# Capability maturity model This document defines what "shipped" means for StellaOps capabilities. Each area progresses through the same maturity levels; the concrete evidence differs by domain. ## Maturity levels | Level | Meaning | Evidence posture | | --- | --- | --- | | **Foundation** | Works end-to-end with deterministic outputs. | Golden fixtures, stable ordering, replay-friendly artifacts. | | **Hardened** | Safe for regulated environments. | Isolation boundaries, audit trail, reproducible upgrades, operational runbooks. | | **Sovereign** | Crypto + operations are independent by default. | Bring-your-own trust roots, offline bundles, configurable crypto profiles. | | **Ecosystem** | Extensible and integrable without losing determinism. | Stable plugin/SDK contracts, compatibility suites, offline distribution story. | ## Scanning & SBOM | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | Deterministic SBOM generation and stable identifiers. | Fixture-backed scans producing byte-stable SBOMs and normalized findings. | | Hardened | Deterministic "replay" of scans and decisions. | Replay test vectors and a documented, versioned artifact layout. | | Sovereign | Offline-ready feeds and trust roots. | Fully air-gapped scan runbook and importer/controller workflows. | | Ecosystem | Extensible analyzers and outputs. | Compatibility tests for plugins and exporters; no network required. | ## Advisory ingestion | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | Normalizers and deterministic merges into canonical stores. | Repeatable ingestion runs with stable IDs and ordering. | | Hardened | Schema validation and drift controls. | Locked schemas, test fixtures, and failure modes documented. | | Sovereign | Mirror-first and offline bundle imports. | Offline bundle format documented; import determinism verified. | | Ecosystem | Connector library growth without regressions. | Connector conformance suite and fixture discipline. | ## VEX & verdicts | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | OpenVEX ingestion and stable verdict outcomes. | Deterministic merges, explainable reasoning, stable verdict IDs. | | Hardened | Trust model and audit trail. | Trust lattice rules documented; replay tests for merges/verdicts. | | Sovereign | Bring-your-own trust roots and issuer governance. | Offline trust root provisioning and rotation procedures. | | Ecosystem | Multiple issuer ecosystems and integrations. | Compatibility tests and validated importer adapters. | ## Policy engine | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | Deterministic policy evaluation with consistent precedence. | Policy packs + golden decisions with stable ordering. | | Hardened | Audit-grade policy traces. | Decision trace artifacts and replay tests for policy outputs. | | Sovereign | Operator-controlled policy distribution. | Offline pack distribution and verification story. | | Ecosystem | Policy contracts for third parties. | Compatibility suite and safe upgrade policy guarantees. | ## Offline kit & air-gap workflows | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | Documented offline concepts and supported workflows. | `docs/24_OFFLINE_KIT.md` plus importer/controller docs and examples. | | Hardened | Deterministic imports and verified indexes. | Byte-stable indexes with reproducible hash outputs across machines. | | Sovereign | Independent trust anchors and mirrors. | Trust-root provisioning docs and an air-gapped "day-2 ops" runbook. | | Ecosystem | Third-party bundles and toolchain integrations. | Conformance tests and offline bundle validation tooling. | ## Operations, observability, and security | Level | What exists | Minimum evidence | | --- | --- | --- | | Foundation | Clear service boundaries and deployment profiles. | Compose profiles and documented defaults. | | Hardened | Runbooks, dashboards, and incident workflows. | Offline-importable dashboards and operational checklists. | | Sovereign | Crypto agility and least-privilege by default. | Configurable crypto profiles and role/scopes documentation. | | Ecosystem | Stable operator and SDK surfaces. | Versioned APIs and compatibility guarantees. |