# Complete Feature Matrix - Stella Ops Suite

*(Auto-generated with code mapping)*

> This document extends `FEATURE_MATRIX.md` with module/file mappings and CLI/UI coverage verification.

---

## SBOM & Ingestion

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| Trivy-JSON Ingestion | Free/Pro/Ent | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbBoltBuilder.cs` | - | `/concelier/trivy-db-settings` | Implemented |
| SPDX-JSON 3.0.1 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `SpdxJsonLdSerializer.cs` | `stella sbom list --format spdx` | `/sbom-sources` | Implemented |
| CycloneDX 1.7 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `CycloneDxComposer.cs` | `stella sbom list --format cyclonedx` | `/sbom-sources` | Implemented |
| Auto-format Detection | Free/Pro/Ent | Concelier | `ISbomParser.cs`, `SbomParser.cs` (DetectFormatAsync) | Implicit in `stella sbom` | Implicit | Implemented |
| Delta-SBOM Cache | Free/Pro/Ent | SbomService | `VexDeltaRepository.cs`, `InMemoryLineageCompareCache.cs`, `ValkeyLineageCompareCache.cs` | - | - | Implemented |
| SBOM Generation (all formats) | Free/Pro/Ent | Scanner | `SpdxComposer.cs`, `CycloneDxComposer.cs`, `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs` | `stella scan run` | `/findings` (scan results) | Implemented |
| Semantic SBOM Diff | Free/Pro/Ent | Scanner, SbomService | `SbomDiff.cs`, `SbomDiffEngine.cs`, `LineageCompareService.cs` | - | `/lineage` | Implemented |
| BYOS (Bring-Your-Own-SBOM) | Free/Pro/Ent | Scanner | `SbomByosUploadService.cs`, `SbomUploadStore.cs`, `SbomUploadEndpoints.cs` | `stella sbom upload` (pending) | `/sbom-sources` | Implemented |
| SBOM Lineage Ledger | Enterprise | SbomService | `SbomLineageEdgeRepository.cs`, `SbomLedgerModels.cs`, `SbomServiceDbContext.cs` | - | `/lineage` | Implemented |
| SBOM Lineage API | Enterprise | SbomService, Graph | `ILineageGraphService.cs`, `SbomLineageGraphService.cs`, `LineageExportService.cs`, `LineageController.cs` | - | `/lineage` | Implemented |

### CLI Commands (SBOM)

| Command | Description | Status |
|---------|-------------|--------|
| `stella sbom list` | List SBOMs with filters (--image, --digest, --format, --created-after/before) | Implemented |
| `stella sbom show ` | Display SBOM details | Implemented |
| `stella sbom upload` | Upload external SBOM (BYOS) | Pending verification |
| `stella sbomer layer list` | List layer fragments for a scan | Implemented |
| `stella sbomer compose` | Compose layer SBOMs | Implemented |
| `stella sbomer verify` | Verify Merkle tree integrity | Implemented |

### UI Routes (SBOM)

| Route | Feature | Status |
|-------|---------|--------|
| `/sbom-sources` | SBOM ingestion source management | Implemented |
| `/lineage` | SBOM lineage graph and smart diff | Implemented |
| `/graph` | Interactive SBOM dependency visualization | Implemented |
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |

### Coverage Gaps (SBOM)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Delta-SBOM Cache | No | No | Internal optimization, no direct exposure needed |
| Auto-format Detection | Implicit | Implicit | Works automatically, no explicit command |
| SBOM Lineage Ledger | No | Yes | CLI access would be useful for automation |
| SBOM Lineage API | No | Yes | CLI access would be useful for automation |

---

## Scanning & Detection

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| CVE Lookup via Local DB | Free/Pro/Ent | Scanner | `VulnSurfaceService.cs`, `AdvisoryClient.cs` | `stella scan run` | `/findings` | Implemented |
| License-Risk Detection | All (Planned) | Scanner | Package manifest extraction only | - | - | Planned (Q4-2025) |
| **.NET/C# Analyzer** | Free/Pro/Ent | Scanner | `DotNetLanguageAnalyzer.cs`, `DotNetDependencyCollector.cs`, `MsBuildProjectParser.cs` | `stella scan run` | `/findings` | Implemented |
| **Java Analyzer** | Free/Pro/Ent | Scanner | `JavaLanguageAnalyzer.cs`, `JavaWorkspaceNormalizer.cs` | `stella scan run` | `/findings` | Implemented |
| **Go Analyzer** | Free/Pro/Ent | Scanner | `GoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Python Analyzer** | Free/Pro/Ent | Scanner | `PythonLanguageAnalyzer.cs`, `PythonEnvironmentDetector.cs`, `ContainerLayerAdapter.cs` | `stella scan run` | `/findings` | Implemented |
| **Node.js Analyzer** | Free/Pro/Ent | Scanner | `NodeLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Ruby Analyzer** | Free/Pro/Ent | Scanner | `RubyLanguageAnalyzer.cs`, `RubyVendorArtifactCollector.cs` | `stella ruby inspect` | `/findings` | Implemented |
| **Bun Analyzer** | Free/Pro/Ent | Scanner | `BunLanguageAnalyzer.cs` | `stella bun inspect` | `/findings` | Implemented |
| **Deno Analyzer** | Free/Pro/Ent | Scanner | `DenoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **PHP Analyzer** | Free/Pro/Ent | Scanner | `PhpLanguageAnalyzer.cs` | `stella php inspect` | `/findings` | Implemented |
| **Rust Analyzer** | Free/Pro/Ent | Scanner | `RustLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Native Binary Analyzer** | Free/Pro/Ent | Scanner | `NativeAnalyzer.cs` | `stella binary` | `/analyze/patch-map` | Implemented |
| Quick Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs`, `FidelityAwareAnalyzer.cs` | `stella scan run --fidelity quick` | `/ops/scanner` | Implemented |
| Standard Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity standard` | `/ops/scanner` | Implemented |
| Deep Mode | Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity deep` | `/ops/scanner` | Implemented |
| Base Image Detection | Free/Pro/Ent | Scanner | `OciImageInspector.cs`, `OciImageConfig.cs` | `stella image inspect` | `/findings` | Implemented |
| Layer-Aware Analysis | Free/Pro/Ent | Scanner | `LayeredRootFileSystem.cs`, `ContainerLayerAdapter.cs` | `stella scan layer-sbom` | `/findings` | Implemented |
| Concurrent Scan Workers | 1/3/Unlimited | Scanner | `IScanQueue.cs`, `NatsScanQueue.cs`, `ScanJobProcessor.cs` | - | `/ops/scanner` | Implemented |

### CLI Commands (Scanning)

| Command | Description | Status |
|---------|-------------|--------|
| `stella scan run` | Execute scanner with --runner, --entry, --target | Implemented |
| `stella scan upload` | Upload completed scan results | Implemented |
| `stella scan entrytrace` | Show entry trace summary for a scan | Implemented |
| `stella scan sarif` | Export scan results in SARIF 2.1.0 format | Implemented |
| `stella scan replay` | Replay scan with deterministic hashes | Implemented |
| `stella scan gate-policy` | VEX gate evaluation | Implemented |
| `stella scan layers` | Container layer operations | Implemented |
| `stella scan layer-sbom` | Layer SBOM composition | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella image inspect` | Inspect OCI image manifest and layers | Implemented |
| `stella ruby inspect` | Inspect Ruby workspace | Implemented |
| `stella php inspect` | Inspect PHP workspace | Implemented |
| `stella python inspect` | Inspect Python workspace/venv | Implemented |
| `stella bun inspect` | Inspect Bun workspace | Implemented |
| `stella scanner download` | Download latest scanner bundle | Implemented |

### UI Routes (Scanning)

| Route | Feature | Status |
|-------|---------|--------|
| `/findings` | Vulnerability findings with diff-first view | Implemented |
| `/findings/:scanId` | Scan-specific findings | Implemented |
| `/scans/:scanId` | Individual scan result inspection | Implemented |
| `/vulnerabilities` | CVE/vulnerability database explorer | Implemented |
| `/vulnerabilities/:vulnId` | Vulnerability detail view | Implemented |
| `/ops/scanner` | Scanner offline kits, baselines, determinism settings | Implemented |
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |

### Coverage Gaps (Scanning)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| License-Risk Detection | No | No | Planned feature, not yet implemented |
| Concurrent Worker Config | No | Yes | Worker count configured via ops UI/environment |

---

## Reachability Analysis

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| Static Call Graph | Free/Pro/Ent | Scanner, ReachGraph | `ReachabilityAnalyzer.cs`, `ReachGraphEdge.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Entrypoint Detection (9+ types) | Free/Pro/Ent | Scanner | `JavaEntrypointClassifier.cs`, `EntryTraceResponse.cs` | `stella scan entrytrace` | `/reachability` | Implemented |
| BFS Reachability | Free/Pro/Ent | Scanner | `ReachabilityAnalyzer.cs` (BFS traversal, max depth 256) | `stella reachgraph slice --depth` | `/reachability` | Implemented |
| Reachability Drift Detection | Free/Pro/Ent | Reachability.Core | `ReachabilityLattice.cs` (8-state machine) | `stella drift` | `/reachability` | Implemented |
| Binary Loader Resolution | Pro/Ent | Scanner | `GuardDetector.cs` (PLT/IAT), binary entrypoint classifiers | `stella binary` | `/analyze/patch-map` | Implemented |
| Feature Flag/Config Gating | Pro/Ent | Scanner | `GuardDetector.cs` (env guards, platform checks, feature flags) | - | `/reachability` | Implemented |
| Runtime Signal Correlation | Enterprise | Signals | `EvidenceWeightedScoreCalculator.cs`, `ISignalsAdapter.cs` | - | `/reachability` | Implemented |
| Gate Detection (auth/admin) | Enterprise | Scanner | `GuardDetector.cs` (20+ patterns across 5+ languages) | - | `/reachability` | Implemented |
| Path Witness Generation | Enterprise | Scanner, ReachGraph | `ReachabilityAnalyzer.cs` (deterministic path ordering) | `stella witness` | - | Implemented |
| Reachability Mini-Map API | Enterprise | ReachGraph | `ReachGraphStoreService.cs`, `ReachGraphContracts.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Runtime Timeline API | Enterprise | Signals | `ISignalsAdapter.cs`, evidence window configuration | - | `/reachability` | Implemented |

### CLI Commands (Reachability)

| Command | Description | Status |
|---------|-------------|--------|
| `stella reachgraph slice` | Query slice of reachability graph (--cve, --purl, --entrypoint, --depth) | Implemented |
| `stella reachgraph replay` | Replay reachability analysis for verification | Implemented |
| `stella reachgraph verify` | Verify graph integrity | Implemented |
| `stella reachability show` | Display reachability subgraph (table, json, dot, mermaid) | Implemented |
| `stella reachability export` | Export reachability data | Implemented |
| `stella scan entrytrace` | Show entry trace summary with semantic analysis | Implemented |
| `stella witness` | Path witness operations | Implemented |
| `stella drift` | Reachability drift detection | Implemented |

### UI Routes (Reachability)

| Route | Feature | Status |
|-------|---------|--------|
| `/reachability` | Reachability center - analysis and coverage | Implemented |
| `/graph` | Interactive dependency graph with reachability overlay | Implemented |

### Key Implementation Details

**Reachability Lattice (8 States):**

1. Unknown (0.00-0.29 confidence)
2. StaticReachable (0.30-0.49)
3. StaticUnreachable (0.50-0.69)
4. RuntimeObserved (0.70-0.89)
5. RuntimeUnobserved (0.70-0.89)
6. ConfirmedReachable (0.90-1.00)
7. ConfirmedUnreachable (0.90-1.00)
8. Contested (static/runtime conflict)

**Entrypoint Framework Types Detected:**

- HTTP Handlers (Spring MVC, JAX-RS, Micronaut, GraphQL)
- Message Handlers (Kafka, RabbitMQ, JMS)
- Scheduled Jobs (Spring @Scheduled, Micronaut, JAX-EJB)
- gRPC Methods (Spring Boot gRPC, Netty gRPC)
- Event Handlers (Spring @EventListener)
- CLI Commands (main() method)
- Servlet Handlers (HttpServlet subclass)

### Coverage Gaps (Reachability)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Runtime Signal Correlation | No | Yes | Consider CLI for signal inspection |
| Gate Detection | No | Yes | Guard conditions visible in reachability UI |
| Path Witness Generation | Yes | No | Consider UI visualization of witness paths |

---

## Binary Analysis (BinaryIndex)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| Binary Identity Extraction | Free/Pro/Ent | BinaryIndex | `BinaryIdentity.cs`, `IBinaryFeatureExtractor.cs` | `stella binary inspect` | `/analyze/patch-map` | Implemented |
| Build-ID Vulnerability Lookup | Free/Pro/Ent | BinaryIndex | `IBinaryVulnerabilityService.cs`, `ResolutionController.cs` | `stella binary lookup` | `/analyze/patch-map` | Implemented |
| Debian/Ubuntu Corpus | Free/Pro/Ent | BinaryIndex | `DebianCorpusConnector.cs`, `CorpusIngestionService.cs` | - | - | Implemented |
| RPM/RHEL Corpus | Pro/Ent | BinaryIndex | `RpmCorpusConnector.cs` | - | - | Implemented |
| Patch-Aware Backport Detection | Pro/Ent | BinaryIndex | `IFixIndexBuilder.cs`, `FixEvidence.cs`, `DebianChangelogParser.cs` | `stella patch-verify` | - | Implemented |
| PE/Mach-O/ELF Parsers | Pro/Ent | BinaryIndex | Binary format detection in `BinaryIdentity.cs` | `stella binary inspect` | - | Implemented |
| Binary Fingerprint Generation | Enterprise | BinaryIndex | `IVulnFingerprintGenerator.cs`, `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Implemented |
| Fingerprint Matching Engine | Enterprise | BinaryIndex | `IFingerprintMatcher.cs`, `FingerprintMatcher.cs` | `stella binary lookup --fingerprint` | - | Implemented |
| DWARF/Symbol Analysis | Enterprise | BinaryIndex | Symbol extraction in corpus functions | `stella binary symbols` | - | Implemented |

### CLI Commands (Binary)

| Command | Description | Status |
|---------|-------------|--------|
| `stella binary inspect` | Inspect binary identity (Build-ID, hashes, architecture) | Implemented |
| `stella binary lookup` | Look up vulnerabilities by binary identity/fingerprint | Implemented |
| `stella binary symbols` | Extract symbols from binary | Implemented |
| `stella binary fingerprint` | Generate fingerprints for binary functions | Implemented |
| `stella binary verify` | Verify binary match evidence | Implemented |
| `stella binary submit` | Submit binary for analysis | Implemented |
| `stella binary info` | Get binary analysis info | Implemented |
| `stella binary callgraph` | Extract call graph digest | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella patch-verify` | Patch verification for backport detection | Implemented |
| `stella patch-attest` | Patch attestation operations | Implemented |
| `stella deltasig` | Delta signature operations | Implemented |

### UI Routes (Binary)

| Route | Feature | Status |
|-------|---------|--------|
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |

### Key Implementation Details

**Fingerprint Algorithms (4 types):**

1. **BasicBlock** - Instruction-level basic block hashing (16 bytes)
2. **ControlFlowGraph** - Weisfeiler-Lehman graph hash (32 bytes)
3. **StringRefs** - String reference pattern hash (16 bytes)
4. **Combined** - Multi-algorithm ensemble

**Fix Detection Methods:**

1. SecurityFeed - Official OVAL, DSA feeds
2. Changelog - Debian/Ubuntu changelog parsing
3. PatchHeader - DEP-3 patch header extraction
4. UpstreamPatchMatch - Upstream patch database

**Supported Distributions:**

- Debian, Ubuntu (DebianCorpusConnector)
- RHEL, Fedora, CentOS, Rocky, AlmaLinux (RpmCorpusConnector)
- Alpine Linux (AlpineCorpusConnector)

### Coverage Gaps (Binary)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Debian/Ubuntu Corpus | No | No | Internal corpus management - admin only |
| RPM/RHEL Corpus | No | No | Internal corpus management - admin only |
| Fingerprint Generation | Yes | No | Consider UI for fingerprint visualization |
| Corpus Ingestion | No | No | Admin operation - consider ops UI |

---

## Advisory Sources (Concelier)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| NVD | Free/Pro/Ent | Concelier | `NvdConnector.cs`, `NvdMapper.cs` | `stella db fetch nvd` | `/concelier` | Implemented |
| GHSA | Free/Pro/Ent | Concelier | `GhsaConnector.cs` (GraphQL, rate limits) | `stella db fetch ghsa` | `/concelier` | Implemented |
| OSV | Free/Pro/Ent | Concelier | `OsvConnector.cs` (multi-ecosystem) | `stella db fetch osv` | `/concelier` | Implemented |
| Alpine SecDB | Free/Pro/Ent | Concelier | `Connector.Distro.Alpine/` | `stella db fetch alpine` | `/concelier` | Implemented |
| Debian Security Tracker | Free/Pro/Ent | Concelier | `Connector.Distro.Debian/` (DSA, EVR) | `stella db fetch debian` | `/concelier` | Implemented |
| Ubuntu USN | Free/Pro/Ent | Concelier | `Connector.Distro.Ubuntu/` | `stella db fetch ubuntu` | `/concelier` | Implemented |
| RHEL/CentOS OVAL | Pro/Ent | Concelier | `Connector.Distro.RedHat/` (OVAL, NEVRA) | `stella db fetch redhat` | `/concelier` | Implemented |
| KEV (Exploited Vulns) | Free/Pro/Ent | Concelier | `KevConnector.cs` (CISA catalog) | `stella db fetch kev` | `/concelier` | Implemented |
| EPSS v4 | Free/Pro/Ent | Concelier | `Connector.Epss/` | `stella db fetch epss` | `/concelier` | Implemented |
| Custom Advisory Connectors | Enterprise | Concelier | `IFeedConnector` interface | - | `/admin` | Implemented |
| Advisory Merge Engine | Enterprise | Concelier | `AdvisoryPrecedenceMerger.cs`, `AffectedPackagePrecedenceResolver.cs` | `stella db merge` | - | Implemented |

### CLI Commands (Advisory)

| Command | Description | Status |
|---------|-------------|--------|
| `stella db fetch` | Trigger connector fetch/parse/map | Implemented |
| `stella db merge` | Run canonical merge reconciliation | Implemented |
| `stella db export` | Run Concelier export jobs | Implemented |
| `stella sources ingest` | Validate source documents | Implemented |
| `stella feeds snapshot` | Create/list/export/import feed snapshots | Implemented |
| `stella advisory` | Advisory listing and search | Implemented |
| `stella admin feeds` | Feed management (admin) | Implemented |

### UI Routes (Advisory)

| Route | Feature | Status |
|-------|---------|--------|
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |
| `/ops/feeds` | Feed mirror dashboard and air-gap bundles | Implemented |

### Key Implementation Details

**Source Precedence (Lower = Higher Priority):**

- **Rank 0:** redhat, ubuntu, debian, suse, alpine (distro PSIRTs)
- **Rank 1:** msrc, oracle, adobe, apple, cisco, vmware (vendor PSIRTs)
- **Rank 2:** ghsa, osv (ecosystem registries)
- **Rank 3:** jvn, acsc, cccs, cert-fr, cert-in, certbund, ru-bdu, kisa (regional CERTs)
- **Rank 4:** kev (exploit annotations)
- **Rank 5:** nvd (baseline)

**Version Comparators:**

- NEVRA (RPM): epoch:version-release with rpmvercmp
- EVR (Debian/Ubuntu): epoch:upstream_version-debian_revision
- APK (Alpine): `-r` with suffix ordering

### Coverage Gaps (Advisory)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Advisory Merge Engine | Yes | No | Consider merge status UI |
| Custom Connectors | No | No | Enterprise feature - needs admin UI |
| Feed Scheduling | No | Partial | Consider `stella feeds schedule` command |

---

## VEX Processing (Excititor, VexLens, VexHub, IssuerDirectory)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| OpenVEX Format Support | Free/Pro/Ent | Excititor | `Formats.OpenVEX/`, `OpenVexParser.cs` | `stella vex` | `/vex` | Implemented |
| CycloneDX VEX Format | Free/Pro/Ent | Excititor | `Formats.CycloneDX/` | `stella vex` | `/vex` | Implemented |
| CSAF Format Support | Free/Pro/Ent | Excititor | `Formats.CSAF/` | `stella vex` | `/vex` | Implemented |
| VEX Ingestion API | Free/Pro/Ent | Excititor | `IngestEndpoints.cs`, `IVexObservationQueryService.cs` | - | `/vex` | Implemented |
| VEX Observation Store | Free/Pro/Ent | Excititor | `VexObservationQueryService.cs`, AOC-compliant storage | - | - | Implemented |
| VEX Consensus Engine | Pro/Ent | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | Implemented |
| Trust Weight Scoring | Pro/Ent | VexLens | `ITrustWeightEngine.cs`, `TrustDecayService.cs` | - | `/vex` | Implemented |
| Issuer Trust Registry | Pro/Ent | IssuerDirectory | Full issuer CRUD and key management | - | `/issuer-directory` | Implemented |
| VEX Distribution Hub | Enterprise | VexHub | `IVexIngestionService.cs`, `IVexExportService.cs` | - | - | Implemented |
| VEX Gate Integration | Pro/Ent | Scanner | `IVexGateService.cs`, `VexGateScanCommandGroup.cs` | `stella scan gate-policy` | `/findings` | Implemented |
| VEX from Drift Generation | Pro/Ent | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | Implemented |
| Conflict Detection | Pro/Ent | VexLens, Excititor | `VexLinksetDisagreementService.cs`, `NoiseGateService.cs` | - | `/vex` | Implemented |

### CSAF Provider Connectors

| Connector | Module | Key Files | CLI | Status |
|-----------|--------|-----------|-----|--------|
| Red Hat CSAF | Excititor | `Connectors.RedHat.CSAF/` | - | Implemented |
| Ubuntu CSAF | Excititor | `Connectors.Ubuntu.CSAF/` | - | Implemented |
| Oracle CSAF | Excititor | `Connectors.Oracle.CSAF/` | - | Implemented |
| Microsoft MSRC CSAF | Excititor | `Connectors.MSRC.CSAF/` | - | Implemented |
| Cisco CSAF | Excititor | `Connectors.Cisco.CSAF/` | - | Implemented |
| SUSE RancherVEXHub | Excititor | `Connectors.SUSE.RancherVEXHub/` | - | Implemented |
| OCI OpenVEX Attestation | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | Implemented |

### CLI Commands (VEX)

| Command | Description | Status |
|---------|-------------|--------|
| `stella vex consensus` | Query VexLens consensus (--query, --output json/ndjson/table) | Implemented |
| `stella vex get` | Fetch single consensus record with rationale | Implemented |
| `stella vex simulate` | Test VEX policy decisions (aggregation-only) | Implemented |
| `stella vex gen --from-drift` | Generate VEX from container drift analysis | Implemented |
| `stella scan gate-policy` | VEX gate evaluation for findings | Implemented |

### UI Routes (VEX)

| Route | Feature | Status |
|-------|---------|--------|
| `/vex` | VEX consensus and statement browser | Implemented |
| `/issuer-directory` | Issuer trust registry management | Implemented |
| `/findings` (VEX overlay) | VEX status overlay on findings | Implemented |

### Key Implementation Details

**Consensus Lattice States:**

- `unknown` (0.00) - No information
- `under_investigation` (0.25) - Being analyzed
- `not_affected` (0.50) - Confirmed not vulnerable
- `affected` (0.75) - Confirmed vulnerable
- `fixed` (1.00) - Patch applied

**Trust Weight Factors (9 total):**

1. Issuer tier (critical/high/medium/low)
2. Confidence score (0-1)
3. Cryptographic attestation status
4. Statement age (freshness decay)
5. Patch applicability
6. Source authority scope (PURL patterns)
7. Key lifecycle status
8. Justification quality
9. Historical accuracy

**AOC (Aggregation-Only Contract):**

- Raw VEX stored verbatim with provenance
- No derived data at ingest time
- Linkset-only references
- Roslyn analyzers enforce compliance

**Determinism Guarantees:**

- RFC 8785 canonical JSON serialization
- Stable ordering (timestamp DESC, source ASC, hash ASC)
- UTC ISO-8601 timestamps
- SHA-256 consensus digests

### Coverage Gaps (VEX)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| CSAF Provider Connectors | No | No | Internal connector management |
| Trust Weight Configuration | No | Partial | Consider CLI for trust weight tuning |
| VEX Distribution Webhooks | No | No | VexHub webhook config needs exposure |
| Conflict Resolution UI | No | Partial | Interactive conflict resolution would help |

---

## Policy Engine (Policy, RiskEngine)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| K4 Lattice Logic | Pro/Ent | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs` | - | `/policy` | Implemented |
| Policy Gate Evaluation | Free/Pro/Ent | Policy | `PolicyGateEvaluator.cs`, `IPolicyGate.cs` | `stella policy simulate` | `/policy` | Implemented |
| Evidence Gate | Free/Pro/Ent | Policy | `EvidenceGate.cs` | - | `/policy` | Implemented |
| VEX Trust Gate | Pro/Ent | Policy | `VexTrustGate.cs`, `VexProofSpineService.cs` | - | `/policy` | Implemented |
| Confidence Gate | Pro/Ent | Policy | `MinimumConfidenceGate.cs` | - | `/policy` | Implemented |
| Exception Management | Pro/Ent | Policy | `IExceptionService.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Implemented |
| Risk Scoring (6 providers) | Pro/Ent | RiskEngine | `IRiskScoreProvider.cs`, `CvssKevProvider.cs` | - | `/risk` | Implemented |
| Verdict Attestations | Enterprise | Policy | `IVerdictAttestationService.cs`, `IPolicyDecisionAttestationService.cs` | - | - | Implemented |
| Policy Simulation | Pro/Ent | Policy | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Implemented |
| Sealed Mode (Air-Gap) | Enterprise | Policy | `ISealedModeService.cs` | - | `/ops` | Implemented |
| Determinization System | Pro/Ent | Policy | `UncertaintyScoreCalculator.cs`, `DecayedConfidenceCalculator.cs` | - | - | Implemented |
| Score Policy (YAML) | Pro/Ent | Policy | `ScorePolicyService.cs`, `ScorePolicyModels.cs` | `stella policy validate` | `/policy` | Implemented |

### K4 Lattice (Belnap Four-Valued Logic)

| State | Symbol | Description |
|-------|--------|-------------|
| Unknown | ⊥ | No evidence available |
| True | T | Evidence supports true |
| False | F | Evidence supports false |
| Conflict | ⊤ | Credible evidence for both (contested) |

**Operations:**

- `Join(a, b)` - Knowledge union (monotone aggregation)
- `Meet(a, b)` - Knowledge intersection (dependency chains)
- `Negate(v)` - Swaps True ↔ False
- `FromSupport(hasTrueSupport, hasFalseSupport)` - Constructs K4 from claims

### Policy Gate Types (10+)

| Gate | Purpose |
|------|---------|
| Evidence Gate | Validates sufficient evidence backing |
| Lattice State Gate | K4 states (U, SR, SU, RO, RU, CR, CU, X) |
| VEX Trust Gate | Confidence-based VEX scoring |
| Uncertainty Tier Gate | T1-T4 uncertainty classification |
| Minimum Confidence Gate | Enforces confidence floors |
| Evidence Freshness Gate | Staleness checks |
| VEX Proof Gate | Validates VEX proof chains |
| Reachability Requirement Gate | Reachability evidence |
| Facet Quota Gate | Facet-based quotas |
| Source Quota Gate | Source credibility quotas |
| Unknowns Budget Gate | Limits unknown assertions |

### Risk Score Providers (6)

| Provider | Key Files | Purpose |
|----------|-----------|---------|
| CVSS/KEV | `CvssKevProvider.cs` | CVSS + Known Exploited Vulns |
| EPSS | `EpssProvider.cs` | Exploit Prediction Scoring |
| FixChain | `FixChainRiskProvider.cs` | Fix availability and timeline |
| FixExposure | `FixExposureProvider.cs` | Patch adoption curves |
| VexGate | `VexGateProvider.cs` | VEX decisions as risk gates |
| DefaultTransforms | `DefaultTransformsProvider.cs` | Signal normalization |

### Determinization Signal Weights

| Signal | Weight |
|--------|--------|
| VEX | 35% |
| Reachability | 25% |
| Runtime | 15% |
| EPSS | 10% |
| Backport | 10% |
| SBOM Lineage | 5% |

### Score Policy Weights (Basis Points)

| Dimension | Default Weight |
|-----------|----------------|
| Base Severity | 10% (1000 BPS) |
| Reachability | 45% (4500 BPS) |
| Evidence | 30% (3000 BPS) |
| Provenance | 15% (1500 BPS) |

### CLI Commands (Policy)

| Command | Description | Status |
|---------|-------------|--------|
| `stella policy validate ` | Validate policy YAML (--schema, --strict) | Implemented |
| `stella policy install ` | Install policy pack (--version, --env) | Implemented |
| `stella policy list` | List installed policies | Implemented |
| `stella policy simulate` | Simulate policy decisions | Implemented |

### UI Routes (Policy)

| Route | Feature | Status |
|-------|---------|--------|
| `/policy` | Policy management and evaluation | Implemented |
| `/policy/exceptions` | Exception management | Implemented |
| `/policy/simulate` | Policy simulation runner | Implemented |
| `/risk` | Risk scoring dashboard | Implemented |

### API Endpoints (45+)

**Core:**

- `/policy/eval/batch` - Batch evaluation
- `/policy/packs` - Policy pack management
- `/policy/runs` - Run lifecycle
- `/policy/decisions` - Decision queries

**Simulation:**

- `/policy/simulate` - Policy simulation
- `/policy/merge-preview` - Merge preview
- `/overlay-simulation` - Overlay projection

**Governance:**

- `/api/v1/policy/registry/packs` - Pack registry
- `/api/v1/policy/registry/promote` - Promotion workflows
- `/api/v1/policy/registry/publish` - Publishing pipelines

### Coverage Gaps (Policy)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| K4 Lattice Debug | No | Partial | Consider `stella policy lattice explain` |
| Risk Provider Config | No | No | Provider-level configuration needs exposure |
| Exception Approval API | No | Yes | Consider `stella policy exception approve` |
| Determinization Tuning | No | No | Signal weights should be configurable |

---

## Attestation & Signing (Attestor, Signer, Provenance)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| DSSE Envelope Handling | Free/Pro/Ent | Attestor | `DsseHelper.cs`, `DsseEnvelope.cs`, `DsseVerifier.cs` | `stella attest` | `/attestations` | Implemented |
| In-Toto Statement Format | Free/Pro/Ent | Attestor | `InTotoStatement.cs`, `IInTotoLinkSigningService.cs` | `stella attest attach` | - | Implemented |
| SPDX SBOM Predicates | Free/Pro/Ent | Attestor | `SpdxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| CycloneDX SBOM Predicates | Free/Pro/Ent | Attestor | `CycloneDxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| SLSA Provenance Predicates | Pro/Ent | Attestor | `SlsaProvenancePredicateParser.cs` | `stella attest attach` | - | Implemented |
| Keyless Signing (Fulcio) | Pro/Ent | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Implemented |
| Rekor Transparency Log | Pro/Ent | Signer, Attestor | `RekorHttpClient.cs`, `IRekorClient.cs` | `stella sign keyless --rekor` | - | Implemented |
| Key Rotation Service | Enterprise | Signer | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` endpoint | - | Implemented |
| Trust Anchor Management | Enterprise | Signer | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Implemented |
| Attestation Chains | Enterprise | Attestor | `AttestationChain.cs`, `AttestationChainBuilder.cs` | - | - | Implemented |
| Delta Attestations | Pro/Ent | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Implemented |
| Offline/Air-Gap Bundles | Enterprise | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Implemented |

### Predicate Types (25+ Types)

**Standard Predicates:**

| Predicate | Parser | Purpose |
|-----------|--------|---------|
| SPDX | `SpdxPredicateParser.cs` | SBOM attestation (2.2/2.3/3.0.1) |
| CycloneDX | `CycloneDxPredicateParser.cs` | SBOM attestation (1.7) |
| SLSA Provenance | `SlsaProvenancePredicateParser.cs` | Build provenance (v1.0) |
| VEX Override | `VexOverridePredicateParser.cs` | VEX decision overrides |
| Binary Diff | `BinaryDiffPredicateBuilder.cs` | Binary change attestation |

**Stella-Ops Specific Predicates:**

- AIArtifactBasePredicate, AIAuthorityClassifier, AIExplanationPredicate
- AIPolicyDraftPredicate, AIRemediationPlanPredicate, AIVexDraftPredicate
- BinaryFingerprintEvidencePredicate, BudgetCheckPredicate, ChangeTracePredicate
- DeltaVerdictPredicate, EvidencePredicate, PolicyDecisionPredicate
- ProofSpinePredicate, ReachabilityDriftPredicate, ReachabilitySubgraphPredicate
- SbomDeltaPredicate, UnknownsBudgetPredicate, VerdictDeltaPredicate
- VexDeltaPredicate, VexPredicate, TrustVerdictPredicate, FixChainPredicate

### CLI Commands (Attestation & Signing)

| Command | Description | Status |
|---------|-------------|--------|
| `stella attest attach` | Attach DSSE attestation to OCI artifact | Implemented |
| `stella attest verify` | Verify attestations on OCI artifact | Implemented |
| `stella attest list` | List attestations on OCI artifact | Implemented |
| `stella attest fetch` | Fetch specific attestation by predicate type | Implemented |
| `stella attest fix-chain` | FixChain attestation command | Implemented |
| `stella attest patch` | Patch attestation command | Implemented |
| `stella sign keyless` | Sigstore keyless signing | Implemented |
| `stella sign verify-keyless` | Verify keyless signature | Implemented |

### Signing Modes

| Mode | Description | Key Files |
|------|-------------|-----------|
| Keyless | Fulcio-based ephemeral keys | `KeylessDsseSigner.cs` |
| KMS | External key management system | `CryptoDsseSigner.cs` |
| HMAC | HMAC-based signing | `HmacDsseSigner.cs` |

### Crypto Algorithm Support

| Algorithm | Files | Purpose |
|-----------|-------|---------|
| RSA | `CryptoDsseSigner.cs` | Traditional RSA signing |
| ECDSA | `CryptoDsseSigner.cs` | Elliptic curve signing |
| SM2 | `CryptoDsseSigner.cs` | Chinese national standard |

### API Endpoints (Attestor)

| Endpoint | Purpose |
|----------|---------|
| `/api/v1/anchors` | Attestation anchors |
| `/api/v1/bundles` | DSSE bundle operations |
| `/api/v1/chains` | Attestation chain queries |
| `/api/v1/proofs` | Proof operations |
| `/api/v1/verify` | Verification endpoints |

### API Endpoints (Signer)

| Endpoint | Purpose |
|----------|---------|
| `POST /sign` | Sign artifact |
| `POST /sign/verify` | Verify signature |
| `GET /keys` | List signing keys |
| `POST /keys/rotate` | Rotate signing key |
| `POST /keys/revoke` | Revoke signing key |

### Coverage Gaps (Attestation)

| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Key Rotation | No (API only) | No | Add `stella keys rotate` CLI |
| Trust Anchor Management | No | No | Consider trust anchor CLI |
| Attestation Chains UI | No | Partial | Chain visualization needed |
| Predicate Registry | No | No | Consider `stella attest predicates list` |

---

## Regional Crypto (Cryptography, SmRemote)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|--------|
| EdDSA (Ed25519) Baseline | Free/Pro/Ent | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Implemented |
| ECDSA P-256 (FIPS) | Pro/Ent | Cryptography | `EcdsaP256Signer.cs` | - | - | Implemented |
| FIPS 140-2 Plugin | Enterprise | Cryptography | `FipsPlugin.cs` (RSA, ECDSA, AES) | - | - | Implemented |
| GOST R 34.10-2012 Plugin | Enterprise | Cryptography | `GostPlugin.cs` (256/512-bit) | - | - | Implemented |
| SM2/SM3/SM4 Plugin | Enterprise | Cryptography | `SmPlugin.cs` | - | - | Implemented |
| eIDAS Plugin | Enterprise | Cryptography | `EidasPlugin.cs` (CAdES, RFC 3161) | - | - | Implemented |
| HSM Plugin (PKCS#11) | Enterprise | Cryptography | `HsmPlugin.cs` | - | - | Implemented |
| CryptoPro GOST | Enterprise | Cryptography | `CryptoProGostCryptoProvider.cs` (Windows) | - | - | Implemented |
| SM Remote Service | Enterprise | SmRemote | `Program.cs` (SM2 signing service) | - | - | Implemented |
| Multi-Profile Signing | Enterprise | Cryptography | `MultiProfileSigner.cs` | - | - | Implemented |
| Post-Quantum (Defined) | Future | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Planned |

### Signature Profiles (8 Defined)

| Profile | Standard | Algorithm | Status |
|---------|----------|-----------|--------|
| EdDsa | RFC 8032 | Ed25519 | Implemented |
| EcdsaP256 | FIPS 186-4 | ES256 | Implemented |
| RsaPss | FIPS 186-4, RFC 8017 | PS256/384/512 | Implemented |
| Gost2012 | GOST R 34.10-2012 | GOST 256/512-bit | Implemented |
| SM2 | GM/T 0003.2-2012 | SM2-SM3 | Implemented |
| Eidas | ETSI TS 119 312 | RSA-SHA*, ECDSA-SHA* | Implemented |
| Dilithium | NIST PQC | CRYSTALS-Dilithium | Planned |
| Falcon | NIST PQC | Falcon-512/1024 | Planned |

### Regional Compliance Matrix

| Region | Standard | Plugin | Algorithms |
|--------|----------|--------|------------|
| US | FIPS 140-2 | FipsPlugin | RSA-SHA*, ECDSA-P256/384/521, AES-GCM |
| Russia | GOST R 34.10-2012 | GostPlugin, CryptoPro | GOST 256/512-bit signatures |
| China | GM/T 0003-0004 | SmPlugin, SmRemote | SM2, SM3, SM4-CBC/GCM |
| EU | eIDAS | EidasPlugin | CAdES-BES, XAdES-BES, RFC 3161 TSA |
| Hardware | PKCS#11 | HsmPlugin | HSM-RSA, HSM-ECDSA, HSM-AES |

### Key Service Interfaces

| Interface | Purpose |
|-----------|---------|
| `IContentSigner` | Core signing abstraction |
| `IContentVerifier` | Signature verification |
| `ICryptoCapability` | Plugin capability reporting |
| `IHsmClient` | HSM
abstraction (simulated/PKCS#11) | ### Plugin Configuration Options **FIPS Plugin:** - RequireFipsMode, RsaKeySize (2048-4096), EcdsaCurve (P-256/384/521) **GOST Plugin:** - KeyStorePath, DefaultKeyId, PrivateKeyBase64, KeySize (256/512) **SM Plugin:** - PrivateKeyHex, GenerateKeyOnInit, UserId **eIDAS Plugin:** - CertificatePath, TimestampAuthorityUrl, ValidateCertificateChain **HSM Plugin:** - LibraryPath, SlotId, Pin, TokenLabel ### Coverage Gaps (Regional Crypto) | Feature | Has CLI | Has UI | Notes | |---------|---------|--------|-------| | Crypto Profile Selection | No | No | Configuration-only, no CLI | | Key Management | No | No | Plugin-specific configuration | | Post-Quantum Crypto | No | No | Profiles defined but not implemented | | HSM Status | No | No | Consider health check endpoint | --- ## Evidence & Findings (EvidenceLocker, Findings, ExportCenter) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | Sealed Evidence Bundles | Pro/Ent | EvidenceLocker | `S3EvidenceObjectStore.cs` (WORM) | `stella evidence export` | `/evidence-export` | Implemented | | Verdict Attestations | Pro/Ent | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Implemented | | Append-Only Ledger | Pro/Ent | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Implemented | | Alert Triage Workflow | Pro/Ent | Findings | `DecisionModels.cs` (hot/warm/cold bands) | - | `/findings` | Implemented | | Merkle Anchoring | Pro/Ent | Findings | `Infrastructure/Merkle/` | - | - | Implemented | | Evidence Packs | Pro/Ent | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Implemented | | Evidence Cards | Pro/Ent | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Implemented | | Profile-Based Exports | Pro/Ent | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | 
Implemented | | Risk Bundle Export | Enterprise | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Implemented | | Lineage Evidence Export | Enterprise | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Implemented | | Offline Verification | Enterprise | EvidenceLocker | `verify-offline.md` | `stella evidence verify --offline` | - | Implemented | ### CLI Commands (Evidence) | Command | Description | Status | |---------|-------------|--------| | `stella evidence export` | Export evidence bundle (--bundle, --format, --compression) | Implemented | | `stella evidence verify` | Verify bundle (--offline, --rekor-key) | Implemented | | `stella evidence status` | Bundle status check | Implemented | ### UI Routes (Evidence) | Route | Feature | Status | |-------|---------|--------| | `/evidence-export` | Evidence bundle management and export | Implemented | | `/evidence-thread` | Evidence thread visualization | Implemented | | `/findings` | Findings ledger with triage | Implemented | --- ## Determinism & Replay (Replay, Signals, HLC) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | Hybrid Logical Clock | Pro/Ent | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Implemented | | Canonical JSON (RFC 8785) | Pro/Ent | Canonical.Json | `CanonJson.cs` | - | - | Implemented | | Replay Manifests (V1/V2) | Pro/Ent | Replay.Core | `ReplayManifest.cs`, `KnowledgeSnapshot.cs` | `stella scan replay` | - | Implemented | | Evidence Weighted Scoring | Pro/Ent | Signals | `EvidenceWeightedScoreCalculator.cs` (6 factors) | - | - | Implemented | | Timeline Events | Pro/Ent | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Implemented | | Replay Proofs | Pro/Ent | Replay.Core | `ReplayProof.cs`, `ReplayManifestValidator.cs` | `stella prove` | - | Implemented | | Deterministic Event IDs | Pro/Ent | Eventing | `EventIdGenerator.cs` (SHA-256 based) | - 
| - | Implemented | | Attested Reduction | Pro/Ent | Signals | Short-circuit rules for anchored VEX | - | - | Implemented | ### Evidence Weighted Scoring (6 Factors) | Factor | Symbol | Weight | Description | |--------|--------|--------|-------------| | Reachability | RCH | Configurable | Static/runtime reachability | | Runtime | RTS | Configurable | Runtime telemetry | | Backport | BKP | Configurable | Backport evidence | | Exploit | XPL | Configurable | Exploit likelihood (EPSS) | | Source Trust | SRC | Configurable | Feed trustworthiness | | Mitigations | MIT | Configurable | Mitigation evidence (reduces score) | ### CLI Commands (Replay) | Command | Description | Status | |---------|-------------|--------| | `stella scan replay` | Deterministic verdict reproduction | Implemented | | `stella prove` | Generate replay proofs | Implemented | | `stella verify --proof` | Verify replay proofs | Implemented | --- ## Operations (Scheduler, Orchestrator, TaskRunner, TimelineIndexer) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | Job Scheduling | Pro/Ent | Scheduler | `IGraphJobService.cs`, `RunEndpoints.cs` | - | `/ops/scheduler` | Implemented | | Impact Targeting | Pro/Ent | Scheduler | `IImpactIndex.cs` (Roaring bitmaps) | - | - | Implemented | | Job Orchestration | Pro/Ent | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Implemented | | Dead Letter Queue | Pro/Ent | Orchestrator | `DeadLetterEntry.cs`, `DeadLetterEndpoints.cs` | - | `/orchestrator` | Implemented | | Task Pack Execution | Pro/Ent | TaskRunner | `ITaskRunnerClient.cs`, `PackRunWorkerService.cs` | - | - | Implemented | | Plan-Hash Binding | Pro/Ent | TaskRunner | Deterministic execution validation | - | - | Implemented | | Timeline Indexing | Pro/Ent | TimelineIndexer | `ITimelineQueryService.cs`, `TimelineEventView.cs` | - | - | Implemented | | Lease Management | Pro/Ent | Orchestrator | `LeaseNextAsync()`, 
`ExtendLeaseAsync()` | - | - | Implemented | ### API Endpoints (Operations) **Scheduler:** - `POST /api/v1/scheduler/runs` - Create run - `GET /api/v1/scheduler/runs/{runId}/stream` - SSE stream - `POST /api/v1/scheduler/runs/preview` - Dry-run preview **Orchestrator:** - `GET /api/v1/orchestrator/jobs` - List jobs - `GET /api/v1/orchestrator/dag` - Job DAG - `GET /api/v1/orchestrator/deadletter` - Dead letter queue - `GET /api/v1/orchestrator/kpi` - KPI metrics **TaskRunner:** - `POST /api/runs` - Create pack run - `GET /api/runs/{runId}/logs` - SSE log stream - `POST /api/runs/{runId}/approve` - Approval decision ### UI Routes (Operations) | Route | Feature | Status | |-------|---------|--------| | `/ops/scheduler` | Scheduler runs and impact preview | Implemented | | `/orchestrator` | Job dashboard and dead letters | Implemented | --- ## Release Orchestration (ReleaseOrchestrator) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | Promotion Workflows | Enterprise | ReleaseOrchestrator | `GateModels.cs`, `StepModels.cs` | - | `/releases` | Implemented | | Integration Hub | Enterprise | ReleaseOrchestrator | `IIntegrationManager.cs` | - | `/integrations` | Implemented | | Deployment Agents | Enterprise | Agent.Core | `IAgentCapability.cs`, `ComposeCapability.cs` | - | - | Implemented | | Plugin System (3-Surface) | Enterprise | ReleaseOrchestrator.Plugin | `IStepProviderCapability.cs`, `IGateProviderCapability.cs` | - | `/plugins` | Implemented | | Gate Evaluation | Enterprise | ReleaseOrchestrator | `IGateEvaluator.cs` | - | `/releases` | Implemented | | Step Execution | Enterprise | ReleaseOrchestrator | `IStepExecutor.cs` | - | - | Implemented | | Connector Invoker | Enterprise | ReleaseOrchestrator | `IConnectorInvoker.cs` | - | - | Implemented | ### Integration Types | Type | Description | Examples | |------|-------------|----------| | Scm | Source Control | GitHub, GitLab, Gitea | | Ci | 
Continuous Integration | Jenkins, GitHub Actions | | Registry | Container Registry | Docker Hub, Harbor, ACR, ECR, GCR | | Vault | Secrets | HashiCorp Vault, Azure Key Vault | | Notify | Notifications | Slack, Teams, Email, Webhooks | | SettingsStore | Config | Consul, etcd, Parameter Store | ### Deployment Agent Types | Agent | Key Files | Tasks | |-------|-----------|-------| | Docker Compose | `ComposeCapability.cs` | pull, up, down, scale, health-check, ps | | SSH/WinRM | (planned) | Remote execution | | ECS | (planned) | AWS ECS deployment | | Nomad | (planned) | HashiCorp Nomad | --- ## Auth & Access Control (Authority, Registry) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | OAuth2/OIDC Token Service | Free/Pro/Ent | Authority | `IStellaOpsTokenClient.cs` | `stella auth` | `/login` | Implemented | | DPoP (Proof-of-Possession) | Pro/Ent | Authority | DPoP header injection | - | - | Implemented | | mTLS Certificate Binding | Enterprise | Authority | `cnf.x5t#S256` tokens | - | - | Implemented | | 75+ Authorization Scopes | Pro/Ent | Authority | `StellaOpsScopes.cs` | - | - | Implemented | | Registry Token Service | Pro/Ent | Registry | `RegistryTokenIssuer.cs` | - | - | Implemented | | Plan-Based Authorization | Pro/Ent | Registry | `PlanRegistry.cs` | - | - | Implemented | | LDAP Integration | Enterprise | Authority.Plugin.Ldap | LDAP connector | - | `/admin` | Implemented | | Device Code Flow | Pro/Ent | Authority | CLI headless login | `stella auth login` | - | Implemented | ### Authentication Flows | Flow | Use Case | |------|----------| | Client Credentials | Service-to-service | | Device Code | CLI headless login | | Authorization Code + PKCE | Web UI browser login | | DPoP Handshake | Proof-of-possession for all API calls | ### Scope Categories | Category | Example Scopes | |----------|---------------| | Signer | `signer.sign` | | Scanner | `scanner:scan`, `scanner:export` | | VEX 
| `vex:read`, `vex:ingest` | | Policy | `policy:author`, `policy:approve`, `policy:publish` | | Authority Admin | `authority:tenants.write`, `authority:roles.write` | --- ## Notifications & Integrations (Notify, Notifier, Integrations, Zastava) | Feature | Tiers | Module | Key Files | CLI | UI | Status | |---------|-------|--------|-----------|-----|----|----| | Multi-Channel Notifications | Pro/Ent | Notify | `NotifyChannel.cs`, `NotifyEvent.cs` | - | `/notifications` | Implemented | | Rule-Based Routing | Pro/Ent | Notify | `NotifyRule.cs`, `INotifyRuleEvaluator.cs` | - | `/notifications` | Implemented | | Incident Correlation | Pro/Ent | Notifier | `ICorrelationEngine.cs` | - | `/incidents` | Implemented | | Escalation Policies | Pro/Ent | Notifier | `EscalationEndpoints.cs` | - | `/notifications` | Implemented | | Storm Breaker | Pro/Ent | Notifier | `StormBreakerEndpoints.cs` | - | - | Implemented | | External Integrations | Enterprise | Integrations | `IIntegrationConnectorPlugin.cs` | - | `/integrations` | Implemented | | Kubernetes Admission | Enterprise | Zastava | `AdmissionEndpoint.cs`, `AdmissionDecision.cs` | - | - | Implemented | | Runtime Event Collection | Enterprise | Zastava | `RuntimeEvent.cs`, `RuntimeEventFactory.cs` | - | - | Implemented | ### Notification Channels (10 Types) | Channel | Adapter | Status | |---------|---------|--------| | Slack | `SlackChannelAdapter.cs` | Implemented | | Teams | `ChatWebhookChannelAdapter.cs` | Implemented | | Email | `EmailChannelAdapter.cs` | Implemented | | Webhook | `ChatWebhookChannelAdapter.cs` | Implemented | | PagerDuty | `PagerDutyChannelAdapter.cs` | Implemented | | OpsGenie | `OpsGenieChannelAdapter.cs` | Implemented | | CLI | `CliChannelAdapter.cs` | Implemented | | InApp | `InAppChannelAdapter.cs` | Implemented | | InAppInbox | `InAppInboxChannelAdapter.cs` | Implemented | | Custom | Plugin-based | Implemented | ### Runtime Event Types (Zastava) | Event Kind | Description | 
|------------|-------------| | ContainerStart | Container lifecycle start | | ContainerStop | Container lifecycle stop | | Drift | Filesystem/binary changes | | PolicyViolation | Policy rule breach | | AttestationStatus | Signature/attestation verification | --- ## Summary Statistics | Category | Count | |----------|-------| | Total Features in Matrix | ~200 original | | Discovered Features | 200+ additional | | CLI Commands | 80+ | | UI Routes | 75+ | | API Endpoints | 500+ | | Service Interfaces | 300+ | | Language Analyzers | 11+ | | Advisory Connectors | 33+ | | Notification Channels | 10 | | Crypto Profiles | 8 | | Policy Gate Types | 10+ | | Risk Score Providers | 6 | | Attestation Predicates | 25+ | --- *Document generated via automated feature extraction from Stella Ops codebase (20,723+ .cs files across 1,024 projects)*