git.stella-ops.org/docs/README.md

# Stella Ops

> **Self‑hosted, SBOM‑first DevSecOps platform – offline‑friendly, AGPL‑3.0, free up to {{ quota_token }} scans per UTC day (soft delay only, never blocks).**

Stella Ops lets you discover container vulnerabilities in **< 5 s** without sending a single byte outside your network.  
Everything here is open‑source and versioned — when you check out a git tag, the docs match the code you are running.

---

## 🚀 Start here (first 60 minutes)

| Step | What you will learn | Doc |
|------|--------------------|-----|
| 1 ️⃣ | 90‑second elevator pitch & pillars | **[What Is Stella Ops?](01_WHAT_IS_IT.md)** |
| 2 ️⃣ | Pain points it solves | **[Why Does It Exist?](02_WHY.md)** |
| 3 ️⃣ | Install & run a scan in 10 min | **[Install Guide](21_INSTALL_GUIDE.md)** |
| 4 ️⃣ | Components & data‑flow | **[High‑Level Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)** |
| 5 ️⃣ | Integrate the CLI / REST API | **[API & CLI Reference](09_API_CLI_REFERENCE.md)** |
| 6 ️⃣ | Vocabulary used throughout the docs | **[Glossary](14_GLOSSARY_OF_TERMS.md)** |

---

## 📚 Complete Table of Contents

<details>
<summary>Click to expand the full docs index</summary>

### Overview
- **01 – [What Is Stella Ops?](01_WHAT_IS_IT.md)**
- **02 – [Why Does It Exist?](02_WHY.md)**
- **03 – [Vision & Road‑map](03_VISION.md)**
- **04 – [Feature Matrix](04_FEATURE_MATRIX.md)**

### Reference & concepts
- **05 – [System Requirements Specification](05_SYSTEM_REQUIREMENTS_SPEC.md)**
- **07 – [High‑Level Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)**
- **08 – [Architecture Decision Records](adr/index.md)**
- **08 – Module Architecture Dossiers**  
  - [Architecture Overview](modules/platform/architecture-overview.md)  
  - [Scanner](modules/scanner/architecture.md)  
  - [Concelier](modules/concelier/architecture.md)  
  - [Excititor](modules/excititor/architecture.md)  
  - [Excititor Mirrors](modules/excititor/mirrors.md)  
  - [Signer](modules/signer/architecture.md)  
  - [Attestor](modules/attestor/architecture.md)  
  - [Authority](modules/authority/architecture.md)
  - [Policy Engine](modules/policy/architecture.md)
  - [Notify](modules/notify/architecture.md)
  - [Scheduler](modules/scheduler/architecture.md)  
  - [CLI](modules/cli/architecture.md)  
  - [Web UI](modules/ui/architecture.md)  
  - [Zastava Runtime](modules/zastava/architecture.md)  
  - [Release & Operations](modules/devops/architecture.md)
- **09 – [API & CLI Reference](09_API_CLI_REFERENCE.md)**
- **10 – [Plug‑in SDK Guide](10_PLUGIN_SDK_GUIDE.md)**
- **10 – [Concelier CLI Quickstart](10_CONCELIER_CLI_QUICKSTART.md)**
- **10 – [BuildX Generator Quickstart](dev/BUILDX_PLUGIN_QUICKSTART.md)**
- **10 – [Scanner Cache Configuration](dev/SCANNER_CACHE_CONFIGURATION.md)**
- **30 – [Excititor Connector Packaging Guide](dev/30_EXCITITOR_CONNECTOR_GUIDE.md)**
- **31 – [Aggregation-Only Contract Reference](ingestion/aggregation-only-contract.md)**
- **31 – [Advisory Observations & Linksets](advisories/aggregation.md)**
- **31 – [VEX Observations & Linksets](vex/aggregation.md)**
- **32 – [Entry-Point Detection Playbook](modules/scanner/operations/entrypoint.md)**
- **30 – Developer Templates**  
  - [Excititor Connector Skeleton](dev/templates/excititor-connector/)
- **11 – [Authority Service](11_AUTHORITY.md)**
- **11 – [Data Schemas](11_DATA_SCHEMAS.md)**
- **12 – [Performance Workbook](12_PERFORMANCE_WORKBOOK.md)**
- **13 – [Release‑Engineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md)**
- **20 – [CLI AOC Commands Reference](modules/cli/guides/cli-reference.md)**
- **20 – [Console CLI Parity Matrix](cli-vs-ui-parity.md)**
- **60 – [Policy Engine Overview](policy/overview.md)**
- **61 – [Policy DSL Grammar](policy/dsl.md)**
- **62 – [Policy Lifecycle & Approvals](policy/lifecycle.md)**
- **63 – [Policy Runs & Orchestration](policy/runs.md)**
- **64 – [Policy Exception Effects](policy/exception-effects.md)**
- **65 – [Policy Engine REST API](api/policy.md)**
- **66 – [Policy CLI Guide](modules/cli/guides/policy.md)**
- **67 – [Policy Editor Workspace](ui/policy-editor.md)**
- **68 – [Policy Observability](observability/policy.md)**
- **69 – [Console Observability](observability/ui-telemetry.md)**
- **70 – [Policy Governance & Least Privilege](security/policy-governance.md)**
- **70a – [Policy Gateway](policy/gateway.md)**
- **71 – [Policy Examples](examples/policies/README.md)**
- **72 – [Policy FAQ](faq/policy-faq.md)**
- **73 – [Policy Run DTOs](../src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md)**
- **30 – [Fixture Maintenance](dev/fixtures.md)**
- **74 – [Export Center Overview](modules/export-center/overview.md)**
- **75 – [Export Center Architecture](modules/export-center/architecture.md)**
- **76 – [Export Center Profiles](modules/export-center/profiles.md)**
- **77 – [Export Center API Reference](modules/export-center/api.md)**
- **78 – [Export Center CLI Guide](modules/export-center/cli.md)**
- **79 – [Export Center Trivy Adapters](modules/export-center/trivy-adapter.md)**
- **80 – [Export Center Mirror Bundles](modules/export-center/mirror-bundles.md)**
- **81 – [Export Center Provenance & Signing](modules/export-center/provenance-and-signing.md)**

### User & operator guides
- **14 – [Glossary](14_GLOSSARY_OF_TERMS.md)**
- **15 – [UI Guide](15_UI_GUIDE.md)**
- **16 – [Console AOC Dashboard](ui/console.md)**
- **16 – [Console Accessibility Guide](accessibility.md)**
- **17 – [Security Hardening Guide](17_SECURITY_HARDENING_GUIDE.md)**
- **17 – [Console Security Posture](security/console-security.md)**
- **18 – [Coding Standards](18_CODING_STANDARDS.md)**
- **19 – [Test‑Suite Overview](19_TEST_SUITE_OVERVIEW.md)**
- **21 – [Install Guide](21_INSTALL_GUIDE.md)**
- **21 – [Docker Install Recipes](install/docker.md)**
- **22 – [CI/CD Recipes Library](ci/20_CI_RECIPES.md)**
- **23 – [FAQ](23_FAQ_MATRIX.md)**
- **24 – [Offline Update Kit Admin Guide](24_OFFLINE_KIT.md)**
- **25 – [Mirror Operations Runbook](ops/concelier-mirror-operations.md)**
- **26 – [Concelier Apple Connector Operations](ops/concelier-apple-operations.md)**
- **27 – [Authority Key Rotation Playbook](ops/authority-key-rotation.md)**
- **28 – [Concelier CCCS Connector Operations](ops/concelier-cccs-operations.md)**
- **29 – [Concelier CISA ICS Connector Operations](ops/concelier-icscisa-operations.md)**
- **30 – [Concelier CERT-Bund Connector Operations](ops/concelier-certbund-operations.md)**
- **31 – [Concelier MSRC Connector – AAD Onboarding](ops/concelier-msrc-operations.md)**
  - **32 – [Scanner Analyzer Bench Operations](ops/scanner-analyzers-operations.md)**
  - **33 – [Scanner Artifact Store Migration](ops/scanner-rustfs-migration.md)**
  - **34 – [Zastava Runtime Operations Runbook](ops/zastava-runtime-operations.md)**
  - **35 – [Launch Readiness Checklist](ops/launch-readiness.md)**
- **36 – [Launch Cutover Runbook](ops/launch-cutover.md)**
- **37 – [Registry Token Service](ops/registry-token-service.md)**
- **37 – [Deployment Upgrade & Rollback Runbook](ops/deployment-upgrade-runbook.md)**
- **38 – [Policy Schema Export Automation](devops/policy-schema-export.md)**
- **40 – [Observability Guide (AOC)](observability/observability.md)**
- **41 – [Telemetry Collector Deployment](ops/telemetry-collector.md)**
- **42 – [Telemetry Storage Deployment](ops/telemetry-storage.md)**
- **43 – [Authority Scopes & Tenancy](security/authority-scopes.md)**
- **44 – [Container Deployment (AOC)](deploy/containers.md)**
- **45 – [Export Center Operations Runbook](operations/export-runbook.md)**

### Notifications Studio
- **81 – [Notifications Overview](notifications/overview.md)**
- **82 – [Notifications Architecture](notifications/architecture.md)**
- **83 – [Notifications Rules](notifications/rules.md)**
- **84 – [Notifications Templates](notifications/templates.md)**
- **85 – [Notifications Digests](notifications/digests.md)**

### Legal & licence
- **32 – [Legal & Quota FAQ](29_LEGAL_FAQ_QUOTA.md)**

</details>

---

## 🧹 Backlog hygiene

> Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

- **Aggregation-Only Contract (AOC).** Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review [`implplan/AGENTS.md`](implplan/AGENTS.md) and the AOC guardrails in [`aoc/aoc-guardrails.md`](aoc/aoc-guardrails.md).
- **Cartographer owns graphs.** SBOM Service emits projections/events; Cartographer (`CARTO-GRAPH-21-00x`) builds graph storage, overlays, and tiles. See `modules/concelier/architecture.md` (Cartographer handshake section) for handoff boundaries.
- **Notifier replaces legacy Notify.** Sprint‑15 `StellaOps.Notify.*` tasks are frozen; use the Notifications Studio/Notifier backlogs (`NOTIFY-SVC-38..40`, `WEB-NOTIFY-3x-00x`, `CLI-NOTIFY-3x-00x`).
- **Dedicated services for Vuln & Policy.** Vuln Explorer work flows through `src/VulnExplorer/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays.
- **Cleanup log.** The backlog consolidation summary lives in [`backlog/2025-10-cleanup.md`](backlog/2025-10-cleanup.md).

© 2025 Stella Ops contributors – licensed AGPL‑3.0‑or‑later