Pack 1 — Release Control (root menus)
Legend (used everywhere)
- CritR = Critical Reachable findings count (hybrid reachability)
- SBOM = SBOM presence + freshness (OK / Stale / Missing)
- Cov = reachability coverage sources: B/I/R = Build / Image (Dover/Docker) / Runtime
Example: Cov 2/3 means two sources available; hover shows which.
- Hybrid Reachability = union/merge of Build + Image + Runtime reachability signals.
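How CritR and Cov are derived from the three sources, as an added example (not Stella Ops code). The data model is an assumption: each source hands back a list of findings with its own reachability verdict, or None when that source is unavailable. Union semantics follow the legend: a finding is reachable if any available source says so, a missing source only lowers Cov, and CritR is "?" when no source is available at all. The CVE ids in the sample are placeholders, not real advisories.

```python
"""Hybrid reachability: CritR and Cov from Build / Image / Runtime signals.

Added example, not Stella Ops code. Assumed data model: each source reports a
list of Finding records, or None when that source is unavailable.
"""
from dataclasses import dataclass
from typing import Optional

SOURCES = ("Build", "Image", "Runtime")  # the three Cov sources from the legend


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str      # e.g. "foo@1.2.3"
    severity: str     # "Critical" | "High" | "Medium" | "Low"
    reachable: bool   # this source's verdict for this finding


def hybrid_merge(signals: dict) -> dict:
    """Union of findings over the available sources.

    A finding is reachable if ANY available source says so; the sources that
    voted "reachable" are recorded so the UI can show where the path came from
    (e.g. "reachable via runtime trace"). A source set to None is absent and
    contributes nothing; it only lowers Cov.
    """
    merged: dict = {}
    for src in SOURCES:
        findings = signals.get(src)
        if findings is None:
            continue
        for f in findings:
            key = (f.cve, f.package)
            entry = merged.setdefault(
                key, {"severity": f.severity, "reachable": False, "reachable_via": []})
            if f.reachable:
                entry["reachable"] = True
                entry["reachable_via"].append(src)
    return merged


def coverage(signals: dict) -> tuple:
    """Cov as (available, total, names), e.g. (2, 3, ["Build", "Image"])."""
    available = [s for s in SOURCES if signals.get(s) is not None]
    return len(available), len(SOURCES), available


def crit_r(signals: dict) -> Optional[int]:
    """Critical Reachable count; None means "CritR ?" (no source available)."""
    if coverage(signals)[0] == 0:
        return None
    return sum(1 for e in hybrid_merge(signals).values()
               if e["severity"] == "Critical" and e["reachable"])


def summary(signals: dict) -> str:
    """One-line summary in the style of the Release Detail header."""
    n, total, names = coverage(signals)
    missing = [s for s in SOURCES if s not in names]
    c = crit_r(signals)
    cov = f"Cov {n}/{total} ({'+'.join(names) or 'none'}"
    cov += f"; {'+'.join(missing)} missing)" if missing else ")"
    return f"CritR {'?' if c is None else c} | {cov}"


# Constructed sample input (placeholder CVE ids, not real advisories).
SAMPLE = {
    "Build": [
        Finding("CVE-XXXX", "foo@1.2.3", "Critical", True),    # static call path
        Finding("CVE-YYYY", "baz@4.5.6", "Critical", False),   # unreachable statically
        Finding("CVE-ZZZZ", "qux@1.0.0", "High", True),
    ],
    "Image": [
        Finding("CVE-XXXX", "foo@1.2.3", "Critical", True),
        Finding("CVE-YYYY", "baz@4.5.6", "Critical", False),
    ],
    "Runtime": [
        Finding("CVE-YYYY", "baz@4.5.6", "Critical", True),    # only a runtime trace sees it
    ],
}

if __name__ == "__main__":
    print(summary(SAMPLE))                       # CritR 2 | Cov 3/3 (Build+Image+Runtime)
    print(summary(dict(SAMPLE, Runtime=None)))   # CritR 1 | Cov 2/3 (Build+Image; Runtime missing)
```

The second print shows why Cov matters: drop the Runtime source and CVE-YYYY silently stops counting, so a lower CritR with Cov 2/3 is less trustworthy than the same number at 3/3.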
0) Left-nav structure (Release Control as root)
flowchart TB
subgraph LeftNav["Left Nav"]
subgraph RC["Release Control (ROOT)"]
DASH["Dashboard<br/>(formerly: Control Plane)"]
REL["Releases<br/>(formerly: Releases)"]
BUN["Bundles<br/>(NEW: Release Bundle Organizer)"]
APR["Approvals<br/>(formerly: Approvals)"]
DEP["Deployments<br/>(formerly: Active Deployments widget)"]
REG["Regions & Environments<br/>(formerly: env pipeline widget)"]
end
subgraph SR["Security & Risk (group)"]
SR1["Risk Overview (formerly: Security Overview)"]
SR2["Findings (formerly: Security Findings)"]
SR3["Reachability Coverage (NEW)"]
SR4["SBOM Explorer (formerly: SBOM Graph)"]
SR5["VEX Hub (formerly: VEX Hub)"]
SR6["Exceptions (formerly: Exceptions)"]
end
subgraph EA["Evidence & Audit (group)"]
EA1["Decision Capsules (formerly: Evidence Bundles / Packets)"]
EA2["Proof Chains (formerly: Proof Chains)"]
EA3["Replay / Verify (formerly: Replay/Verify)"]
EA4["Export Center (formerly: Export)"]
EA5["Coverage Metrics (formerly: SBOM Lake)"]
end
subgraph IN["Integrations (group)"]
IN1["Integrations Hub (formerly: Integrations)"]
IN2["Feeds & Mirrors (formerly: Operations → Feeds)"]
end
subgraph PO["Platform Ops (group)"]
PO1["Nightly Ops Report (NEW)"]
PO2["Platform Health (formerly: Platform Health)"]
PO3["Jobs / Orchestrator (formerly: Orchestrator)"]
PO4["Scheduler Runs (formerly: Scheduler)"]
PO5["Dead Letter (formerly: Dead Letter)"]
PO6["Quotas & Usage (formerly: Quotas)"]
end
subgraph AD["Administration (group)"]
AD1["Policy Governance"]
AD2["Trust & Signing"]
AD3["Identity & Access"]
AD4["System"]
end
end
1) Release Control — menu/screen graph (Pack 1 scope)
flowchart LR
DASH --> REL
DASH --> BUN
DASH --> APR
DASH --> DEP
DASH --> REG
REL --> RDETAIL["Release Detail"]
BUN --> BDETAIL["Bundle Detail / Compose"]
APR --> ADETAIL["Approval Detail"]
REG --> EDETAIL["Environment Detail"]
DEP --> DDETAIL["Deployment Detail"]
%% common crosslinks (second-class but not buried)
DASH -. "CritR hotspots" .-> FIND["Security & Risk → Findings"]
RDETAIL -. "Risk tab" .-> FIND
BDETAIL -. "Component findings" .-> FIND
ADETAIL -. "Evidence preview" .-> CAPS["Evidence & Audit → Decision Capsule"]
DDETAIL -. "Proof" .-> CAPS
%% nightly ops signal (dashboard card)
DASH -. "Nightly failures" .-> NIGHT["Platform Ops → Nightly Ops Report"]
Screen 1 — Dashboard (Release Control)
Formerly: Control Plane (plus some signals scattered in Security Overview, Integrations, Platform Health).
Why changed: Stella Ops needs a release-centric “mission board”: what is promoting, what is blocked, and what is risky by region/env — including SBOM status + hybrid reachability (CritR) and nightly data freshness. This prevents “green deploy / red risk” blind spots.
Mermaid — Dashboard navigation graph
flowchart TB
DASH["Dashboard"] -->|click release row| RDETAIL["Release Detail"]
DASH -->|pending approvals| APR["Approvals"]
DASH -->|active deployments| DEP["Deployments"]
DASH -->|region pipeline| REG["Regions & Environments"]
DASH -->|CritR hotspot| FIND["Security & Risk → Findings (filtered)"]
DASH -->|Nightly failures| NIGHT["Platform Ops → Nightly Ops Report"]
ASCII wireframe — Dashboard
+----------------------------------------------------------------------------------+
| Stella Ops [Search releases/digests/CVEs] Region: All▼ Env: All▼ Time: 24h▼ |
| Status: Offline OK | Feed: Live | Policy Pack: latest | Evidence: ON |
+----------------------------------------------------------------------------------+
| RELEASE CONTROL DASHBOARD (formerly: Control Plane) |
|----------------------------------------------------------------------------------|
| Region Pipelines (Deploy + SBOM + Risk) |
| US-East: Dev[Deploy OK|SBOM OK|CritR 0|Cov 3/3] -> Stg[OK|OK|0|3/3] -> |
| Prod[DEGRADED|SBOM STALE|CritR 4|Cov 2/3] |
| EU-West: Dev[OK|OK|0|3/3] -> Stg[OK|MISSING|CritR ?|Cov 1/3] -> Prod[OK|OK|1|3/3]|
| APAC: ... |
|----------------------------------------------------------------------------------|
| Pending Approvals (2) | Active Deployments (1) |
| - API Gateway v2.1.0 US-E/Prod | - Hotfix 1.2.4 US-East/Prod RUNNING |
| Gate: PASS Approvals: 1/2 | Targets: 1/1 Evidence: sealing... |
| - User Service v3.0.0-rc1 EU/Prod| |
| Gate: BLOCK (CritR 2) | |
|----------------------------------------------------------------------------------|
| Critical Reachable Hotspots (CritR) | Nightly Ops Signals |
| - US-East/Prod: CritR 4 (openssl, log4j...) | SBOM Rescan: WARN (1 failed) |
| - EU-West/Prod: CritR 1 (glibc...) | CVE Feeds: ERROR (NVD stale 18h)|
| - APAC/Stg: CritR 2 (xz...) | Integrations: DEGRADED (Jenkins)|
| [View Findings] | Reachability ingest: WARN (Runtime)|
|----------------------------------------------------------------------------------|
| Recent Releases / Promotions |
| Release Type Status Regions CritR max Evidence |
| Hotfix 1.2.4 Single PROMOTING US-East 4 Sealing... |
| Platform 1.3.0-rc1 Bundle READY All 0 Ready |
|----------------------------------------------------------------------------------|
Screen 2 — Releases (ledger)
Formerly: Releases.
Why changed: keep the ledger, but make it digest-first + bundle-aware, and show risk + SBOM freshness + reachability coverage at the list level so operators don’t need to click into each release to see “is it actually safe to promote”.
Mermaid — Releases navigation graph
flowchart TB
REL["Releases"] -->|select row| RDETAIL["Release Detail"]
REL -->|Create Hotfix| NEWREL["New Release (Single Digest)"]
REL -->|Create from Bundle| BUN["Bundles"]
REL -->|Compare| COMP["Compare Releases (diff)"]
REL -. "Export evidence" .-> EA4["Export Center"]
ASCII wireframe — Releases
+----------------------------------------------------------------------------------+
| Releases (formerly: Releases) [Create Hotfix] [Create from Bundle] |
| Filters: Region▼ Env Path▼ Type▼ Status▼ Search... |
+----------------------------------------------------------------------------------+
| Release / Version Type Status Regions Env Path CritR SBOM |
|----------------------------------------------------------------------------------|
| Hotfix 1.2.4 Single PROMOTING US-East Stg→Prod 4 STALE |
| Platform Release 1.3.0-rc1 Bundle READY All Stg→Prod 0 OK |
| Platform Release 1.2.3 Bundle DEPLOYED All Prod 0 OK |
| Feature Branch 2.0.0-a Bundle DRAFT EU-West Dev - - |
| Platform Release 1.2.2 Bundle ROLLED_BACK US-East Prod - OK |
|----------------------------------------------------------------------------------|
| Row actions: [View] [Compare] [Evidence] [Rollback] [Promote] |
+----------------------------------------------------------------------------------+
Screen 3 — Release Detail (case file)
Formerly: scattered between Releases (list), Approvals (decision context), Security Findings (risk details), and Export/Replay.
Why changed: Stella Ops’ center of gravity is a release decision bound to a digest (or bundle digest). This screen becomes the “case file”: promotion edge, risk, reachability sources, policy inputs, approvals, deployment, and evidence — in one place.
Mermaid — Release Detail navigation graph
flowchart TB
RDETAIL["Release Detail"] --> APR["Approvals (filtered to this release)"]
RDETAIL --> DEP["Deployments (filtered)"]
RDETAIL --> FIND["Findings (filtered)"]
RDETAIL --> CAPS["Decision Capsule (for this edge)"]
RDETAIL --> BDETAIL["Bundle Detail (if Type=Bundle)"]
RDETAIL --> REG["Regions & Environments (focus edge)"]
ASCII wireframe — Release Detail
+----------------------------------------------------------------------------------+
| Release: Hotfix 1.2.4 Type: Single Digest Digest: sha256:abcd... |
| Path: US-East Staging → Production Status: PROMOTING |
| Summary: CritR 4 | SBOM STALE | Cov 2/3 (Build+Image; Runtime missing) |
|----------------------------------------------------------------------------------|
| Promotion Timeline (edges) | Gate Summary |
| Staging → Prod [BLOCKED?] | Policy: PASS |
| - Findings: CritR 4 | Data freshness: WARN (SBOM stale) |
| - Approvals: 1/2 | Reachability: WARN (Runtime missing) |
| - Evidence: Sealing... | Human: PENDING (1 remaining) |
|----------------------------------------------------------------------------------|
| Tabs: [Overview] [Components] [Risk] [Reachability] [Approvals] [Deployments] [Evidence] |
|----------------------------------------------------------------------------------|
| Overview: |
| - Requested by: security-team - Change summary: "Critical security patch" |
| - Inputs frozen: Policy Pack vX.Y - SBOM scan time: 18h ago (stale threshold 6h)|
|----------------------------------------------------------------------------------|
| Risk (summary): |
| CritR: 4 HighR: 7 MedR: 12 (hybrid reachability) |
| Top drivers: openssl CVE-xxxx, libxml2 CVE-yyyy |
| [Open Findings (filtered)] |
|----------------------------------------------------------------------------------|
| Evidence: |
| Decision Capsule: DSSE ✓ Rekor ✓ Replayable ✓ [View Capsule] [Export] |
+----------------------------------------------------------------------------------+
Screen 4 — Bundles (Release Bundle Organizer) NEW
Formerly: not present; closest concept was Export Center → StellaBundle but that is an audit/export artifact, not an operator workflow for composing deployable multi-service releases.
Why added / why here: You need a bundle organizer to turn “microservice digest + env-derived variables + other microservices + changelog” into a bundle version with a bundle digest. This stays digest-first (everything pinned by digest), but becomes human-operable for multi-service systems.
Bundle concept (explicit)
A Bundle =
- Components: service/repo → digest → derived component version
- Config Snapshot per region/env: references to Vault/Consul inputs + hashes (no secret values)
- Changelog per repo: commit/PR range between previous bundle and this bundle
- Bundle digest: hash of the bundle manifest (components + config snapshot refs + metadata)
- Used to create Releases (promotions) across environments.
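The bundle concept above, carried through in code as an added example (not Stella Ops code). Assumptions: components are pinned by OCI-style sha256 digests, config inputs arrive as path → value pairs from Vault/Consul, and the tag index that backs the Digest→Version mapping is constructed CI build metadata. The manifest is canonicalised (sorted keys, sorted component list) so the bundle digest does not depend on the order components were added, and a component without a digest is rejected so the bundle stays digest-first.

```python
"""Bundle manifest, config snapshot refs and bundle digest.

Added example, not Stella Ops code. Assumptions: components are pinned by
"sha256:<64 hex>" digests; config inputs are given as path -> value from
Vault/Consul, and only the path plus a hash of the value is kept.
"""
import hashlib
import json
import re
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def canonical_json(obj) -> bytes:
    """Deterministic encoding so the manifest hash does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def config_snapshot(region_env: str, values: dict) -> dict:
    """Reference-only snapshot: path + hash of the value, never the value itself.

    Caveat: a plain hash of a low-entropy value can be guessed offline; for such
    inputs store only the backend's own version identifier instead.
    """
    refs = {path: sha256_hex(values[path].encode()) for path in sorted(values)}
    return {"region_env": region_env, "refs": refs, "hash": sha256_hex(canonical_json(refs))}


def derive_version(digest: str, tag_index: dict, pinned: Optional[str] = None) -> str:
    """Digest->Version mapping: a manual pin wins, then build/tag metadata, else a digest prefix."""
    if pinned:
        return pinned
    return tag_index.get(digest, "untagged-" + digest.split(":")[1][:12])


def bundle_manifest(name, version, baseline, components, snapshots, changelog) -> dict:
    """components: list of {"service", "digest", "version"}; every digest must be pinned."""
    for c in components:
        if not DIGEST_RE.match(c["digest"]):
            raise ValueError(f"{c['service']}: must be pinned by sha256 digest, got {c['digest']!r}")
    return {
        "metadata": {"name": name, "version": version, "baseline": baseline},
        "components": sorted(components, key=lambda c: c["service"]),
        "config_snapshots": {s["region_env"]: s for s in snapshots},
        "changelog": changelog,  # repo -> {"from": tag/commit, "to": tag/commit}
    }


def bundle_digest(manifest: dict) -> str:
    """The bundle digest is the hash of the canonical manifest; promotions bind to it."""
    return sha256_hex(canonical_json(manifest))


# Constructed sample: fake digests and a fake CI tag index.
DIG_A = "sha256:" + "a" * 64
DIG_B = "sha256:" + "b" * 64
TAG_INDEX = {DIG_A: "2.1.0", DIG_B: "2.0.0"}


def sample_manifest(order_swap: bool = False) -> dict:
    comps = [
        {"service": "api-service", "digest": DIG_A, "version": derive_version(DIG_A, TAG_INDEX)},
        {"service": "web-frontend", "digest": DIG_B, "version": derive_version(DIG_B, TAG_INDEX)},
    ]
    if order_swap:
        comps.reverse()  # order of composition must not change the digest
    snap = config_snapshot("US-East/Prod",
                           {"secret/api/db": "hunter2", "consul/api/flags": "checkout_v2=on"})
    changelog = {"api-service": {"from": "v2.0.8", "to": "v2.1.0"},
                 "web-frontend": {"from": "v1.9.1", "to": "v2.0.0"}}
    return bundle_manifest("Platform Bundle", "1.3.0", "Staging", comps, [snap], changelog)


if __name__ == "__main__":
    print(bundle_digest(sample_manifest()))
```

Locking a bundle in the Compose screen corresponds to freezing this manifest and recording its digest; any later change to a component digest, a config ref hash or the changelog range yields a different bundle digest, which is what makes a promotion bound to it replayable.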
Mermaid — Bundles navigation graph
flowchart TB
BUN["Bundles"] -->|select bundle| BDETAIL["Bundle Detail / Compose"]
BUN -->|Create bundle| BCREATE["Create Bundle (from repos/services)"]
BDETAIL -->|Generate Release Candidate| REL["Releases (new release from bundle)"]
BDETAIL -->|Compare to previous bundle| BDIFF["Bundle Diff (components+config+changelog)"]
BDETAIL -->|Fetch config snapshot| CFG["Config Snapshot (Vault/Consul refs)"]
BDETAIL -. "Risk preview" .-> FIND["Findings (bundle-filtered)"]
ASCII wireframe — Bundles (Organizer)
+----------------------------------------------------------------------------------+
| Bundles (NEW) (formerly: N/A; concept overlaps Export Center but different) |
| [Create Bundle] Filters: Repo▼ Region▼ Env▼ Status▼ Search... |
+----------------------------------------------------------------------------------+
| Bundle / Version Status Components Regions Env Baseline CritR SBOM |
|----------------------------------------------------------------------------------|
| Platform Bundle 1.3.0 READY 12 All Stg baseline 0 OK |
| Checkout Bundle 2026.02 DRAFT 7 EU-West Dev baseline - - |
| Hotfix Set 1.2.4 READY 1 US-East Prod baseline 4 STALE|
|----------------------------------------------------------------------------------|
| Row actions: [Compose] [Compare] [Create Release] [Export Manifest] |
+----------------------------------------------------------------------------------+
Screen 5 — Bundle Detail / Compose (Bundle “case file”)
Formerly: not present; composition typically happens in external tooling (CI/CD templates, Helm charts, spreadsheets).
Why changed: This is the missing “organizer” you called out. It makes bundles auditable, repeatable, and env-config-aware, while preserving digest-first identity.
Mermaid — Bundle Detail / Compose graph
flowchart TB
BDETAIL["Bundle Detail / Compose"] -->|Edit components| COMP["Component Picker (repo/service)"]
BDETAIL -->|Pin digest & derive version| MAP["Digest→Version Mapping"]
BDETAIL -->|Fetch env config refs| CFG["Config Snapshot (Vault/Consul)"]
BDETAIL -->|View changelog| CHG["Changelog (per repo)"]
BDETAIL -->|Validate| VAL["Bundle Validation (SBOM, attestation, policy inputs)"]
BDETAIL -->|Lock| LOCK["Lock Bundle (freeze manifest)"]
BDETAIL -->|Create Release| REL["Create Release from Bundle"]
BDETAIL -. "Preview risk" .-> FIND["Findings (bundle-filtered)"]
ASCII wireframe — Bundle Detail / Compose
+----------------------------------------------------------------------------------+
| Bundle: Platform Bundle 1.3.0 Status: DRAFT Bundle Digest: sha256:bund... |
| Baseline: Staging Regions: All Last updated: 5m ago |
| Actions: [Validate] [Lock Bundle] [Create Release] [Export Manifest] |
+----------------------------------------------------------------------------------+
| Tabs: [Components] [Config Snapshots] [Changelog] [Risk Preview] [Evidence Inputs]|
|----------------------------------------------------------------------------------|
| Components (12) |
| Service/Repo Digest Derived Ver SBOM CritR Prov |
| api-service sha256:aaa... 2.1.0 OK 0 SLSA ✓ |
| web-frontend sha256:bbb... 2.0.0 OK 0 SLSA ✓ |
| worker sha256:ccc... 3.1.0 STALE 1 SLSA ✓ |
| ... |
| [Add Component] [Pin Digest] [Import from CI] |
|----------------------------------------------------------------------------------|
| Config Snapshots (refs only — no secret values) |
| Region/Env Vault paths (count) Consul prefixes (count) Snapshot Hash |
| US-East/Prod 12 6 sha256:cfg1... |
| EU-West/Prod 11 6 sha256:cfg2... |
| Notes: "Vault unreachable" shows as ERROR and (optionally, per policy) blocks Lock/Release |
| [Fetch Snapshots] [View Ref List] [Diff vs previous bundle] |
|----------------------------------------------------------------------------------|
| Changelog (per repo) |
| api-service: v2.0.8 → v2.1.0 (12 PRs) [View] |
| web-frontend: v1.9.1 → v2.0.0 (30 PRs) [View] |
|----------------------------------------------------------------------------------|
Screen 6 — Approvals (queue)
Formerly: Approvals.
Why changed: Keep it, but make approvals explicitly tied to promotion edges and show the risk + freshness + reachability context right in the queue so reviewers don’t approve blind.
Mermaid — Approvals navigation graph
flowchart TB
APR["Approvals"] -->|open request| ADETAIL["Approval Detail"]
APR -->|filter by region/env| APR
ADETAIL -->|Approve/Reject| APR
ADETAIL -. "Open release case file" .-> RDETAIL["Release Detail"]
ADETAIL -. "Open findings" .-> FIND["Findings (filtered)"]
ADETAIL -. "Open capsule preview" .-> CAPS["Decision Capsule"]
ASCII wireframe — Approvals
+----------------------------------------------------------------------------------+
| Approvals (formerly: Approvals) Filters: Region▼ Env▼ Status▼ Risk▼ Search... |
+----------------------------------------------------------------------------------+
| Request Edge Gate Approvals CritR SBOM |
|----------------------------------------------------------------------------------|
| API Gateway v2.1.0 US-East Stg→Prod PASS 1/2 0 OK |
| User Service v3.0.0-rc1 EU-West Stg→Prod BLOCK 0/2 2 OK |
| Notes: BLOCK reasons show inline: (Policy fail / CritR / data stale / missing Cov)|
|----------------------------------------------------------------------------------|
| Actions per row: [Approve] [Reject] [View Detail] |
+----------------------------------------------------------------------------------+
Screen 7 — Approval Detail (gate breakdown + evidence preview)
Formerly: “View Details” from Approvals (implied) + bits from Findings and Export/Replay.
Why changed: The approver needs a single page that explains why an edge is blocked/passing, with hybrid reachability and data freshness spelled out, plus a preview of the evidence capsule that will be sealed.
Mermaid — Approval Detail graph
flowchart TB
ADETAIL["Approval Detail"] -->|Approve| ACT1["Approve action"]
ADETAIL -->|Reject| ACT2["Reject action"]
ADETAIL --> RDETAIL["Release Detail"]
ADETAIL --> FIND["Findings (edge-filtered)"]
ADETAIL --> CAPS["Decision Capsule Preview"]
ASCII wireframe — Approval Detail
+----------------------------------------------------------------------------------+
| Approval Detail (formerly: Approvals → View Details) |
| Release: User Service v3.0.0-rc1 Edge: EU-West Staging → Production |
|----------------------------------------------------------------------------------|
| Gate Summary: BLOCK |
| - Policy: PASS |
| - Risk: CritR 2 (Hybrid reachability) |
| - SBOM: OK (fresh) |
| - Reachability Coverage: 3/3 (Build+Image+Runtime) |
| - Data Freshness: OK (Feeds synced 2h ago) |
|----------------------------------------------------------------------------------|
| Risk Drivers (CritR): |
| - CVE-XXXX in package foo@1.2.3 Reachable via path: foo->bar->... |
| - CVE-YYYY in package baz@4.5.6 Reachable via runtime trace |
| [Open Findings (filtered)] |
|----------------------------------------------------------------------------------|
| Evidence Preview: |
| Capsule will include: policy inputs, SBOM refs, reachability sources, decision log|
| DSSE: pending seal Rekor: pending Replay: enabled |
| [View Capsule Draft] [Approve] [Reject] |
+----------------------------------------------------------------------------------+
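The gate breakdown above and the inline BLOCK reasons on the Approvals queue (Policy fail / CritR / data stale / missing Cov), as an added example rather than Stella Ops code. Inputs are the numbers the screens already show: policy verdict, CritR, SBOM scan age, Cov and approvals. Thresholds are assumptions (SBOM stale after 6h, matching the Release Detail wireframe; three Cov sources), as is the `strict_freshness` switch that decides whether a stale SBOM or missing Cov blocks or only warns. Human approval is reported separately and never overrides a BLOCK.

```python
"""Promotion-edge gate: BLOCK/PASS with inline reasons.

Added example, not Stella Ops code. Thresholds (6h SBOM staleness, 3 Cov
sources) and the strict_freshness switch are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SBOM_STALE_AFTER = timedelta(hours=6)
COV_TOTAL = 3


@dataclass
class EdgeState:
    release: str
    edge: str                             # e.g. "EU-West Staging -> Production"
    policy_pass: bool
    crit_r: Optional[int]                 # None == "CritR ?" (no reachability sources)
    sbom_scanned_at: Optional[datetime]   # None == SBOM missing
    cov_available: int
    approvals_given: int
    approvals_required: int


@dataclass
class GateResult:
    status: str     # "PASS" or "BLOCK"
    reasons: list   # BLOCK reasons shown inline on the queue row
    warnings: list  # non-blocking WARN lines
    human: str      # "PENDING (n remaining)" or "COMPLETE"


def evaluate_gate(e: EdgeState, now: datetime, strict_freshness: bool = True) -> GateResult:
    """Automated gate for one promotion edge.

    strict_freshness=True treats a stale SBOM and missing Cov as BLOCK reasons
    (the Approvals queue behaviour); False downgrades them to WARN.
    """
    reasons, warnings = [], []
    if not e.policy_pass:
        reasons.append("Policy fail")
    if e.crit_r is None:
        reasons.append("CritR ? (no reachability sources)")
    elif e.crit_r > 0:
        reasons.append(f"CritR {e.crit_r}")
    if e.sbom_scanned_at is None:
        reasons.append("SBOM missing")
    else:
        age = now - e.sbom_scanned_at
        if age > SBOM_STALE_AFTER:
            msg = (f"data stale (SBOM scan {age // timedelta(hours=1)}h ago, "
                   f"threshold {SBOM_STALE_AFTER // timedelta(hours=1)}h)")
            (reasons if strict_freshness else warnings).append(msg)
    if e.cov_available < COV_TOTAL:
        msg = f"missing Cov ({e.cov_available}/{COV_TOTAL})"
        (reasons if strict_freshness else warnings).append(msg)
    remaining = max(e.approvals_required - e.approvals_given, 0)
    human = f"PENDING ({remaining} remaining)" if remaining else "COMPLETE"
    return GateResult("BLOCK" if reasons else "PASS", reasons, warnings, human)


def can_promote(e: EdgeState, now: datetime) -> bool:
    """Promotion needs an automated PASS and all required human approvals."""
    r = evaluate_gate(e, now)
    return r.status == "PASS" and r.human == "COMPLETE"


# Constructed clock and edge states mirroring the wireframes.
NOW = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
HOTFIX = EdgeState("Hotfix 1.2.4", "US-East Staging -> Production",
                   True, 4, NOW - timedelta(hours=18), 2, 1, 2)
API_GW = EdgeState("API Gateway v2.1.0", "US-East Staging -> Production",
                   True, 0, NOW - timedelta(hours=1), 3, 1, 2)
USER_SVC = EdgeState("User Service v3.0.0-rc1", "EU-West Staging -> Production",
                     True, 2, NOW - timedelta(hours=2), 3, 0, 2)

if __name__ == "__main__":
    for edge in (HOTFIX, API_GW, USER_SVC):
        r = evaluate_gate(edge, NOW)
        print(edge.release, r.status, r.reasons, r.warnings, r.human)
```

Note that "Gate: PASS, Approvals 1/2" is still not promotable: the automated gate and the human quorum are independent checks, and the queue row shows both so a reviewer can tell which one is holding the edge.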
Screen 8 — Regions & Environments (promotion graph + env tiles)
Formerly: pipeline widget on Control Plane (flat, not region-first).
Why changed: You explicitly need Region → Environments as a first-class topology, and each env must summarize not only “deploy health” but also SBOM + CritR + Cov.
Mermaid — Regions & Environments graph
flowchart TB
REG["Regions & Environments"] -->|select env node| EDETAIL["Environment Detail"]
REG -->|select edge| EDGE["Edge Inspector (gates, approvals, evidence)"]
REG -. "View findings for env" .-> FIND["Findings (env-filtered)"]
REG -. "View deployments for env" .-> DEP["Deployments (env-filtered)"]
ASCII wireframe — Regions & Environments
+----------------------------------------------------------------------------------+
| Regions & Environments (formerly: Control Plane pipeline) Region: US-East▼ |
| [Edit Graph] (role-gated) |
+----------------------------------------------------------------------------------+
| Promotion Graph (US-East) |
| Dev [OK|SBOM OK|CritR 0|Cov 3/3] --> Staging [OK|OK|0|3/3] --> Prod [DEG|STALE|4|2/3] |
| |
| Right Inspector (selected: Prod node) |
| - Deploy health: DEGRADED (1 target failing) |
| - SBOM: STALE (last scan 18h) |
| - CritR: 4 (hybrid) |
| - Coverage: Build ✓ Image ✓ Runtime ✗ |
| - Feed freshness: NVD stale 18h (WARN/ERROR) |
| Actions: [View Findings] [View Deployments] [View Config Snapshot] |
+----------------------------------------------------------------------------------+
Screen 9 — Environment Detail (region/env “single pane”)
Formerly: no dedicated page; fragments in Control Plane, Platform Health, Findings, and CI/CD/inventory.
Why changed: Operators need a per region/env summary showing what’s deployed and what’s risky with SBOM status and reachability source coverage — so it’s clear if risk posture is trustworthy.
Mermaid — Environment Detail graph
flowchart TB
EDETAIL["Environment Detail"] --> FIND["Findings (env-filtered)"]
EDETAIL --> DEP["Deployments (env-filtered)"]
EDETAIL --> CFG["Config Snapshot refs (env)"]
EDETAIL -. "Nightly issues affecting this env" .-> NIGHT["Nightly Ops Report"]
ASCII wireframe — Environment Detail
+----------------------------------------------------------------------------------+
| Environment Detail US-East / Production (formerly: N/A) |
| Deploy: DEGRADED | SBOM: STALE | CritR: 4 | Cov: 2/3 | Feeds: NVD stale 18h |
+----------------------------------------------------------------------------------+
| Deployed Workloads (by digest) |
| Service Image Digest Version SBOM CritR Last Deploy |
| api-service sha256:aaa... 2.1.0 OK 0 08:12 |
| web-frontend sha256:bbb... 2.0.0 OK 0 08:12 |
| worker sha256:ccc... 3.1.0 STALE 1 08:12 |
|----------------------------------------------------------------------------------|
| Critical Reachable Findings (CritR 4) [Open Findings] |
| - CVE-XXXX foo@1.2.3 reachable via ... |
| - CVE-YYYY bar@4.5.6 reachable via runtime traces (missing today!) |
|----------------------------------------------------------------------------------|
| Config Snapshot (refs only) |
| Vault refs: 12 paths | Consul refs: 6 prefixes | Snapshot hash: sha256:cfg1... |
| [View refs] [Diff vs last snapshot] |
|----------------------------------------------------------------------------------|
| Related: [Deployments] [Approvals] [Evidence] |
+----------------------------------------------------------------------------------+
Screen 10 — Deployments (promotion execution view)
Formerly: “Active Deployments” widget + implicit status in Releases list.
Why changed: Keep the operational view, but tie it to release/bundle digests and show SBOM/risk context so deployments aren’t treated as purely operational success/failure.
Mermaid — Deployments graph
flowchart TB
DEP["Deployments"] -->|select run| DDETAIL["Deployment Detail"]
DEP -->|filter by release/env| DEP
DDETAIL --> RDETAIL["Release Detail"]
DDETAIL --> CAPS["Decision Capsule"]
ASCII wireframe — Deployments
+----------------------------------------------------------------------------------+
| Deployments (formerly: Active Deployments widget) |
| Filters: Region▼ Env▼ Status▼ Release▼ Search... |
+----------------------------------------------------------------------------------+
| Release Region/Env Status Targets SBOM CritR Evidence |
|----------------------------------------------------------------------------------|
| Hotfix 1.2.4 US-East/Prod RUNNING 1/1 STALE 4 Sealing... |
| Platform 1.2.3 EU-West/Prod COMPLETED 3/3 OK 0 Sealed ✓ |
|----------------------------------------------------------------------------------|
| Actions: [View Detail] |
+----------------------------------------------------------------------------------+
Screen 11 — Deployment Detail (run + proof)
Formerly: not a dedicated PoC screen (implied behind deployment status).
Why changed: When something fails, you need traceability: what digest was applied, where, what verification occurred, and what evidence was produced.
Mermaid — Deployment Detail graph
flowchart TB
DDETAIL["Deployment Detail"] --> CAPS["Decision Capsule (final)"]
DDETAIL --> EDETAIL["Environment Detail"]
DDETAIL --> RDETAIL["Release Detail"]
ASCII wireframe — Deployment Detail
+----------------------------------------------------------------------------------+
| Deployment Detail (formerly: N/A) |
| Release: Hotfix 1.2.4 Edge: US-East Staging→Prod Run: dep-0042 |
| Status: RUNNING Targets: 1/1 Started: 08:12 Actor: deploy-bot |
+----------------------------------------------------------------------------------+
| Steps / Timeline |
| 1) Resolve artifact digests ✓ |
| 2) Fetch config snapshot refs ✓ (vault ok, consul ok) |
| 3) Apply to target(s) ✓ |
| 4) Post-deploy verification WARN (runtime reachability missing) |
| 5) Seal evidence capsule IN PROGRESS |
|----------------------------------------------------------------------------------|
| Deployed Digests |
| - api-service sha256:aaa... - worker sha256:ccc... |
|----------------------------------------------------------------------------------|
| Evidence |
| Capsule: DSSE pending | Rekor pending | Replay enabled |
| [View Capsule] [Replay/Verify] [Export] |
+----------------------------------------------------------------------------------+
Release Bundle Organizer — key design notes (so it matches your requirement)
What you asked for, explicitly, is now represented in Bundles + Bundle Detail:
- “microservice with digest becomes version X”
  - Bundle composer maintains a Digest→Version mapping per component (derived from git tag/build metadata or manually pinned).
- “variables derived from vaults and consul for this env”
  - Bundle stores config snapshot references + hashes per region/env; values are not shown, but the snapshot is reproducible and auditable.
- “other microservices becomes bundle along with change log. per repository.”
  - Bundle includes per-repo changelog (diff vs prior bundle baseline).
- “release digest first”
  - The bundle itself has a bundle digest (manifest hash). Promotions can be bound to that digest exactly like a single-image hotfix.