# Stella Ops Suite — 2-Minute Overview

## What Stella Ops Suite Is

**Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates.** It sits between your CI and your runtime targets, governs promotion across environments, enforces security and policy gates, and produces verifiable evidence for every release decision—while remaining plug-in friendly to any SCM/CI/registry/secrets stack.

## The Problems We Solve

- **Release governance is fragmented:** CI tools run pipelines but lack central release authority; deployment tools promote but bolt on security as an afterthought.
- **Non-Kubernetes targets are second-class:** Docker hosts, Compose, ECS, and Nomad deployments lack the GitOps tooling that Kubernetes enjoys.
- **Security blocks releases without explanation:** Scanners find vulnerabilities but don't integrate with promotion workflows; teams bypass gates or ignore findings.
- **Audit trails are scattered:** Release decisions live in CI logs, approval emails, and Slack threads—not in a unified, cryptographically verifiable ledger.
- **Pricing punishes automation:** Per-project, per-seat, or per-deployment billing creates friction for teams that deploy frequently.
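To make the "unified, cryptographically verifiable ledger" concrete, here is an added illustration in Python. It is not Stella Ops Suite code and does not use its APIs; it shows the shape of a digest-keyed, hash-chained ledger of release decisions in which every record carries the component digests being promoted, a hash of the policy it was evaluated under, the verdict, the approvals, and the hash of the previous record. Record hashes are computed over a canonical encoding, so the same logical decision always yields the same hash (reproducibility), and any after-the-fact edit or replacement of a record breaks the chain (tamper evidence). All names (`make_decision`, `verify_ledger`, `demo`) and the sample policy and digests are hypothetical.

```python
"""Added illustration (not Stella Ops code): a hash-chained ledger of
release decisions keyed by OCI digests. All names are hypothetical."""
import hashlib
import json
import re

# A release identity must be an immutable digest, never a mutable tag.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic encoding: sorted keys, no whitespace. The same logical
    record hashes to the same value regardless of dict/list construction."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_decision(components: dict, policy: dict, verdict: str,
                  approvals: list, prev_hash: str) -> dict:
    """Build one decision record: inputs + policy hash + verdict + approvals,
    chained to the previous record. Tags are rejected up front."""
    for name, digest in components.items():
        if not DIGEST_RE.match(digest):
            raise ValueError(f"{name}: release must reference a digest, got {digest!r}")
    if verdict not in ("allow", "deny"):
        raise ValueError(f"unknown verdict {verdict!r}")
    body = {
        "components": dict(sorted(components.items())),
        "policy_hash": sha256_hex(canonical(policy)),  # which rules were applied
        "verdict": verdict,
        "approvals": sorted(approvals),
        "prev": prev_hash,
    }
    return {"body": body, "hash": sha256_hex(canonical(body))}


def append_decision(ledger: list, components, policy, verdict, approvals) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    rec = make_decision(components, policy, verdict, approvals, prev)
    ledger.append(rec)
    return rec


def verify_ledger(ledger: list):
    """Recompute every hash and check the chain links. Returns (True, None)
    when the ledger is intact, otherwise (False, index_of_first_bad_record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(ledger):
        body = rec["body"]
        if body.get("prev") != expected_prev:
            return False, i
        if sha256_hex(canonical(body)) != rec["hash"]:
            return False, i
        expected_prev = rec["hash"]
    return True, None


# Constructed sample inputs for the demo (hypothetical policy and digests).
POLICY = {"block_severity": ["critical"], "require_vex": True}
API_DIGEST = "sha256:" + "a" * 64
WEB_DIGEST = "sha256:" + "b" * 64


def demo():
    ledger = []
    append_decision(ledger, {"api": API_DIGEST, "web": WEB_DIGEST}, POLICY, "allow", ["alice", "bob"])
    append_decision(ledger, {"api": API_DIGEST}, POLICY, "deny", [])
    intact = verify_ledger(ledger)  # (True, None)

    # Tamper 1: flip the first verdict in place. The stored hash no longer
    # matches the body, so verification fails at index 0.
    ledger[0]["body"]["verdict"] = "deny"
    edited = verify_ledger(ledger)  # (False, 0)

    # Tamper 2: replace record 0 with a consistently re-hashed forgery.
    # Record 1 still points at the old hash, so the break is caught at index 1.
    ledger[0] = make_decision({"api": API_DIGEST, "web": WEB_DIGEST}, POLICY,
                              "deny", ["alice", "bob"], GENESIS)
    rewritten = verify_ledger(ledger)  # (False, 1)
    return intact, edited, rewritten


if __name__ == "__main__":
    print(demo())
```

The two tamper cases show why both the per-record hash and the chain link are needed: the first catches a record edited in place, the second catches a record swapped for a self-consistent forgery. In a real system the record hash would additionally be signed (the page mentions DSSE/in-toto and optional Rekor transparency) so that a party holding the signing key cannot silently rewrite the whole chain.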
## What Stella Ops Suite Does

| Capability | Description |
|------------|-------------|
| **Release orchestration** | UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks; steps are hook-able with scripts and step providers |
| **Security decisioning as a gate** | Scan on build, evaluate on release, re-evaluate when vulnerability intelligence updates—without forcing re-scans |
| **OCI-digest-first releases** | A release is an immutable digest (or bundle of digests); track "what is deployed where" with integrity |
| **Toolchain-agnostic integrations** | Plug into any SCM, any CI, any registry, any secrets system; customers reuse their existing stack |
| **Auditability + standards** | Audit log + evidence packets (exportable), SBOM/VEX/attestation-friendly, standards-first approach |

## Core Strengths

| Strength | Why It Matters |
|----------|----------------|
| **Non-Kubernetes specialization** | Docker hosts, Compose, ECS, Nomad-style targets are first-class, not an afterthought |
| **Reproducibility** | Deterministic release decisions captured as evidence (inputs + policy hash + verdict + approvals) |
| **Attestability** | Produces and verifies release evidence/attestations (provenance, SBOM linkage, decision records) in standard formats |
| **Verity (integrity)** | Digest-based release identity; signature/provenance verification; tamper-evident audit trail |
| **Hybrid reachability** | Reachability-aware vulnerability prioritization (static + runtime signals) to reduce noise and focus on exploitable paths |
| **Cost that doesn't punish automation** | No per-project tax, no per-seat tax, no "deployments bill." Limits are only: (1) number of environments and (2) number of new digests analyzed per day |

## Who Benefits

| Persona | Outcome |
|---------|---------|
| **Release managers** | Central control plane for promotions; clear approval workflows; audit-ready evidence |
| **Security engineering** | Security gates integrated into release flow; reachability-aware prioritization; VEX support |
| **Platform / SRE** | Deploy to Docker/Compose/ECS/Nomad with agents or agentless; rollback with confidence |
| **Compliance & risk** | Every release decision is cryptographically signed and replayable; export compliance reports |
| **DevOps / CI owners** | Integrate via webhooks; keep existing CI/SCM/registry; add release governance without replacing tools |

## Platform Capabilities

### Operational Today

- **Vulnerability scanning** with SBOM-first approach and delta-layer caching
- **Advisory ingestion** from multiple sources with aggregation-not-merge semantics
- **VEX support** for exploitability decisioning (OpenVEX + SPDX 3.0.1 relationships)
- **Policy engine** with lattice logic for explainable, deterministic verdicts
- **Attestation and signing** (DSSE/in-toto) with optional Sigstore Rekor transparency
- **Offline operations** via Offline Kit bundles for air-gapped deployments
- **Sovereign crypto profiles** (eIDAS, FIPS, GOST, SM)

### Planned (Release Orchestration)

- **Environment management** — Define Dev/Stage/Prod environments with freeze windows and approval policies
- **Release bundles** — Compose releases from component digests with semantic versioning
- **Promotion workflows** — DAG-based workflow engine with approvals, gates, and hooks
- **Deployment execution** — Agents for Docker, Compose, ECS, Nomad; agentless via SSH/WinRM
- **Progressive delivery** — A/B releases, canary deployments, traffic routing
- **Plugin system** — Three-surface plugin model for integrations, steps, and agents
- **Version stickers** — Tamper-evident deployment records on targets for drift detection

## Where to Go Next

- Ready to try it? Head to [quickstart.md](quickstart.md)
- Want capability details? Browse [key-features.md](key-features.md)
- Understand the architecture? See [ARCHITECTURE_OVERVIEW.md](ARCHITECTURE_OVERVIEW.md)
- Review the roadmap? Check [ROADMAP.md](ROADMAP.md)