# Signal contract mapping

StellaOps implements advisory signal contracts using domain-specific models. The signals align to five core concepts:

## Mapping summary

| Advisory signal | StellaOps equivalent | Purpose |
| --- | --- | --- |
| Signal-10 (SBOM intake) | SBOM ingestion + callgraph ingest | Normalize SBOMs and call graphs with tenant and source metadata. |
| Signal-12 (Evidence) | in-toto statements + DSSE envelopes | Signed attestations and evidence bundles. |
| Signal-14 (Triage fact) | Triage finding, reachability, risk, and VEX entities | Aggregated facts for a vuln and component. |
| Signal-16 (Diff delta) | Triage snapshot + smart-diff + drift causes | Deterministic change detection between runs. |
| Signal-18 (Decision) | Triage decision + policy decision attestation | Final decision with rationale and signatures. |

## Evidence references

- DSSE envelopes are addressed by sha256 of the envelope payload.
- CAS URIs reference content-addressed evidence blobs (graphs, traces).

## Idempotency

- Event envelopes include explicit idempotency keys.
- Findings use stable identifiers derived from CVE and subject context.

## API surface alignment

- SBOM ingest endpoints map to scanner and signals ingest.
- Decision and diff endpoints map to triage and smart-diff APIs.

## Key equivalence guarantees

- Subject digests and PURLs are preserved across ingestion and triage.
- Reachability and VEX evidence is attached to findings, not rewritten.
- Decisions carry rationale and policy references suitable for audit.

## Related references

- docs/architecture/signal-contract-mapping.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
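
The evidence-reference and idempotency rules above, sketched as a consumer-side check. This is an added example, not StellaOps code: `EvidenceStore`, `envelope_ref`, `subject_digests` and `sample_envelope` are hypothetical names, the sample envelope is constructed, and it assumes the sha256 is taken over the base64-decoded DSSE payload bytes.

```python
import base64
import hashlib
import json


def envelope_ref(envelope: dict) -> str:
    """Evidence reference: sha256 over the decoded DSSE payload bytes (assumed)."""
    payload = base64.b64decode(envelope["payload"], validate=True)
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def subject_digests(envelope: dict) -> set:
    """sha256 subject digests from the in-toto statement carried in the payload."""
    statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    return {s["digest"]["sha256"] for s in statement.get("subject", [])}


class EvidenceStore:
    """Hypothetical in-memory store keyed by envelope reference."""

    def __init__(self):
        self._by_ref = {}

    def put(self, envelope: dict):
        """Idempotent insert: (ref, True) when new, (ref, False) on replay."""
        ref = envelope_ref(envelope)
        if ref in self._by_ref:
            return ref, False
        self._by_ref[ref] = envelope
        return ref, True

    def resolve(self, ref: str, subject_sha256: str) -> dict:
        """Fetch by reference, re-hash, and confirm the expected subject digest."""
        envelope = self._by_ref[ref]
        if envelope_ref(envelope) != ref:
            raise ValueError("payload does not hash to its reference")
        if subject_sha256 not in subject_digests(envelope):
            raise ValueError("subject digest not present in statement")
        return envelope


def sample_envelope(subject_sha256: str) -> dict:
    """Constructed sample: minimal in-toto statement wrapped in a DSSE envelope."""
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": "example-image", "digest": {"sha256": subject_sha256}}],
                 "predicateType": "https://example.invalid/predicate/v1",
                 "predicate": {}}
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "constructed-key", "sig": "AA=="}]}
```

A reference computed this way covers the payload only, so the signatures on a resolved envelope still need DSSE verification before the evidence is trusted.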