StellaOps Export Center
Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) with provenance metadata and optional signing for offline or mirrored deployments.
Latest updates (2025-11-30)
- Sprint tracker
docs/implplan/SPRINT_0320_0001_0001_docs_modules_export_center.mdand moduleTASKS.mdadded to mirror status. - Observability runbook stub + dashboard placeholder added under
operations/(offline import). - Bundle/profile/offline manifest guidance reaffirmed (
devportal-offline*.md,mirror-bundles.md,provenance-and-signing.md).
Responsibilities
- Coordinate export jobs based on profiles and scope selectors.
- Assemble manifests, provenance documents, and cosign signatures.
- Stream bundles via HTTP/OCI and stage them for Offline Kit uses.
- Expose CLI/API surfaces for automation.
Key components
StellaOps.ExportCenter.WebServiceplanner.StellaOps.ExportCenter.Workerbundle builder.- Adapters in
StellaOps.ExportCenter.*for JSON/Trivy/mirror variants.
Profiles at a glance
- json:raw / json:policy — Evidence bundles with raw ingestion facts or policy overlays.
- trivy:db / trivy:java-db — Trivy-compatible vulnerability feeds with deterministic manifests.
- mirror:full / mirror:delta — OCI-style mirrors with provenance, TUF metadata, and optional encryption.
- devportal:offline — Developer portal static assets, specs, SDKs, and changelogs packaged with
manifest.json,checksums.txt, helper scripts, and a DSSE-signed manifest (manifest.dsse.json) for offline verification.
Integrations & dependencies
- Concelier/Excititor/Policy data stores for evidence.
- Signer/Attestor for provenance signing.
- CLI for operator-managed exports.
Operational notes
- Runbooks in ./operations/ for deployment and monitoring.
- Observability assets:
operations/observability.mdandoperations/dashboards/export-center-observability.json(offline import). - Mirror bundle instructions and validation notes.
- Telemetry dashboards for export latency and retry rates.
Related resources
- ./operations/runbook.md
- ./devportal-offline.md (bundle structure, verification workflow, DSSE signature details)
- ./provenance-and-signing.md (manifest/provenance schema, signing pipeline, verification)
Backlog references
- DOCS-EXPORT-35-001 … DOCS-EXPORT-37-002 in ../../TASKS.md.
- EXPORT-ATTEST-75-002 cross-team deliverable.
Epic alignment
- Epic 10 – Export Center: deliver canonical JSON, Trivy DB, and mirror bundle workflows with provenance, signatures, and offline parity.
Implementation Status
Delivery Phases
- Phase 1 – JSON & mirror foundations: Stand up service + worker, deliver canonical JSON and mirror profiles, seed schema migrations, publish manifest/provenance formats
- Phase 2 – Trivy adapters & distribution: Implement Trivy DB/Java DB adapters, wire OCI/object storage distribution, expose policy snapshot embedding + verification
- Phase 3 – Delta, encryption, scheduling: Release mirror deltas, bundle encryption, advanced scheduling/automation, resumable downloads, CLI/Console verification workflows
Acceptance Criteria
- Operators can create, monitor, and download exports; verification succeeds against manifest + provenance
- Trivy bundles import cleanly; mirror bundles run in Offline Kit reference environment (full + delta)
- Policy snapshot runs reproduce deterministic decisions with embedded policyVersion + inputsHash
- Tenant scoping and RBAC block unauthorized actions; encryption-enabled bundles lock data to recipient keys
- Metrics and dashboards reflect live runs; alerts trigger on sustained failure rates
- Retried runs remain idempotent with matching manifests, hashes, and distribution artefacts
Key Risks & Mitigations
- Schema drift: Versioned adapters with compatibility gates, CI integration tests, fail-fast with actionable errors
- Bundle bloat: zstd compression, sharding, delta exports, OCI dedupe
- Data leakage: Strict schema allowlists, tenancy filters, redaction enforcement, encryption options
- Non-determinism: Embed policy snapshots, enforce deterministic ordering, include content hashes in manifest
Recent Updates
- Sprint tracker and module TASKS.md added to mirror status
- Observability runbook stub + dashboard placeholder added under operations/
- Bundle/profile/offline manifest guidance reaffirmed