# Product overview

## Problem and promise

StellaOps is a deterministic, evidence-linked container security platform that behaves the same online or fully air-gapped. It focuses on reproducible decisions, explainable evidence, and offline-first operation rather than opaque SaaS judgments.

## Core capabilities

1) Decision Capsules
   - Every decision is packaged as a content-addressed bundle carrying the exact SBOM, feed snapshots, reachability evidence, policy version, derived VEX, and signatures.
2) Deterministic replay
   - Scans are reproducible from pinned inputs and snapshots: the same inputs yield the same outputs.
3) Evidence-linked policy (lattice VEX)
   - Policy decisions merge SBOM, advisories, VEX, and waivers through deterministic logic, with explicit handling of Unknown states and explainable traces.
4) Hybrid reachability
   - Static call graphs and runtime traces are combined; the resulting reachability evidence is attestable and replayable.
5) Sovereign and offline operation
   - Offline kits, mirrored feeds, and bring-your-own trust roots enable regulated or air-gapped use.
## Capability clusters (what ships)

- SBOM-first scanning with delta reuse and inventory vs usage views
- Explainable policy and VEX-first decisioning with unknowns surfaced
- Attestation and transparency via DSSE and optional Rekor
- Offline operations with signed kits and local verification
- Governance and observability with audit trails and quotas

## Standards and interoperability

- SBOM: CycloneDX 1.7 (CycloneDX 1.6 accepted for ingest), SPDX 3.0.1 for relationships
- VEX: OpenVEX and CSAF VEX, CycloneDX VEX where applicable
- Attestations: in-toto statements in DSSE envelopes
- Transparency: Rekor (optional, mirror supported)
- Findings interchange: SARIF optional for tooling compatibility

## Target users

- Security engineering: explainable, replayable decisions with verifiable evidence
- Platform and SRE: deterministic scanning that works offline
- Compliance and audit: signed evidence bundles and traceable policy decisions

## Non-goals

- Not a new package manager
- Not a hosted-only scanner or closed pipeline
- No hidden trust in external services for core verification

## Requirements snapshot

- Deterministic outputs, stable ordering, and UTC timestamps
- Offline-first operation with mirrored feeds and local verification
- Policy decisions always explainable and evidence-linked
- Short-lived credentials and least-privilege design
- Baseline deployment uses Linux, Docker or Kubernetes, and local storage
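The following is an added example, not StellaOps code, showing how the pieces named above fit together: a content-addressed Decision Capsule whose inputs are pinned by digest, canonical serialization (sorted keys, fixed separators, UTC timestamps) so that replaying the same evidence yields the same digest, and the capsule wrapped as the predicate of an in-toto Statement inside a DSSE envelope signed over the DSSE Pre-Authentication Encoding. The function names, the `https://example.invalid/...` predicate type, and all sample inputs are assumptions constructed for the demo; the in-toto Statement type, DSSE payload type and PAE format follow the public specifications. HMAC-SHA256 stands in for the asymmetric signature (for example ECDSA or Ed25519) a real attestation would carry, so the example runs offline without a key store.

```python
# Added example (not StellaOps code): deterministic, content-addressed capsule
# wrapped in an in-toto Statement inside a DSSE envelope.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"        # in-toto attestation framework v1
PAYLOAD_TYPE = "application/vnd.in-toto+json"              # DSSE payloadType used for in-toto statements
PREDICATE_TYPE = "https://example.invalid/decision-capsule/v1"  # hypothetical predicate type for this example


def canonical_json(obj) -> bytes:
    """Serialise with sorted keys and fixed separators so equal content gives equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_capsule(sbom: bytes, feed_snapshots: dict, policy_version: str,
                  decision: dict, decided_at: datetime) -> dict:
    """Pin every input by digest and require a UTC timestamp, so the capsule is replayable."""
    if decided_at.utcoffset() != timedelta(0):
        raise ValueError("capsule timestamps must be UTC")
    return {
        "decidedAt": decided_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "inputs": {
            "sbom": {"sha256": sha256_hex(sbom)},
            "feeds": {name: {"sha256": sha256_hex(blob)} for name, blob in feed_snapshots.items()},
            "policyVersion": policy_version,
        },
        "decision": decision,
    }


def capsule_digest(capsule: dict) -> str:
    """Content address of the capsule: the digest of its canonical bytes."""
    return sha256_hex(canonical_json(capsule))


def to_statement(capsule: dict, image_ref: str, image_digest: str) -> dict:
    """Wrap the capsule as the predicate of an in-toto Statement about the scanned image."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": image_ref, "digest": {"sha256": image_digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": capsule,
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def dsse_sign(payload: bytes, payload_type: str, key: bytes, keyid: str) -> dict:
    """Build a DSSE envelope. HMAC-SHA256 stands in for the asymmetric signature a real deployment uses."""
    sig = hmac.new(key, dsse_pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def dsse_verify(envelope: dict, key: bytes) -> bool:
    """Recompute the PAE from the envelope (payloadType included) and check the signature against it."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, dsse_pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"])


def demo() -> dict:
    """Constructed inputs: the same evidence supplied in two insertion orders must yield one digest."""
    sbom = b'{"bomFormat":"CycloneDX","specVersion":"1.7","components":[]}'  # constructed SBOM stand-in
    feeds_a = {"nvd": b"snapshot-2025-01-01", "osv": b"snapshot-2025-01-01"}  # constructed feed snapshots
    feeds_b = {"osv": b"snapshot-2025-01-01", "nvd": b"snapshot-2025-01-01"}  # same content, other order
    when = datetime(2025, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    dec_a = {"verdict": "not_affected", "unknowns": 0}
    dec_b = {"unknowns": 0, "verdict": "not_affected"}
    c1 = build_capsule(sbom, feeds_a, "policy-v3", dec_a, when)
    c2 = build_capsule(sbom, feeds_b, "policy-v3", dec_b, when)
    key = b"demo-hmac-key-not-for-production"  # stand-in for a real signing key
    stmt = canonical_json(to_statement(c1, "registry.example/app", "a" * 64))
    env = dsse_sign(stmt, PAYLOAD_TYPE, key, "demo-key")
    return {"replay_equal": capsule_digest(c1) == capsule_digest(c2),
            "verified": dsse_verify(env, key), "digest": capsule_digest(c1)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth noting in the design: the capsule stores digests of the SBOM and feed snapshots rather than the blobs themselves, so the content address commits to the exact inputs while the bundle stays small and the blobs can be fetched from a mirror for replay; and the DSSE signature covers the `payloadType` through the PAE, so swapping the type of a signed payload is detected at verification time, not just changes to the payload bytes.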