## Pack 3 — Security + Evidence & Audit + Operations

This pack adds the missing **SBOM/Finding signals**, **hybrid reachability (build/image/runtime)**, and a first-class **Nightly Ops Report**, while keeping the “release/hotfix + security + audit” spine. ([Stella Ops Suite][1])

---

# 0) Design rule for this pack (why these screens look the way they do)

When Stella Ops opens, the UI must communicate fast:

* **What is deployed where (by digest)**
* **What is allowed to ship next**
* **Why it is allowed/blocked (policy + reachability evidence)**
* **Where the evidence is (one-click proof/export)** ([Gitea: Git with a cup of tea][2])

Everything in this pack is arranged to serve that rule.

---

# 1) SECURITY — menus + screens

## 1.1 Security menu graph (Mermaid)

```mermaid
flowchart TD
  S0["Security (menu)"]
  S1["Security Overview (global)"]
  S2["Findings (SBOM + CVE)"]
  S3["Finding Detail"]
  S4["Hybrid Reachability (build/image/runtime)"]
  S5["Reachability Evidence Detail"]
  S6["VEX Hub"]
  S7["VEX Statement Detail"]
  S8["Exceptions"]
  S9["Exception Detail"]
  S10["SBOM Explorer (Graph)"]

  S0 --> S1
  S0 --> S2 --> S3 --> S5
  S0 --> S4 --> S5
  S0 --> S6 --> S7
  S0 --> S8 --> S9
  S0 --> S10
```

---

## 1.2 Screen — Security Overview (global)

**New location:** `Security → Security Overview`

**Previously:** `Security → Overview` (“Security Overview”)

**Why changed:**

* Your dashboard needs **emerged SBOM/finding signal** and “which env/region is burning” in one glance (not “0 across the board” unless truly 0).
* This overview becomes the **security posture rollup** across regions/environments with **reachability emphasis** (reachable CVEs are what matter for decisions).

### Screen graph (Mermaid)

```mermaid
flowchart LR
  A["Security Overview"] --> B["Findings (filtered)"]
  A --> C["Hybrid Reachability"]
  A --> D["VEX Hub"]
  A --> E["Exceptions"]
  A --> F["Evidence Capsule (latest)"]
  A --> G["Ops: Nightly Report (security pipelines)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Stella Ops                    [Search releases/digests…]                                         |
|--------------------------------------------------------------------------------------------------|
| NAV                    | Security / Overview                                                     |
|------------------------| formerly: Security → Overview (Security Overview)                       |
| Dashboard              |-------------------------------------------------------------------------|
| Release Control        | GLOBAL POSTURE (last refresh 2m)                                        |
| Security (YOU ARE)     | Reachable CVEs:  CRIT [2]  HIGH [7]  MED [14]  LOW [33]                 |
| Evidence & Audit       | Non-reachable CVEs (noise): 1,284                                       |
| Operations             |-------------------------------------------------------------------------|
| Integrations           | HOTSPOTS (Reachable CRIT/HIGH by env)                                   |
| Administration         | prod/us-east-1    CRIT=2 HIGH=3 | prod/eu-west-1 CRIT=0 HIGH=4          |
|                        | staging/us-east-1 CRIT=0 HIGH=1 | dev/*          CRIT=0 HIGH=0          |
|                        |-------------------------------------------------------------------------|
|                        | HYBRID REACHABILITY COVERAGE (must not be “third class”)                |
|                        | Build: 92% | Image (Dover): 100% | Runtime: 63%                         |
|                        | Gaps: prod/eu-west-1 runtime ingest delayed (last 6h)                   |
|                        |-------------------------------------------------------------------------|
|                        | Quick actions: [View Findings] [Reachability] [VEX Hub] [Exceptions]    |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.3 Screen — Findings (SBOM + CVE unified)

**New location:** `Security → Findings`

**Previously:**

* `Security → Findings` (“Security Findings”)
* `Security → Vulnerabilities` (“Vulnerabilities”)

**Why changed:**

* **One list** with consistent semantics: “CVE + package + reachability + environments + releases/bundles impacted”.
* The old “Vulnerabilities” page becomes a **redirect** to this screen with preset filters (e.g., `View=CVE Catalog`).

### Screen graph (Mermaid)

```mermaid
flowchart TD
  L["Findings (SBOM + CVE)"] --> F["Finding Detail"]
  L --> X["Export CSV"]
  L --> V["VEX Hub (context)"]
  L --> E["Create Exception (pre-filled)"]
  L --> R["Reachability view (hybrid columns)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Security / Findings                                                   [Export CSV] [Saved Views] |
| formerly: Security → Findings (Security Findings) + Security → Vulnerabilities (Vulnerabilities) |
|--------------------------------------------------------------------------------------------------|
| Filters: Severity [All]  Reachability [Any/Reachable]  Source [Build/Image/Runtime/Any]          |
|          Region [All]  Environment [All]  VEX [Any/Has VEX/Needs VEX]                            |
|--------------------------------------------------------------------------------------------------|
| CVE      PACKAGE  SEV  CVSS REACHABILITY (B/I/R)  VEX     RELEASE/BUNDLE    ENVS                 |
| CVE-...  openssl  CRIT 9.8  ✅ / ✅ / ✅             —       hotfix-auth 1.2.4 prod/us-east-1       |
| CVE-...  log4j    HIGH 8.1  ✅ / ✅ / ☐             vendor  platform 1.3.0    prod/eu-west-1       |
| CVE-...  zlib     MED  6.5  ☐ / ✅ / ☐             local   payments 2.8.4    staging/us-e1        |
|--------------------------------------------------------------------------------------------------|
| Notes: Reachability columns are hybrid: Build analysis, Image (Dover), Runtime (deployed).       |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.4 Screen — Finding Detail (evidence-first)

**New location:** `Security → Findings → (Finding Detail)`

**Previously:** fragmented across Findings + (future) SBOM Graph + VEX Hub

**Why changed:**

* A decision is only as good as its proof: this page centers **reachability evidence**, **affected environments**, **VEX**, and **the promotion impact** (blocked vs allowed) with links to **Decision Capsule**.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Finding Detail"] --> R["Reachability Evidence (hybrid)"]
  D --> V["VEX Statements"]
  D --> P["Promotion Impact (gates + approvals)"]
  D --> X["Request Exception"]
  D --> E["Evidence Capsule (view/download)"]
  D --> A["Remediation actions (upgrade/patch)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Finding: CVE-2026-XXXX (openssl)                                             [Request Exception] |
| formerly: (spread across) Security Findings + VEX Hub + (SBOM Graph placeholder)                 |
|--------------------------------------------------------------------------------------------------|
| Summary: CRITICAL  CVSS 9.8  Package: openssl@3.0.x                                              |
| Affected artifacts (digests): sha256:aaaa…  sha256:bbbb…                                         |
|--------------------------------------------------------------------------------------------------|
| Reachability (hybrid)                                                                            |
| Build:          ✅ reachable (call path: api-gateway -> tls -> openssl)                           |
| Image (Dover):  ✅ reachable (static analysis)                                                    |
| Runtime:        ✅ reachable (trace evidence: prod/us-east-1)                                     |
| [View Reachability Evidence]                                                                     |
|--------------------------------------------------------------------------------------------------|
| Environments impacted                                                                            |
| prod/us-east-1 (2 services)    prod/eu-west-1 (1 service)                                        |
|--------------------------------------------------------------------------------------------------|
| VEX                                                                                              |
| Vendor VEX: none | Local VEX: draft                                                              |
| [Open VEX Hub pre-filtered]                                                                      |
|--------------------------------------------------------------------------------------------------|
| Promotion impact                                                                                 |
| Gate: "No reachable CRIT" ❌ BLOCKS | Required: patch or approved exception with expiry           |
| Evidence capsule: sealed? ✅  [Open Capsule] [Export]                                             |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.5 Screen — Hybrid Reachability (coverage + gaps)

**New location:** `Security → Hybrid Reachability`

**Previously:** *not visible as a coherent surface*

**Why changed:**

* You explicitly require reachability from **Build**, **Image (Dover)**, and **Runtime** to be **second-class (visible)**, not buried.
* This page answers: “Do we trust our reachability picture for each env/region right now?”

### Screen graph (Mermaid)

```mermaid
flowchart TD
  H["Hybrid Reachability (Coverage)"] --> M["Coverage Matrix (region/env x source)"]
  H --> G["Gap Drilldown (why missing runtime?)"]
  H --> F["Findings filtered by 'reachability missing'"]
  H --> O["Ops: ingestion pipeline health"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Security / Hybrid Reachability                                                [Export] [Explain] |
| formerly: (missing / implicit)                                                                   |
|--------------------------------------------------------------------------------------------------|
| Coverage Matrix (last 24h)                                                                       |
| Region/Env          BUILD     IMAGE (DOVER)  RUNTIME   NOTES                                     |
| prod/us-east-1      98% ✅     100% ✅         72% ⚠     runtime ingest lag 2h                     |
| prod/eu-west-1      93% ✅     100% ✅         41% ❌     agent offline                             |
| staging/us-east-1   90% ✅     100% ✅         60% ⚠     sampling low                              |
| dev/us-east-1       80% ⚠     95% ⚠          10% ⚠     instrumentation off                       |
|--------------------------------------------------------------------------------------------------|
| Gap drilldown (selected: prod/eu-west-1 runtime)                                                 |
| - Missing agent heartbeat (Integrations: Agents)                                                 |
| - Last success: Feb 17 02:10                                                                     |
| Links: [Ops Platform Health] [Scheduler Run] [Agent Config]                                      |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.6 Screen — Reachability Evidence Detail

**New location:** via `Finding Detail` or `Hybrid Reachability` drilldowns

**Previously:** not present

**Why changed:**

* Reachability must be inspectable and exportable as evidence; otherwise it’s a black box.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  E["Reachability Evidence Detail"] --> C["Call graph / trace proof"]
  E --> S["Source selector: Build vs Image vs Runtime"]
  E --> V["Link to VEX statement"]
  E --> P["Link to Policy decision + capsule"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Reachability Evidence: CVE-2026-XXXX in prod/us-east-1                          [Download Proof] |
| formerly: (missing / implicit)                                                                   |
|--------------------------------------------------------------------------------------------------|
| Source: [Build ✅] [Image (Dover) ✅] [Runtime ✅]                                                  |
|--------------------------------------------------------------------------------------------------|
| Proof summary                                                                                    |
| Entry point: api-gateway                                                                         |
| Path: api-gateway -> tls_handler -> openssl::SSL_read -> vulnerable_fn                           |
| Confidence: High                                                                                 |
|--------------------------------------------------------------------------------------------------|
| Linked artifacts                                                                                 |
| SBOM: sbom@sha256:...  Trace: runtime-trace@sha256:...  Policy: core-pack v12                    |
| Capsule: capsule-prod-us-east-1-2026-02-18                                                       |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.7 Screen — VEX Hub

**New location:** `Security → VEX Hub`

**Previously:** `Security → VEX Hub` (“VEX Statement Dashboard”)

**Why changed:**

* Keep it in Security, but make it clearly part of the “evidence chain”: VEX must link to findings and reachability proof (not just a statement list).
  ([Gitea: Git with a cup of tea][3])

### Screen graph (Mermaid)

```mermaid
flowchart TD
  V["VEX Hub"] --> S["Search Statements"]
  V --> I["Import Vendor VEX"]
  V --> D["VEX Statement Detail"]
  D --> F["Linked Findings"]
  D --> E["Evidence Capsule / Proof chain"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Security / VEX Hub                                                      [Search] [Import Vendor] |
| formerly: Security → VEX Hub                                                                     |
|--------------------------------------------------------------------------------------------------|
| Search: [CVE____] [Package____] [Product____] [Issuer____] [Env____]                             |
|--------------------------------------------------------------------------------------------------|
| STATEMENT ID  CVE       PRODUCT/BUNDLE    ISSUER    STATUS     LINKED FINDINGS                   |
| vex-1021      CVE-...   platform 1.3.0    vendorA   Verified   3 (2 reachable)                   |
| vex-1022      CVE-...   payments 2.8.4    local     Draft      1 (reachability pending)          |
|--------------------------------------------------------------------------------------------------|
| Note: Statements should reference reachability proof & capsule for audit replay.                 |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.8 Screen — VEX Statement Detail

**New location:** `Security → VEX Hub → (Statement)`

**Previously:** not clearly separated

**Why changed:**

* Needed for auditors: statement, issuer, scope, and the linked evidence objects.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["VEX Statement Detail"] --> L["Linked findings + reachability"]
  D --> P["Proof chain"]
  D --> X["Export VEX + evidence refs"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| VEX Statement: vex-1021 (vendorA)                                              [Export] [Verify] |
| formerly: Security → VEX Hub (inline row)                                                        |
|--------------------------------------------------------------------------------------------------|
| CVE: CVE-2026-XXXX  Disposition: Not Affected  Justification: component not used at runtime      |
| Scope: platform-release 1.3.0-rc1  Envs: prod/*                                                  |
|--------------------------------------------------------------------------------------------------|
| Linked evidence                                                                                  |
| - Reachability proof: runtime shows NOT reachable in prod/eu-west-1 (trace id …)                 |
| - Capsule: capsule-prod-eu-west-1-…                                                              |
|--------------------------------------------------------------------------------------------------|
| Linked findings                                                                                  |
| Finding list: 3 (reachable: 0)                                                                   |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.9 Screen — Exceptions (risk exceptions)

**New location:** `Security → Exceptions`

**Previously:** `Security → Exceptions` (“Security Exceptions”)

**Why changed:**

* Exceptions must show **scope + expiry + approvers + linked evidence**, and tie to policy workflow configured in Administration.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  X["Exceptions"] --> D["Exception Detail"]
  X --> R["Request Exception"]
  D --> A["Approval trail"]
  D --> F["Linked Findings / Bundles"]
  D --> E["Evidence capsule references"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Security / Exceptions                                                        [Request Exception] |
| formerly: Security → Exceptions                                                                  |
|--------------------------------------------------------------------------------------------------|
| EXC ID   SCOPE                   REASON                REQUESTED BY  EXPIRES     STATUS          |
| exc-221  CVE-… in prod/us-e1     hotfix window         alice         2026-03-01  Pending         |
| exc-222  bundle payments 2.8.4   vendor patch delayed  david         2026-02-25  Approved        |
|--------------------------------------------------------------------------------------------------|
| Notes: every exception must be time-bounded and linked to evidence & approver signatures.        |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.10 Screen — Exception Detail

**New location:** `Security → Exceptions → (Exception)`

**Previously:** not clearly separated

**Why changed:**

* Needed for audit and for “why allowed even though finding exists”.

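The interplay of the reachability gate and time-bounded exceptions described in the Finding Detail and Exceptions screens can be sketched as follows. This is an added example, not Stella Ops code: the class and field names, the `PASS_WITH_EXCEPTION` label (the mocks show it as `PASS*`), the "any positive source means reachable" rule, the `HIGH` blocking threshold and the two-approver minimum are all assumptions chosen for illustration, and the CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SEVERITY_RANK = {"LOW": 0, "MED": 1, "HIGH": 2, "CRIT": 3}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str
    env: str
    # One flag per source: True = reachable, False = analysed and not
    # reachable, None = no evidence from that source (a coverage gap).
    build: Optional[bool]
    image: Optional[bool]
    runtime: Optional[bool]

    def sources(self):
        return {"build": self.build, "image": self.image, "runtime": self.runtime}

    def reachable(self) -> bool:
        # Assumption: one positive source is enough to call the CVE reachable.
        return any(v is True for v in self.sources().values())

    def gaps(self) -> List[str]:
        return [name for name, v in self.sources().items() if v is None]


@dataclass(frozen=True)
class RiskException:
    exc_id: str
    cve: str
    env: str
    expires: datetime  # timezone-aware
    approvers: Tuple[str, ...]

    def covers(self, finding: Finding) -> bool:
        return self.cve == finding.cve and self.env == finding.env


def evaluate_gate(findings, exceptions, now, block_at="HIGH", required_approvals=2):
    """Return a decision record: the verdict plus the reasons behind it."""
    decision = {"verdict": "PASS", "blocked_by": [], "exceptions_applied": [],
                "rejected_exceptions": [], "evidence_gaps": []}
    for f in findings:
        # Missing evidence is reported, never silently treated as "not reachable".
        for src in f.gaps():
            decision["evidence_gaps"].append(f"{f.cve} {f.env}: no {src} evidence")
        if not f.reachable() or SEVERITY_RANK[f.severity] < SEVERITY_RANK[block_at]:
            continue  # not reachable, or below the gate threshold
        waived = False
        for exc in (e for e in exceptions if e.covers(f)):
            if now >= exc.expires:
                decision["rejected_exceptions"].append(f"{exc.exc_id}: expired")
            elif len(set(exc.approvers)) < required_approvals:
                decision["rejected_exceptions"].append(
                    f"{exc.exc_id}: needs {required_approvals} approvers")
            else:
                decision["exceptions_applied"].append(exc.exc_id)
                waived = True
                break
        if not waived:
            decision["blocked_by"].append(
                f"{f.cve} ({f.package}) {f.severity} reachable in {f.env}")
    if decision["blocked_by"]:
        decision["verdict"] = "BLOCK"
    elif decision["exceptions_applied"]:
        decision["verdict"] = "PASS_WITH_EXCEPTION"
    return decision


# Constructed sample data: placeholder CVE ids, names borrowed from the mocks.
UTC = timezone.utc
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "openssl", "CRIT", "prod/us-east-1", True, True, True),
    Finding("CVE-EXAMPLE-0002", "log4j", "HIGH", "prod/eu-west-1", True, True, None),
    Finding("CVE-EXAMPLE-0003", "zlib", "MED", "staging/us-east-1", None, True, None),
]
EXCEPTIONS = [
    RiskException("exc-222", "CVE-EXAMPLE-0002", "prod/eu-west-1",
                  datetime(2026, 2, 25, 23, 59, tzinfo=UTC), ("alice", "security-lead")),
]

if __name__ == "__main__":
    result = evaluate_gate(FINDINGS, EXCEPTIONS, datetime(2026, 2, 18, 9, 0, tzinfo=UTC))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The decision record keeps rejected exceptions and evidence gaps next to the verdict, which is the information the Exception Detail screen needs to answer why a promotion was allowed or blocked.
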
### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Exception Detail"] --> S["Scope + expiry"]
  D --> J["Justification + attachments"]
  D --> A["Approvals/signatures"]
  D --> L["Linked findings + affected envs"]
  D --> C["Capsules impacted (promotion events)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Exception: exc-222 (Approved)                                                  [Revoke] [Extend] |
| formerly: Security → Exceptions (row)                                                            |
|--------------------------------------------------------------------------------------------------|
| Scope: Bundle payments-suite 2.8.4  Env: prod/eu-west-1                                          |
| Expires: 2026-02-25 23:59 UTC  Risk: HIGH reachable allowed with 2 approvals                     |
|--------------------------------------------------------------------------------------------------|
| Justification: vendor patch ETA + compensating controls                                          |
| Approvals: ✅ alice (sig…)  ✅ security-lead (sig…)                                                |
|--------------------------------------------------------------------------------------------------|
| Linked findings:                                                                                 |
| - CVE-… log4j (HIGH reachable)                                                                   |
| Capsules impacted:                                                                               |
| - capsule-prod-eu-west-1-2026-02-18 (promotion allowed due to exc-222)                           |
+--------------------------------------------------------------------------------------------------+
```

---

## 1.11 Screen — SBOM Explorer (Graph)

**New location:** `Security → SBOM Explorer (Graph)`

**Previously:** `Security → SBOM Graph` (“SBOM Graph”)

**Why changed:**

* Keep it visible but explicitly “supporting detail”: useful to investigate dependency trees, but not the main control-plane.
* If still not implemented, show it as **(coming soon)** with deep links to Findings and Coverage metrics.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  G["SBOM Explorer (Graph)"] --> N["Node detail (package/component)"]
  N --> F["Findings for node"]
  N --> R["Reachability evidence"]
  G --> C["Coverage metrics"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Security / SBOM Explorer (Graph)                                          [Beta] [Open Findings] |
| formerly: Security → SBOM Graph                                                                  |
|--------------------------------------------------------------------------------------------------|
| If graph rendering is not available in this build:                                               |
| - Show “Graph unavailable” + shortcuts: [Findings filtered by component] [Coverage Metrics]      |
|--------------------------------------------------------------------------------------------------|
| Graph area (when enabled):                                                                       |
| [service: api-gateway] --depends--> [openssl] --depends--> [zlib]                                |
| click node → right panel: packages, versions, linked CVEs, reachability paths                    |
+--------------------------------------------------------------------------------------------------+
```

---

# 2) EVIDENCE & AUDIT — menus + screens

## 2.1 Evidence & Audit menu graph (Mermaid)

```mermaid
flowchart TD
  E0["Evidence & Audit (menu)"]
  E1["Evidence Home (latest capsules)"]
  E2["Decision Capsules (Bundles list)"]
  E3["Decision Capsule Detail"]
  E4["Evidence Packets"]
  E5["Packet Detail"]
  E6["Proof Chains"]
  E7["Proof Chain Detail"]
  E8["Replay / Verify"]
  E9["Replay Result Detail"]
  E10["Export Center"]
  E11["Export Run Detail"]
  E12["Coverage Metrics (Attestation coverage)"]

  E0 --> E1
  E0 --> E2 --> E3
  E0 --> E4 --> E5
  E0 --> E6 --> E7
  E0 --> E8 --> E9
  E0 --> E10 --> E11
  E0 --> E12
```

---

## 2.2 Screen — Evidence Home (quick proof access)

**New location:** `Evidence & Audit → Home`

**Previously:** no single landing (Evidence items were separate)

**Why changed:**

* “Where is the evidence?” must be one click. This home page lists latest capsules and quick exports.
  ([Gitea: Git with a cup of tea][2])

### Screen graph (Mermaid)

```mermaid
flowchart LR
  H["Evidence Home"] --> C["Decision Capsules"]
  H --> P["Evidence Packets"]
  H --> R["Replay / Verify"]
  H --> X["Export Center"]
  H --> M["Coverage Metrics"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Home                                                   [Export] [Verify Tool] |
| formerly: (no single landing)                                                                    |
|--------------------------------------------------------------------------------------------------|
| Latest Decision Capsules (sealed)                                                                |
| capsule-prod-us-east-1-2026-02-18  bundle: hotfix-auth 1.2.4   verdict: PASS* (exc applied)      |
| capsule-prod-eu-west-1-2026-02-18  bundle: platform 1.3.0-rc1  verdict: BLOCK (reachable CRIT)   |
| [View all capsules]                                                                              |
|--------------------------------------------------------------------------------------------------|
| Quick proof actions                                                                              |
| [Replay a verdict] [Verify signatures] [Export Audit Bundle] [Open Proof Chains]                 |
|--------------------------------------------------------------------------------------------------|
| Coverage snapshot                                                                                |
| SBOM: 100%  Reachability proofs: 78%  VEX: 41%  Approvals recorded: 100%                         |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.3 Screen — Decision Capsules (Evidence Bundles list)

**New location:** `Evidence & Audit → Decision Capsules`

**Previously:** `Evidence → Evidence Bundles` (“Evidence Bundles”)

**Why changed:**

* Rename to match the concept used in docs/marketing: a “decision capsule” binds SBOM + frozen inputs + reachability + policy + signatures so audits can replay deterministically.
  ([Stella Ops Suite][4])

### Screen graph (Mermaid)

```mermaid
flowchart TD
  L["Decision Capsules (list)"] --> D["Capsule Detail"]
  L --> V["Verify bundle signatures"]
  L --> X["Export (zip/tgz/oci)"]
  D --> R["Replay / Verify"]
  D --> P["Proof chain"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Decision Capsules                                           [Verify] [Export] |
| formerly: Evidence → Evidence Bundles                                                            |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All]  Env [All]  Bundle/Release [____]  Date [last 30d]  Status [All]           |
|--------------------------------------------------------------------------------------------------|
| CAPSULE ID                BUNDLE/RELEASE       ENV              VERDICT  SEALED  ACTIONS         |
| capsule-prod-us-e1-...    hotfix-auth 1.2.4    prod/us-east-1   PASS     ✅       View Export     |
| capsule-prod-eu-w1-...    platform 1.3.0-rc1   prod/eu-west-1   BLOCK    ✅       View Replay     |
|--------------------------------------------------------------------------------------------------|
| Each capsule must be exportable and replayable for audit.                                        |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.4 Screen — Decision Capsule Detail

**New location:** `Evidence & Audit → Decision Capsules → (Capsule)`

**Previously:** partially in export flows

**Why changed:**

* This is the “auditor view”: list exact inputs (SBOM + feed snapshot + policy version), outputs (verdict), and signatures.
  ([Stella Ops Suite][4])

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Capsule Detail"] --> I["Inputs (SBOM, feeds, policy, tools)"]
  D --> O["Outputs (verdict, risk, VEX)"]
  D --> S["Signatures (DSSE) + transparency refs"]
  D --> P["Proof chain graph"]
  D --> R["Replay this capsule"]
  D --> X["Export formats"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Capsule: capsule-prod-us-east-1-2026-02-18                        [Replay] [Export] [Verify Sig] |
| formerly: Evidence → Evidence Bundles (detail)                                                   |
|--------------------------------------------------------------------------------------------------|
| Inputs                                                                                           |
| SBOM: sbom@sha256:...  Feed snapshots: osv@... nvd@...  Policy: core-pack v12                    |
| Tools: scanner@sha256:...  Reachability: runtime-proof@sha256:...                                |
|--------------------------------------------------------------------------------------------------|
| Outputs                                                                                          |
| Verdict: PASS (exception exc-222)  Reachable CVEs: 1 HIGH  VEX: derived/linked                   |
|--------------------------------------------------------------------------------------------------|
| Signatures                                                                                       |
| DSSE envelope: ✅  Rekor/log ref: ✅  Certificate chain: ✅                                         |
|--------------------------------------------------------------------------------------------------|
| Links: [Proof Chain] [Related Approvals] [Related Bundle Version]                                |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.5 Screen — Evidence Packets (formerly “Packets”)

**New location:** `Evidence & Audit → Evidence Packets`

**Previously:** `Evidence → Packets` (“Packets”)

**Why changed:**

* “Packets” is ambiguous; “Evidence Packets” communicates that these are artifact bundles used by capsules/exports/replay.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  P["Evidence Packets"] --> D["Packet Detail"]
  P --> C["Create/collect packet (job output)"]
  D --> X["Export packet"]
  D --> L["Link to capsules using it"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Evidence Packets                                            [Create] [Export] |
| formerly: Evidence → Packets                                                                     |
|--------------------------------------------------------------------------------------------------|
| PACKET ID           TYPE            SOURCE JOB          CREATED     USED BY CAPSULES             |
| pkt-7712            build-sbom      jenkins#7712        Feb 18      2                            |
| pkt-opsv-sync       advisory-snap   mirror-sync         Feb 18      5                            |
| pkt-runtime-trace   runtime-proof   agent/prod-us-e1    Feb 18      1                            |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.6 Screen — Packet Detail

**New location:** `Evidence Packets → (Packet)`

**Previously:** not explicit

**Why changed:**

* Lets operators/auditors see exactly what artifacts are inside and where they were consumed.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Packet Detail"] --> A["Artifacts list (SBOM, traces, logs, attestations)"]
  D --> M["Manifest + hashes"]
  D --> U["Used-by capsules"]
  D --> X["Export"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence Packet: pkt-7712 (build-sbom)                                    [Export] [Verify Hash] |
| formerly: Evidence → Packets (row)                                                               |
|--------------------------------------------------------------------------------------------------|
| Manifest                                                                                         |
| - sbom.cdx.json           (sha256:...)                                                           |
| - findings.sarif          (sha256:...)                                                           |
| - build-provenance.json   (sha256:...)                                                           |
|--------------------------------------------------------------------------------------------------|
| Used by capsules                                                                                 |
| - capsule-prod-us-east-1-2026-02-18                                                              |
| - capsule-staging-us-east-1-2026-02-18                                                           |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.7 Screen — Proof Chains

**New location:** `Evidence & Audit → Proof Chains`

**Previously:** `Evidence → Proof Chains`

**Why changed:**

* Proof chain view is a top “audit navigation” path: show chain-of-custody from bundle → scan → reachability → policy → approval → capsule.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  P["Proof Chains"] --> D["Proof Chain Detail"]
  D --> C["Capsules"]
  D --> A["Approvals"]
  D --> R["Replay entries"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Proof Chains                                          [Search] [Export Graph] |
| formerly: Evidence → Proof Chains                                                                |
|--------------------------------------------------------------------------------------------------|
| CHAIN ID    SUBJECT (digest/bundle)               LAST EVENT          CAPSULES  STATUS           |
| chain-901   bundle platform 1.3.0-rc1             promotion blocked   1         ⚠ blocked        |
| chain-902   digest sha256:aaaa… (hotfix-auth)     promoted to prod    1         ✅ complete       |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.8 Screen — Proof Chain Detail

**New location:** `Proof Chains → (Chain)`

**Previously:** not clear

**Why changed:**

* Auditors want a single timeline/graph; engineers want quick links back to the cause (finding, missing feed, exception).

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Proof Chain Detail"] --> G["Chain graph (events)"]
  D --> T["Timeline"]
  D --> L["Linked objects (findings, vex, exceptions, capsules)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Proof Chain: chain-902 (hotfix-auth 1.2.4)                             [Export] [Replay Capsule] |
| formerly: Evidence → Proof Chains (row)                                                          |
|--------------------------------------------------------------------------------------------------|
| Graph (simplified)                                                                               |
| Digest sha256:aaaa… → SBOM pkt-7712 → Findings → Reachability proof → Policy gates → Approvals → |
| Capsule sealed → Promotion executed                                                              |
|--------------------------------------------------------------------------------------------------|
| Timeline                                                                                         |
| 07:10 SBOM created | 07:12 findings evaluated | 07:20 approval signed | 07:30 promoted           |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.9 Screen — Replay / Verify

**New location:** `Evidence & Audit → Replay / Verify`

**Previously:** `Evidence → Replay/Verify` (“Verdict Replay”)

**Why changed:**

* Deterministic replay is a core audit tool; keep it under Evidence and give it a clear “replay inputs, compare diffs” workflow.
  ([Gitea: Git with a cup of tea][5])

### Screen graph (Mermaid)

```mermaid
flowchart TD
  R["Replay / Verify"] --> Q["Request Replay"]
  R --> L["Replay Requests list"]
  L --> D["Replay Result Detail"]
  D --> C["Compare outputs (feeds/policy/tool versions)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Replay / Verify                                              [Request Replay] |
| formerly: Evidence → Replay/Verify (Verdict Replay)                                              |
|--------------------------------------------------------------------------------------------------|
| Request Replay: [Verdict ID or Digest ____]  Reason [____________________]  [Run]                |
|--------------------------------------------------------------------------------------------------|
| Requests                                                                                         |
| rr-001  digest sha256:aaaa…   COMPLETED   Feb 18 08:30   match: ✅                                |
| rr-002  digest sha256:bbbb…   RUNNING     Feb 18 07:30                                           |
|--------------------------------------------------------------------------------------------------|
| Determinism: compares outputs to original capsule inputs; highlights feed/policy/tool diffs.     |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.10 Screen — Replay Result Detail

**New location:** `Replay/Verify → (Replay Result)`

**Previously:** not explicit

**Why changed:**

* Needed to explain mismatches (policy pack changed, feed snapshot updated, tool version drift).

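A sketch of the replay comparison behind this screen, added here as an illustration and not taken from Stella Ops: it checks a capsule's seal, diffs the recorded inputs and outputs against a replay, and separates input drift from a genuinely non-deterministic result. The capsule layout, function names and status labels are assumptions, a bare SHA-256 digest stands in for the DSSE signature the capsule screens mention, and all sample values are constructed.

```python
import hashlib
import hmac
import json

# Labels follow the mismatch causes named for this screen.
DRIFT_CAUSES = {
    "policy": "policy pack changed",
    "feeds": "feed snapshot updated",
    "tools": "tool version drift",
}


def canonical_digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return "sha256:" + hashlib.sha256(data).hexdigest()


def seal_capsule(capsule_id, inputs, outputs):
    """Bind id, inputs and outputs under one digest (stand-in for a signature)."""
    body = {"capsule_id": capsule_id, "inputs": inputs, "outputs": outputs}
    return dict(body, seal=canonical_digest(body))


def verify_seal(capsule) -> bool:
    body = {k: v for k, v in capsule.items() if k != "seal"}
    return hmac.compare_digest(capsule.get("seal", ""), canonical_digest(body))


def diff_leaves(recorded, replayed, path=""):
    """Yield (path, recorded, replayed) for every leaf value that differs."""
    if isinstance(recorded, dict) and isinstance(replayed, dict):
        for key in sorted(set(recorded) | set(replayed)):
            yield from diff_leaves(recorded.get(key), replayed.get(key), f"{path}/{key}")
    elif recorded != replayed:
        yield (path, recorded, replayed)


def compare_replay(capsule, replay_inputs, replay_outputs):
    """Classify a replay as MATCH, INPUT_DRIFT, NON_DETERMINISTIC or SEAL_INVALID."""
    result = {"status": "MATCH", "causes": [], "input_diffs": [], "output_diffs": []}
    if not verify_seal(capsule):
        # A capsule altered after sealing cannot serve as the reference.
        result["status"] = "SEAL_INVALID"
        return result
    result["input_diffs"] = list(diff_leaves(capsule["inputs"], replay_inputs))
    result["output_diffs"] = list(diff_leaves(capsule["outputs"], replay_outputs))
    for path, _, _ in result["input_diffs"]:
        top = path.split("/")[1] if "/" in path else "inputs"
        cause = DRIFT_CAUSES.get(top, f"{top} input differs")
        if cause not in result["causes"]:
            result["causes"].append(cause)
    if result["input_diffs"]:
        result["status"] = "INPUT_DRIFT"
    elif result["output_diffs"]:
        # Same frozen inputs, different verdict: the evaluation itself is not
        # deterministic, which is the case an auditor most needs surfaced.
        result["status"] = "NON_DETERMINISTIC"
    return result


# Constructed sample capsule: placeholder digests, names echo the mocks.
RECORDED_INPUTS = {
    "sbom": "sbom@sha256:" + "a" * 64,
    "feeds": {"osv": "snapshot-A", "nvd": "snapshot-A"},
    "policy": "core-pack v12",
    "tools": {"scanner": "scanner@sha256:" + "b" * 64},
}
RECORDED_OUTPUTS = {"verdict": "PASS", "reachable": {"HIGH": 1}}
CAPSULE = seal_capsule("capsule-prod-us-east-1-2026-02-18", RECORDED_INPUTS, RECORDED_OUTPUTS)

if __name__ == "__main__":
    drifted = dict(RECORDED_INPUTS, policy="core-pack v13")
    print(compare_replay(CAPSULE, RECORDED_INPUTS, RECORDED_OUTPUTS)["status"])
    print(compare_replay(CAPSULE, drifted, RECORDED_OUTPUTS))
```
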
### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Replay Result Detail"] --> M["Match summary"]
  D --> DI["Diff view (inputs/outputs)"]
  D --> X["Re-seal capsule (optional)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Replay Result: rr-001 (MATCH ✅)                                                  [Download Diff] |
| formerly: Evidence → Replay/Verify (inline)                                                      |
|--------------------------------------------------------------------------------------------------|
| Compared to capsule: capsule-prod-us-east-1-2026-02-18                                           |
| Inputs:  SBOM ✅ same  Feeds ✅ same snapshot  Policy ✅ same  Tools ✅ same                          |
| Outputs: Findings ✅ same  Reachability ✅ same  VEX ✅ same  Verdict ✅ same                         |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.11 Screen — Export Center

**New location:** `Evidence & Audit → Export Center`

**Previously:** `Evidence → Export` (“Export Center”)

**Why changed:**

* Keep it evidence-centered; export is how auditors receive proof (zip/tgz/OCI).

### Screen graph (Mermaid)

```mermaid
flowchart TD
  X["Export Center"] --> P["Profiles"]
  X --> R["Export Runs"]
  P --> E["Edit Profile"]
  R --> D["Export Run Detail"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Export Center                                                [Create Profile] |
| formerly: Evidence → Export (Export Center)                                                      |
|--------------------------------------------------------------------------------------------------|
| Profiles                                                                                         |
| - StellaBundle (OCI referrer)  includes: SBOM, findings, attestations, provenance, VEX, policy   |
| - Daily Compliance Export      schedule: daily → S3 compliance-bucket                            |
| - Audit Bundle                 manual zip for external auditors                                  |
|--------------------------------------------------------------------------------------------------|
| Tabs: [Profiles] [Export Runs]                                                                   |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.12 Screen — Export Run Detail

**New location:** `Export Center → Export Runs → (Run)`

**Previously:** not explicit

**Why changed:**

* Make exports verifiable: show hash, signature status, destinations, and linked capsules.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Export Run Detail"] --> A["Artifacts produced"]
  D --> S["Signatures + verification"]
  D --> DST["Destinations + delivery logs"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Export Run: exp-8812 (SUCCESS ✅)                                             [Download] [Verify] |
| formerly: Evidence → Export (run row)                                                            |
|--------------------------------------------------------------------------------------------------|
| Profile: Audit Bundle   Output: audit-bundle-2026-02-18.zip  sha256:...   DSSE: ✅                |
| Contents: 14 capsules, 32 packets, proof graphs, policy pack v12, feed snapshots                 |
| Destinations: S3://compliance-bucket (ok)                                                        |
+--------------------------------------------------------------------------------------------------+
```

---

## 2.13 Screen — Coverage Metrics (Attestation coverage)

**New location:** `Evidence & Audit → Coverage Metrics`

**Previously:** `Analytics → SBOM Lake` (“SBOM Lake”)

**Why changed:**

* This is not “analytics for analytics' sake”; it’s **audit readiness coverage** (SBOM, reachability, VEX, policy decision, approvals).
* Renaming aligns it with operational meaning.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  C["Coverage Metrics"] --> F["Filters (region/env/time/severity)"]
  C --> T["Coverage by attestation type"]
  C --> G["Gaps list (what's missing where)"]
  G --> L["Deep links: jobs/integrations causing gaps"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Coverage Metrics                                       [Export CSV] [Refresh] |
| formerly: Analytics → SBOM Lake                                                                  |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All]  Env [All]  Time [30d]  Min Severity [All]                                 |
|--------------------------------------------------------------------------------------------------|
| Coverage by attestation type                                                                     |
|   SBOM              100%  (0 missing)                                                            |
|   Reachability      78%   (runtime missing in prod/eu-west-1)                                    |
|   Policy Decision   100%                                                                         |
|   Human Approval    100%                                                                         |
|   VEX               41%   (vendor statements not imported for 12 CVEs)                           |
|--------------------------------------------------------------------------------------------------|
| Gap list (actionable)                                                                            |
| - prod/eu-west-1: runtime reachability missing → agent offline (link: Ops Platform Health)       |
| - advisory freshness: NVD stale 26h → mirror sync failing (link: Ops Feeds & AirGap)             |
+--------------------------------------------------------------------------------------------------+
```

---

# 3) OPERATIONS — menus + screens

## 3.1 Operations menu graph (Mermaid)

```mermaid
flowchart TD
  O0["Operations (menu)"]
  O1["Ops Summary / Nightly Ops Report"]
  O2["Platform Health"]
  O3["Scheduler Runs"]
  O4["Scheduler Run Detail"]
  O5["Orchestrator Jobs"]
  O6["Orchestrator Job Detail"]
  O7["Dead Letter Queue"]
  O8["Quotas & Throttles"]
  O9["Worker Fleet"]
  O10["Feeds & AirGap (see Pack 2)"]

  O0 --> O1
  O0 --> O2
  O0 --> O3 --> O4
  O0 --> O5 --> O6
  O0 --> O7
  O0 --> O8
  O3 --> O9
  O0 --> O10
```

---

## 3.2 Screen — Ops Summary / Nightly Ops Report (NEW)

**New location:** `Operations → Ops Summary / Nightly Report`

**Previously:** *missing* (signals scattered across Scheduler/Feeds/Integrations)

**Why changed:**

* You requested a report that tells you when nightly jobs detect issues:

  * SBOM re-scan failures
  * CVE source not synced / stale
  * integrations not connectable
  * reachability ingest gaps
* This page is the “operators’ morning brief” and feeds both Dashboard and Security coverage.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  N["Nightly Ops Report"] --> J["Job Health (nightly suites)"]
  N --> F["Feed Freshness (OSV/NVD/etc)"]
  N --> I["Integration Connectivity"]
  N --> C["Coverage Gaps (SBOM/reachability/VEX)"]
  N --> D["Deep links: Scheduler run / Mirror detail / Integration detail"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Nightly Ops Report                                           [Export] [Acknowledge] |
| formerly: (missing / implicit)                                                                   |
|--------------------------------------------------------------------------------------------------|
| Nightly suites (last run window)                                                                 |
| ✅ SBOM Rescan (images)          02:00–02:18   ok                                                 |
| ⚠ Runtime Reachability Ingest   02:00–02:30   degraded (prod/eu-west-1 no agent)                 |
| ❌ NVD Mirror Sync               02:00–02:10   failed (timeout)                                   |
| ✅ Evidence Seal/Archive         02:20–02:22   ok                                                 |
|--------------------------------------------------------------------------------------------------|
| Impact summary                                                                                   |
| - Promotions at risk: prod policy requires “fresh advisories” → NVD stale blocks promotions      |
| - Security signal degraded: runtime reachability coverage down in prod/eu-west-1                 |
|--------------------------------------------------------------------------------------------------|
| Deep links                                                                                       |
| [Open Scheduler run: nvd-sync#run-881] [Open Feed mirror: nvd-mirror-1] [Open Agent status]      |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.3 Screen — Platform Health (services + security pipelines)

**New location:** `Operations → Platform Health`

**Previously:** `Operations → Platform Health` (“Platform Health”)

**Why changed:**

* This must show not only “docker/service up”, but whether **security pipelines** are healthy:

  * advisory freshness, SBOM ingestion, reachability ingestion, evidence sealing, replay service.

### Screen graph (Mermaid)

```mermaid
flowchart TD
  P["Platform Health"] --> S["Service health (APIs/workers)"]
  P --> D["Dependencies (db/queue/storage)"]
  P --> SP["Security pipelines (feeds/sbom/reachability/vex)"]
  P --> L["Live incidents (last 24h)"]
  SP --> N["Nightly report"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Platform Health                                          [Refresh] [View Incidents] |
| formerly: Operations → Platform Health                                                           |
|--------------------------------------------------------------------------------------------------|
| Core Services                      | Dependencies                    | Security Pipelines        |
|------------------------------------+---------------------------------+---------------------------|
| API Gateway       ✅                | Database            ✅           | Advisory freshness  ❌ NVD |
| Policy Engine     ✅                | Queue / Broker      ✅           | SBOM ingest         ✅     |
| Evidence Locker   ✅                | Object Storage      ✅           | Reachability ingest ⚠     |
| Replay Service    ✅                | Rekor/Transparency  ✅           | VEX import          ⚠     |
|--------------------------------------------------------------------------------------------------|
| Incident timeline (24h): no user-facing incidents; 2 pipeline degradations tracked               |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.4 Screen — Scheduler Runs

**New location:** `Operations → Scheduler Runs`

**Previously:** `Operations → Scheduler` (“Scheduler Runs”)

**Why changed:**

* Keep the page, but make it oriented around **nightly suites** and **data freshness** with links back to impact (coverage gaps, blocked promotions).

### Screen graph (Mermaid)

```mermaid
flowchart TD
  S["Scheduler Runs"] --> R["Run Detail"]
  S --> M["Manage Schedules"]
  S --> W["Worker Fleet"]
  R --> L["Logs"]
  R --> I["Impact (coverage/gates)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Scheduler Runs                                                   [Manage Schedules] |
| formerly: Operations → Scheduler (Scheduler Runs)                                                |
|--------------------------------------------------------------------------------------------------|
| Filters: Status [All]  Window [Last 24h]  Job type [All]                                         |
|--------------------------------------------------------------------------------------------------|
| JOB               LAST RUN        STATUS  DURATION  NEXT RUN  ACTIONS                            |
| nightly-sbom      Feb 18 02:00    ✅       18m       Feb 19    View Logs                          |
| nightly-runtime   Feb 18 02:00    ⚠       30m       Feb 19    View Logs  View Impact             |
| nvd-sync          Feb 18 02:00    ❌       10m       retry     View Logs  Open Mirror             |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.5 Screen — Scheduler Run Detail

**New location:** `Scheduler Runs → (Run)`

**Previously:** minimal

**Why changed:**

* Adds “impact” panel: what did this job affect (coverage, promotions, alerts).
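One way the impact panel's entries could be derived from feed sync times and agent heartbeats, as an added example that is not Stella Ops code. The two thresholds, the `Impact` record and the `agent-us-e1-01` entry are assumptions; the other sample values are modelled on the mocks on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed limits: the page names the "fresh advisories" gate and shows a
# 26h-stale NVD feed and a 6h-silent agent, but states no thresholds.
MAX_FEED_AGE = timedelta(hours=24)
MAX_AGENT_SILENCE = timedelta(minutes=5)


@dataclass(frozen=True)
class Impact:
    kind: str    # "promotion_blocked" or "coverage_gap"
    scope: str   # environment (or region/environment) affected
    reason: str  # cause shown to the operator


def stale_feeds(now, last_sync):
    """Map each stale feed to its age in whole hours (None = never synced)."""
    stale = {}
    for feed, synced_at in last_sync.items():
        if synced_at is None:
            stale[feed] = None  # fail closed: no successful sync on record
        elif now - synced_at > MAX_FEED_AGE:
            stale[feed] = int((now - synced_at).total_seconds() // 3600)
    return stale


def derive_impact(now, last_sync, heartbeats, gated_envs):
    """Turn raw freshness and heartbeat data into impact-panel entries."""
    impacts = []
    for feed, age in sorted(stale_feeds(now, last_sync).items()):
        detail = "never synced" if age is None else f"stale {age}h"
        for env in sorted(gated_envs):
            impacts.append(Impact("promotion_blocked", env, f"{feed} {detail}"))
    for agent, (env, seen) in sorted(heartbeats.items()):
        if now - seen > MAX_AGENT_SILENCE:
            impacts.append(Impact("coverage_gap", env,
                                  f"runtime reachability missing: {agent} offline"))
    return impacts


# Constructed sample data modelled on the mocks (agent-us-e1-01 is invented).
NOW = datetime(2026, 2, 18, 4, 0, tzinfo=timezone.utc)
FEEDS = {
    "NVD": datetime(2026, 2, 17, 2, 0, tzinfo=timezone.utc),  # last good sync
    "OSV": datetime(2026, 2, 18, 2, 5, tzinfo=timezone.utc),
}
AGENTS = {
    "agent-eu-w1-01": ("prod/eu-west-1", NOW - timedelta(hours=6)),
    "agent-us-e1-01": ("prod/us-east-1", NOW - timedelta(seconds=10)),
}
GATED_ENVS = {"prod"}  # environments whose policy requires fresh advisories

if __name__ == "__main__":
    for item in derive_impact(NOW, FEEDS, AGENTS, GATED_ENVS):
        print(f"{item.kind:18} {item.scope:15} {item.reason}")
```

A feed with no recorded sync is treated as stale, so a missing timestamp blocks the gate instead of silently passing it.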
### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Scheduler Run Detail"] --> L["Logs"]
  D --> E["Errors + retries"]
  D --> O["Outputs (packets/snapshots)"]
  D --> I["Impact (coverage/gates)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Scheduler Run: nvd-sync#run-881 (FAILED ❌)                                 [Retry] [Open Mirror] |
| formerly: Operations → Scheduler (inline)                                                        |
|--------------------------------------------------------------------------------------------------|
| Error: timeout contacting upstream NVD                                                           |
| Outputs: none                                                                                    |
| Impact:                                                                                          |
| - Advisory freshness: NVD stale 26h                                                              |
| - Promotion gate: “fresh advisories” will BLOCK prod promotions                                  |
| Links: [Nightly Ops Report] [Feed Mirror Detail]                                                 |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.6 Screen — Orchestrator Jobs

**New location:** `Operations → Orchestrator`

**Previously:** `Operations → Orchestrator` (“Orchestrator Dashboard”)

**Why changed:**

* Keep access controls, but the main view must be **job status + history** with drilldowns (promotions, rescans, evidence sealing, backfills).
### Screen graph (Mermaid)

```mermaid
flowchart TD
  O["Orchestrator Jobs"] --> J["Job list"]
  O --> A["Access rights panel"]
  J --> D["Job Detail"]
  D --> L["Logs"]
  D --> DLQ["Send to Dead Letter / recover"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Orchestrator Jobs                                                [Jobs] [Backfills] |
| formerly: Operations → Orchestrator (Orchestrator Dashboard)                                     |
|--------------------------------------------------------------------------------------------------|
| Access (current user)                                                                            |
| View jobs: ✅ Granted | Operate: ❌ Denied | Manage quotas: ❌ Denied | Backfill: ❌ Denied          |
|--------------------------------------------------------------------------------------------------|
| Recent jobs                                                                                      |
| JOB ID    TYPE          TARGET/ENV        STATUS      START   ACTIONS                            |
| job-551   promotion     prod/us-east-1    RUNNING     08:10   View                               |
| job-552   nightly-sbom  all               COMPLETED   02:00   View                               |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.7 Screen — Orchestrator Job Detail

**New location:** `Orchestrator → (Job)`

**Previously:** not clear

**Why changed:**

* Single place for logs, produced artifacts (packets/capsules), and failure recovery actions.

### Screen graph (Mermaid)

```mermaid
flowchart LR
  D["Job Detail"] --> S["Steps (workflow graph)"]
  D --> L["Logs"]
  D --> A["Artifacts produced"]
  D --> R["Recovery / retry"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Job: job-551 (promotion)                                                          [View Capsule] |
| formerly: Operations → Orchestrator (job row)                                                    |
|--------------------------------------------------------------------------------------------------|
| Workflow steps: Resolve digests → Evaluate policy → Collect approvals → Deploy → Seal capsule    |
| Status: RUNNING (Deploy step)                                                                    |
| Artifacts: pkt-... capsule-... (pending)                                                         |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.8 Screen — Dead Letter Queue

**New location:** `Operations → Dead Letter Queue`

**Previously:** `Operations → Dead Letter` (“Dead-Letter Queue Management”)

**Why changed:**

* DLQ is for failed jobs and should integrate with retry/replay and exports (so you can attach failure evidence).

### Screen graph (Mermaid)

```mermaid
flowchart TD
  D["Dead Letter Queue"] --> E["Entry Detail"]
  E --> R["Replay / retry job"]
  E --> L["Logs"]
  E --> X["Export failure bundle (optional)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Dead Letter Queue                                         [Export CSV] [Replay All] |
| formerly: Operations → Dead Letter (Dead-Letter Queue Management)                                |
|--------------------------------------------------------------------------------------------------|
| Filters: Error type [All]  Status [All]  Search [job id / entry id]                              |
|--------------------------------------------------------------------------------------------------|
| ENTRY ID  JOB ID   ERROR                 FIRST SEEN     STATUS     ACTIONS                       |
| dlq-001   job-77   feed timeout (NVD)    Feb 18 02:05   retriable  View  Replay                  |
| dlq-002   job-88   agent offline         Feb 18 02:06   blocked    View  Diagnose                |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.9 Screen — Quotas & Throttles (runtime ops)

**New location:** `Operations → Quotas & Throttles`

**Previously:** `Operations → Quotas` (“Operator Quota Dashboard”)

**Why changed:**

* Separate **runtime throttling + recent throttle events** (Ops) from **tenant quota configuration** (Administration → Usage & Limits).
### Screen graph (Mermaid)

```mermaid
flowchart LR
  Q["Quotas & Throttles"] --> C["Consumption trend (scans/evidence/api)"]
  Q --> T["Throttle events"]
  Q --> A["Admin: Usage & Limits (configure)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Quotas & Throttles                                               [Configure Alerts] |
| formerly: Operations → Quotas (Operator Quota Dashboard)                                         |
|--------------------------------------------------------------------------------------------------|
| Consumption (30d): Scans ████░  Evidence packets ███░  API █████░  Storage ███░                  |
|--------------------------------------------------------------------------------------------------|
| Recent throttle events (24h): none                                                               |
| Note: configure limits in Administration → Usage & Limits.                                       |
+--------------------------------------------------------------------------------------------------+
```

---

## 3.10 Screen — Worker Fleet

**New location:** `Operations → Scheduler Runs → Worker Fleet`

**Previously:** “Worker Fleet” button existed but not surfaced as a core operational screen

**Why changed:**

* Reachability runtime ingestion and SBOM jobs depend on workers/agents; fleet health should be one click from Scheduler and from Hybrid Reachability gaps.
### Screen graph (Mermaid)

```mermaid
flowchart TD
  W["Worker Fleet"] --> N["Nodes/workers list"]
  W --> H["Heartbeat + load"]
  W --> C["Capabilities (sbom, reachability, export)"]
```

### ASCII mock

```text
+--------------------------------------------------------------------------------------------------+
| Operations / Worker Fleet                                                      [Drain] [Restart] |
| formerly: Scheduler → Worker Fleet (button)                                                      |
|--------------------------------------------------------------------------------------------------|
| WORKER            ROLE(S)                 HEARTBEAT  LOAD  STATUS                                |
| worker-us-e1-01   sbom, policy, export    10s        0.4   ✅                                     |
| agent-eu-w1-01    runtime reachability    6h         —     ❌ offline                             |
|--------------------------------------------------------------------------------------------------|
| Note: offline runtime agents directly reduce hybrid reachability coverage.                       |
+--------------------------------------------------------------------------------------------------+
```

---

## Your “continue” pointer

If you want **Pack 4**, I’ll cover the remaining *Release Control* runtime screens (Releases, Approvals, Deployments, Regions/Env detail) with the same: **menu mermaid + per-screen mermaid + ASCII + formerly/why**—but I didn’t repeat them here to avoid duplicating what we already established in Packs 1–2.

[1]: https://stella-ops.org/?utm_source=chatgpt.com "Stella Ops Suite - Evidence-Grade Release Control for Non ..."
[2]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/490339561842d30f212e390efb9e8409cd395fe3/docs-archived/ui-analysis/rework/01-ui-rework-adivsory.md?utm_source=chatgpt.com "git.stella-ops.org/01-ui-rework-adivsory.md at ... - Stella Ops Suite"
[3]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/3130cdb702f34e550725717c6f13a4919bac0bb3/docs/marketing/evidence-linked-vex.md?utm_source=chatgpt.com "git.stella-ops.org/evidence-linked-vex.md at ... - Stella Ops Suite"
[4]: https://stella-ops.org/docs/key-features/?utm_source=chatgpt.com "Stella Ops – Signed Reachability · Deterministic Replay · Sovereign ..."
[5]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/342c35f8ce1544cf816d8a4b41ebaff6187e7016/docs/replay/DEVS_GUIDE_REPLAY.md?utm_source=chatgpt.com "Stella Ops — Developer Guide: Deterministic Replay"