# Roadmap

This repository is the source of truth for Stella Ops Suite direction. The roadmap is expressed as stable, evidence-based capability milestones (not calendar promises) so it stays correct during long audits and offline operation.

## Strategic Direction

**Stella Ops Suite** is evolving from a vulnerability scanning platform into a **centralized, auditable release control plane** for non-Kubernetes container estates. The existing scanning capabilities become security gates within release orchestration.

- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity
- **Non-Kubernetes specialization** — Docker hosts, Compose, ECS, Nomad as first-class targets

## How to Read This

- **Operational** = capabilities that are implemented and working
- **Now / Next / Later** = priority bands for new development (not calendar dates)
- A capability is "done" when the required evidence exists and is reproducible (see `docs/product/roadmap/maturity-model.md`)

---

## Operational (Existing Capabilities)

These capabilities are implemented and serve as the foundation for security gates:

- **Deterministic scan pipeline** — Image → SBOMs (SPDX 3.0.1 + CycloneDX 1.7) with stable identifiers and replayable outputs
- **Advisory ingestion** — Offline-friendly mirrors, normalization, deterministic merges (Concelier)
- **VEX-first triage** — OpenVEX ingestion/consensus with explainable, stable verdicts (VEX Lens)
- **Policy gates** — Deterministic policy evaluation (OPA/Rego) with audit-friendly decision traces
- **Offline Kit workflows** — Bundle → import → verify with signed artifacts and deterministic indexes
- **Signing and provenance** — DSSE/in-toto attestations; configurable crypto profiles (FIPS/eIDAS/GOST/SM)
- **Determinism guarantees** — Replay tests in CI; frozen feeds; stable ordering

---

## Now (Release Orchestration Foundation)

Priority: Building the core release orchestration infrastructure.

### Phase 1: Foundation

- **Environment management** — Environment CRUD, freeze windows, approval policies
- **Integration hub** — Connection profiles, basic connectors (GitHub, Harbor)
- **Release bundles** — Component registry, release creation, tag → digest resolution
- **Database schemas** — Core release, environment, target tables

### Phase 2: Workflow Engine

- **DAG execution** — Directed acyclic graph workflow processing
- **Step registry** — Built-in steps (script, approval, deploy, gate)
- **Workflow templates** — Reusable workflow definitions
- **Script execution** — C# compiled scripts + sandboxed bash

---

## Next (Promotion & Deployment)

Priority: Enabling end-to-end release flow.

### Phase 3: Promotion & Decision

- **Approval gateway** — Approval collection, separation of duties
- **Security gates** — Integration with scan verdicts for gate evaluation
- **Decision engine** — Gate aggregation, decision record generation
- **Evidence packets** — Sealed, signed evidence bundles

### Phase 4: Deployment Execution

- **Agent framework** — Core agent infrastructure, heartbeat, capability advertisement
- **Docker/Compose agents** — Agent-based deployment to Docker and Compose targets
- **Artifact generation** — `compose.stella.lock.yml`, deployment scripts
- **Rollback support** — Previous version restoration
- **Version stickers** — On-target deployment records for drift detection

### Phase 5: UI & Polish

- **Release dashboard** — Release list, status, promotion history
- **Promotion UI** — Request, approve, track promotions
- **Environment management UI** — Environment configuration, freeze windows

---

## Later (Advanced Capabilities)

Priority: Expanding target support and delivery strategies.

### Phase 6: Progressive Delivery

- **A/B releases** — Traffic splitting between versions
- **Canary deployments** — Gradual rollout with health checks
- **Traffic routing plugins** — Nginx, HAProxy, Traefik, AWS ALB integration

### Phase 7: Extended Targets

- **ECS agent** — AWS ECS service deployment
- **Nomad agent** — HashiCorp Nomad job deployment
- **SSH/WinRM agentless** — Remote execution without an installed agent

### Phase 8: Plugin Ecosystem

- **Full plugin system** — Three-surface plugin model (manifest, connector, step provider)
- **Plugin SDK** — Development kit for custom integrations
- **Additional connectors** — Expanded SCM, CI, registry, vault support

---

## Detailed Breakdown

- `docs/product/roadmap/README.md` — Detailed roadmap documentation
- `docs/product/roadmap/maturity-model.md` — Capability maturity definitions
- `docs/modules/release-orchestrator/architecture.md` — Release orchestrator architecture

## Related Documents

- [Product Vision](product/VISION.md)
- [Architecture Overview](ARCHITECTURE_OVERVIEW.md)
- [Feature Matrix](FEATURE_MATRIX.md)
- [Key Features](key-features.md)
- [Offline Kit](OFFLINE_KIT.md)
- [Release Orchestrator Specification](product/advisories/09-Jan-2026%20-%20Stella%20Ops%20Orchestrator%20Architecture.md)