# Release Orchestrator

> Central release control plane for non-Kubernetes container estates.

**Status:** Planned (not yet implemented)

**Source:** [Full Architecture Specification](../../product/advisories/09-Jan-2026%20-%20Stella%20Ops%20Orchestrator%20Architecture.md)

## Purpose

The Release Orchestrator extends Stella Ops from a vulnerability scanning platform into **Stella Ops Suite** — a unified release control plane for non-Kubernetes container environments. It integrates:

- **Existing capabilities**: SBOM generation, reachability-aware vulnerability analysis, VEX support, policy engine, evidence locker, deterministic replay
- **New capabilities**: Environment management, release orchestration, promotion workflows, deployment execution, progressive delivery, audit-grade release governance

## Scope

| In Scope | Out of Scope |
|----------|--------------|
| Non-K8s container deployments (Docker, Compose, ECS, Nomad) | Kubernetes deployments (use ArgoCD, Flux) |
| Release identity via OCI digests | Tag-based release identity |
| Plugin-extensible integrations | Hard-coded vendor integrations |
| SSH/WinRM + agent-based deployment | Cloud-native serverless deployments |
| L4/L7 traffic management via router plugins | Built-in service mesh |

## Documentation Structure

### Design & Principles

- [Design Principles](design/principles.md) — Core principles and invariants
- [Key Decisions](design/decisions.md) — Architectural decision record

### Implementation

- [Implementation Guide](implementation-guide.md) — .NET 10 patterns and best practices
- [Test Structure](test-structure.md) — Test organization and guidelines

### Module Architecture

- [Module Overview](modules/overview.md) — All modules and themes
- [Integration Hub (INTHUB)](modules/integration-hub.md) — External integrations
- [Environment Manager (ENVMGR)](modules/environment-manager.md) — Environments and targets
- [Release Manager (RELMAN)](modules/release-manager.md) — Release bundles and versions
- [Workflow Engine (WORKFL)](modules/workflow-engine.md) — DAG execution
- [Promotion Manager (PROMOT)](modules/promotion-manager.md) — Approvals and gates
- [Deploy Orchestrator (DEPLOY)](modules/deploy-orchestrator.md) — Deployment execution
- [Agents (AGENTS)](modules/agents.md) — Deployment agents
- [Progressive Delivery (PROGDL)](modules/progressive-delivery.md) — A/B and canary
- [Release Evidence (RELEVI)](modules/evidence.md) — Evidence packets
- [Plugin System (PLUGIN)](modules/plugin-system.md) — Plugin infrastructure

### Data Model

- [Database Schema](data-model/schema.md) — PostgreSQL schema specification
- [Entity Definitions](data-model/entities.md) — Entity descriptions

### API Specification

- [API Overview](api/overview.md) — API design principles
- [Environment APIs](api/environments.md) — Environment endpoints
- [Release APIs](api/releases.md) — Release endpoints
- [Promotion APIs](api/promotions.md) — Promotion endpoints
- [Workflow APIs](api/workflows.md) — Workflow endpoints
- [Agent APIs](api/agents.md) — Agent endpoints
- [WebSocket APIs](api/websockets.md) — Real-time endpoints

### Workflow Engine

- [Template Structure](workflow/templates.md) — Workflow template specification
- [Execution State Machine](workflow/execution.md) — Workflow state machine
- [Promotion State Machine](workflow/promotion.md) — Promotion state machine

### Security

- [Security Overview](security/overview.md) — Security principles
- [Authentication & Authorization](security/auth.md) — AuthN/AuthZ
- [Agent Security](security/agent-security.md) — Agent security model
- [Threat Model](security/threat-model.md) — Threats and mitigations
- [Audit Trail](security/audit-trail.md) — Audit logging

### Integrations

- [Integration Overview](integrations/overview.md) — Integration types
- [Connector Interface](integrations/connectors.md) — Connector specification
- [Webhook Architecture](integrations/webhooks.md) — Webhook handling
- [CI/CD Patterns](integrations/ci-cd.md) — CI/CD integration patterns

### Deployment

- [Deployment Overview](deployment/overview.md) — Architecture overview
- [Deployment Strategies](deployment/strategies.md) — Deployment strategies
- [Agent-Based Deployment](deployment/agent-based.md) — Agent deployment
- [Agentless Deployment](deployment/agentless.md) — SSH/WinRM deployment
- [Artifact Generation](deployment/artifacts.md) — Generated artifacts

### Progressive Delivery

- [Progressive Overview](progressive-delivery/overview.md) — Progressive delivery architecture
- [A/B Releases](progressive-delivery/ab-releases.md) — A/B release models
- [Canary Controller](progressive-delivery/canary.md) — Canary implementation
- [Router Plugins](progressive-delivery/routers.md) — Traffic routing plugins

### UI/UX

- [Dashboard Specification](ui/dashboard.md) — Dashboard screens
- [Workflow Editor](ui/workflow-editor.md) — Workflow editor
- [Screen Reference](ui/screens.md) — Key UI screens

### Operations

- [Metrics](operations/metrics.md) — Metrics specification
- [Logging](operations/logging.md) — Logging patterns
- [Tracing](operations/tracing.md) — Distributed tracing
- [Alerting](operations/alerting.md) — Alert rules

### Implementation

- [Roadmap](roadmap.md) — Implementation phases
- [Resource Requirements](roadmap.md#resource-requirements) — Sizing

### Appendices

- [Glossary](appendices/glossary.md) — Term definitions
- [Configuration Reference](appendices/config.md) — Configuration options
- [Error Codes](appendices/errors.md) — API error codes
- [Evidence Schema](appendices/evidence-schema.md) — Evidence packet format

## Quick Reference

### Key Principles

1. **Digest-first release identity** — Releases are immutable OCI digests, not tags
2. **Evidence for every decision** — Every promotion/deployment produces sealed evidence
3. **Pluggable everything, stable core** — Integrations are plugins; core is stable
4. **No feature gating** — All plans include all features
5. **Offline-first operation** — Core works in air-gapped environments
6. **Immutable generated artifacts** — Every deployment generates stored artifacts

### Platform Themes

| Theme | Purpose |
|-------|---------|
| **INTHUB** | Integration hub — external system connections |
| **ENVMGR** | Environment management — environments, targets, agents |
| **RELMAN** | Release management — components, versions, releases |
| **WORKFL** | Workflow engine — DAG execution, steps |
| **PROMOT** | Promotion — approvals, gates, decisions |
| **DEPLOY** | Deployment — execution, artifacts, rollback |
| **AGENTS** | Agents — Docker, Compose, ECS, Nomad |
| **PROGDL** | Progressive delivery — A/B, canary |
| **RELEVI** | Evidence — packets, stickers, audit |
| **PLUGIN** | Plugins — registry, loader, SDK |