130 lines
6.1 KiB
Markdown
Executable File
130 lines
6.1 KiB
Markdown
Executable File
# Stella Ops Suite Documentation
|
|
|
|
**Stella Ops Suite** is a centralized, auditable **release control plane** for **non-Kubernetes container estates**. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces **verifiable evidence** for every decision.
|
|
|
|
Stella is designed for teams who deploy containers via **Docker/Compose, hosts/VMs, and scripted automation** and need **certifiable security + auditable releases** without building a bespoke governance pipeline.
|
|
|
|
---
|
|
|
|
## What Stella delivers
|
|
|
|
### Evidence-grade release governance (outside Kubernetes)
|
|
- **Environment promotions** (Dev -> Stage -> Prod) with explicit policy, approvals, and change control.
|
|
- **Digest-first release identity**: deployments are tracked by immutable OCI digests so "what is deployed where" is unambiguous.
|
|
- **Deterministic decision records**: every gate decision is explainable ("why blocked?") and replayable.
|
|
|
|
### Reachability-aware security decisioning
|
|
- **Deep scanning** produces SBOM + findings + reachability and hybrid reachability evidence.
|
|
- **VEX-first decisioning** with consensus and conflict handling across issuers (SBOM/VEX are part of the evidence chain, not a side export).
|
|
- **Policy-as-code** with deterministic evaluation and traceable outcomes.
|
|
|
|
### Verifiability, attestability, and audit export
|
|
- **Evidence packets / decision capsules**: hashable, immutable bundles that capture inputs, verdicts, and approvals.
|
|
- **Attestations** (DSSE/in-toto, predicates for SBOM/VEX/verdict/reachability; optional Sigstore flows where configured).
|
|
- **Audit exports** for compliance review, incident response, and forensic reconstruction.
|
|
|
|
### Offline-first, sovereign operation
|
|
- Built for **air-gapped** and restricted environments: local databases, offline kits/snapshots, and deterministic replay.
|
|
- **Regional crypto profiles** (eIDAS/FIPS/GOST/SM and related plugin architecture) to avoid compliance lock-in.
|
|
|
|
### Toolchain-agnostic integrations
|
|
- Integrates with common SCM/CI/registries/secrets managers through **connectors and plugins**.
|
|
- Works alongside existing pipelines: scan-on-build, gate-on-promotion, re-evaluate on advisory updates.
|
|
|
|
---
|
|
|
|
## Core differentiators (the "why Stella" set)
|
|
|
|
These concepts appear throughout the docs and are the suite's anchor points:
|
|
|
|
- **Signed, replayable risk verdicts**: decisions can be re-run deterministically from the same evidence.
|
|
- **Decision capsules**: evidence is packaged for audit, not scattered across logs and screenshots.
|
|
- **Reachability with portable proofs**: exploitability is evidenced, not asserted.
|
|
- **Smart-diff / semantic risk delta**: focus on what materially changed between releases.
|
|
- **Unknowns as first-class state**: uncertainty is tracked and budgeted, not hidden.
|
|
- **Non-Kubernetes-first**: orchestration and evidence for Compose/hosts/agentless targets as a primary use case.
|
|
- **Digest-first release identity**: immutable artifacts, immutable accountability.
|
|
|
|
For exhaustive capability detail (including planned items), use the Feature Matrix referenced below.
|
|
|
|
---
|
|
|
|
## Two levels of documentation
|
|
|
|
- **High-level (canonical):** curated guides in `docs/*.md`.
|
|
- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas).
|
|
Entry point: `docs/technical/README.md`.
|
|
|
|
This documentation set is intentionally consolidated and does not maintain compatibility stubs for old paths.
|
|
|
|
---
|
|
|
|
## Start here
|
|
|
|
### Product understanding
|
|
|
|
| Goal | Open this |
|
|
| --- | --- |
|
|
| Understand the suite quickly | `overview.md` |
|
|
| Capability cards | `key-features.md` |
|
|
| Full capability matrix | `FEATURE_MATRIX.md` |
|
|
| Product vision | `product/VISION.md` |
|
|
| Roadmap (priorities + definition of "done") | `ROADMAP.md` |
|
|
|
|
### Getting started
|
|
|
|
| Goal | Open this |
|
|
| --- | --- |
|
|
| First run and basic workflows | `quickstart.md` |
|
|
| Ingest advisories (Concelier + CLI) | `CONCELIER_CLI_QUICKSTART.md` |
|
|
| Console (Web UI) operator guide | `UI_GUIDE.md` |
|
|
| Offline / air-gap operations | `OFFLINE_KIT.md` |
|
|
|
|
### Architecture
|
|
|
|
| Goal | Open this |
|
|
| --- | --- |
|
|
| Architecture: high-level overview | `ARCHITECTURE_OVERVIEW.md` |
|
|
| Architecture: full reference map | `ARCHITECTURE_REFERENCE.md` |
|
|
| Architecture: user flows (UML) | `technical/architecture/user-flows.md` |
|
|
| Architecture: module matrix | `technical/architecture/module-matrix.md` |
|
|
| Architecture: data flows | `technical/architecture/data-flows.md` |
|
|
| Architecture: schema mapping | `technical/architecture/schema-mapping.md` |
|
|
| Release Orchestration dossier | `modules/release-orchestrator/architecture.md` |
|
|
|
|
### Development and operations
|
|
|
|
| Goal | Open this |
|
|
| --- | --- |
|
|
| Develop plugins/connectors | `PLUGIN_SDK_GUIDE.md` |
|
|
| Security deployment hardening | `SECURITY_HARDENING_GUIDE.md` |
|
|
| VEX consensus and issuer trust | `VEX_CONSENSUS_GUIDE.md` |
|
|
| Vulnerability Explorer guide | `VULNERABILITY_EXPLORER_GUIDE.md` |
|
|
| SBOM determinism guide | `sboms/DETERMINISM.md` |
|
|
| Engineering standards (for implementers) | `code-of-conduct/CODE_OF_CONDUCT.md` |
|
|
| Testing standards (for QA/automation) | `code-of-conduct/TESTING_PRACTICES.md` |
|
|
|
|
---
|
|
|
|
## Detailed indexes
|
|
|
|
- Technical index (everything): `docs/technical/README.md`
|
|
- End-to-end workflow flows: `docs/flows/`
|
|
- Module dossiers: `docs/modules/`
|
|
- API contracts and samples: `docs/api/`
|
|
- Architecture notes / ADRs: `docs/technical/architecture/`, `docs/technical/adr/`
|
|
- Operations and deployment: `docs/operations/`
|
|
- Air-gap workflows: `docs/modules/airgap/guides/`
|
|
- Security deep dives: `docs/security/`
|
|
- Benchmarks and fixtures: `docs/benchmarks/`, `docs/assets/`
|
|
- Product advisories: `docs/product/advisories/`
|
|
|
|
---
|
|
|
|
## Design principles (non-negotiable)
|
|
|
|
- **Offline-first:** core operations must work in restricted/air-gapped environments.
|
|
- **Deterministic replay:** same inputs yield the same outputs (stable ordering, canonical hashing).
|
|
- **Evidence-linked decisions:** every decision links to concrete evidence artifacts.
|
|
- **Digest-first identity:** releases are immutable OCI digests, not mutable tags.
|
|
- **Pluggable integrations:** connectors and steps are extensible; the core evidence chain stays stable. |