Pack 3 — Security + Evidence & Audit + Operations
This pack adds the missing SBOM/Finding signals, hybrid reachability (build/image/runtime), and a first-class Nightly Ops Report, while keeping the “release/hotfix + security + audit” spine. (Stella Ops Suite)
0) Design rule for this pack (why these screens look the way they do)
When Stella Ops opens, the UI must communicate fast:
- What is deployed where (by digest)
- What is allowed to ship next
- Why it is allowed/blocked (policy + reachability evidence)
- Where the evidence is (one-click proof/export) (Gitea: Git with a cup of tea)
Everything in this pack is arranged to serve that rule.
1) SECURITY — menus + screens
1.1 Security menu graph (Mermaid)
flowchart TD
S0["Security (menu)"]
S1["Security Overview (global)"]
S2["Findings (SBOM + CVE)"]
S3["Finding Detail"]
S4["Hybrid Reachability (build/image/runtime)"]
S5["Reachability Evidence Detail"]
S6["VEX Hub"]
S7["VEX Statement Detail"]
S8["Exceptions"]
S9["Exception Detail"]
S10["SBOM Explorer (Graph)"]
S0 --> S1
S0 --> S2 --> S3 --> S5
S0 --> S4 --> S5
S0 --> S6 --> S7
S0 --> S8 --> S9
S0 --> S10
1.2 Screen — Security Overview (global)
New location: Security → Security Overview
Previously: Security → Overview (“Security Overview”)
Why changed:
- Your dashboard needs to surface the SBOM/finding signal and “which env/region is burning” in one glance (not “0 across the board” unless truly 0).
- This overview becomes the security posture rollup across regions/environments with reachability emphasis (reachable CVEs are what matter for decisions).
Screen graph (Mermaid)
flowchart LR
A["Security Overview"] --> B["Findings (filtered)"]
A --> C["Hybrid Reachability"]
A --> D["VEX Hub"]
A --> E["Exceptions"]
A --> F["Evidence Capsule (latest)"]
A --> G["Ops: Nightly Report (security pipelines)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Stella Ops [Search releases/digests…] |
|--------------------------------------------------------------------------------------------------|
| NAV | Security / Overview |
|------------------------| formerly: Security → Overview (Security Overview) |
| Dashboard |-------------------------------------------------------------------------|
| Release Control | GLOBAL POSTURE (last refresh 2m) |
| Security (YOU ARE) | Reachable CVEs: CRIT [2] HIGH [7] MED [14] LOW [33] |
| Evidence & Audit | Non-reachable CVEs (noise): 1,284 |
| Operations |-------------------------------------------------------------------------|
| Integrations | HOTSPOTS (Reachable CRIT/HIGH by env) |
| Administration | prod/us-east-1 CRIT=2 HIGH=3 | prod/eu-west-1 CRIT=0 HIGH=4 |
| | staging/us-east-1 CRIT=0 HIGH=1 | dev/* CRIT=0 HIGH=0 |
| |-------------------------------------------------------------------------|
| | HYBRID REACHABILITY COVERAGE (must not be “third class”) |
| | Build: 92% | Image (Dover): 100% | Runtime: 63% |
| | Gaps: prod/eu-west-1 runtime ingest delayed (last 6h) |
| |-------------------------------------------------------------------------|
| | Quick actions: [View Findings] [Reachability] [VEX Hub] [Exceptions] |
+--------------------------------------------------------------------------------------------------+
1.3 Screen — Findings (SBOM + CVE unified)
New location: Security → Findings
Previously:
- Security → Findings (“Security Findings”)
- Security → Vulnerabilities (“Vulnerabilities”)
Why changed:
- One list with consistent semantics: “CVE + package + reachability + environments + releases/bundles impacted”.
- The old “Vulnerabilities” page becomes a redirect to this screen with preset filters (e.g., View=CVE Catalog).
Screen graph (Mermaid)
flowchart TD
L["Findings (SBOM + CVE)"] --> F["Finding Detail"]
L --> X["Export CSV"]
L --> V["VEX Hub (context)"]
L --> E["Create Exception (pre-filled)"]
L --> R["Reachability view (hybrid columns)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Security / Findings [Export CSV] [Saved Views]|
| formerly: Security → Findings (Security Findings) + Security → Vulnerabilities (Vulnerabilities) |
|--------------------------------------------------------------------------------------------------|
| Filters: Severity [All] Reachability [Any/Reachable] Source [Build/Image/Runtime/Any] |
| Region [All] Environment [All] VEX [Any/Has VEX/Needs VEX] |
|--------------------------------------------------------------------------------------------------|
| CVE PACKAGE SEV CVSS REACHABILITY (B/I/R) VEX RELEASE/BUNDLE ENVS |
| CVE-... openssl CRIT 9.8 ✅ / ✅ / ✅ — hotfix-auth 1.2.4 prod/us-east-1|
| CVE-... log4j HIGH 8.1 ✅ / ✅ / ☐ vendor platform 1.3.0 prod/eu-west-1|
| CVE-... zlib MED 6.5 ☐ / ✅ / ☐ local payments 2.8.4 staging/us-e1|
|--------------------------------------------------------------------------------------------------|
| Notes: Reachability columns are hybrid: Build analysis, Image (Dover), Runtime (deployed). |
+--------------------------------------------------------------------------------------------------+
1.4 Screen — Finding Detail (evidence-first)
New location: Security → Findings → (Finding Detail)
Previously: fragmented across Findings + (future) SBOM Graph + VEX Hub
Why changed:
- A decision is only as good as its proof: this page centers reachability evidence, affected environments, VEX, and the promotion impact (blocked vs allowed) with links to Decision Capsule.
Screen graph (Mermaid)
flowchart LR
D["Finding Detail"] --> R["Reachability Evidence (hybrid)"]
D --> V["VEX Statements"]
D --> P["Promotion Impact (gates + approvals)"]
D --> X["Request Exception"]
D --> E["Evidence Capsule (view/download)"]
D --> A["Remediation actions (upgrade/patch)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Finding: CVE-2026-XXXX (openssl) [Request Exception] |
| formerly: (spread across) Security Findings + VEX Hub + (SBOM Graph placeholder) |
|--------------------------------------------------------------------------------------------------|
| Summary: CRITICAL CVSS 9.8 Package: openssl@3.0.x |
| Affected artifacts (digests): sha256:aaaa… sha256:bbbb… |
|--------------------------------------------------------------------------------------------------|
| Reachability (hybrid) |
| Build: ✅ reachable (call path: api-gateway -> tls -> openssl) |
| Image (Dover): ✅ reachable (static analysis) |
| Runtime: ✅ reachable (trace evidence: prod/us-east-1) |
| [View Reachability Evidence] |
|--------------------------------------------------------------------------------------------------|
| Environments impacted |
| prod/us-east-1 (2 services) prod/eu-west-1 (1 service) |
|--------------------------------------------------------------------------------------------------|
| VEX |
| Vendor VEX: none | Local VEX: draft |
| [Open VEX Hub pre-filtered] |
|--------------------------------------------------------------------------------------------------|
| Promotion impact |
| Gate: "No reachable CRIT" ❌ BLOCKS | Required: patch or approved exception with expiry |
| Evidence capsule: sealed? ✅ [Open Capsule] [Export] |
+--------------------------------------------------------------------------------------------------+
1.5 Screen — Hybrid Reachability (coverage + gaps)
New location: Security → Hybrid Reachability
Previously: not visible as a coherent surface
Why changed:
- You explicitly require reachability from Build, Image (Dover), and Runtime to be second-class (visible), not buried.
- This page answers: “Do we trust our reachability picture for each env/region right now?”
Screen graph (Mermaid)
flowchart TD
H["Hybrid Reachability (Coverage)"] --> M["Coverage Matrix (region/env x source)"]
H --> G["Gap Drilldown (why missing runtime?)"]
H --> F["Findings filtered by 'reachability missing'"]
H --> O["Ops: ingestion pipeline health"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Security / Hybrid Reachability [Export] [Explain] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Coverage Matrix (last 24h) |
| Region/Env BUILD IMAGE (DOVER) RUNTIME NOTES |
| prod/us-east-1 98% ✅ 100% ✅ 72% ⚠ runtime ingest lag 2h |
| prod/eu-west-1 93% ✅ 100% ✅ 41% ❌ agent offline |
| staging/us-east-1 90% ✅ 100% ✅ 60% ⚠ sampling low |
| dev/us-east-1 80% ⚠ 95% ⚠ 10% ⚠ instrumentation off |
|--------------------------------------------------------------------------------------------------|
| Gap drilldown (selected: prod/eu-west-1 runtime) |
| - Missing agent heartbeat (Integrations: Agents) |
| - Last success: Feb 17 02:10 |
| Links: [Ops Platform Health] [Scheduler Run] [Agent Config] |
+--------------------------------------------------------------------------------------------------+
1.6 Screen — Reachability Evidence Detail
New location: via Finding Detail or Hybrid Reachability drilldowns
Previously: not present
Why changed:
- Reachability must be inspectable and exportable as evidence; otherwise it’s a black box.
Screen graph (Mermaid)
flowchart LR
E["Reachability Evidence Detail"] --> C["Call graph / trace proof"]
E --> S["Source selector: Build vs Image vs Runtime"]
E --> V["Link to VEX statement"]
E --> P["Link to Policy decision + capsule"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Reachability Evidence: CVE-2026-XXXX in prod/us-east-1 [Download Proof] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Source: [Build ✅] [Image (Dover) ✅] [Runtime ✅] |
|--------------------------------------------------------------------------------------------------|
| Proof summary |
| Entry point: api-gateway |
| Path: api-gateway -> tls_handler -> openssl::SSL_read -> vulnerable_fn |
| Confidence: High |
|--------------------------------------------------------------------------------------------------|
| Linked artifacts |
| SBOM: sbom@sha256:... Trace: runtime-trace@sha256:... Policy: core-pack v12 |
| Capsule: capsule-prod-us-east-1-2026-02-18 |
+--------------------------------------------------------------------------------------------------+
1.7 Screen — VEX Hub
New location: Security → VEX Hub
Previously: Security → VEX Hub (“VEX Statement Dashboard”)
Why changed:
- Keep it in Security, but make it clearly part of the “evidence chain”: VEX must link to findings and reachability proof (not just a statement list). (Gitea: Git with a cup of tea)
Screen graph (Mermaid)
flowchart TD
V["VEX Hub"] --> S["Search Statements"]
V --> I["Import Vendor VEX"]
V --> D["VEX Statement Detail"]
D --> F["Linked Findings"]
D --> E["Evidence Capsule / Proof chain"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Security / VEX Hub [Search] [Import Vendor] |
| formerly: Security → VEX Hub |
|--------------------------------------------------------------------------------------------------|
| Search: [CVE____] [Package____] [Product____] [Issuer____] [Env____] |
|--------------------------------------------------------------------------------------------------|
| STATEMENT ID CVE PRODUCT/BUNDLE ISSUER STATUS LINKED FINDINGS |
| vex-1021 CVE-... platform 1.3.0 vendorA Verified 3 (2 reachable) |
| vex-1022 CVE-... payments 2.8.4 local Draft 1 (reachability pending)|
|--------------------------------------------------------------------------------------------------|
| Note: Statements should reference reachability proof & capsule for audit replay. |
+--------------------------------------------------------------------------------------------------+
1.8 Screen — VEX Statement Detail
New location: Security → VEX Hub → (Statement)
Previously: not clearly separated
Why changed:
- Needed for auditors: statement, issuer, scope, and the linked evidence objects.
Screen graph (Mermaid)
flowchart LR
D["VEX Statement Detail"] --> L["Linked findings + reachability"]
D --> P["Proof chain"]
D --> X["Export VEX + evidence refs"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| VEX Statement: vex-1021 (vendorA) [Export] [Verify] |
| formerly: Security → VEX Hub (inline row) |
|--------------------------------------------------------------------------------------------------|
| CVE: CVE-2026-XXXX Disposition: Not Affected Justification: component not used at runtime |
| Scope: platform-release 1.3.0-rc1 Envs: prod/* |
|--------------------------------------------------------------------------------------------------|
| Linked evidence |
| - Reachability proof: runtime shows NOT reachable in prod/eu-west-1 (trace id …) |
| - Capsule: capsule-prod-eu-west-1-… |
|--------------------------------------------------------------------------------------------------|
| Linked findings |
| Finding list: 3 (reachable: 0) |
+--------------------------------------------------------------------------------------------------+
1.9 Screen — Exceptions (risk exceptions)
New location: Security → Exceptions
Previously: Security → Exceptions (“Security Exceptions”)
Why changed:
- Exceptions must show scope + expiry + approvers + linked evidence, and tie to policy workflow configured in Administration.
Screen graph (Mermaid)
flowchart TD
X["Exceptions"] --> D["Exception Detail"]
X --> R["Request Exception"]
D --> A["Approval trail"]
D --> F["Linked Findings / Bundles"]
D --> E["Evidence capsule references"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Security / Exceptions [Request Exception] |
| formerly: Security → Exceptions |
|--------------------------------------------------------------------------------------------------|
| EXC ID SCOPE REASON REQUESTED BY EXPIRES STATUS |
| exc-221 CVE-… in prod/us-e1 hotfix window alice 2026-03-01 Pending |
| exc-222 bundle payments 2.8.4 vendor patch delayed david 2026-02-25 Approved |
|--------------------------------------------------------------------------------------------------|
| Notes: every exception must be time-bounded and linked to evidence & approver signatures. |
+--------------------------------------------------------------------------------------------------+
1.10 Screen — Exception Detail
New location: Security → Exceptions → (Exception)
Previously: not clearly separated
Why changed:
- Needed for audit and for “why allowed even though finding exists”.
Screen graph (Mermaid)
flowchart LR
D["Exception Detail"] --> S["Scope + expiry"]
D --> J["Justification + attachments"]
D --> A["Approvals/signatures"]
D --> L["Linked findings + affected envs"]
D --> C["Capsules impacted (promotion events)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Exception: exc-222 (Approved) [Revoke] [Extend] |
| formerly: Security → Exceptions (row) |
|--------------------------------------------------------------------------------------------------|
| Scope: Bundle payments-suite 2.8.4 Env: prod/eu-west-1 |
| Expires: 2026-02-25 23:59 UTC Risk: HIGH reachable allowed with 2 approvals |
|--------------------------------------------------------------------------------------------------|
| Justification: vendor patch ETA + compensating controls |
| Approvals: ✅ alice (sig…) ✅ security-lead (sig…) |
|--------------------------------------------------------------------------------------------------|
| Linked findings: |
| - CVE-… log4j (HIGH reachable) |
| Capsules impacted: |
| - capsule-prod-eu-west-1-2026-02-18 (promotion allowed due to exc-222) |
+--------------------------------------------------------------------------------------------------+
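The "No reachable CRIT" gate from 1.4 and the exception rules from 1.9 and 1.10 (scope, expiry, approvals, linked evidence) can be expressed as one evaluation function. This is an added sketch, not Stella Ops code: the `Finding` and `RiskException` types, the "any source reports reachable" rule, the two-approver default and the placeholder CVE id are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SEVERITY_RANK = {"LOW": 0, "MED": 1, "HIGH": 2, "CRIT": 3}
SOURCES = ("build", "image", "runtime")


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    env: str
    # Per-source reachability: True = reachable, False = analysed and not
    # reachable, None = no data from that source (a coverage gap).
    build: Optional[bool] = None
    image: Optional[bool] = None
    runtime: Optional[bool] = None

    def reachable(self) -> bool:
        # Assumption: a single positive source makes the finding reachable.
        return any(getattr(self, s) is True for s in SOURCES)

    def gaps(self) -> list:
        return [s for s in SOURCES if getattr(self, s) is None]


@dataclass(frozen=True)
class RiskException:
    exc_id: str
    cve: str
    env: str
    expires: datetime
    status: str                  # "Pending" or "Approved", as in the mock
    approvers: tuple = ()
    evidence_refs: tuple = ()    # capsule / proof identifiers


def exception_problem(exc, finding, now, min_approvals):
    """Return None if exc validly covers finding, else the reason it does not."""
    if (exc.cve, exc.env) != (finding.cve, finding.env):
        return "out of scope"
    if exc.status != "Approved":
        return "not approved"
    if now >= exc.expires:
        return "expired"
    if len(set(exc.approvers)) < min_approvals:
        return "too few approvers"
    if not exc.evidence_refs:
        return "no linked evidence"
    return None


def evaluate_gate(findings, exceptions, now, block_at="CRIT", min_approvals=2):
    """Evaluate a 'no reachable <block_at> or worse' gate for one promotion."""
    blocking, applied, gaps = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[block_at]:
            continue
        if f.gaps():
            # Missing sources are reported, never silently read as "safe".
            gaps.append((f.cve, f.env, f.gaps()))
        if not f.reachable():
            continue
        rejected = []
        for exc in exceptions:
            problem = exception_problem(exc, f, now, min_approvals)
            if problem is None:
                applied.append(exc.exc_id)
                break
            if problem != "out of scope":
                rejected.append(f"{exc.exc_id}: {problem}")
        else:
            # No exception covered this finding, so it blocks the promotion.
            blocking.append({"cve": f.cve, "env": f.env, "rejected": rejected})
    return {
        "verdict": "BLOCK" if blocking else "PASS",
        "blocking": blocking,
        "exceptions_applied": applied,
        "coverage_gaps": gaps,
    }


# Constructed sample data: placeholder CVE id, other names taken from the mocks.
NOW = datetime(2026, 2, 18, 8, 0, tzinfo=timezone.utc)
OPENSSL = Finding("CVE-0000-0001", "CRIT", "prod/us-east-1",
                  build=True, image=True, runtime=True)
EXC_PENDING = RiskException(
    "exc-221", "CVE-0000-0001", "prod/us-east-1",
    expires=datetime(2026, 3, 1, tzinfo=timezone.utc),
    status="Pending", approvers=("alice",),
    evidence_refs=("capsule-prod-us-east-1-2026-02-18",),
)

if __name__ == "__main__":
    print(evaluate_gate([OPENSSL], [EXC_PENDING], NOW))
```

The `rejected` list is what lets a Finding Detail page say why an existing exception did not unblock a promotion, and `coverage_gaps` feeds the Hybrid Reachability view.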
1.11 Screen — SBOM Explorer (Graph)
New location: Security → SBOM Explorer (Graph)
Previously: Security → SBOM Graph (“SBOM Graph”)
Why changed:
- Keep it visible but explicitly “supporting detail”: useful to investigate dependency trees, but not the main control-plane.
- If still not implemented, show it as (coming soon) with deep links to Findings and Coverage metrics.
Screen graph (Mermaid)
flowchart TD
G["SBOM Explorer (Graph)"] --> N["Node detail (package/component)"]
N --> F["Findings for node"]
N --> R["Reachability evidence"]
G --> C["Coverage metrics"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Security / SBOM Explorer (Graph) [Beta] [Open Findings] |
| formerly: Security → SBOM Graph |
|--------------------------------------------------------------------------------------------------|
| If graph rendering is not available in this build: |
| - Show “Graph unavailable” + shortcuts: [Findings filtered by component] [Coverage Metrics] |
|--------------------------------------------------------------------------------------------------|
| Graph area (when enabled): |
| [service: api-gateway] --depends--> [openssl] --depends--> [zlib] |
| click node → right panel: packages, versions, linked CVEs, reachability paths |
+--------------------------------------------------------------------------------------------------+
2) EVIDENCE & AUDIT — menus + screens
2.1 Evidence & Audit menu graph (Mermaid)
flowchart TD
E0["Evidence & Audit (menu)"]
E1["Evidence Home (latest capsules)"]
E2["Decision Capsules (Bundles list)"]
E3["Decision Capsule Detail"]
E4["Evidence Packets"]
E5["Packet Detail"]
E6["Proof Chains"]
E7["Proof Chain Detail"]
E8["Replay / Verify"]
E9["Replay Result Detail"]
E10["Export Center"]
E11["Export Run Detail"]
E12["Coverage Metrics (Attestation coverage)"]
E0 --> E1
E0 --> E2 --> E3
E0 --> E4 --> E5
E0 --> E6 --> E7
E0 --> E8 --> E9
E0 --> E10 --> E11
E0 --> E12
2.2 Screen — Evidence Home (quick proof access)
New location: Evidence & Audit → Home
Previously: no single landing (Evidence items were separate)
Why changed:
- “Where is the evidence?” must be one click. This home page lists latest capsules and quick exports. (Gitea: Git with a cup of tea)
Screen graph (Mermaid)
flowchart LR
H["Evidence Home"] --> C["Decision Capsules"]
H --> P["Evidence Packets"]
H --> R["Replay / Verify"]
H --> X["Export Center"]
H --> M["Coverage Metrics"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Home [Export] [Verify Tool] |
| formerly: (no single landing) |
|--------------------------------------------------------------------------------------------------|
| Latest Decision Capsules (sealed) |
| capsule-prod-us-east-1-2026-02-18 bundle: hotfix-auth 1.2.4 verdict: PASS* (exc applied) |
| capsule-prod-eu-west-1-2026-02-18 bundle: platform 1.3.0-rc1 verdict: BLOCK (reachable CRIT)|
| [View all capsules] |
|--------------------------------------------------------------------------------------------------|
| Quick proof actions |
| [Replay a verdict] [Verify signatures] [Export Audit Bundle] [Open Proof Chains] |
|--------------------------------------------------------------------------------------------------|
| Coverage snapshot |
| SBOM: 100% Reachability proofs: 78% VEX: 41% Approvals recorded: 100% |
+--------------------------------------------------------------------------------------------------+
2.3 Screen — Decision Capsules (Evidence Bundles list)
New location: Evidence & Audit → Decision Capsules
Previously: Evidence → Evidence Bundles (“Evidence Bundles”)
Why changed:
- Rename to match the concept used in docs/marketing: a “decision capsule” binds SBOM + frozen inputs + reachability + policy + signatures so audits can replay deterministically. (Stella Ops Suite)
Screen graph (Mermaid)
flowchart TD
L["Decision Capsules (list)"] --> D["Capsule Detail"]
L --> V["Verify bundle signatures"]
L --> X["Export (zip/tgz/oci)"]
D --> R["Replay / Verify"]
D --> P["Proof chain"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Decision Capsules [Verify] [Export] |
| formerly: Evidence → Evidence Bundles |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All] Env [All] Bundle/Release [____] Date [last 30d] Status [All] |
|--------------------------------------------------------------------------------------------------|
| CAPSULE ID BUNDLE/RELEASE ENV VERDICT SEALED ACTIONS |
| capsule-prod-us-e1-... hotfix-auth 1.2.4 prod/us-east-1 PASS ✅ View Export |
| capsule-prod-eu-w1-... platform 1.3.0-rc1 prod/eu-west-1 BLOCK ✅ View Replay |
|--------------------------------------------------------------------------------------------------|
| Each capsule must be exportable and replayable for audit. |
+--------------------------------------------------------------------------------------------------+
2.4 Screen — Decision Capsule Detail
New location: Evidence & Audit → Decision Capsules → (Capsule)
Previously: partially in export flows
Why changed:
- This is the “auditor view”: list exact inputs (SBOM + feed snapshot + policy version), outputs (verdict), and signatures. (Stella Ops Suite)
Screen graph (Mermaid)
flowchart LR
D["Capsule Detail"] --> I["Inputs (SBOM, feeds, policy, tools)"]
D --> O["Outputs (verdict, risk, VEX)"]
D --> S["Signatures (DSSE) + transparency refs"]
D --> P["Proof chain graph"]
D --> R["Replay this capsule"]
D --> X["Export formats"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Capsule: capsule-prod-us-east-1-2026-02-18 [Replay] [Export] [Verify Sig] |
| formerly: Evidence → Evidence Bundles (detail) |
|--------------------------------------------------------------------------------------------------|
| Inputs |
| SBOM: sbom@sha256:... Feed snapshots: osv@... nvd@... Policy: core-pack v12 |
| Tools: scanner@sha256:... Reachability: runtime-proof@sha256:... |
|--------------------------------------------------------------------------------------------------|
| Outputs |
| Verdict: PASS (exception exc-222) Reachable CVEs: 1 HIGH VEX: derived/linked |
|--------------------------------------------------------------------------------------------------|
| Signatures |
| DSSE envelope: ✅ Rekor/log ref: ✅ Certificate chain: ✅ |
|--------------------------------------------------------------------------------------------------|
| Links: [Proof Chain] [Related Approvals] [Related Bundle Version] |
+--------------------------------------------------------------------------------------------------+
2.5 Screen — Evidence Packets (formerly “Packets”)
New location: Evidence & Audit → Evidence Packets
Previously: Evidence → Packets (“Packets”)
Why changed:
- “Packets” is ambiguous; “Evidence Packets” communicates that these are artifact bundles used by capsules/exports/replay.
Screen graph (Mermaid)
flowchart TD
P["Evidence Packets"] --> D["Packet Detail"]
P --> C["Create/collect packet (job output)"]
D --> X["Export packet"]
D --> L["Link to capsules using it"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Evidence Packets [Create] [Export] |
| formerly: Evidence → Packets |
|--------------------------------------------------------------------------------------------------|
| PACKET ID TYPE SOURCE JOB CREATED USED BY CAPSULES |
| pkt-7712 build-sbom jenkins#7712 Feb 18 2 |
| pkt-opsv-sync advisory-snap mirror-sync Feb 18 5 |
| pkt-runtime-trace runtime-proof agent/prod-us-e1 Feb 18 1 |
+--------------------------------------------------------------------------------------------------+
2.6 Screen — Packet Detail
New location: Evidence Packets → (Packet)
Previously: not explicit
Why changed:
- Lets operators/auditors see exactly what artifacts are inside and where they were consumed.
Screen graph (Mermaid)
flowchart LR
D["Packet Detail"] --> A["Artifacts list (SBOM, traces, logs, attestations)"]
D --> M["Manifest + hashes"]
D --> U["Used-by capsules"]
D --> X["Export"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence Packet: pkt-7712 (build-sbom) [Export] [Verify Hash] |
| formerly: Evidence → Packets (row) |
|--------------------------------------------------------------------------------------------------|
| Manifest |
| - sbom.cdx.json (sha256:...) |
| - findings.sarif (sha256:...) |
| - build-provenance.json (sha256:...) |
|--------------------------------------------------------------------------------------------------|
| Used by capsules |
| - capsule-prod-us-east-1-2026-02-18 |
| - capsule-staging-us-east-1-2026-02-18 |
+--------------------------------------------------------------------------------------------------+
2.7 Screen — Proof Chains
New location: Evidence & Audit → Proof Chains
Previously: Evidence → Proof Chains
Why changed:
- Proof chain view is a top “audit navigation” path: show chain-of-custody from bundle → scan → reachability → policy → approval → capsule.
Screen graph (Mermaid)
flowchart TD
P["Proof Chains"] --> D["Proof Chain Detail"]
D --> C["Capsules"]
D --> A["Approvals"]
D --> R["Replay entries"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Proof Chains [Search] [Export Graph] |
| formerly: Evidence → Proof Chains |
|--------------------------------------------------------------------------------------------------|
| CHAIN ID SUBJECT (digest/bundle) LAST EVENT CAPSULES STATUS |
| chain-901 bundle platform 1.3.0-rc1 promotion blocked 1 ⚠ blocked |
| chain-902 digest sha256:aaaa… (hotfix-auth) promoted to prod 1 ✅ complete |
+--------------------------------------------------------------------------------------------------+
2.8 Screen — Proof Chain Detail
New location: Proof Chains → (Chain)
Previously: not clear
Why changed:
- Auditors want a single timeline/graph; engineers want quick links back to the cause (finding, missing feed, exception).
Screen graph (Mermaid)
flowchart LR
D["Proof Chain Detail"] --> G["Chain graph (events)"]
D --> T["Timeline"]
D --> L["Linked objects (findings, vex, exceptions, capsules)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Proof Chain: chain-902 (hotfix-auth 1.2.4) [Export] [Replay Capsule] |
| formerly: Evidence → Proof Chains (row) |
|--------------------------------------------------------------------------------------------------|
| Graph (simplified) |
| Digest sha256:aaaa… → SBOM pkt-7712 → Findings → Reachability proof → Policy gates → Approvals → |
| Capsule sealed → Promotion executed |
|--------------------------------------------------------------------------------------------------|
| Timeline |
| 07:10 SBOM created | 07:12 findings evaluated | 07:20 approval signed | 07:30 promoted |
+--------------------------------------------------------------------------------------------------+
2.9 Screen — Replay / Verify
New location: Evidence & Audit → Replay / Verify
Previously: Evidence → Replay/Verify (“Verdict Replay”)
Why changed:
- Deterministic replay is a core audit tool; keep it under Evidence and give it a clear “replay inputs, compare diffs” workflow. (Gitea: Git with a cup of tea)
Screen graph (Mermaid)
flowchart TD
R["Replay / Verify"] --> Q["Request Replay"]
R --> L["Replay Requests list"]
L --> D["Replay Result Detail"]
D --> C["Compare outputs (feeds/policy/tool versions)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Replay / Verify [Request Replay] |
| formerly: Evidence → Replay/Verify (Verdict Replay) |
|--------------------------------------------------------------------------------------------------|
| Request Replay: [Verdict ID or Digest ____] Reason [____________________] [Run] |
|--------------------------------------------------------------------------------------------------|
| Requests |
| rr-001 digest sha256:aaaa… COMPLETED Feb 18 08:30 match: ✅ |
| rr-002 digest sha256:bbbb… RUNNING Feb 18 07:30 |
|--------------------------------------------------------------------------------------------------|
| Determinism: compares outputs to original capsule inputs; highlights feed/policy/tool diffs. |
+--------------------------------------------------------------------------------------------------+
2.10 Screen — Replay Result Detail
New location: Replay/Verify → (Replay Result)
Previously: not explicit
Why changed:
- Needed to explain mismatches (policy pack changed, feed snapshot updated, tool version drift).
Screen graph (Mermaid)
flowchart LR
D["Replay Result Detail"] --> M["Match summary"]
D --> DI["Diff view (inputs/outputs)"]
D --> X["Re-seal capsule (optional)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Replay Result: rr-001 (MATCH ✅) [Download Diff] |
| formerly: Evidence → Replay/Verify (inline) |
|--------------------------------------------------------------------------------------------------|
| Compared to capsule: capsule-prod-us-east-1-2026-02-18 |
| Inputs: SBOM ✅ same Feeds ✅ same snapshot Policy ✅ same Tools ✅ same |
| Outputs: Findings ✅ same Reachability ✅ same VEX ✅ same Verdict ✅ same |
+--------------------------------------------------------------------------------------------------+
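An added illustration of the replay comparison described in 2.9 and 2.10, not Stella Ops code: a plain SHA-256 over canonical JSON stands in for the DSSE seal, and the status names, field layout and sample values are assumptions. It separates input drift (the mismatch causes listed in 2.10) from a replay that used identical inputs and still produced different outputs.

```python
import hashlib
import json

# Top-level input key -> the mismatch cause named for the Replay Result screen.
DRIFT_CAUSE = {
    "sbom": "SBOM changed",
    "feeds": "feed snapshot updated",
    "policy": "policy pack changed",
    "tools": "tool version drift",
}


def canonical_digest(obj) -> str:
    """Hash a JSON-serialisable object independently of key order."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def seal(body: dict) -> dict:
    # Stand-in for the signed envelope: a digest only, no signature.
    return {"body": body, "seal": canonical_digest(body)}


def flatten(tree: dict, prefix: str = "") -> dict:
    """Turn nested dicts into dotted paths, e.g. feeds.nvd."""
    flat = {}
    for key, value in tree.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def diff(original: dict, replayed: dict, causes: dict) -> list:
    a, b = flatten(original), flatten(replayed)
    changes = []
    for path in sorted(set(a) | set(b)):
        if a.get(path) != b.get(path):
            changes.append({
                "field": path,
                "original": a.get(path),
                "replayed": b.get(path),
                "cause": causes.get(path.split(".")[0], "changed"),
            })
    return changes


def replay_compare(sealed: dict, replay_inputs: dict, replay_outputs: dict) -> dict:
    body = sealed["body"]
    if canonical_digest(body) != sealed["seal"]:
        # The stored capsule was altered after sealing; nothing to compare against.
        return {"status": "INVALID", "input_diffs": [], "output_diffs": []}
    input_diffs = diff(body["inputs"], replay_inputs, DRIFT_CAUSE)
    output_diffs = diff(body["outputs"], replay_outputs, {})
    if input_diffs:
        status = "INPUT_DRIFT"        # replay did not run on the frozen inputs
    elif output_diffs:
        status = "NONDETERMINISTIC"   # same inputs, different result
    else:
        status = "MATCH"
    return {"status": status, "input_diffs": input_diffs, "output_diffs": output_diffs}


# Constructed sample capsule; digests and snapshot names are made up.
CAPSULE = seal({
    "inputs": {
        "sbom": "sha256:sbom-a",
        "feeds": {"osv": "snap-0218", "nvd": "snap-0218"},
        "policy": "core-pack v12",
        "tools": {"scanner": "sha256:scanner-a"},
    },
    "outputs": {"verdict": "PASS", "reachable_high": 1},
})

if __name__ == "__main__":
    body = CAPSULE["body"]
    print(replay_compare(CAPSULE, body["inputs"], body["outputs"])["status"])
```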
2.11 Screen — Export Center
New location: Evidence & Audit → Export Center
Previously: Evidence → Export (“Export Center”)
Why changed:
- Keep it evidence-centered; export is how auditors receive proof (zip/tgz/OCI).
Screen graph (Mermaid)
flowchart TD
X["Export Center"] --> P["Profiles"]
X --> R["Export Runs"]
P --> E["Edit Profile"]
R --> D["Export Run Detail"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Export Center [Create Profile] |
| formerly: Evidence → Export (Export Center) |
|--------------------------------------------------------------------------------------------------|
| Profiles |
| - StellaBundle (OCI referrer) includes: SBOM, findings, attestations, provenance, VEX, policy |
| - Daily Compliance Export schedule: daily → S3 compliance-bucket |
| - Audit Bundle manual zip for external auditors |
|--------------------------------------------------------------------------------------------------|
| Tabs: [Profiles] [Export Runs] |
+--------------------------------------------------------------------------------------------------+
2.12 Screen — Export Run Detail
New location: Export Center → Export Runs → (Run)
Previously: not explicit
Why changed:
- Make exports verifiable: show hash, signature status, destinations, and linked capsules.
Screen graph (Mermaid)
flowchart LR
D["Export Run Detail"] --> A["Artifacts produced"]
D --> S["Signatures + verification"]
D --> DST["Destinations + delivery logs"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Export Run: exp-8812 (SUCCESS ✅) [Download] [Verify] |
| formerly: Evidence → Export (run row) |
|--------------------------------------------------------------------------------------------------|
| Profile: Audit Bundle Output: audit-bundle-2026-02-18.zip sha256:... DSSE: ✅ |
| Contents: 14 capsules, 32 packets, proof graphs, policy pack v12, feed snapshots |
| Destinations: S3://compliance-bucket (ok) |
+--------------------------------------------------------------------------------------------------+
2.13 Screen — Coverage Metrics (Attestation coverage)
New location: Evidence & Audit → Coverage Metrics
Previously: Analytics → SBOM Lake (“SBOM Lake”)
Why changed:
- This is not “analytics for analytics' sake”; it’s audit readiness coverage (SBOM, reachability, VEX, policy decision, approvals).
- Renaming aligns it with operational meaning.
Screen graph (Mermaid)
flowchart TD
C["Coverage Metrics"] --> F["Filters (region/env/time/severity)"]
C --> T["Coverage by attestation type"]
C --> G["Gaps list (what's missing where)"]
G --> L["Deep links: jobs/integrations causing gaps"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Coverage Metrics [Export CSV] [Refresh] |
| formerly: Analytics → SBOM Lake |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All] Env [All] Time [30d] Min Severity [All] |
|--------------------------------------------------------------------------------------------------|
| Coverage by attestation type |
| SBOM 100% (0 missing) |
| Reachability 78% (runtime missing in prod/eu-west-1) |
| Policy Decision 100% |
| Human Approval 100% |
| VEX 41% (vendor statements not imported for 12 CVEs) |
|--------------------------------------------------------------------------------------------------|
| Gap list (actionable) |
| - prod/eu-west-1: runtime reachability missing → agent offline (link: Ops Platform Health) |
| - advisory freshness: NVD stale 26h → mirror sync failing (link: Ops Feeds & AirGap) |
+--------------------------------------------------------------------------------------------------+
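One way the coverage percentages and the gap list could be derived from per-digest evidence records, as an added example (not Stella Ops code). The record shape, the function name and the sample digests are assumptions; an empty filter scope reports no value instead of a misleading 100%.

```python
from collections import defaultdict

# Attestation types taken from the Coverage Metrics mock above.
REQUIRED = ("sbom", "reachability", "policy_decision", "human_approval", "vex")

def coverage(records, region=None, env=None):
    """Return (percent per type, gaps) for deployed digests in scope.

    Each record: {"digest", "env", "region", "attestations": set of types}.
    An empty scope yields None per type rather than 100%.
    """
    scope = [r for r in records
             if region in (None, r["region"]) and env in (None, r["env"])]
    have = defaultdict(int)
    gaps = defaultdict(list)  # (env, region, type) -> [digest, ...]
    for r in scope:
        for t in REQUIRED:
            if t in r["attestations"]:
                have[t] += 1
            else:
                gaps[(r["env"], r["region"], t)].append(r["digest"])
    pct = {t: (round(100 * have[t] / len(scope)) if scope else None)
           for t in REQUIRED}
    return pct, dict(gaps)

# Constructed sample data (placeholder digests, not from a real deployment).
ALL = set(REQUIRED)
SAMPLE = [
    {"digest": "sha256:aaa", "env": "prod", "region": "us-east-1",
     "attestations": ALL},
    {"digest": "sha256:bbb", "env": "prod", "region": "eu-west-1",
     "attestations": ALL - {"reachability", "vex"}},
    {"digest": "sha256:ccc", "env": "stage", "region": "eu-west-1",
     "attestations": ALL - {"vex"}},
    {"digest": "sha256:ddd", "env": "stage", "region": "us-east-1",
     "attestations": ALL},
]

if __name__ == "__main__":
    pct, gaps = coverage(SAMPLE)
    for t in REQUIRED:
        print(f"{t:16} {pct[t]}%")
    for (env, region, t), digests in sorted(gaps.items()):
        print(f"- {env}/{region}: {t} missing for {len(digests)} digest(s)")
```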
3) OPERATIONS — menus + screens
3.1 Operations menu graph (Mermaid)
flowchart TD
O0["Operations (menu)"]
O1["Ops Summary / Nightly Ops Report"]
O2["Platform Health"]
O3["Scheduler Runs"]
O4["Scheduler Run Detail"]
O5["Orchestrator Jobs"]
O6["Orchestrator Job Detail"]
O7["Dead Letter Queue"]
O8["Quotas & Throttles"]
O9["Worker Fleet"]
O10["Feeds & AirGap (see Pack 2)"]
O0 --> O1
O0 --> O2
O0 --> O3 --> O4
O0 --> O5 --> O6
O0 --> O7
O0 --> O8
O3 --> O9
O0 --> O10
3.2 Screen — Ops Summary / Nightly Ops Report (NEW)
New location: Operations → Ops Summary / Nightly Report
Previously: missing (signals scattered across Scheduler/Feeds/Integrations)
Why changed:
- You requested a report that tells you when nightly jobs detect issues:
  - SBOM re-scan failures
  - CVE source not synced / stale
  - integrations not connectable
  - reachability ingest gaps
- This page is the “operators’ morning brief” and feeds both Dashboard and Security coverage.
Screen graph (Mermaid)
flowchart LR
N["Nightly Ops Report"] --> J["Job Health (nightly suites)"]
N --> F["Feed Freshness (OSV/NVD/etc)"]
N --> I["Integration Connectivity"]
N --> C["Coverage Gaps (SBOM/reachability/VEX)"]
N --> D["Deep links: Scheduler run / Mirror detail / Integration detail"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Nightly Ops Report [Export] [Acknowledge] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Nightly suites (last run window) |
| ✅ SBOM Rescan (images) 02:00–02:18 ok |
| ⚠ Runtime Reachability Ingest 02:00–02:30 degraded (prod/eu-west-1 no agent) |
| ❌ NVD Mirror Sync 02:00–02:10 failed (timeout) |
| ✅ Evidence Seal/Archive 02:20–02:22 ok |
|--------------------------------------------------------------------------------------------------|
| Impact summary |
| - Promotions at risk: prod policy requires “fresh advisories” → NVD stale blocks promotions |
| - Security signal degraded: runtime reachability coverage down in prod/eu-west-1 |
|--------------------------------------------------------------------------------------------------|
| Deep links |
| [Open Scheduler run: nvd-sync#run-881] [Open Feed mirror: nvd-mirror-1] [Open Agent status] |
+--------------------------------------------------------------------------------------------------+
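The impact summary in the mock can be computed from raw nightly results rather than written by hand. The following is an added example (not Stella Ops code); the 24-hour freshness threshold, the data shapes and the function names are assumptions, and a feed with no recorded successful sync is treated as stale so the gate fails closed.

```python
from datetime import datetime, timedelta, timezone

MAX_FEED_AGE = timedelta(hours=24)  # assumed threshold for the "fresh advisories" gate

def nightly_impact(suites, feeds, now, gated_envs=("prod",)):
    """Derive impact lines as (level, env, message) from raw nightly results.

    suites: [{"name", "status": "ok" | "degraded" | "failed", "detail"}]
    feeds:  {feed name: last successful sync (aware datetime) or None}
    Fails closed: a feed with no recorded successful sync counts as stale.
    """
    impact = []
    for name, last_ok in sorted(feeds.items()):
        age = None if last_ok is None else now - last_ok
        if age is not None and age <= MAX_FEED_AGE:
            continue
        state = ("never synced" if age is None
                 else f"stale {int(age.total_seconds() // 3600)}h")
        for env in gated_envs:
            impact.append(("BLOCK", env,
                           f"{name} {state}: fresh-advisories gate blocks promotions"))
    for s in suites:
        if s["status"] != "ok":
            impact.append((s["status"].upper(), None, f"{s['name']}: {s['detail']}"))
    return impact

def promotions_blocked(impact, env):
    """True if any BLOCK line applies to the given environment."""
    return any(level == "BLOCK" and e == env for level, e, _ in impact)

# Constructed sample mirroring the mock above (values are illustrative).
NOW = datetime(2026, 2, 18, 8, 0, tzinfo=timezone.utc)
SUITES = [
    {"name": "SBOM Rescan (images)", "status": "ok", "detail": ""},
    {"name": "Runtime Reachability Ingest", "status": "degraded",
     "detail": "prod/eu-west-1 no agent"},
    {"name": "NVD Mirror Sync", "status": "failed", "detail": "timeout"},
    {"name": "Evidence Seal/Archive", "status": "ok", "detail": ""},
]
FEEDS = {"NVD": NOW - timedelta(hours=26), "OSV": NOW - timedelta(hours=6)}

if __name__ == "__main__":
    for level, env, msg in nightly_impact(SUITES, FEEDS, NOW):
        print(f"{level:9} {env or '-':5} {msg}")
```

A failed sync alone does not block promotions here; the block is driven by feed age, so one missed run inside the freshness window shows up as a FAILED line without a BLOCK.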
3.3 Screen — Platform Health (services + security pipelines)
New location: Operations → Platform Health
Previously: Operations → Platform Health (“Platform Health”)
Why changed:
- This must show not only “docker/service up”, but whether security pipelines are healthy:
  - advisory freshness, SBOM ingestion, reachability ingestion, evidence sealing, replay service.
Screen graph (Mermaid)
flowchart TD
P["Platform Health"] --> S["Service health (APIs/workers)"]
P --> D["Dependencies (db/queue/storage)"]
P --> SP["Security pipelines (feeds/sbom/reachability/vex)"]
P --> L["Live incidents (last 24h)"]
SP --> N["Nightly report"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Platform Health [Refresh] [View Incidents]|
| formerly: Operations → Platform Health |
|--------------------------------------------------------------------------------------------------|
| Core Services | Dependencies | Security Pipelines |
|------------------------------------+---------------------------------+---------------------------|
| API Gateway ✅ | Database ✅ | Advisory freshness ❌ NVD |
| Policy Engine ✅ | Queue / Broker ✅ | SBOM ingest ✅ |
| Evidence Locker ✅ | Object Storage ✅ | Reachability ingest ⚠ |
| Replay Service ✅ | Rekor/Transparency ✅ | VEX import ⚠ |
|--------------------------------------------------------------------------------------------------|
| Incident timeline (24h): no user-facing incidents; 2 pipeline degradations tracked |
+--------------------------------------------------------------------------------------------------+
3.4 Screen — Scheduler Runs
New location: Operations → Scheduler Runs
Previously: Operations → Scheduler (“Scheduler Runs”)
Why changed:
- Keep the page, but make it oriented around nightly suites and data freshness with links back to impact (coverage gaps, blocked promotions).
Screen graph (Mermaid)
flowchart TD
S["Scheduler Runs"] --> R["Run Detail"]
S --> M["Manage Schedules"]
S --> W["Worker Fleet"]
R --> L["Logs"]
R --> I["Impact (coverage/gates)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Scheduler Runs [Manage Schedules] |
| formerly: Operations → Scheduler (Scheduler Runs) |
|--------------------------------------------------------------------------------------------------|
| Filters: Status [All] Window [Last 24h] Job type [All] |
|--------------------------------------------------------------------------------------------------|
| JOB LAST RUN STATUS DURATION NEXT RUN ACTIONS |
| nightly-sbom Feb 18 02:00 ✅ 18m Feb 19 View Logs |
| nightly-runtime Feb 18 02:00 ⚠ 30m Feb 19 View Logs View Impact |
| nvd-sync Feb 18 02:00 ❌ 10m retry View Logs Open Mirror |
+--------------------------------------------------------------------------------------------------+
3.5 Screen — Scheduler Run Detail
New location: Scheduler Runs → (Run)
Previously: minimal
Why changed:
- Adds “impact” panel: what did this job affect (coverage, promotions, alerts).
Screen graph (Mermaid)
flowchart LR
D["Scheduler Run Detail"] --> L["Logs"]
D --> E["Errors + retries"]
D --> O["Outputs (packets/snapshots)"]
D --> I["Impact (coverage/gates)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Scheduler Run: nvd-sync#run-881 (FAILED ❌) [Retry] [Open Mirror] |
| formerly: Operations → Scheduler (inline) |
|--------------------------------------------------------------------------------------------------|
| Error: timeout contacting upstream NVD |
| Outputs: none |
| Impact: |
| - Advisory freshness: NVD stale 26h |
| - Promotion gate: “fresh advisories” will BLOCK prod promotions |
| Links: [Nightly Ops Report] [Feed Mirror Detail] |
+--------------------------------------------------------------------------------------------------+
3.6 Screen — Orchestrator Jobs
New location: Operations → Orchestrator
Previously: Operations → Orchestrator (“Orchestrator Dashboard”)
Why changed:
- Keep access controls, but the main view must be job status + history with drilldowns (promotions, rescans, evidence sealing, backfills).
Screen graph (Mermaid)
flowchart TD
O["Orchestrator Jobs"] --> J["Job list"]
O --> A["Access rights panel"]
J --> D["Job Detail"]
D --> L["Logs"]
D --> DLQ["Send to Dead Letter / recover"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Orchestrator Jobs [Jobs] [Backfills] |
| formerly: Operations → Orchestrator (Orchestrator Dashboard) |
|--------------------------------------------------------------------------------------------------|
| Access (current user) |
| View jobs: ✅ Granted | Operate: ❌ Denied | Manage quotas: ❌ Denied | Backfill: ❌ Denied |
|--------------------------------------------------------------------------------------------------|
| Recent jobs |
| JOB ID TYPE TARGET/ENV STATUS START ACTIONS |
| job-551 promotion prod/us-east-1 RUNNING 08:10 View |
| job-552 nightly-sbom all COMPLETED 02:00 View |
+--------------------------------------------------------------------------------------------------+
3.7 Screen — Orchestrator Job Detail
New location: Orchestrator → (Job)
Previously: not clear
Why changed:
- Single place for logs, produced artifacts (packets/capsules), and failure recovery actions.
Screen graph (Mermaid)
flowchart LR
D["Job Detail"] --> S["Steps (workflow graph)"]
D --> L["Logs"]
D --> A["Artifacts produced"]
D --> R["Recovery / retry"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Job: job-551 (promotion) [View Capsule] |
| formerly: Operations → Orchestrator (job row) |
|--------------------------------------------------------------------------------------------------|
| Workflow steps: Resolve digests → Evaluate policy → Collect approvals → Deploy → Seal capsule |
| Status: RUNNING (Deploy step) |
| Artifacts: pkt-... capsule-... (pending) |
+--------------------------------------------------------------------------------------------------+
3.8 Screen — Dead Letter Queue
New location: Operations → Dead Letter Queue
Previously: Operations → Dead Letter (“Dead-Letter Queue Management”)
Why changed:
- DLQ is for failed jobs and should integrate with retry/replay and exports (so you can attach failure evidence).
Screen graph (Mermaid)
flowchart TD
D["Dead Letter Queue"] --> E["Entry Detail"]
E --> R["Replay / retry job"]
E --> L["Logs"]
E --> X["Export failure bundle (optional)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Dead Letter Queue [Export CSV] [Replay All]|
| formerly: Operations → Dead Letter (Dead-Letter Queue Management) |
|--------------------------------------------------------------------------------------------------|
| Filters: Error type [All] Status [All] Search [job id / entry id] |
|--------------------------------------------------------------------------------------------------|
| ENTRY ID JOB ID ERROR FIRST SEEN STATUS ACTIONS |
| dlq-001 job-77 feed timeout (NVD) Feb 18 02:05 retriable View Replay |
| dlq-002 job-88 agent offline Feb 18 02:06 blocked View Diagnose |
+--------------------------------------------------------------------------------------------------+
3.9 Screen — Quotas & Throttles (runtime ops)
New location: Operations → Quotas & Throttles
Previously: Operations → Quotas (“Operator Quota Dashboard”)
Why changed:
- Separate runtime throttling + recent throttle events (Ops) from tenant quota configuration (Administration → Usage & Limits).
Screen graph (Mermaid)
flowchart LR
Q["Quotas & Throttles"] --> C["Consumption trend (scans/evidence/api)"]
Q --> T["Throttle events"]
Q --> A["Admin: Usage & Limits (configure)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Quotas & Throttles [Configure Alerts] |
| formerly: Operations → Quotas (Operator Quota Dashboard) |
|--------------------------------------------------------------------------------------------------|
| Consumption (30d): Scans ████░ Evidence packets ███░ API █████░ Storage ███░ |
|--------------------------------------------------------------------------------------------------|
| Recent throttle events (24h): none |
| Note: configure limits in Administration → Usage & Limits. |
+--------------------------------------------------------------------------------------------------+
3.10 Screen — Worker Fleet
New location: Operations → Scheduler Runs → Worker Fleet
Previously: “Worker Fleet” button existed but not surfaced as a core operational screen
Why changed:
- Reachability runtime ingestion and SBOM jobs depend on workers/agents; fleet health should be one click from Scheduler and from Hybrid Reachability gaps.
Screen graph (Mermaid)
flowchart TD
W["Worker Fleet"] --> N["Nodes/workers list"]
W --> H["Heartbeat + load"]
W --> C["Capabilities (sbom, reachability, export)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Operations / Worker Fleet [Drain] [Restart] |
| formerly: Scheduler → Worker Fleet (button) |
|--------------------------------------------------------------------------------------------------|
| WORKER ROLE(S) HEARTBEAT LOAD STATUS |
| worker-us-e1-01 sbom, policy, export 10s 0.4 ✅ |
| agent-eu-w1-01 runtime reachability 6h — ❌ offline |
|--------------------------------------------------------------------------------------------------|
| Note: offline runtime agents directly reduce hybrid reachability coverage. |
+--------------------------------------------------------------------------------------------------+
Your “continue” pointer
If you want Pack 4, I’ll cover the remaining Release Control runtime screens (Releases, Approvals, Deployments, Regions/Env detail) with the same: menu mermaid + per-screen mermaid + ASCII + formerly/why—but I didn’t repeat them here to avoid duplicating what we already established in Packs 1–2.