git.stella-ops.org/docs/technical/architecture/module-matrix.md


# Complete Module Matrix

This document provides a comprehensive inventory of all 46+ modules in the StellaOps platform. Module build entry points are the module solutions listed in docs/dev/SOLUTION_BUILD_GUIDE.md.

## Table of Contents

1. Module Count Explanation
2. Complete Module Inventory
3. Module Categories
4. Service Deployment Matrix
5. Module Dependencies

## 1. Module Count Explanation

The solution contains 46 top-level modules in src/. The architecture documentation covers the ~35 core user-facing modules; the remaining modules fall into the following categories:

| Category | Count | Description |
|---|---|---|
| Core Platform | 4 | Authority, Gateway, Router, Platform |
| Data Ingestion | 7 | Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Feedser, Mirror |
| Scanning & Analysis | 5 | Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph |
| Artifacts & Evidence | 7 | Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, Provenance, Provcache |
| Policy & Risk | 4 | Policy, RiskEngine, VulnExplorer, Unknowns |
| Operations | 8 | Scheduler, Orchestrator, TaskRunner, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
| Integration | 5 | CLI, Zastava, Web, API, Registry |
| Infrastructure | 6 | Cryptography, Telemetry, Graph, Signals, AirGap, AOC |
| Testing & Benchmarks | 2 | Benchmark, Bench |
| Utility & Internal | 6+ | Cartographer, Findings, SmRemote, Tools, PluginBinaries, etc. |

## 2. Complete Module Inventory

### Core Platform (3 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Authority | src/Authority/ | Authentication, authorization, OAuth/OIDC, DPoP, tenant management. Includes IssuerDirectory (Sprint 216). | Yes | No | PostgreSQL (authority) |
| Router | src/Router/ | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) and HTTP ingress gateway. src/Gateway/ deleted (Sprint 200). | Yes | No | Valkey |
| Platform | src/Platform/ | Platform Service aggregation APIs, console data composition | Yes | No | Aggregates |

### Data Ingestion (4 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Concelier | src/Concelier/ | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC. Includes Feedser and Excititor (Sprint 203). | Yes | Yes | PostgreSQL (vuln, vex) |
| VexLens | src/VexLens/ | VEX consensus computation across issuers, conflict analysis | Yes | No | PostgreSQL (cache) |
| VexHub | src/VexHub/ | VEX distribution and exchange hub | Yes | No | PostgreSQL |
| Mirror | src/Mirror/ | Vulnerability feed mirror and distribution | Yes | Yes | RustFS |

### Scanning & Analysis (4 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Scanner | src/Scanner/ | Container scanning with SBOM generation (11 language analyzers), call graphs. Includes Cartographer (Sprint 201). | Yes | Yes | PostgreSQL (scanner) + RustFS |
| BinaryIndex | src/BinaryIndex/ | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). | Yes | No | PostgreSQL |
| AdvisoryAI | src/AdvisoryAI/ | AI-assisted advisory analysis and summarization. Includes OpsMemory (Sprint 213). | Yes | No | PostgreSQL |
| ReachGraph | src/ReachGraph/ | Reachability graph service, CVE reachability analysis | Yes | No | PostgreSQL |

### Artifacts & Evidence (5 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Attestor | src/Attestor/ | in-toto/DSSE attestation generation, Rekor v2 integration. Includes Signer and Provenance (Sprint 204). | Yes | No | PostgreSQL + RustFS |
| SbomService | src/SbomService/ | SBOM storage, versioning, and lineage ledger | Yes | No | PostgreSQL + RustFS |
| EvidenceLocker | src/EvidenceLocker/ | Sealed evidence storage and export | Yes | No | RustFS |
| ExportCenter | src/ExportCenter/ | Batch export and report generation (SARIF, SBOM, evidence bundles) | Yes | No | RustFS |
| Provcache | Library | Provenance cache utilities | Library | N/A | N/A |

### Policy & Risk (3 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Policy | src/Policy/ | Policy engine with K4 lattice logic, confidence scoring, VEX emission | Yes | Yes | PostgreSQL (policy) |
| Unknowns | src/Unknowns/ | Unknown component and symbol tracking registry (boundary preserved, Sprint 206) | Yes | No | PostgreSQL |
| Findings | src/Findings/ | Centralized findings aggregation. Includes RiskEngine and VulnExplorer (Sprint 207). | Yes | No | PostgreSQL |

### Operations (5 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| JobEngine | src/JobEngine/ | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | Yes | Yes | PostgreSQL (orchestrator, scheduler) |
| Notify | src/Notify/ | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries. Boundary preserved with Notifier (Sprint 209). | Library | N/A | N/A |
| Notifier | src/Notifier/ | Notifications Studio host (WebService + Worker). Boundary preserved with Notify (Sprint 209). | Yes | Yes | PostgreSQL (notify) |
| Timeline | src/Timeline/ | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | Yes | No | PostgreSQL |
| Replay | src/Replay/ | Deterministic replay engine | Yes | No | PostgreSQL |

### Integration (5 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| CLI | src/Cli/ | Command-line interface (Native AOT, multi-platform) | CLI | N/A | N/A |
| Zastava | src/Zastava/ | Container registry webhook observer, admission control | Yes | No | PostgreSQL |
| Web | src/Web/ | Angular 21 frontend SPA | Static | N/A | N/A |
| API | src/Api/ | OpenAPI contracts and governance | Library | N/A | N/A |
| Registry | src/Registry/ | Container registry integration, token service | Yes | No | PostgreSQL |

### Infrastructure (6 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Cryptography | src/Cryptography/ | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) | Library | N/A | N/A |
| Telemetry | src/Telemetry/ | OpenTelemetry traces, metrics, logging | Library | N/A | N/A |
| Graph | src/Graph/ | Call graph and reachability data structures | Library | N/A | N/A |
| Signals | src/Signals/ | Runtime signal collection and correlation | Library | N/A | N/A |
| AirGap | src/AirGap/ | Air-gapped deployment support, Offline Kit bundling | Yes | Yes | RustFS |
| AOC | src/Aoc/ | Append-Only Contract enforcement (Roslyn analyzers) | Library | N/A | N/A |

### Testing & Benchmarks (2 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Benchmark | Scanner library | Competitive benchmarking (accuracy comparison) | Tool | N/A | N/A |
| Bench | src/Bench/ | Performance benchmarks | Tool | N/A | N/A |

### Utility & Internal (4+ modules)

| Module | Path | Purpose | Notes |
|---|---|---|---|
| Findings | src/Findings/ | Materializes effective findings from Policy outputs. Includes RiskEngine and VulnExplorer (Sprint 207). | Feeds UI/CLI/Notify |
| SmRemote | src/SmRemote/ | Remote SM2/SM3/SM4 cryptographic operations | Integration utility |
| Tools | src/Tools/ | Utility programs (fixture generators, migration scripts). Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). | Dev tooling |
| PluginBinaries | Various | Authority and Concelier plugin binaries | Plugin hosting |

## 3. Module Categories

### By Runtime Type

| Type | Modules |
|---|---|
| WebService + Worker | Scanner, Concelier, Excititor, Policy, Notifier, TaskRunner, AirGap, Mirror |
| WebService Only | Authority, Gateway, Router, Platform, VexLens, VexHub, IssuerDirectory, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| Library | Feedser, Provenance, Provcache, Notify, API, Cryptography, Telemetry, Graph, Signals, AOC |
| CLI/Tool | CLI, Benchmark, Bench, Tools |
| Static | Web (Angular SPA) |

### By Data Store

| Store | Modules |
|---|---|
| PostgreSQL | Authority, Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, Policy, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, TaskRunner, Notifier, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| RustFS (S3) | Scanner, Attestor, SbomService, EvidenceLocker, ExportCenter, AirGap, Mirror |
| Valkey | Gateway, Router, Scanner, Policy, Scheduler, Notifier (for queues/cache) |
| Stateless | Gateway, Platform, CLI, Web |

### By Communication Pattern

| Pattern | Modules |
|---|---|
| HTTP REST | All WebService modules |
| Binary Frame (Router) | Gateway to all backend services |
| Event Streams (Valkey/NATS) | Scanner, Concelier, Excititor, Policy, Scheduler, Notifier |
| Direct Library | All Library modules |

## 4. Service Deployment Matrix

| Service | Container Image | Replicas | Storage | Queue | Observable |
|---|---|---|---|---|---|
| Authority | stellaops/authority | 2+ | PostgreSQL | Valkey (DPoP) | Yes |
| Gateway | stellaops/gateway | 2+ | Stateless | - | Yes |
| Scanner.Web | stellaops/scanner-web | 2+ | PostgreSQL + RustFS | - | Yes |
| Scanner.Worker | stellaops/scanner-worker | N | RustFS | Valkey/NATS | Yes |
| Concelier.Web | stellaops/concelier-web | 2+ | PostgreSQL | - | Yes |
| Concelier.Worker | stellaops/concelier-worker | N | PostgreSQL | Valkey/NATS | Yes |
| Policy.Engine | stellaops/policy-engine | 2+ | PostgreSQL | Valkey | Yes |
| Policy.Worker | stellaops/policy-worker | N | PostgreSQL | Valkey | Yes |
| Scheduler | stellaops/scheduler | 2+ | PostgreSQL | Valkey | Yes |
| Notifier | stellaops/notifier | 2+ | PostgreSQL | Valkey | Yes |
| ExportCenter | stellaops/export-center | 2+ | RustFS | - | Yes |
| Web (UI) | stellaops/web | 2+ | Static | - | Yes |

## 5. Module Dependencies

### Core Dependency Graph

```text
                                    +-------------+
                                    |  Authority  |
                                    +------+------+
                                           |
              +----------------------------+----------------------------+
              |                            |                            |
              v                            v                            v
        +----------+                 +----------+                 +----------+
        |  Gateway |---------------->|  Scanner |---------------->|  Policy  |
        +----+-----+                 +----+-----+                 +----+-----+
             |                            |                            |
             |                            v                            v
             |                      +----------+                 +----------+
             |                      | Concelier|                 |   Signer |
             |                      +----+-----+                 +----+-----+
             |                            |                            |
             |                            v                            v
             |                      +----------+                 +----------+
             |                      | Excititor|                 |  Attestor|
             |                      +----------+                 +----------+
             |
             v
        +----------+
        |    UI    |
        +----------+
```

### Key Integration Points

| From | To | Integration |
|---|---|---|
| Gateway | Authority | Token validation (JWKS) |
| Gateway | All Services | Binary frame routing |
| Scanner | Signer | SBOM signing |
| Scanner | Attestor | in-toto attestation |
| Policy | Concelier | Advisory data (read-only) |
| Policy | Excititor | VEX data (read-only) |
| Policy | Scanner | SBOM data (read-only) |
| Scheduler | Scanner | Trigger rescans |
| Scheduler | Concelier | Observe advisory deltas |
| Notifier | All Services | Consume events |