# Roadmap

This repository is the source of truth for StellaOps direction. The roadmap is expressed as stable, evidence-based capability milestones (not calendar promises) so it stays correct during long audits and offline operation.

## How to read this

- **Now / Next / Later** are priority bands, not dates.
- A capability is "done" when the required evidence exists and is reproducible (see `docs/roadmap/maturity-model.md`).

## Now (Foundation)

- Deterministic scan pipeline: image -> SBOMs (SPDX 3.0.1 + CycloneDX 1.6) with stable identifiers and replayable outputs.
- Advisory ingestion with offline-friendly mirrors, normalization, and deterministic merges.
- VEX-first triage: OpenVEX ingestion/consensus with explainable, stable verdicts.
- Policy gates: deterministic policy evaluation (OPA/Rego where applicable) with audit-friendly decision traces.
- Offline Kit workflows (bundle -> import -> verify) with signed artifacts and deterministic indexes.

## Next (Hardening)

- Multi-tenant isolation (tenancy boundaries + RLS where applicable) and an audit trail built for replay.
- Signing and provenance hardening: DSSE/in-toto everywhere; configurable crypto profiles (FIPS/GOST/SM) where enabled.
- Determinism gates and replay tests in CI to prevent output drift across time and environments.

## Later (Ecosystem)

- Wider connector/plugin ecosystem, operator tooling, and SDKs.
- Expanded graph/reachability capabilities and export/pack formats for regulated environments.

## Detailed breakdown

- `docs/roadmap/README.md`
- `docs/roadmap/maturity-model.md`

## Related high-level docs

- `docs/03_VISION.md`
- `docs/04_FEATURE_MATRIX.md`
- `docs/40_ARCHITECTURE_OVERVIEW.md`
- `docs/24_OFFLINE_KIT.md`
- `docs/key-features.md`