valkey or NATS, Authority. --- ### PacksRegistry (absorbed into JobEngine -- Sprint 208) - **Source**: `src/JobEngine/` (moved from `src/PacksRegistry/`) - **Docs**: [`docs/modules/packs-registry/`](./packs-registry/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/)) - **Type**: Service - **Database**: PostgreSQL (`PacksRegistryDbContext`, EF Core managed, stub) - **Endpoints**: Defined in JobEngine Program.cs Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Consolidated into JobEngine per Sprint 208. **Dependencies**: JobEngine, object storage, Authority. --- ### Platform - **Source**: `src/Platform/` - **Docs**: [`docs/modules/platform/`](./platform/) - **Type**: Service - **Database**: PostgreSQL (57 SQL migrations, `stellaops` shared database) - **Endpoints**: 45+ (analytics, context, environment settings, evidence thread, federation telemetry, function map, integration read model, legacy alias, pack adapter, platform, policy interop, release control, release read model, score, security read model, topology read model, trust signing, and more) Central platform service providing analytics, context management, environment settings, evidence threading, federation telemetry, function maps, integration health, release control, scoring, security, and topology read models. Largest module by migration count. Owns the migration consolidation framework (`MigrationModuleRegistry`, `MigrationModulePluginDiscovery`, `MigrationModuleConsolidation`). **Dependencies**: Authority, all modules (migration coordination), PostgreSQL. --- ### Plugin - **Source**: `src/Plugin/` - **Docs**: [`docs/modules/plugin/`](./plugin/) - **Type**: Library / Framework - **Database**: PostgreSQL (Plugin Registry, 1 SQL migration) - **Endpoints**: None Plugin SDK, registry, sandbox, and host framework enabling extensibility across the platform. Includes Abstractions (contracts), Sdk (development SDK), Host (lifecycle management), Registry (PostgreSQL persistence), Sandbox (isolated execution), Cli (management tool), Testing (test harness), and Samples. **Dependencies**: None (framework consumed by other modules). --- ### Policy - **Source**: `src/Policy/` - **Docs**: [`docs/modules/policy/`](./policy/) - **Type**: Service (Engine + Gateway) - **Database**: PostgreSQL (5 SQL migrations plus demo seed) - **Endpoints**: 59 (49 Engine + 10 Gateway) Deterministic policy evaluation engine and gateway service compiling stella-dsl policy packs into verdicts by joining SBOM inventory, advisories, and VEX evidence. The Engine provides extensive coverage across advisory AI knobs, attestation reports, batch evaluation, budgets, conflicts, CVSS receipts, determinization, effective policy, merge previews, risk profiles/simulations, sealed mode, verification policy, and violation tracking. The Gateway handles admission decisions, deltas, exception approvals, gates, governance, and registry webhooks. **Dependencies**: Concelier, Excititor, SBOM Service, Scanner, Authority, Scheduler. --- ### Provenance (absorbed into Attestor -- Sprint 204) - **Source**: `src/Attestor/` (moved from `src/Provenance/`) - **Docs**: [`docs/modules/provenance/`](./provenance/) (historical reference; see [`docs/modules/attestor/`](./attestor/)) - **Type**: Library / Tool - **Database**: None - **Endpoints**: None Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at `src/__Libraries/StellaOps.Provcache.Postgres/`. Consolidated into Attestor per Sprint 204. **Dependencies**: Attestor. --- ### ReachGraph - **Source**: `src/ReachGraph/` - **Docs**: [`docs/modules/reach-graph/`](./reach-graph/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration in shared library) - **Endpoints**: Defined in Program.cs Unified reachability subgraph store providing fast, deterministic, audit-ready answers about why a dependency is reachable. Consolidates reachability data from Scanner (call graphs), Signals (runtime observations), and Attestor (PoE JSON) into content-addressed artifacts with edge-level explainability. **Dependencies**: Scanner, Signals, Attestor. --- ### Registry - **Source**: `src/Registry/` - **Docs**: [`docs/modules/registry/`](./registry/) - **Type**: Service - **Database**: None (stateless) - **Endpoints**: 2 (token issuance) Docker registry bearer token service issuing short-lived tokens for private or mirrored registries with license/plan enforcement. Validates caller identity using Authority-issued tokens, authorizes requested registry scopes against a configured plan catalogue, and mints Docker-registry-compatible JWTs. **Dependencies**: Authority. --- ### ReleaseOrchestrator - **Source**: `src/ReleaseOrchestrator/` - **Docs**: [`docs/modules/release-jobengine/`](./release-jobengine/) - **Type**: Service (Active Development) - **Database**: PostgreSQL (planned, via Platform migrations) - **Endpoints**: 1 Central release control plane for non-Kubernetes container estates governing promotion across environments (Dev, Stage, Prod), enforcing security and policy gates, and producing verifiable evidence. Contains API, agents, apps, and libraries sub-directories with 140K+ lines of production code. Owns environment topology and promotion lanes. **Dependencies**: Platform, Policy Engine, Scanner, Authority. --- ### Remediation - **Source**: `src/Remediation/` - **Docs**: [`docs/modules/remediation/`](./remediation/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration) - **Endpoints**: 3 Developer-facing signed-PR remediation marketplace enabling discovery, application, and verification of community-contributed fix templates for known CVEs. Templates include unified diff content, version range applicability, and trust scores. Tracks PR submission lifecycle with attestation evidence. **Dependencies**: Scanner, Signer / Attestor, Authority. --- ### Replay - **Source**: `src/Replay/` - **Docs**: [`docs/modules/replay/`](./replay/) - **Type**: Service - **Database**: PostgreSQL (via shared infrastructure) - **Endpoints**: 2 (point-in-time query, verdict replay) Deterministic replay engine ensuring vulnerability assessments can be reproduced byte-for-byte given the same inputs. Manages replay tokens (cryptographically bound to input digests), manifests, feed snapshots, and verification workflows. Stores content-addressed references, not actual data. **Dependencies**: Policy Engine, Scanner, Concelier / Excititor. --- ### RiskEngine - **Source**: `src/Findings/StellaOps.RiskEngine.*` (consolidated into Findings, Sprint 207) - **Docs**: [`docs-archived/modules/risk-engine/`](../../docs-archived/modules/risk-engine/) - **Type**: Service - **Database**: PostgreSQL (via shared infrastructure) - **Endpoints**: 1 (exploit maturity) Risk scoring runtime computing deterministic, explainable risk scores by aggregating signals from EPSS, CVSS, KEV, VEX, and reachability data. Produces audit trails and explainability payloads for every scoring decision. Does not make PASS/FAIL decisions; provides scores to the Policy Engine. Supports offline operation via factor bundles. **Dependencies**: Concelier, Excititor, Signals, Policy Engine. --- ### Router - **Source**: `src/Router/` - **Docs**: [`docs/modules/router/`](./router/) - **Type**: Service / Framework - **Database**: None - **Endpoints**: 4 Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The `StellaOps.Gateway.WebService` under Router serves as both the HTTP ingress gateway and binary protocol bridge (the standalone `src/Gateway/` was deleted in Sprint 200). **Dependencies**: Authority, all microservices, Valkey. --- ### RuntimeInstrumentation - **Source**: `src/RuntimeInstrumentation/` - **Docs**: [`docs/modules/runtime-instrumentation/`](./runtime-instrumentation/) - **Type**: Library - **Database**: None - **Endpoints**: None Tetragon-based runtime instrumentation library for eBPF-based process and syscall monitoring. Provides integration with Cilium Tetragon enabling observation of actual process execution, file access, and network activity at the kernel level for runtime evidence collection. **Dependencies**: Tetragon (eBPF runtime), Zastava / Signals (evidence consumers). --- ### SbomService - **Source**: `src/SbomService/` - **Docs**: [`docs/modules/sbom-service/`](./sbom-service/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration in Lineage persistence) - **Endpoints**: 5 Canonical SBOM projection, lookup, and timeline API serving deterministic, tenant-scoped SBOM data. Does not perform scanning; consumes Scanner outputs or supplied SPDX/CycloneDX blobs. SBOMs are append-only with mutations via new versions only. Owns the SBOM lineage ledger for versioned uploads, diffs, and retention pruning. **Dependencies**: Scanner, Graph, AdvisoryAI, Policy Engine. --- ### Scanner - **Source**: `src/Scanner/` - **Docs**: [`docs/modules/scanner/`](./scanner/) - **Type**: Service - **Database**: PostgreSQL (36 SQL migrations, multiple DbContexts including `TriageDbContext`) - **Endpoints**: 77 (EPSS, observability, reachability evidence, replay, score replay, unknowns, scan, and 71 more) Deterministic SBOM generation and vulnerability scanning engine for container images and filesystems with three-way diffs, per-layer caching, and attestation hand-off. Emits Inventory and Usage views. Does not produce PASS/FAIL verdicts. Second-highest migration count covering scans, findings, call graphs, EPSS, smart diffs, unknowns, reachability, binary evidence, secret detection, runtime observations, and score history. **Dependencies**: Signer, Attestor, Authority, object storage / RustFS, SBOM Service, Concelier / Excititor. --- ### Scheduler (absorbed into JobEngine -- Sprint 208) - **Source**: `src/JobEngine/` (moved from `src/Scheduler/`) - **Docs**: [`docs/modules/scheduler/`](./scheduler/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/)) - **Type**: Service - **Database**: PostgreSQL (11 SQL migrations, separate SchedulerDbContext) - **Endpoints**: 8 (event webhook, failure signature, graph job, policy run, policy simulation, run, schedule, resolver job) Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs. Consolidated into JobEngine per Sprint 208; DbContext remains separate. **Dependencies**: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, JobEngine. --- ### Sdk (archived -- absorbed into Tools) - **Source**: `src/Tools/StellaOps.Sdk.Generator/`, `src/Tools/StellaOps.Sdk.Release/` - **Docs**: [`docs/modules/tools/`](./tools/) - **Type**: Library / Code Generator - **Database**: None - **Endpoints**: None Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Absorbed into `src/Tools/` as of Sprint 212. **Dependencies**: Gateway / OpenAPI specs. --- ### Signals - **Source**: `src/Signals/` - **Docs**: [`docs/modules/signals/`](./signals/) - **Type**: Service - **Database**: PostgreSQL (6 SQL migrations) - **Endpoints**: 1 (SCM webhook) Unified evidence-weighted scoring system aggregating reachability, runtime observations, backport detection, exploit intelligence, source trust, and mitigations into a single 0-100 score. Maintains determinism, provides score decomposition with explanations, and supports SCM webhook integration for change-triggered re-scoring. **Dependencies**: Scanner, Concelier / Excititor, RuntimeInstrumentation, Policy Engine. --- ### Signer (absorbed into Attestor -- Sprint 204) - **Source**: `src/Attestor/` (moved from `src/Signer/`) - **Docs**: [`docs/modules/signer/`](./signer/) (historical reference; see [`docs/modules/attestor/`](./attestor/)) - **Type**: Service - **Database**: PostgreSQL (`KeyManagementDbContext`, 2 SQL migrations, separate DbContext) - **Endpoints**: 3 (ceremony, key rotation, signer) The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM). Consolidated into Attestor per Sprint 204; DbContext remains separate for security isolation. **Dependencies**: Authority, Cryptography library, KMS/HSM. --- ### SmRemote - **Source**: `src/SmRemote/` - **Docs**: [`docs/modules/sm-remote/`](./sm-remote/) - **Type**: Service - **Database**: None - **Endpoints**: Defined in Program.cs Remote service for Chinese SM2/SM3/SM4 cryptographic operations enabling sovereign crypto compliance. Allows deployments requiring SM compliance to offload operations to a dedicated service rather than requiring SM crypto libraries on every host. **Dependencies**: Cryptography Plugin.Sm. --- ### Symbols (absorbed into BinaryIndex -- Sprint 202) - **Source**: `src/BinaryIndex/StellaOps.Symbols.*` (moved from `src/Symbols/`) - **Docs**: [`docs/modules/binary-index/architecture.md`](./binary-index/architecture.md) (Symbols section) - **Type**: Service - **Database**: None (content-addressed storage) - **Endpoints**: 1 (symbol source) Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores. Consolidated into BinaryIndex per Sprint 202. **Dependencies**: Scanner, BinaryIndex. --- ### TaskRunner (absorbed into JobEngine -- Sprint 208) - **Source**: `src/JobEngine/` (moved from `src/TaskRunner/`) - **Docs**: [`docs/modules/taskrunner/`](./taskrunner/) (historical reference; see [`docs/modules/jobengine/`](./jobengine/)) - **Type**: Service - **Database**: PostgreSQL (via infrastructure layer, stub DbContext) - **Endpoints**: Defined in JobEngine Program.cs Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped. Consolidated into JobEngine per Sprint 208. **Dependencies**: JobEngine, Authority, Attestor, object storage. --- ### Telemetry - **Source**: `src/Telemetry/` - **Docs**: [`docs/modules/telemetry/`](./telemetry/) - **Type**: Library - **Database**: None - **Endpoints**: None Observability library providing OpenTelemetry-based metrics, traces, and logs with Roslyn analyzers ensuring telemetry best practices. Supports multiple pipeline profiles (default, forensic, airgap) with allow-listed exporters for sovereign readiness. Forensic archives produce signed bundles of raw OTLP records. **Dependencies**: Prometheus, Tempo/Jaeger, Loki. --- ### Timeline - **Source**: `src/Timeline/` - **Docs**: [`docs/modules/timeline/`](./timeline/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration in Timeline.Core) - **Endpoints**: 3 (export, replay, timeline) Timeline query service providing export, replay, and timeline browsing endpoints for vulnerability history and event streams. Uses shared libraries from `StellaOps.Eventing` for event envelope schemas and `StellaOps.Timeline.Core` for core logic including critical path view. **Dependencies**: All services (event sources). TimelineIndexer is now consolidated into the Timeline module (`src/Timeline/`). --- ### Tools - **Source**: `src/Tools/` - **Docs**: [`docs/modules/tools/`](./tools/) - **Type**: CLI Tools - **Database**: None - **Endpoints**: None Developer utility tools including FixtureUpdater, GoldenPairs generator, LanguageAnalyzerSmoke, NotifySmokeCheck, PolicyDslValidator, PolicySchemaExporter, PolicySimulationSmoke, RustFsMigrator, WorkflowGenerator, and a Python CERT-Bund offline snapshot tool. **Dependencies**: Various (tool-specific). --- ### Unknowns - **Source**: `src/Unknowns/` - **Docs**: [`docs/modules/unknowns/`](./unknowns/) - **Type**: Service - **Database**: PostgreSQL (`UnknownsDbContext`, 4 SQL migrations) - **Endpoints**: 2 (grey queue, unknowns) Structured registry for tracking unresolved components, symbols, and incomplete mappings that Scanner and other analyzers cannot definitively identify. Includes a Grey Queue for lifecycle management (queueing, triage, resolution). Does not guess identities; records what cannot be determined. **Dependencies**: Scanner, Signals. --- ### Verifier (archived -- absorbed into Tools) - **Source**: `src/Tools/StellaOps.Verifier/` - **Docs**: [`docs/modules/tools/`](./tools/) - **Type**: CLI Tool - **Database**: None - **Endpoints**: None Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Absorbed into `src/Tools/` as of Sprint 212. **Dependencies**: None (standalone verification). --- ### VexHub - **Source**: `src/VexHub/` - **Docs**: [`docs/modules/vex-hub/`](./vex-hub/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration) - **Endpoints**: 1 (VexHubEndpointExtensions) VEX document hub providing centralized management, distribution, and integration of VEX statements across the platform. Stores VEX statements from various sources and distributes data to Excititor for processing. **Dependencies**: Excititor, IssuerDirectory, Authority. --- ### VexLens - **Source**: `src/VexLens/` - **Docs**: [`docs/modules/vex-lens/`](./vex-lens/) - **Type**: Service - **Database**: PostgreSQL (1 SQL migration) - **Endpoints**: 2 (export, VexLens) VEX consensus viewer and analysis service providing issuer-aware VEX statement evaluation with export capabilities. Evaluates VEX statements from multiple issuers, computes consensus views considering trust weights and provenance, and integrates with IssuerDirectory for owner manifest resolution. **Dependencies**: Excititor, IssuerDirectory, Policy Engine. --- ### VulnExplorer - **Source**: `src/Findings/StellaOps.VulnExplorer.*` (consolidated into Findings, Sprint 207) - **Docs**: [`docs-archived/modules/vuln-explorer/`](../../docs-archived/modules/vuln-explorer/) - **Type**: Service - **Database**: None (reads from other modules' databases) - **Endpoints**: Defined in Program.cs Vulnerability exploration API providing rich querying, filtering, and analysis of vulnerability findings across the platform. Aggregates data from Scanner, Concelier, Excititor, Policy, and Signals to present a unified vulnerability view with concept-based navigation and evidence links. **Dependencies**: Scanner, Concelier, Excititor, Policy Engine, Signals, Findings Ledger. --- ### Web - **Source**: `src/Web/` - **Docs**: [`docs/modules/ui/`](./ui/) - **Type**: UI (Angular SPA) - **Database**: None - **Endpoints**: None Angular single-page application providing the operator console with vulnerability dashboard, release management, policy studio, evidence browser, SBOM exploration, notification management, and administrative controls. Includes search client APIs for knowledge search integration, smart diff visualization, AI UX patterns, and competitive triage workflows. **Dependencies**: Gateway (API proxy), all backend APIs. --- ### Zastava - **Source**: `src/Zastava/` - **Docs**: [`docs/modules/zastava/`](./zastava/) - **Type**: Service (three processes: Agent, Observer, Webhook) - **Database**: None (stateless agents) - **Endpoints**: Webhook endpoints, agent APIs defined in Program.cs Runtime inspector and enforcer watching real workloads, detecting drift from scanned baselines, verifying image/SBOM/attestation posture, and optionally admitting/blocking deployments. Observer inventories containers and verifies signatures; Admission (optional Kubernetes webhook) enforces minimal posture pre-flight. On non-Kubernetes Docker hosts, runs as a host service with observer-only features. **Dependencies**: Scanner.WebService, Policy Engine, Signals, Attestor, Authority. --- ## Documentation Standards Each module folder should contain: | File | Purpose | |------|---------| | `README.md` | Quick overview, purpose, components | | `architecture.md` | Detailed architecture specification | | `AGENTS.md` | (Optional) Claude Code agent guidance | | `operations/` | (Optional) Operational runbooks | See the [Documentation Template Standard](../implplan/SPRINT_1228_0001_DOCS_module_documentation_consolidation.md#documentation-template-standard) for the full architecture.md template.