2e78085115fe197d51ecf0123f7ddb6f564ccfc2
Closes DEPRECATE-003 in SPRINT_20260408_005. Pre-release status means the 30/90-day compat windows in the original Decision #5 are moot — no external consumers. Decision #5 amended twice during session.
Drop migrations (embedded resources, auto-applied on startup per §2.7):
- authority.audit / authority.airgap_audit / authority.offline_kit_audit (002_drop_deprecated_audit_tables.sql)
- policy.audit (013; policy.gate_bypass_audit PRESERVED as domain evidence)
- notify.audit (008)
- scheduler.audit + partitions via CASCADE (009)
- proofchain.audit_log (004)
Kept by design:
- release_orchestrator.audit_entries + audit_sequences (hash chain, Decision #2)
- policy.gate_bypass_audit (domain evidence, unique query patterns)
- authority.login_attempts (auth protocol state, not audit)
Repository neutering — local DB write removed, Timeline emission preserved:
- PolicyAuditRepository.CreateAsync → Timeline-only; readers [Obsolete]
- NotifyAuditRepository.CreateAsync → Timeline-only; readers [Obsolete]
- PostgresSchedulerAuditService → removed INSERT, Timeline-only
- PostgresAttestorAuditSink.WriteAsync → no-op (endpoint-level .Audited() filter carries the audit signal)
Attestor cleanup:
- Deleted AuditLogEntity.cs
- Removed DbSet<AuditLogEntity> from ProofChainDbContext
- Removed LogAuditAsync / GetAuditLogAsync from IProofChainRepository
- Removed "audit_log" from SchemaIsolationService
Reconciliation tool substitutes for the 30-day wall-clock window:
- scripts/audit-reconciliation.ps1 joins each per-service audit table to timeline.unified_audit_events via the dual-write discriminator (details_jsonb.localAuditId / localEntryId) for deterministic pairs, tuple-matches Authority. Test-Table/to_regclass guards handle post-drop vacuous-pass. Overall PASS across pre/post/final runs.
- 4 reports under docs/qa/.
Sprint archivals:
- SPRINT_20260408_004 (Timeline unified audit sink) — all 7 tasks DONE
- SPRINT_20260408_005 (audit endpoint filter deprecation) — all 12 tasks DONE
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stella Ops Suite Documentation
Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
Stella is designed for teams who deploy containers via Docker/Compose, hosts/VMs, and scripted automation and need certifiable security + auditable releases without building a bespoke governance pipeline.
What Stella delivers
Evidence-grade release governance (outside Kubernetes)
- Environment promotions (Dev -> Stage -> Prod) with explicit policy, approvals, and change control.
- Digest-first release identity: deployments are tracked by immutable OCI digests so "what is deployed where" is unambiguous.
- Deterministic decision records: every gate decision is explainable ("why blocked?") and replayable.
Reachability-aware security decisioning
- Deep scanning produces SBOM + findings + reachability and hybrid reachability evidence.
- VEX-first decisioning with consensus and conflict handling across issuers (SBOM/VEX are part of the evidence chain, not a side export).
- Policy-as-code with deterministic evaluation and traceable outcomes.
Verifiability, attestability, and audit export
- Evidence packets / decision capsules: hashable, immutable bundles that capture inputs, verdicts, and approvals.
- Attestations (DSSE/in-toto, predicates for SBOM/VEX/verdict/reachability; optional Sigstore flows where configured).
- Audit exports for compliance review, incident response, and forensic reconstruction.
Offline-first, sovereign operation
- Built for air-gapped and restricted environments: local databases, offline kits/snapshots, and deterministic replay.
- Regional crypto profiles (eIDAS/FIPS/GOST/SM and related plugin architecture) to avoid compliance lock-in.
Toolchain-agnostic integrations
- Integrates with common SCM/CI/registries/secrets managers through connectors and plugins.
- Works alongside existing pipelines: scan-on-build, gate-on-promotion, re-evaluate on advisory updates.
Core differentiators (the "why Stella" set)
These concepts appear throughout the docs and are the suite's anchor points:
- Signed, replayable risk verdicts: decisions can be re-run deterministically from the same evidence.
- Decision capsules: evidence is packaged for audit, not scattered across logs and screenshots.
- Reachability with portable proofs: exploitability is evidenced, not asserted.
- Smart-diff / semantic risk delta: focus on what materially changed between releases.
- Unknowns as first-class state: uncertainty is tracked and budgeted, not hidden.
- Non-Kubernetes-first: orchestration and evidence for Compose/hosts/agentless targets as a primary use case.
- Digest-first release identity: immutable artifacts, immutable accountability.
For exhaustive capability detail (including planned items), use the Feature Matrix referenced below.
Two levels of documentation
- High-level (canonical): curated guides in docs/*.md.
- Detailed (reference): deep dives under docs/** (module dossiers, architecture notes, API contracts/samples, runbooks, schemas).
Entry point: docs/technical/README.md.
This documentation set is intentionally consolidated and does not maintain compatibility stubs for old paths.
Start here
Product understanding
| Goal | Open this |
|---|---|
| Understand the suite quickly | overview.md |
| Capability cards | key-features.md |
| Full capability matrix | FEATURE_MATRIX.md |
| Product vision | product/VISION.md |
Getting started
| Goal | Open this |
|---|---|
| First run and basic workflows | quickstart.md |
| Installation guide | INSTALL_GUIDE.md |
| Runtime data assets (ML models, JDK, certs) | ../devops/runtime-assets/README.md |
| Ingest advisories (Concelier + CLI) | CONCELIER_CLI_QUICKSTART.md |
| Console (Web UI) operator guide | UI_GUIDE.md |
| Offline / air-gap operations | OFFLINE_KIT.md |
Architecture
| Goal | Open this |
|---|---|
| Architecture: high-level overview | ARCHITECTURE_OVERVIEW.md |
| Architecture: canonical system overview | 07_HIGH_LEVEL_ARCHITECTURE.md |
| Architecture: platform overview dossier | modules/platform/architecture-overview.md |
| Architecture: full reference map | ARCHITECTURE_REFERENCE.md |
| Architecture: user flows (UML) | technical/architecture/user-flows.md |
| Architecture: module matrix | technical/architecture/module-matrix.md |
| Architecture: data flows | technical/architecture/data-flows.md |
| Architecture: schema mapping | technical/architecture/schema-mapping.md |
| Release Orchestration dossier | modules/release-jobengine/architecture.md |
| Telemetry federation architecture | modules/telemetry/federation-architecture.md |
| Telemetry federation runbook | runbooks/federated-telemetry-operations.md |
| Telemetry federation contracts | contracts/federated-consent-v1.md, contracts/federated-telemetry-v1.md |
Development and operations
| Goal | Open this |
|---|---|
| Develop plugins/connectors | PLUGIN_SDK_GUIDE.md |
| Security deployment hardening | SECURITY_HARDENING_GUIDE.md |
| VEX consensus and issuer trust | VEX_CONSENSUS_GUIDE.md |
| Vulnerability Explorer guide | modules/vuln-explorer/VULNERABILITY_EXPLORER_GUIDE.md |
| SBOM determinism guide | sboms/DETERMINISM.md |
| Engineering standards (for implementers) | code-of-conduct/CODE_OF_CONDUCT.md |
| Testing standards (for QA/automation) | code-of-conduct/TESTING_PRACTICES.md |
Detailed indexes
- Technical index (everything): docs/technical/README.md
- End-to-end workflow flows: docs/flows/
- Module dossiers: docs/modules/
- API contracts and samples: docs/api/
- Architecture notes / ADRs: docs/technical/architecture/, docs/technical/adr/
- Operations and deployment: docs/operations/
- Air-gap workflows: docs/modules/airgap/guides/
- Security deep dives: docs/security/
- Benchmarks and fixtures: docs/benchmarks/, docs/assets/
- Product advisories: docs/product/advisories/
- Hybrid diff patching blueprint: docs/hybrid-diff-patching.md
License and notices
- Project license (BUSL-1.1 + Additional Use Grant): ../LICENSE
- Third-party notices: ../NOTICE.md
- Legal and licensing index: docs/legal/README.md
- Full dependency inventory: docs/legal/THIRD-PARTY-DEPENDENCIES.md
- Compatibility guidance: docs/legal/LICENSE-COMPATIBILITY.md
- Cryptography compliance: docs/legal/crypto-compliance-review.md
Design principles (non-negotiable)
- Offline-first: core operations must work in restricted/air-gapped environments.
- Deterministic replay: same inputs yield the same outputs (stable ordering, canonical hashing).
- Evidence-linked decisions: every decision links to concrete evidence artifacts.
- Digest-first identity: releases are immutable OCI digests, not mutable tags.
- Pluggable integrations: connectors and steps are extensible; the core evidence chain stays stable.