# Modules

## Core services

### Authority

- Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
- Inputs: client credentials, device code, or auth code.
- Outputs: JWT access tokens with tenant, audience, and scope claims.
- Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.

### Signer

- Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
- Inputs: signing requests from trusted services and PoE proof.
- Outputs: DSSE bundles for SBOMs, reports, and exports.
- Storage: audit logs only; keys live in KMS or keyless providers.

### Attestor

- Purpose: log DSSE bundles to Rekor and provide verification APIs.
- Inputs: DSSE bundles from Signer or Scanner.
- Outputs: Rekor entries and proofs, verification results.
- Storage: PostgreSQL for receipts and indexes.

### Scanner (Web + Worker)

- Purpose: deterministic SBOM generation, inventory and usage views, diffs.
- Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
- Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
- Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.

### Concelier

- Purpose: ingest and normalize advisory sources under AOC.
- Inputs: vendor and ecosystem advisory feeds.
- Outputs: raw advisory facts, linksets, deterministic exports.
- Storage: PostgreSQL (vuln schema).

### Excititor

- Purpose: ingest VEX statements under AOC and preserve conflicts.
- Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
- Outputs: normalized VEX observations and consensus views.
- Storage: PostgreSQL (vex schema).

### Policy Engine

- Purpose: deterministic policy evaluation with explain traces and unknowns.
- Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
- Outputs: verdicts, effective findings, decision traces, derived VEX.
- Storage: PostgreSQL (policy schema).

### Scheduler

- Purpose: impact selection and analysis-only re-evaluation.
- Inputs: advisory and VEX deltas, BOM index metadata.
- Outputs: rescan jobs and delta events.
- Storage: PostgreSQL (scheduler schema), Valkey for queues.

### Notify

- Purpose: route events to channels with rules and templates.
- Inputs: scan and scheduler events.
- Outputs: deliveries to Slack, Teams, email, webhooks.
- Storage: PostgreSQL (notify schema), Valkey for queues.

### Export Center

- Purpose: deterministic export bundles and offline mirror layouts.
- Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
- Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
- Storage: RustFS and PostgreSQL.

### CLI

- Purpose: automation and verification for scanning, export, and replay.
- Inputs: user commands and offline bundles.
- Outputs: API calls, local verification reports.

### UI and Console

- Purpose: operator console for scans, policy, VEX, and notifications.
- Inputs: API responses, SSE streams.
- Outputs: operational workflows and audit views.

### Advisory AI

- Purpose: evidence-grounded analysis with guardrails.
- Inputs: SBOM and evidence bundles.
- Outputs: structured findings and guidance artifacts.

### Orchestrator

- Purpose: job DAGs and pack runs for automation.
- Inputs: job definitions and run requests.
- Outputs: run status, job artifacts.
- Storage: PostgreSQL (orchestrator schema).

### Registry Token Service

- Purpose: issue tokens for internal registry and scoped pulls.
- Inputs: client credentials.
- Outputs: short-lived registry tokens.

### Graph Explorer

- Purpose: graph indexing and exploration for evidence and relationships.
- Inputs: graph snapshots and overlays.
- Outputs: graph queries and exports.

### VEX Lens

- Purpose: reproducible consensus views over VEX statements.
- Inputs: normalized VEX observations and trust weights.
- Outputs: consensus status and evidence refs.

### Vulnerability Explorer

- Purpose: triage workflows and evidence ledger views.
- Inputs: effective findings and Decision Capsules.
- Outputs: triage actions and audit records.

### Telemetry Stack

- Purpose: metrics, logs, traces, and dashboards.
- Inputs: service telemetry and audit events.
- Outputs: dashboards and alerts.

### DevOps and Release

- Purpose: release trains, signing, and distribution workflows.
- Inputs: build artifacts and manifests.
- Outputs: signed releases and offline kit bundles.

### Platform

- Purpose: cross-cutting determinism, offline, and identity rules.

### CI Recipes

- Purpose: deterministic CI templates and guardrails.

### Zastava

- Purpose: runtime observer and optional admission enforcement.
- Inputs: runtime facts and policy verdicts.
- Outputs: runtime events and admission decisions.

## Supporting and adjacent modules

- Issuer Directory: trust registry for VEX issuers and keys.
- VexHub: aggregation and distribution of VEX statements for downstream consumers.
- SBOM Service: deterministic SBOM projections and lineage ledger.
- Signals: reachability scoring, unknowns registry, and signal APIs.
- TaskRunner: deterministic task pack execution with approvals and evidence capture.
- BinaryIndex: binary identity mapping for patch-aware and backport-aware matching.
- Benchmark: benchmark harness and ground-truth corpus management.
- Gateway and Router (optional): edge routing and transport abstraction for deployments that require a shared ingress.