# Stella Ops Suite Documentation **Stella Ops Suite** is a centralized, auditable **release control plane** for **non-Kubernetes container estates**. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces **verifiable evidence** for every decision. Stella is designed for teams who deploy containers via **Docker/Compose, hosts/VMs, and scripted automation** and need **certifiable security + auditable releases** without building a bespoke governance pipeline. --- ## What Stella delivers ### Evidence-grade release governance (outside Kubernetes) - **Environment promotions** (Dev -> Stage -> Prod) with explicit policy, approvals, and change control. - **Digest-first release identity**: deployments are tracked by immutable OCI digests so "what is deployed where" is unambiguous. - **Deterministic decision records**: every gate decision is explainable ("why blocked?") and replayable. ### Reachability-aware security decisioning - **Deep scanning** produces SBOM + findings + reachability and hybrid reachability evidence. - **VEX-first decisioning** with consensus and conflict handling across issuers (SBOM/VEX are part of the evidence chain, not a side export). - **Policy-as-code** with deterministic evaluation and traceable outcomes. ### Verifiability, attestability, and audit export - **Evidence packets / decision capsules**: hashable, immutable bundles that capture inputs, verdicts, and approvals. - **Attestations** (DSSE/in-toto, predicates for SBOM/VEX/verdict/reachability; optional Sigstore flows where configured). - **Audit exports** for compliance review, incident response, and forensic reconstruction. ### Offline-first, sovereign operation - Built for **air-gapped** and restricted environments: local databases, offline kits/snapshots, and deterministic replay. - **Regional crypto profiles** (eIDAS/FIPS/GOST/SM and related plugin architecture) to avoid compliance lock-in. ### Toolchain-agnostic integrations - Integrates with common SCM/CI/registries/secrets managers through **connectors and plugins**. - Works alongside existing pipelines: scan-on-build, gate-on-promotion, re-evaluate on advisory updates. --- ## Core differentiators (the "why Stella" set) These concepts appear throughout the docs and are the suite's anchor points: - **Signed, replayable risk verdicts**: decisions can be re-run deterministically from the same evidence. - **Decision capsules**: evidence is packaged for audit, not scattered across logs and screenshots. - **Reachability with portable proofs**: exploitability is evidenced, not asserted. - **Smart-diff / semantic risk delta**: focus on what materially changed between releases. - **Unknowns as first-class state**: uncertainty is tracked and budgeted, not hidden. - **Non-Kubernetes-first**: orchestration and evidence for Compose/hosts/agentless targets as a primary use case. - **Digest-first release identity**: immutable artifacts, immutable accountability. For exhaustive capability detail (including planned items), use the Feature Matrix referenced below. --- ## Two levels of documentation - **High-level (canonical):** curated guides in `docs/*.md`. - **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). Entry point: `docs/technical/README.md`. This documentation set is intentionally consolidated and does not maintain compatibility stubs for old paths. --- ## Start here ### Product understanding | Goal | Open this | | --- | --- | | Understand the suite quickly | `overview.md` | | Capability cards | `key-features.md` | | Full capability matrix | `FEATURE_MATRIX.md` | | Product vision | `product/VISION.md` | | Roadmap (priorities + definition of "done") | `ROADMAP.md` | ### Getting started | Goal | Open this | | --- | --- | | First run and basic workflows | `quickstart.md` | | Ingest advisories (Concelier + CLI) | `CONCELIER_CLI_QUICKSTART.md` | | Console (Web UI) operator guide | `UI_GUIDE.md` | | Offline / air-gap operations | `OFFLINE_KIT.md` | ### Architecture | Goal | Open this | | --- | --- | | Architecture: high-level overview | `ARCHITECTURE_OVERVIEW.md` | | Architecture: full reference map | `ARCHITECTURE_REFERENCE.md` | | Architecture: user flows (UML) | `technical/architecture/user-flows.md` | | Architecture: module matrix | `technical/architecture/module-matrix.md` | | Architecture: data flows | `technical/architecture/data-flows.md` | | Architecture: schema mapping | `technical/architecture/schema-mapping.md` | | Release Orchestration dossier | `modules/release-orchestrator/architecture.md` | ### Development and operations | Goal | Open this | | --- | --- | | Develop plugins/connectors | `PLUGIN_SDK_GUIDE.md` | | Security deployment hardening | `SECURITY_HARDENING_GUIDE.md` | | VEX consensus and issuer trust | `VEX_CONSENSUS_GUIDE.md` | | Vulnerability Explorer guide | `VULNERABILITY_EXPLORER_GUIDE.md` | | SBOM determinism guide | `sboms/DETERMINISM.md` | | Engineering standards (for implementers) | `code-of-conduct/CODE_OF_CONDUCT.md` | | Testing standards (for QA/automation) | `code-of-conduct/TESTING_PRACTICES.md` | --- ## Detailed indexes - Technical index (everything): `docs/technical/README.md` - End-to-end workflow flows: `docs/flows/` - Module dossiers: `docs/modules/` - API contracts and samples: `docs/api/` - Architecture notes / ADRs: `docs/technical/architecture/`, `docs/technical/adr/` - Operations and deployment: `docs/operations/` - Air-gap workflows: `docs/modules/airgap/guides/` - Security deep dives: `docs/security/` - Benchmarks and fixtures: `docs/benchmarks/`, `docs/assets/` - Product advisories: `docs/product/advisories/` --- ## License and notices - Project license (BUSL-1.1 + Additional Use Grant): `LICENSE` - Third-party notices: `NOTICE.md` - Legal and licensing index: `docs/legal/README.md` - Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md` - Compatibility guidance: `docs/legal/LICENSE-COMPATIBILITY.md` - Cryptography compliance: `docs/legal/crypto-compliance-review.md` --- ## Design principles (non-negotiable) - **Offline-first:** core operations must work in restricted/air-gapped environments. - **Deterministic replay:** same inputs yield the same outputs (stable ordering, canonical hashing). - **Evidence-linked decisions:** every decision links to concrete evidence artifacts. - **Digest-first identity:** releases are immutable OCI digests, not mutable tags. - **Pluggable integrations:** connectors and steps are extensible; the core evidence chain stays stable.